Adele Da Veiga
University of South Africa
Publication
Featured research published by Adele Da Veiga.
Computers & Security | 2015
Adele Da Veiga; Nico Martins
The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet. In this paper we discuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establish whether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved from one assessment to the next, with the most positive results in the fourth assessment. This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture.
Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation's information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA.
Information and Computer Security | 2016
Adele Da Veiga
Purpose: This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy. Design/methodology/approach: An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire. Findings: The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next. Research limitations/implications: The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation. Practical implications: Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour. Originality/value: This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.
Computers & Security | 2017
Adele Da Veiga; Nico Martins
When considering an information security culture in an organisation, researchers have to consider the possibility of several information security subcultures that could be present in the organisation. This means that different geographical, ethnic or age groups of employees could have different assumptions, values and beliefs about the protection of information, resulting in unique information security subcultures. This research sets out to understand how dominant information security cultures and subcultures develop and how they can be influenced positively over time through targeted interventions. In support of this, a summary of the intrinsic and extrinsic factors that influence information security culture is presented. An empirical case study was conducted using a survey approach with a validated information security culture questionnaire to illustrate how to identify dominant information security cultures and subcultures. The survey was conducted at four intervals in the same organisation over a number of years to identify potential information security subcultures and to monitor the change, if targeted interventions for each are implemented. Using t-tests and ANOVA tests, a number of information security subcultures were identified, mostly evident across the organisation's office locations (which are separated geographically), as well as between employees that worked in the IT division compared to those who did not. The data indicate that the dominant information security culture and subcultures improved over time to a more positive information security culture after the implementation of targeted interventions. This illustrates how the identification and targeting of information security subcultures with customised interventions can influence the information security culture positively.
By using information security interventions, organisations can target their high-risk subcultures and monitor the change over time through continuous assessment, thereby minimising the risk to information protection from a human perspective.
2016 SAI Computing Conference (SAI) | 2016
Adele Da Veiga
A cybersecurity culture must be promoted at an international, national, organizational, and individual level to aid in minimizing risks from a human perspective in cyberspace. To promote such a culture it has to be understood and quantified in order to direct change. This research makes use of the disciplines of information technology and industrial psychology to define a cybersecurity culture. A quantitative research methodology, cybersecurity culture research methodology (CSeCRM), is proposed that can be used to measure a cybersecurity culture. The objective of CSeCRM is to ensure that a reliable and valid measuring instrument is used to measure cybersecurity culture. The results derived from using such an instrument can aid in identifying actions to change and direct the cybersecurity culture at, for instance, schools or businesses, at national or international level. The CSeCRM is illustrated by implementing it in an organization where a cybersecurity culture measuring instrument was validated.
Computer Law & Security Review | 2015
Adele Da Veiga; Nico Martins
HAISA | 2015
Adele Da Veiga
Archive | 2014
Adele Da Veiga; Nico Martins
CONF-IRM | 2016
Neriyan Nadasen; Colin Pilkington; Adele Da Veiga
Journal of Governance and Regulation | 2015
Nico Martins; Adele Da Veiga
HAISA | 2015
Adele Da Veiga