Cultivating and assessing information security culture

The manner in which employees perceive and interact (behave) with the controls implemented to protect information assets is one of the main threats to the protection of those assets and to the effective use of information security controls. Should this interaction not be conducive to the protection of information assets, it could have a profound impact on an organisation's profit: productive working hours could be lost, confidential information could be disclosed to unauthorised people, and compliance with legal and regulatory requirements could be affected, all this despite adequate technical and procedural controls being in place. Current research highlights the importance of a strong information security culture in addressing the threat that employee behaviour poses to the protection of information assets. Various research perspectives propose how an acceptable level of information security culture should be cultivated, and how this culture should be assessed to determine whether it is at an acceptable level. These approaches are, however, not adequate to cultivate an information security culture, because all the relevant information security components and the influences on the information security culture have to be considered. This raises the question of whether the assessment instruments proposed to assess information security culture are indeed adequate and valid. The main contribution of this research is the development of an information security culture framework and a process that includes an assessment instrument for information security culture. In order to develop the information security culture framework, the researcher developed a Comprehensive Information Security Framework (CISF) that equips organisations with a holistic approach to the implementation of information security. The framework provides a single point of reference for the governance of information security.
The Information Security Culture Framework (ISCF) is developed using the CISF as foundation. The ISCF can be used by organisations to cultivate an information security culture conducive to the protection of information assets. It considers all the components required for information security culture, namely information security, organisational culture and organisational behaviour. It integrates the aforementioned concepts and illustrates the influence between the components. The ISCF further serves as a basis for designing an information security culture assessment instrument. This instrument is incorporated as part of an Information Security Culture Assessment process (ISCULA) defined by the researcher. ISCULA provides management with the steps to conduct an information security culture assessment, as well as the steps to validate the assessment instrument. The application of ISCULA is tested in an empirical study conducted in an organisation. It illustrates how to validate an information security culture assessment instrument by ensuring that it is designed based on the ISCF and meets the statistical requirements for a valid and reliable assessment instrument. Both the ISCF and the ISCULA process can ultimately be deployed by organisations to minimise the threat that employee behaviour poses to the protection of information assets.
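The abstract states that a valid assessment instrument must meet the statistical requirements for reliability, but does not say which statistic is used. The following is an added example, not part of the thesis or the ISCULA process, that assumes the instrument is a Likert-scale questionnaire grouped into dimensions and that internal-consistency reliability is checked with Cronbach's alpha (the 0.7 acceptance threshold and the 5-point scale are assumptions; the response matrix is constructed for illustration). It also shows reverse-scoring of a negatively worded item and the "alpha if item deleted" check used to spot an item that does not fit its dimension.

```python
"""Reliability check for one dimension of a Likert-scale assessment instrument.

Added example (not the thesis' own code). Assumptions: 5-point Likert items,
Cronbach's alpha as the reliability statistic, 0.7 as the acceptance threshold.
"""
from typing import Dict, List, Set

LIKERT_MAX = 5  # assumed scale: 1 = strongly disagree ... 5 = strongly agree
ALPHA_THRESHOLD = 0.7  # assumed minimum acceptable internal consistency

# Constructed responses: 6 respondents x 3 items of one dimension.
# Item index 2 is negatively worded (e.g. "Sharing passwords is acceptable"),
# so its raw score must be reversed before the dimension is scored.
CONSTRUCTED_RAW: List[List[int]] = [
    [5, 5, 2],
    [4, 4, 2],
    [2, 2, 3],
    [3, 3, 3],
    [5, 4, 1],
    [1, 2, 4],
]
REVERSED_ITEMS: Set[int] = {2}


def sample_variance(values: List[float]) -> float:
    """Unbiased sample variance (n - 1 denominator)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations")
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / (n - 1)


def reverse_score(score: int, scale_max: int = LIKERT_MAX) -> int:
    """Flip a negatively worded item so a high score always means 'more secure'."""
    return scale_max + 1 - score


def prepare(raw: List[List[int]], reversed_items: Set[int]) -> List[List[int]]:
    """Apply reverse-scoring to the flagged items; other scores pass through."""
    return [[reverse_score(s) if i in reversed_items else s for i, s in enumerate(r)]
            for r in raw]


def cronbach_alpha(responses: List[List[float]]) -> float:
    """Cronbach's alpha for a dimension: responses[r][i] is respondent r's score on item i.

    alpha = k / (k - 1) * (1 - sum(item variances) / variance of respondent totals)
    """
    n_items = len(responses[0])
    if n_items < 2:
        raise ValueError("a dimension needs at least two items")
    if any(len(r) != n_items for r in responses):
        raise ValueError("ragged response matrix")
    item_vars = [sample_variance([r[i] for r in responses]) for i in range(n_items)]
    total_var = sample_variance([sum(r) for r in responses])
    if total_var == 0:
        raise ValueError("no variance in totals; alpha is undefined")
    return n_items / (n_items - 1) * (1 - sum(item_vars) / total_var)


def alpha_if_item_deleted(responses: List[List[float]]) -> Dict[int, float]:
    """Alpha of the dimension with each item removed in turn.

    An item whose removal raises alpha noticeably is a candidate for rewording
    or for moving to another dimension. Needs at least three items.
    """
    n_items = len(responses[0])
    if n_items < 3:
        return {}
    return {i: cronbach_alpha([r[:i] + r[i + 1:] for r in responses])
            for i in range(n_items)}


def is_reliable(alpha: float, threshold: float = ALPHA_THRESHOLD) -> bool:
    return alpha >= threshold


def assess_dimension(raw: List[List[int]], reversed_items: Set[int]) -> Dict[str, object]:
    """Full check for one dimension: reverse-score, compute alpha, flag weak items."""
    responses = prepare(raw, reversed_items)
    alpha = cronbach_alpha(responses)
    return {
        "alpha": alpha,
        "reliable": is_reliable(alpha),
        "alpha_if_deleted": alpha_if_item_deleted(responses),
    }


if __name__ == "__main__":
    result = assess_dimension(CONSTRUCTED_RAW, REVERSED_ITEMS)
    print(f"alpha = {result['alpha']:.3f}, reliable = {result['reliable']}")
    for item, a in result["alpha_if_deleted"].items():
        print(f"  alpha without item {item}: {a:.3f}")
```

Alpha is computed per dimension, not for the whole questionnaire, because the instrument's dimensions are meant to measure distinct constructs (the ISCF components); a high overall alpha can hide a dimension whose items do not hang together. Reverse-scoring must happen before the calculation, otherwise a negatively worded item depresses alpha and is wrongly flagged as weak.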
