Information security culture - validation of an assessment instrument

Organisations need to ensure that the interaction among people, as well as between people and information technology (IT) systems, contributes to the protection of information assets. Organisations therefore need to assess their employees’ behaviour and attitudes towards the protection of information assets in order to establish whether employee behaviour is an asset or a threat to the protection of information. One approach that organisations could use is to assess whether an acceptable level of information security culture has been inculcated in the organisation and, if not, take corrective action. The aim of this paper is to validate an information security culture assessment instrument. This is achieved by performing a factor and reliability analysis on the data from an information security culture assessment in a financial organisation. The results of the analysis are used to identify areas for improving the information security culture assessment instrument. The study makes a contribution to the existing body of knowledge concerned with the assessment of information security culture and its value for management to ensure the protection of information assets.
