Understanding and measuring information security culture in developing countries: case of Saudi Arabia

The purpose of the current study was to develop a measurement of information security culture in developing countries such as Saudi Arabia. To achieve this goal, the study commenced with a comprehensive review of the literature, the outcome being a conceptual model that served as a reference base. The literature review revealed a lack of academic and professional research into information security culture in developing countries, and more specifically in Saudi Arabia. Given the increasing importance of information technology and the significant investment developing countries are making in it, there is a clear need to investigate information security culture from the perspective of developing countries such as Saudi Arabia. Furthermore, our analysis indicated a lack of clear conceptualisation of, and distinction between, the factors that constitute information security culture and the factors that influence it. Our research aims to fill this gap by developing and validating a measurement model of information security culture, and by developing an initial understanding of the factors that influence security culture. A sequential mixed method was adopted, consisting of a qualitative phase to explore the conceptualisation of information security culture and a quantitative phase to validate the model. In the qualitative phase, eight interviews with information security experts in eight different Saudi organisations were conducted, revealing that security culture can be understood as a reflection of security awareness, security compliance and security ownership. The interviews also revealed that the factors influencing security culture are top management involvement, policy enforcement, policy maintenance, training, and ethical conduct policies.
These factors were confirmed by the literature review as being critical to the creation of a security culture, and they formed the basis of our initial information security culture model, which was operationalised and tested in different Saudi Arabian organisations. Using data from two hundred and fifty-four valid responses, we demonstrated the validity and reliability of the information security culture model through Exploratory Factor Analysis (EFA), followed by Confirmatory Factor Analysis (CFA). Using Structural Equation Modelling (SEM), we were further able to demonstrate the validity of the model in a nomological net and to provide some preliminary findings on the factors that influence information security culture. The current study contributes to the existing body of knowledge in two major ways: firstly, it develops an information security culture measurement model; secondly, it presents empirical evidence for the nomological validity of that measurement model and identifies factors that influence information security culture. The current study also indicates possible directions for future related research.
