Security Cultures in Organizations: A Theoretical Model

Developing a security culture in an organization requires an understanding of the factors that influence the security-related beliefs and behaviors of organizational members. Security culture in an organization includes the culture of management and the culture of employees. The focus of the current study is on the security culture of employees. First, we argue that the security culture of an organization's employees is not monolithic, but comprises a collection of the security sub-cultures of the diverse professional groups in the organization. Thus, understanding the security culture of employees equates to understanding the factors that influence the security sub-cultures of professional groups in the organization. Next, we argue that security-related beliefs (espoused security culture) may differ from security-related behaviors (enacted security culture). Hence, models of security culture should incorporate both constructs. With these goals in mind, we propose a preliminary theoretical model of the security sub-cultures of professional groups in organizations.
