Understanding Transition towards Information Security Culture Change

Transitioning towards an information security culture for organisations has not been adequately explored in the current security and management literature. Many authors have proposed how information security culture can be created, fostered and managed within organisations, but have failed to adequately address the transition process towards information security culture change, particularly for small and medium enterprises (SMEs). This paper aims to (1) recapitulate key developments and trends within the information security culture literature; (2) explore in detail the transition process towards organisational change; (3) adapt the transition process with respect to the key players involved in transition and propose a transition model for information security culture change; and (4) consider how this model could be used by managers and employees of Australian SMEs. A major intention of this paper is to provide academic researchers and practising managers with an understanding of the transition process towards achieving information security culture change within SMEs.
