Understanding Information Security Culture: A Survey in Small and Medium Sized Enterprises

Information security is a relevant concern for today's organizations. Certain factors are inextricably linked to this issue, and one cannot talk about information security in an organization without addressing and understanding the information security culture of that institution. Maximizing the organizational culture within an organization will enable information security to be safeguarded. To do so, we need to understand what the inhibiting and the enabling factors are. This paper helps identify those factors by presenting the results of a survey concerning information security culture in small and medium sized enterprises (SMEs). We discuss the results in the light of related literature, and we identify future work aiming to enhance information security within organizations.
