An Information Security Culture Model Validated with Structural Equation Modelling

Information security culture must be treated as part of the information security programme, because it directs employee behaviour. Such a culture contributes to the protection of information and reduces the risk that employee behaviour poses. This paper proposes a theoretical information security culture model (ISCM) built on four mechanisms (management, policies, awareness and compliance) that are expected to influence information security culture positively. ISCM is derived from the dimensions of the information security culture assessment (ISCA) questionnaire, which are mapped onto these theoretical mechanisms. The model is validated through structural equation modelling (SEM) using empirical data from an ISCA assessment. The result is a theoretically grounded information security culture model that is supported by the empirical study and that confirms the research hypothesis: management, policies, awareness and compliance each contribute to a positive information security culture, as represented by the validated model.