More than the individual: Examining the relationship between culture and Information Security Awareness

Abstract

The relationship between security culture and Information Security Awareness (ISA) has received preliminary support; however, its interplay with organisational culture is yet to be empirically investigated. Therefore, this study explored the relationship between ISA, organisational culture, and security culture. A total of 508 working Australians completed an online questionnaire. ISA was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q); organisational culture was measured using the Denison Organisational Culture Survey (DOCS); and security culture was assessed through the Organisational Security Culture Measure. Our results showed that while organisational culture and security culture were both correlated with ISA, security culture played an important mediating role in the relationship between organisational culture and ISA. This suggests that organisations should focus on security culture rather than organisational culture to improve ISA, saving time and resources. Future research could extend the current findings by also considering national culture.
