Information security practice in Saudi Arabia: case study on Saudi organizations

Purpose: Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of its information assets. The purpose of this paper is to investigate the status of information security policy at a subset of Saudi organizations by understanding the perceptions of their information technology employees.

Design/methodology/approach: A descriptive and statistical approach has been used to describe the collected data and the characteristics of the IT employees and managers in order to understand the information security policy at the surveyed organizations. The author believes that understanding the IT employees’ views gives a better understanding of the status of the organization’s information security policy.

Findings: It has been found that most of the surveyed organizations have established an information security policy and deployed fair technology; however, many of these policies are not enforced and publicized effectively and efficiently, which has degraded the technology deployed for such protection. In addition, the clarity and comprehensibility of such policies are questionable, as indicated by most of the IT employees’ responses. A comparison with similar studies in Middle Eastern and European countries has shown similar findings and the same concerns.

Originality/value: The findings of this research suggest that the Saudi Communications and Information Technology Commission should develop a national framework for information security to guide governmental and non-governmental organizations, as well as information security practitioners, on good information security practices in terms of policy and procedures, helping organizations to avoid any vulnerability that may lead to violations of the security of their information.
