Understanding And Measuring Information Security Culture

The purpose of the current paper was to develop a measurement of information security culture. Our literature analysis indicated a lack of clear conceptualisation of, and distinction between, the factors that constitute information security culture and the factors that influence it. A sequential mixed method, consisting of a qualitative phase to explore the conceptualisation of information security culture and a quantitative phase to validate the model, is adopted for this research. Eight interviews with information security experts in eight different Saudi organisations were conducted, revealing that security culture can be constituted as a reflection of security awareness and security ownership. Additionally, the qualitative interviews revealed that the factors that influence security culture are top management involvement, policy enforcement, and training. These confirmed factors formed the basis for our initial information security culture model, which was operationalised and tested in different Saudi Arabian organisations. Using data from two hundred and fifty-four valid responses, we demonstrated the validity and reliability of the information security culture model. We were further able to demonstrate the validity of the model in a nomological net, as well as provide some preliminary findings on the factors that influence information security culture.
