Security Governance: Its Impact on Security Culture

While there is an overwhelming amount of literature that recognises the need for organisations to create a security culture in order to manage security effectively, little is known about how to create a good security culture or even what constitutes one. In this paper, we report on one of two case studies performed to examine how security governance influences security culture and, in particular, the sense of responsibility for and ownership of security. The results indicate that, although the structural and functional mechanisms in security governance are influencing factors, the extent of social participation may be the major component of security governance that influences the levels of responsibility and the sense of ownership that IT security personnel have over the management of security within an organisation.
