Fostering information security culture through integrating theory and technology

Today information can be seen as a basic commodity that is crucial to the continued well-being of modern organizations. Many modern organizations would be unable to do business without access to their information resources. It is therefore of vital importance for organizations to ensure that their information resources are adequately protected against both internal and external threats. This protection of information resources is known as information security and is, to a large extent, dependent on the behavior of the humans in the organization. Humans, at various levels in the organization, play vital roles in the processes that secure organizational information resources. Many of the problems experienced in information security can be directly attributed to the humans involved in these processes. Employees, either intentionally or through negligence, often due to a lack of knowledge, can be seen as the greatest threat to information security. Addressing this human factor in information security is the primary focus of this thesis. The majority of current approaches to dealing with the human factors in information security acknowledge the need to foster an information security culture in the organization. However, very few current approaches attempt to adjust the "generic" model(s) used to define organizational culture so that they are specific to the needs of information security. This thesis firstly proposes, and argues for, such an adapted conceptual model, which aims to improve the understanding of what an information security culture is. The thesis secondly focuses on the underlying role that information security educational programs play in the fostering of an organizational information security culture. It is argued that many current information security educational programs are not based on sound pedagogical theory. The use of learning taxonomies during the design of information security educational
