Assessing information security culture: A critical analysis of current approaches

Today's businesses operate in an interconnected, global environment that allows them to collaborate with one another and share information resources. At the same time, this interconnectivity exposes the organization to many internal (employee) and external threats. The internal threat is among the top information security issues facing organizations, as the human factor is regarded as the weakest link in the security chain. To address this “human factor”, researchers have suggested fostering an information security culture that shapes human behavior so that information security becomes second nature to employees. An important step in fostering an information security culture is assessing the current state of that culture. This paper analyzes and compares current information security culture assessment approaches in order to evaluate their suitability, specifically for use in the culture change process.
