scholarly journals An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture

2018 ◽  
Vol 26 (5) ◽  
pp. 584-612 ◽  
Author(s):  
Adéle Da Veiga
Keyword(s):  
Information Security ◽  
Change Management ◽  
Culture Change ◽  
Qualitative Assessment ◽  
Diagnostic Instrument ◽  
Content Type ◽  
Security Culture ◽  
Management Interventions ◽  
Management Approaches ◽  
Information Security Culture

PurposeEmployee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The purpose of this paper is to propose an approach to information security culture change management (ISCCM) that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security.Design/methodology/approachThe ISCCM approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study.FindingsThe ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey.Research limitations/implicationsThe research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data.Practical implicationsOrganisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully.Originality/valueThe proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.

scholarly journals A systematic review of scales for measuring information security culture

2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Špela Orehek ◽  
Gregor Petrič
Keyword(s):  
Systematic Review ◽  
Information Security ◽  
Critical Evaluation ◽  
Face Validity ◽  
Measurement Scale ◽  
Limited Evidence ◽  
Content Type ◽  
Security Culture ◽  
Concept Of Information ◽  
Information Security Culture

Purpose The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures. Design/methodology/approach Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales. Findings The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process. Research limitations/implications Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items. Practical implications Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation. Originality/value This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

Information security culture – state-of-the-art review between 2000 and 2013

2015 ◽  
Vol 23 (3) ◽  
pp. 246-285 ◽  
Author(s):  
Fredrik Karlsson ◽  
Joachim Åström ◽  
Martin Karlsson
Keyword(s):  
Information Security ◽  
Research Methods ◽  
State Of The Art ◽  
Assessment Tools ◽  
Future Research ◽  
Research Topics ◽  
Content Type ◽  
Security Culture ◽  
Systems Research ◽  
Information Security Culture

Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December). Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature. Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research. Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated. Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.

scholarly journals Comparing the information security culture of employees who had read the information security policy and those who had not

2016 ◽  
Vol 24 (2) ◽  
pp. 139-151 ◽  
Author(s):  
Adéle Da Veiga
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Positive Influence ◽  
Theoretical Research ◽  
Information Security Policy ◽  
Content Type ◽  
Security Culture ◽  
Targeted Interventions ◽  
Information Security Culture ◽  
Over Time

Purpose This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy. Design/methodology/approach An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire. Findings The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next. Research limitations/implications The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation. Practical implications Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour. Originality/value This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.

Enhancing supply chain resilience by counteracting the Achilles heel of information sharing

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Hwee-Chin Tan ◽  
Keng Lin Soh ◽  
Wai Peng Wong ◽  
Ming-Lang Tseng
Keyword(s):  
Supply Chain ◽  
Information Security ◽  
Information Sharing ◽  
Information Leakage ◽  
Equation Modeling ◽  
Content Type ◽  
Supply Chain Resilience ◽  
Security Culture ◽  
The Impact ◽  
Information Security Culture

PurposeIn the face of information leakage, this study aims to demonstrate pathways to supply chain resilience (SCR) during information sharing by deploying organizational ethical climate (OEC) and information security culture (ISC) as non-punitive mitigation approaches.Design/methodology/approachThis empirical study was conducted to verify the framework using a questionnaire distributed to Malaysian multinational corporations (MNCs) of the manufacturing sector. The data were analysed using structural equation modeling (SEM) techniques with the AMOS software.FindingsThis study has confirmed the adverse impact of intentional and unintentional leakages on information sharing effectiveness. The findings showed ISC could reduce the impact of information leakage, but an OCE could not. This study provides evidence that information sharing effectiveness could impact SCR. The former is a mediator between information leakage and SCR, with information leakage moderated by information security culture. These findings convey that multinationals should set up an ISC to reduce information leakage and enhance their SCR.Originality/valuePrior studies lacked the explanation of the impact of mitigating factors on information leakage in information sharing effectiveness affecting SCR. A framework that explains the relationships add value to organizations making available strategic decisions to curb information leakage and manage SCR.

Holistic framework for evaluating and improving information security culture

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Krunoslav Arbanas ◽  
Mario Spremic ◽  
Nikolina Zajdela Hrustek
Keyword(s):  
Information Security ◽  
Latent Variables ◽  
Convergent Validity ◽  
Social Issues ◽  
The Body ◽  
Measuring Instrument ◽  
Validity And Reliability ◽  
Content Type ◽  
Security Culture ◽  
Information Security Culture

PurposeThe objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.Design/methodology/approachThe conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.FindingsThe proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.Originality/valueThis paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.

Information sharing and the bane of information leakage: a multigroup analysis of contract versus noncontract

2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Wai-Peng Wong ◽  
Kim Hua Tan ◽  
Stephanie Hui-Wen Chuah ◽  
Ming-Lang Tseng ◽  
Kuan Yew Wong ◽  
...  
Keyword(s):  
Information Security ◽  
Information Sharing ◽  
Information Quality ◽  
Information Leakage ◽  
Quality Information ◽  
Content Type ◽  
Security Culture ◽  
Multigroup Analysis ◽  
Information Security Culture ◽  
Better Than

PurposeThis study investigates information quality, information security technology and information sharing with moderation by information security culture and information leakage and how they all play out to influence supply chain performance for contract suppliers (Contract), noncontract suppliers (Noncontract) and pooled suppliers (Contract and Noncontract combined).Design/methodology/approachMultigroup analysis was deployed to compare the impact on Contract and Noncontract.FindingsThe finding on pooled suppliers confirmed the hypothesis that, in the multigroup analysis, information security culture negatively impacted the information quality–information sharing relationship of Contract.Practical implicationsThe practical learning point is that Noncontract could still share information and perform and in some instances better than Contract. Noncontract suppliers are still workable.Originality/valueInformation security culture motivated Noncontract to share and perform better than Contract. This result presents a dilemma.

Predicting information security culture among employees of telecommunication companies in an emerging market

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Nurul Asmui Azmi Md Azmi ◽  
Ai Ping Teoh ◽  
Ali Vafaei-Zadeh ◽  
Haniruzila Hanifah
Keyword(s):  
Information Security ◽  
Emerging Market ◽  
Mediating Effect ◽  
Security Awareness ◽  
Content Type ◽  
Security Culture ◽  
Information Security Awareness ◽  
The Relationship ◽  
Information Security Culture ◽  
Telecommunications Companies

Purpose The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees. Design/methodology/approach A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3. Findings Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture. Research limitations/implications The study was cross-sectional in nature. Therefore, it could not measure changes in population over time. Practical implications The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture. Originality/value This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.

Work-related groups and information security policy compliance

2018 ◽  
Vol 26 (5) ◽  
pp. 533-550 ◽  
Author(s):  
Teodor Sommestad
Keyword(s):  
Decision Making ◽  
Information Security ◽  
Security Policy ◽  
Content Type ◽  
Security Culture ◽  
Work Related ◽  
Individual Perceptions ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance ◽  
Information Security Culture

PurposeIt is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model over individual decision-making.Design/methodology/approachA multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions.FindingsThe results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure.Research limitations/implicationsThis paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account.Practical implicationsInformation security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups.Originality/valueThis paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.

Key elements of an information security culture in organisations

2019 ◽  
Vol 27 (2) ◽  
pp. 146-164 ◽  
Author(s):  
Frans Nel ◽  
Lynette Drevin
Keyword(s):  
South Africa ◽  
Information Security ◽  
Design Methodology ◽  
Online Survey ◽  
Security Awareness ◽  
Content Type ◽  
Security Culture ◽  
Key Aspects ◽  
Information Security Culture ◽  
Initial Framework

Purpose The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced. Design/methodology/approach Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework. Findings A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey. Originality/value The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.

The influence of organisational culture and information security culture on employee compliance behaviour

2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Grant Solomon ◽  
Irwin Brown
Keyword(s):  
Information Security ◽  
Structural Equation ◽  
Online Survey ◽  
Organisational Culture ◽  
Partial Least Square ◽  
Least Square ◽  
Security Policies ◽  
Content Type ◽  
Security Culture ◽  
Information Security Culture

PurposeOrganisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.Design/methodology/approachA theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.FindingsOrganisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.Practical implicationsControl-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.Originality/valueThis research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Sign in / Sign up

Export Citation Format

Share Document