scholarly journals Comparing the information security culture of employees who had read the information security policy and those who had not

2016 ◽  
Vol 24 (2) ◽  
pp. 139-151 ◽  
Author(s):  
Adéle Da Veiga
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Positive Influence ◽  
Theoretical Research ◽  
Information Security Policy ◽  
Content Type ◽  
Security Culture ◽  
Targeted Interventions ◽  
Information Security Culture ◽  
Over Time

Purpose This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy. Design/methodology/approach An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire. Findings The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next. Research limitations/implications The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation. Practical implications Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour. Originality/value This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.

Work-related groups and information security policy compliance

2018 ◽  
Vol 26 (5) ◽  
pp. 533-550 ◽  
Author(s):  
Teodor Sommestad
Keyword(s):  
Decision Making ◽  
Information Security ◽  
Security Policy ◽  
Content Type ◽  
Security Culture ◽  
Work Related ◽  
Individual Perceptions ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance ◽  
Information Security Culture

PurposeIt is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model over individual decision-making.Design/methodology/approachA multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions.FindingsThe results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure.Research limitations/implicationsThis paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account.Practical implicationsInformation security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups.Originality/valueThis paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.

scholarly journals A systematic review of scales for measuring information security culture

2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Špela Orehek ◽  
Gregor Petrič
Keyword(s):  
Systematic Review ◽  
Information Security ◽  
Critical Evaluation ◽  
Face Validity ◽  
Measurement Scale ◽  
Limited Evidence ◽  
Content Type ◽  
Security Culture ◽  
Concept Of Information ◽  
Information Security Culture

Purpose The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures. Design/methodology/approach Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales. Findings The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process. Research limitations/implications Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items. Practical implications Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation. Originality/value This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

The hunt for computerized support in information security policy management

2020 ◽  
Vol 28 (2) ◽  
pp. 215-259 ◽  
Author(s):  
Elham Rostami ◽  
Fredrik Karlsson ◽  
Ella Kolkowska
Keyword(s):  
Information Security ◽  
Research Methods ◽  
Security Policy ◽  
Critical Discussion ◽  
Future Research ◽  
Management Process ◽  
Management Research ◽  
Information Security Policy ◽  
Content Type ◽  
Literature Reviews

Purpose The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach The results are based on a literature review of ISP management research published between 1990 and 2017. Findings Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare. Research limitations/implications Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process. Practical implications The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners. Originality/value Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Information security culture – state-of-the-art review between 2000 and 2013

2015 ◽  
Vol 23 (3) ◽  
pp. 246-285 ◽  
Author(s):  
Fredrik Karlsson ◽  
Joachim Åström ◽  
Martin Karlsson
Keyword(s):  
Information Security ◽  
Research Methods ◽  
State Of The Art ◽  
Assessment Tools ◽  
Future Research ◽  
Research Topics ◽  
Content Type ◽  
Security Culture ◽  
Systems Research ◽  
Information Security Culture

Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December). Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature. Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research. Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated. Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.

Building an awareness-centered information security policy compliance model

2019 ◽  
Vol 120 (1) ◽  
pp. 231-247 ◽  
Author(s):  
Alex Koohang ◽  
Jonathan Anderson ◽  
Jeretta Horn Nord ◽  
Joanna Paliszkiewicz
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Path Modeling ◽  
Information Security Policy ◽  
Content Type ◽  
Security Issues ◽  
Compliance Model ◽  
Security Compliance ◽  
Trusting Beliefs ◽  
Practical Implications

Purpose The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance. Design/methodology/approach The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data. Findings The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements. Practical implications Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs. Originality/value This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in the information security awareness which in turn positively affect employees’ URV and SE variables leading employees to comply with the ISP requirements.

Enhancing supply chain resilience by counteracting the Achilles heel of information sharing

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Hwee-Chin Tan ◽  
Keng Lin Soh ◽  
Wai Peng Wong ◽  
Ming-Lang Tseng
Keyword(s):  
Supply Chain ◽  
Information Security ◽  
Information Sharing ◽  
Information Leakage ◽  
Equation Modeling ◽  
Content Type ◽  
Supply Chain Resilience ◽  
Security Culture ◽  
The Impact ◽  
Information Security Culture

PurposeIn the face of information leakage, this study aims to demonstrate pathways to supply chain resilience (SCR) during information sharing by deploying organizational ethical climate (OEC) and information security culture (ISC) as non-punitive mitigation approaches.Design/methodology/approachThis empirical study was conducted to verify the framework using a questionnaire distributed to Malaysian multinational corporations (MNCs) of the manufacturing sector. The data were analysed using structural equation modeling (SEM) techniques with the AMOS software.FindingsThis study has confirmed the adverse impact of intentional and unintentional leakages on information sharing effectiveness. The findings showed ISC could reduce the impact of information leakage, but an OCE could not. This study provides evidence that information sharing effectiveness could impact SCR. The former is a mediator between information leakage and SCR, with information leakage moderated by information security culture. These findings convey that multinationals should set up an ISC to reduce information leakage and enhance their SCR.Originality/valuePrior studies lacked the explanation of the impact of mitigating factors on information leakage in information sharing effectiveness affecting SCR. A framework that explains the relationships add value to organizations making available strategic decisions to curb information leakage and manage SCR.

Holistic framework for evaluating and improving information security culture

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Krunoslav Arbanas ◽  
Mario Spremic ◽  
Nikolina Zajdela Hrustek
Keyword(s):  
Information Security ◽  
Latent Variables ◽  
Convergent Validity ◽  
Social Issues ◽  
The Body ◽  
Measuring Instrument ◽  
Validity And Reliability ◽  
Content Type ◽  
Security Culture ◽  
Information Security Culture

PurposeThe objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.Design/methodology/approachThe conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.FindingsThe proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.Originality/valueThis paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.

Sign in / Sign up

Export Citation Format

Share Document