Information security culture as the key factor in ensuring an adequate level of information security
Keywords: information security, human factors of information security, information security culture

Abstract
Studies have shown that most recent information security incidents have been caused by improper user actions rather than by the use of IT hacking tools. The paper therefore explains why the IT tools and procedures in use today are no longer effective enough, and how information security management should change in the future. Besides management support, security policies and procedures, user actions depend mainly on users' security awareness, knowledge, beliefs and motivation, collectively called the information security culture. In the paper, we present the OECD's principles, standards, models, and research in the field of information security culture, as well as principles for managing changes to it. Using only technical solutions, without establishing a proper information security culture and, consequently, secure user behaviour, organisations will no longer be able to reach adequate information security levels.
References
AlHogail, A. (2015). Design and validation of information security culture framework. Computers in Human Behavior, No. 49, pp. 567–575.
AlHogail, A. (2015a). Cultivating and assessing an organizational information security culture. International Journal of Security and Its Applications, 9, No. 7, pp. 163–178.
AlHogail, A. and Mirza, A. (2014). A framework of information security culture change. Journal of Theoretical and Applied Information Technology, 64, No. 2, pp. 540–549.
Alnatheer, M. (2014). A conceptual model to understand Information Security Culture. International Journal of Social Science and Humanity, 4, No. 2, pp. 104–107.
Alnatheer, M. and Nelson, K. (2009). Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context. Retrieved on 6/29/2017 from the Internet: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1001&context=ism.
Alnatheer, M. et al. (2012). Understanding and measuring Information Security Culture. Retrieved on 8/25/2017 from the Internet: http://aisel.aisnet.org/cgi/viewcontent.cgi?article=119&context=pacis2012.
Armerding, T. (2017). The 15 worst data security breaches of the 21st century. Retrieved on 1/22/2017 from the Internet: http://www.csoonline.com/article/2130877/data-protection/dataprotection-html.
Armstrong, M. (2006). A Handbook of Human Resource Management Practice. 11th ed., London and Philadelphia: Kogan Page.
Cadle, Y. and Yeates, D. (2001). Project management for information systems. London: Pearson Education.
Cameron, E. and Green, M. (2015). Making sense of change management: a complete guide to the models, tools and techniques of organizational change. London: Kogan Page.
CISO (2011). Human behaviour and security culture. Retrieved on 8/30/2017 from the Internet: http://exec.tuck.dartmouth.edu/downloads/623/human_behavior_and_security_culture_ciso_workshop_overview.pdf.
Da Veiga, A. and Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29, No. 2, pp. 196–207.
Da Veiga, A. and Martins, N. (2014). Information Security Culture: A Comparative Analysis of Four Assessments. Retrieved on 8/15/2017 from the Internet: http://uir.unisa.ac.za/bitstream/handle/10500/18734/Information%20Security%20Culture%20A%20Comparative%20Analysis%20of%20Four%20Assessments%202014.pdf?sequence=1&isAllowed=y.
Da Veiga, A. et al. (2007). Information security culture – validation of an assessment instrument. Southern African Business Review, 11, No. 1, pp. 147–166.
Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7, No. 4, pp. 171–175.
Gebrasilase, T. and Lessa, L. F. (2011). Information Security Culture in Public Hospitals. The Case of Hawasa Referral Hospital. The African Journal of Information Systems, 3, No. 3, pp. 72–86.
Hassan, N. H. and Ismail, Z. (2012). A conceptual model for investigating factors influencing information security culture in healthcare environment. Retrieved on 6/27/2017 from the Internet: http://www.sciencedirect.com/science/article/pii/S1877042812052196.
Hassan, N. H. et al. (2015). Information Security Culture: A systematic literature review. Retrieved on 8/24/2017 from the Internet: http://www.icoci.cms.net.my/proceedings/2015/PDF/PID205.pdf.
Ifinedo, P. (2014). The effects of national culture on the assessment of information security threats and controls in financial services industry. International Journal of Electronic Business Management, 12, No. 2, pp. 75–89.
International Organisation for Standardization. ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements. Retrieved on 2/3/2017 from the Internet: http://www.iso.org/iso/catalogue_detail?csnumber=54534.
International Organisation for Standardization. ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls. Retrieved on 2/3/2017 from the Internet: http://www.iso.org/iso/catalogue_detail?csnumber=54533.
IT Governance Institute (2007). CobiT 4.1. Rolling Meadows: IT Governance Institute.
Knapp, K. J. et al. (2006a). The top information security issues facing organizations: What can government do to help? Information Security and Risk Management, 15, No. 4, pp. 51–58.
Knapp, K. J. et al. (2006b). Information security: management's effect on culture and policy. Information Management and Computer Security, 14, No. 1, pp. 24–36.
Martins, A. and Eloff, J. (2002). Information security culture. Retrieved on 8/26/2017 from the Internet: https://link.springer.com/content/pdf/10.1007%2F978-0-387-35586-3_16.pdf.
Martins, N. and Da Veiga, A. (2015). An information security culture model validated with structural equation modelling. Retrieved on 8/30/2017 from the Internet: http://uir.unisa.ac.za/bitstream/handle/10500/19061/CSCAN-OA-254%20Inf%20Sec%20Cul%20Model%20with%20SEM%20HAISA%202015.pdf?sequence=1&isAllowed=y.
Martins, N. and Da Veiga, A. (2014). The value of using a validated information security culture assessment instrument. Retrieved on 8/30/2017 from the Internet: http://uir.unisa.ac.za/bitstream/handle/10500/14350/Martins%20Da%20Veiga_The%20Value%20of%20Using%20a%20Validated%20Information%20Security%20Culture%20Instrument.pdf?sequence=2.
OECD (2002). Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Retrieved on 1/5/2017 from the Internet: http://www.oecd.org/sti/ieconomy/15582260.pdf.
Opcomm (2013). Retrieved on 2/3/2017 from the Internet: http://www.opcomm.eu/sl/medijsko-sredisce/blog/139-zakaj-postaja-internet-stvari-najveja-globalna-panoga.
Prislan, K. and Bernik, I. (2014). Trendi informacijske varnosti v sodobni organizaciji. Uporabna informatika, 22, No. 1, pp. 25–37.
Rančigaj, K. and Lobnikar, B. (2012). Vedenjski vidiki zagotavljanja informacijske varnosti: pomen upravljanja informacijske varnostne kulture. Retrieved on 1/20/2017 from the Internet: http://www.fvv.um.si/konferencaiv/zbornik/Rancigaj_Lobnikar.pdf.
SANS Institute (2017). Retrieved on 1/22/2017 from the Internet: https://www.sans.org/reading-room/whitepapers/analyst/survey-mobility-byod-security-policies-practices-35175.
Schlienger, T. and Teufel, S. (2003). Analyzing information security culture: increased trust by an appropriate information security culture. Retrieved on 8/22/2017 from the Internet: http://ieeexplore.ieee.org/abstract/document/1232055/.
Talib, S. et al. (2010). An analysis of information security awareness within home and work environments. Retrieved on 2/1/2017 from the Internet: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7348&context=ecuworks.
Van Niekerk, J. F. and Von Solms, R. (2010). Information Security Culture: A management perspective. Computers & Security, 29, No. 4, pp. 476–486.
Van Niekerk, J. F. and Von Solms, R. (2005). A holistic framework for the fostering of an information security sub-culture in organizations. Retrieved on 8/30/2017 from the Internet: https://www.researchgate.net/profile/Johan_Van_Niekerk2/publication/220803201_A_holistic_framework_for_the_fostering_of_an_information_security_sub-culture_in_organizations/links/0deec519093063e1f2000000.pdf.
Copyright (c) 2022 Journal of Economic and Business Sciences

This work is licensed under a Creative Commons Attribution 4.0 International License.