You Are Here Home Science laboratory technology project topics Defining an Information Security Culture

Defining an Information Security Culture

Project topics and materials 0

Get Complete Project Material File(s) Now! »

Information security culture and organisational culture

Probably the best-known definition of organisational culture is “the way things are done here” (Lundy & Cowling 1996). Organisational culture can be seen as the personality of the organisation (Robbins 2001) and it is the social glue that binds the members of an organisation together (Kreitner & Kinicki 1995: 532).
An organisational culture develops on the basis of certain activities in the organisation, such as the vision of management and the behaviour that employees exhibit on an individual, group and organisational level (tier) (Hellriegel, Slocum & Woodman 1998; Robbins 2001). The organisational culture that develops on the basis of the exhibited behaviour is evident in artifacts (locked door), values (‘employees are valuable assets’) and basic assumptions (‘the Information Technology department is responsible for the security of CIS’) (Schein 1985: 14).
According to Robbins (2001), organisational behaviour is about what people do in an organisation and how their behaviour affects the performance of the organisation. The term also incorporates employee attitude and how it relates to the behaviour of employees in the organisation (Hellriegel, Slocum & Woodman 1998: 4). An information security culture develops due to the information security behaviour of employees in the same manner that an organisational culture develops due to the organisational behaviour of employees in the organisation (Martins 2002; Martins & Eloff 2002; Robbins, Odendaal & Roodt 2003: 15; Hellriegel, Slocum & Woodman 1998: 594). An information security culture is therefore based on the interaction of employees with information assets and the security behaviour they exhibit.

Influencing information security behaviour and cultivating an information security culture

Figure 5.1 (level 1) illustrates that information security components (A) are implemented in the organisation. These components can be seen as the input that influences information security behaviour in the organisation (B). Implementing the information security components impacts on the interaction of employees with information assets, and employees consequently exhibit certain behaviour referred to as information security behaviour. The objective is to instil information security behaviour that is conducive to the protection of information assets based on the organisation’s information security policies and code of ethics. Such behaviour could involve the reporting of security incidents, adherence to a clear desk policy or the secure disposal of confidential documents. In time, this security behaviour evolves as the way that things are done in the organisation and an information security culture is therefore established (cultivated) (C). A culture is thus promoted in which ensuring the security of information is accepted as the way things are done.
To illustrate the interaction between A, B and C, the following example is used. The information security policy, one of the information security components, is used to provide employees with a clear understanding of management’s direction and support for information security (ISO/IEC 27001 2005). According to Whitman and Mattord (2003), the objective of a policy is to influence the decisions, actions and behaviours of employees. It further specifies what behaviour is regarded as acceptable and what not. For instance, the information security policy may state that a laptop must be physically secured at all times. The statement in the policy is aimed at directing employee behaviour to protect both the physical asset and the data saved on the laptop. The objective is to influence the employee’s behaviour when interacting with the laptop to ensure the protection thereof. Without this statement and its enforcement, employees could leave their laptops unsecured. Therefore, without information security components to direct and influence employee behaviour, employees could well interact with information assets in ways that would introduce risk. In time, such potentially harmful behaviour could unfortunately give rise to a culture where neglect is regarded as acceptable.
To administer a positively acceptable level of information security, organisations should ensure that a comprehensive and adequate set of information security components is implemented. This set of information security components aids in addressing threats on the technical, process and people levels, in other words threats that would negatively influence the establishment of an acceptable information security culture within the organisation. Organisations should furthermore ensure that employee interaction is in line with the requirements of the information security policy.
These requirements could involve actions such as making back-ups to the server on a daily basis, password protect information on removable media or the deletion of unsolicited e-mails with attachments.

READ  Metallurgy of Endodontic Files

PART I
Chapter 1 Introduction
1.1 Introduction
1.2 Background to and motivation for the research
1.3 Problem statement
1.3.1 Research questions
1.4 Research scope
1.5 Research methodology
1.7 Layout of thesis
Chapter 2 Defining an Information Security Culture
2.1 Introduction
2.2 Definition of an information security culture
2.3 Comparing the different information security culture definitions
2.4 Information security culture as defined for this research study
2.5 Conclusion
Chapter 3 Current Research Perspectives
3.1 Introduction
3.2 Current perspectives on information security culture research
3.3 Conclusion
PART II
Chapter 4 A Framework for Information Security
4.1 Introduction
4.2 Information security approaches
4.3 Investigation of information security approaches
4.4 Proposed Information Security Framework
4.5 Conclusion
Chapter 5 A Framework for Information Security Culture
5. 1. Introduction
5. 2. A framework for information security culture
5. 3. Applying the Information Security Culture Framework
5. 4. Benefits of the Information Security Culture Framework
5. 5. Conclusion
PART III
Chapter 6 A Process for Assessing Information Security Culture
6.1 Introduction
6.2 Assessing the information security culture in an organisation
6.3 Background on processes to assess information security culture
6.4 Proposed process to assess information security culture
6.5 Conclusion
Chapter 7 An Empirical Study
7.1 Introduction
7.2 Background
7.3 Information on empirical study organisation
7.4 Step 1: Information security culture assessment planning and organisation
7.5 Step 2: Information security culture assessment administration
7.6 Step 3: Information security culture assessment data analysis
7.7 Information security culture assessment report writing and feedback
7.8 Empirical study evaluation
7.9 Conclusion
PART IV
Chapter 8 Conclusion
8.1 Introduction
8.2 Revisiting the problem statement
8.3 Main contribution
8.4 Limitations
8.4 Future research
Bibliography

GET THE COMPLETE PROJECT

Related Posts

Finite element model for three-dimensional compressible turbulent flows

CALIBRATION SYSTEM OF STEAM FLOWMETERS

Challenges for thermal diagnosis on building walls in situ

Postseismic creep along the North Anatolian Fault

Measurement of the trap oscillation frequencies

Affective values in human decision-making