A model for information security culture with creativity and innovation as enablers – refined with an expert panel

Abstract

PurposeThis study aims to elicit an understanding of creativity and innovation to enable a totally aligned information security culture. A model is proposed to encourage creativity and innovation as part of the information security culture.Design/methodology/approachThe study first applied a theoretical approach with a scoping literature review using the preferred reporting items for systematic reviews and meta-analyses method to propose a conceptual model for engendering employee creativity and innovation as part of the information security culture. A qualitative research method was further applied with expert interviews and qualitative data analysis in Atlas.ti to validate and refine the conceptual model.FindingsA refined and validated information security culture model enabled through creativity and innovation is presented. The input from the expert panel was used to extend the model by 18 elements highlighting that the risk appetite of an organisation defines how much creativity and innovation can be tolerated to reach a balance with the potential risks it might introduce. Embedding creativity and innovation as part of the organisational culture to facilitate it further as part of the information security culture can aid in combating cyber threats and incidents; however, it should be managed through a decision-making process while governed within policies that define the boundaries of creativity and innovation in information security.Research limitations/implicationsThe research serves as a point of reference for further research about the influence of creativity and innovation in information security culture which can be investigated through structural equation modelling.Practical implicationsThis study offers novel insights for managerial practice to encourage creativity and innovation as part of information security.Originality/valueThe research proposes a novel concept of introducing creativity and innovation as part of the information security culture and presents a novel model to facilitate this.