Abstract

The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet.In this paper we discuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establish whether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved from one assessment to the next, with the most positive results in the fourth assessment.This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture. Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation's information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.