Problems of evaluating the organization’s information security culture

Rasmiyya S. Mahmudova
Journal: Problems of Information Society. Publication date: 2023-01-23. Publication type: Journal Article. DOI: 10.25045/jpis.v14.i1.07 (https://doi.org/10.25045/jpis.v14.i1.07)

Abstract

The digitization of all areas of human activity is increasing the number of information security incidents in organizations, which makes the problem of information security culture in organizations highly relevant. The majority of incidents related to information security violations in organizations are associated with the human factor. To address this problem, research on the evaluation of information security culture is urgently needed. Measuring and evaluating information security culture can enable an organization to identify its weaknesses in this area and take measures to eliminate them. This article examines various approaches to the concept of information security culture and analyzes the factors that affect it within the organization (management’s attitude towards information security, information security policy, information security awareness, and employees’ behavior). It also studies the documents adopted and the projects implemented in the European Union countries and the United States for the development and evaluation of information security culture. It analyzes the methods proposed for measuring information security culture in an organization. Moreover, the article reveals existing problems in this field and provides certain recommendations for their elimination. The research uses the methods of analysis and synthesis, comparison, generalization, and a systematic approach.