Security Culture and Security Education, Training and Awareness (SETA) Influencing Information Security Management

Abstract

Information security management (ISM) ensures the protection of organisations' data assets. Studying actual security events becomes more critical for ISM preparation. The Capital Market constitutes a wealth of data sources which react to various security incidents. ISM is an essential part of this industry due to high technology dependency. The previous literature emphasises the need for a holistic approach for ISM; therefore, there is necessary to investigate the current state of the ISM to develop a cybersecurity and ISM culture. Research should further explore the impact of national and organisational culture and its effects on ISM and explore ISM practices and initiatives that organisations implement to develop a security culture. This paper explores the factors in order to improve how employees' culture and IS awareness affect ISM implementation. A qualitative approach using the case study method was applied to understand the problem. Twenty-two semi-structured interviews were conducted in the Middle Eastern Capital Market. The thematic data analysis revealed that Middle Eastern culture is a dominant factor influencing ISM and the security culture and awareness significantly impact ISM. This suggests that organisations should focus on security culture and, even more, on IS awareness to improve ISM. This research identifies several challenges in current security practices in the Middle Eastern Capital Market industry, including the lack of attention to cultural effects, generic SETA programs that do not consider specific industry needs, and a lack of connection between culture and awareness programs.