Abstract
This chapter discusses the importance of the wider organisational context that the network administrator needs to deal with, describing how organisational culture can affect the degree to which security can be successfully maintained. It starts with an acknowledgement of the general clusters of factors that affect security (technology, processes, organisational, and human), and focuses on the human element within these. The types of risk that arise from humans in the system are described, such as motivation, ability, and awareness (and lack of awareness). Errors and purposeful violations are compared, and individual, organisational, and latent risk factors are explained. The chapter's key focus is the role of organisational culture. A general description of culture and its application in organisations leads into a discussion of security culture. A comparison is made between safety and security culture. Similarities are listed as the impacts of regulatory influence, reputational damage, having multiple causes, and the fact that both are often driven by adverse events. Differences are examined. For example, the victim of a poor safety culture is often the perpetrator, whereas this is less often true in security violations. Intrinsic motivation and the impact of certain systems designs are further differences. Gaps in security culture research are noted as a lack of an accepted practical definition, a lack of an accepted way of measuring security culture that can be used outside narrow domains, a narrow focus on specific aspects of culture in research into engendering and enhancing security culture, and a lack of research relating security culture to organisational performance. A project to address some of these gaps by defining and measuring security culture is described. Qualitative and quantitative research was used to develop a questionnaire consisting of seven scales and fourteen sub-scales, each measuring a reliable and distinct factor. The content of these factors is noted, and a case study of the questionnaire's application to facilitate the development of security culture is outlined. Two key benefits result from the use of the questionnaire: diagnosis of aspects of security culture that may need improvement and benchmarking within (and between) organisations.