The mass application of information and communication technologies (ICT) has facilitated the functioning of organizations, but has also increased their vulnerability and conditioned the development of the information security function. Attacks on ICT systems involve people as potential targets of vulnerability, highlighting the importance of paying close attention to an employee's behavior in interactions with elements of the ICT system and its environment, as well as developing an information security culture (ISC) as an integrative component of organizational culture and an important factor in the organization's information security. The paper attempts to set a comprehensive concept of ISC based on the unity of knowledge, perceptions, beliefs and attitudes of employees and their coordinated actions in the application of security measures, which emphasize the role of the organization and its management in creating, building and maintaining ISC. The focus of determining ISC is on understanding and applying information security policy measures, but it also includes the behavior of employees in situations that are not or could not be predicted, when employees are expected to protect the information assets of the organization. The paper identifies the most important external factors that are mostly objective, determined by the situation in the country in which the organization operates and contained in the elements of general social (national) culture and country's economic and technological development. As a specific impact on ISC, the activities of malicious individuals, groups and organizations in cyberspace - stand out, manifested through threats and endangerment to the integrity of the ICT system. Internal factors are mostly subjective and dependent on general organization; the knowledge, vision and actions of management in the field of information security; individual characteristics of people, their values, needs, knowledge, understanding and application of information security policy measures. Among the factors, the highest level of management stands out for its role and importance due to the greatest responsibility for organization's information security, but also as the creator of its strategy and policy, the holder of resource engagement policy, shaper of professional security teams, decisionmaker on hardware and software protection, and supporter, creator and implementer of programs for ISC level raising.
Read full abstract