INFORMATION SECURITY CULTURE
FROM ANALYSIS TO CHANGE
Thomas Schlienger, Stephanie Teufel
iimt (international institute of management in telecommunications)
University of Fribourg
+41 26 300 84 28
+41 26 300 84 35
Université de Fribourg
Av. de Tivoli 3
Information Security Culture includes all socio-cultural measures that support technical security methods, so that information security becomes a natural aspect in the daily activity of every employee. To apply these socio-cultural measures in an effective and efficient way, certain management models and tools are needed. In our research we developed a framework for analyzing the security culture of an organization, which we then applied in a pre-evaluation survey. This paper is based on the results of this survey. We develop a management model for creating, changing and maintaining Information Security Culture. This model is then used to define explicit socio-cultural measures, based on the concept of internal marketing.
Keywords: information security culture, information security awareness, information security marketing, evaluation of information security culture, change and maintenance of information security culture
Schlienger, T. and S. Teufel (2003). Information Security Culture - From Analysis to Change. In: J. Eloff, H. Venter, L. Labuschagne and M. Eloff, Eds. Information Security South Africa - Proceedings of ISSA 2003, 3rd Annual Information Security South Africa Conference, 9-11 July 2003, Sandton Convention Center, Johannesburg, South Africa, ISSA: 183-195.
In our research on Information Security Culture, we developed a method-mix framework that we applied in our survey at the telecommunications company Orange Switzerland (Schlienger and Teufel 2003). This framework is discussed briefly and the main results of the survey are presented. We asked all employees how they understand the security policy of Orange Switzerland. The results clearly show that the security policy is known in general, but not supported in all points, neither by the employees nor by the management. They also show that the employees need extra security training and education. Security at Orange Switzerland is managed only on a technical and an organizational level. Socio-cultural aspects are missing. Methods to create, maintain and change the security culture are therefore needed.
Based on this insight, we develop an Information Security Culture management model in this paper. The life cycle of the security culture also has to be considered, since its different stages need different management methods. Radical management methods should be used to create or change culture, whereas more subtle methods are needed to maintain an appropriate culture. With the cultural management model and the results of the culture survey, we define an action plan to change and maintain security culture.
Information Security Culture is a part of the organizational culture. Before going on to discuss how to manage security culture, we give a short definition of organizational culture. From it, we deduce the concept of Information Security Culture. For a more detailed discussion of our Information Security Culture concept see (Schlienger and Teufel 2002).
1.1. Definition of Information Security Culture
Organizational culture defines how an employee sees the organization (Ulich 2001). It is a collective phenomenon that grows and changes over time and, to some extent, it can be influenced or even designed by the management.
Figure 1. The three Layers of Information Security Culture, see (Schein 1985). [Figure not reproduced in this extraction; legible layer labels: “Maxims, rules, prohibitions”; “Language, rituals, forms”; “Hidden and mostly …”; “Visible, but not yet …”; example statement: “The employees are our security assets.”]
The two core elements of organizational culture are basic assumptions and beliefs. Organizational culture is consequently expressed in the collective values, norms and knowledge of organizations. In turn, these collective norms and values affect the behaviour of the employees. Artefacts and creations such as handbooks, rituals and anecdotes are the expression of such norms and values. Ultimately, organizational culture has a crucial impact on corporate success (Rühli 1991). Organizational culture emerges and grows with time. It is formed by the behaviour of dominant organization members such as founders and top managers.
An organizational culture can have different subcultures based on suborganizations or functions. Information Security Culture is a subculture in regard to general corporate functions. It should support all activities so that information security becomes a natural aspect in the daily activities of every employee. The three layers of Information Security Culture and their interactions are illustrated in Figure 1.
2. MANAGING INFORMATION SECURITY CULTURE
Information Security Culture, like organizational culture, cannot be created once and then used indefinitely without further action or modification. To ensure that it corresponds with the targets of the organization and that the organizational members do not forget it, culture must be created, maintained or changed continuously. It is a never-ending process, a cycle of evaluation and change or maintenance. The first step is to analyze the actual Information Security Culture (pre-evaluation). If the culture does not fit with the organization’s targets, the culture must be changed. If it fits, it should be reinforced. The success of the actions taken must then be controlled (post-evaluation). This cycle is illustrated in Figure 2.
Figure 2. The Information Security Culture Management Cycle. [Figure not reproduced in this extraction; legible labels: “change / maintenance”, “need for improvement”, “check for improvement”]
Having a closer look at this cycle of Information Security Culture management, we can identify the following five phases, see also (Bruhn 1999):
1. Pre-evaluation
2. Strategic Planning
a. Definition of targets
b. Segmentation of organizational members
3. Operative Planning
a. Instruments of internal marketing
b. Instruments of human resources management
c. Instruments of organizational development
4. Implementation
5. Post-evaluation
This proposed process is very similar to the internal marketing concept. As in internal marketing, security culture management aims to promote certain values, corporate goals and philosophies within an organization. We want to “sell” information security awareness behaviour to our employees. The methods of internal marketing create competitive advantages by promoting and creating the understanding of and engagement with the corporate goals throughout the organization (Bruhn 1999;
In order for security culture to make a substantial contribution to the field of information security, it is necessary to have a set of methods for its study. Unfortunately, no unique toolset and method for the study of organizational, and therefore security, culture exists. Research is therefore still needed in this field. The researcher must solve two main questions:
1. What to analyze: according to the cultural model used, one could measure the collective values, norms and knowledge, or one could measure the cultural indicators, the artefacts. Basic assumptions cannot, a priori, be measured directly. Values can be officially stated, but do they then match the real, conscious or unconscious, values? Values with negative social sanctions are in that case not revealed but consciously hidden. We therefore differentiate between official and true values.
2. How to analyze: for the measurement of observable indicators, the social sciences often propose to analyze documents, to observe physical indicators and to interview an organization’s members. For the measurement of norms, values and beliefs, it is proposed to use narrative interviews, participative observations and group sessions.
A more detailed discussion of the evaluation items (what) and methods (how) can be found in (Schlienger and Teufel 2003). Bearing in mind the difficulty of comprehending culture at all, the use of a combination of measuring items and methods, as proposed among others by (Rühli 1991; Schreyögg 1999; Vecchio 2000), seems evident. This allows verification of the results with other methods and the use of different viewpoints in interpreting them. The researcher is then able to pick the appropriate methods, which help him/her assess the security culture in his/her organization. In our research we use the method-mix illustrated in Table 1.
Table 1. Items and Methods for evaluating Information Security Culture. [Table not reproduced in this extraction; legible cells: “Questionnaire”, “Group sessions”, “all levels of …”, “the Chief Security Officer”]
The concrete approach we use in our research project at Orange Switzerland (see also (Schlienger and Teufel 2003)) is named in the grey-shaded box. In our project we focus on the security attitude and perception of the employees, without specific analysis of information security management and concepts. Therefore, the main target of the questionnaire with its ten questions is to find out the following: Do the employees know what the security policy states and do they support it? We strictly followed the main points of the policy in our analysis. Each question has three sub-questions (see the example question in Table 2): a) individual attitude (true values), b) perception of the company’s attitude (official values: security policy) and c) best solution. This trichotomy gives interesting insights and reveals gaps between the individual’s and the company’s perception. It also has a didactic impact, since the user has to reflect upon the best solution.
Table 2. Example question
2. The computer and electronic communications systems should be used for Orange's business activities only.
   a) Personally I think, this is:                       True / False / I don’t know
   b) Orange regards this as:                            True / False / I don’t know
   c) If I were responsible, I would regard this as:     True / False / I don’t know
The whole process was supported by several unstructured interviews with the Chief Security Officer of Orange Switzerland, with whom we discussed the security policy and the findings of the survey. Audits to verify the given answers against the real behaviour are in the planning stage.
3.1. Need for Improvement
To identify the main gaps between the policy and the perception of the employees, we used statistical factor analysis to interpret the answers of the questionnaire. Factor analysis is used to reduce a given set of variables (in our case the 30 answers of the questionnaire) to a smaller independent set of factors (Bühl and Zöfel 2000). Our analysis identified 11 factors. 10 factors are identical to the 10 questions. One factor is new and includes 4 sub-questions concerning the official policy (sub-question b) in the fields of: encryption of confidential emails (question 6), security training (question 7), management buy-in (question 8) and role of security policy (question 9). In the descriptive analysis of the answers (see Figure 3), these four sub-questions were also identified as
Figure 3. Information Security Culture Radar
The results of the evaluation show that the security policy is known in general, but not supported in all points, neither by the employees nor by the management. They also show that the employees need extra security training and education. Security at Orange Switzerland is managed only on a technical and on an organizational level. Socio-cultural aspects are missing. Methods to create, maintain and change the security culture are therefore needed.
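The gap analysis behind the a/b/c trichotomy and the "need for improvement" reading of Figure 3 can be worked through in code. The following is an added example, not part of the paper or of the Orange Switzerland study: the respondents, the 50% threshold and the IT/business split are constructed for illustration, and only the question numbers and topics are taken from the text.

```python
"""Gap analysis over the a/b/c sub-questions of a security culture survey.

a) personal attitude (true values), b) perceived company attitude (official
values), c) best solution. Comparing the share of "True" answers across
a, b and c exposes the gaps between individual and company perception.
Constructed sample data; not the survey results reported in the paper.
"""

T, F, DK = "True", "False", "I don't know"

# Question numbers and topics as in the paper; labels 6 and 7 are short
# descriptions, not the questionnaire wording.
QUESTIONS = {
    2: "Computer and communication systems for Orange's business activities only",
    6: "Encryption of confidential emails",
    7: "Security training",
}


def _resp(segment, q2, q6, q7):
    """Build one constructed respondent from three-letter codes (a, b, c)."""
    code = {"T": T, "F": F, "D": DK}
    answers = {}
    for q, trip in zip((2, 6, 7), (q2, q6, q7)):
        for sub, ch in zip("abc", trip):
            answers[(q, sub)] = code[ch]
    return {"segment": segment, "answers": answers}


# Constructed respondents, segmented by function (IT vs. business).
SAMPLE_RESPONSES = [
    _resp("IT", "TTT", "TFT", "TFT"),
    _resp("IT", "TTT", "TDT", "TFT"),
    _resp("IT", "FTF", "TFT", "TTT"),
    _resp("business", "FTF", "FFT", "TFT"),
    _resp("business", "TTT", "DDD", "TDT"),
    _resp("business", "FTT", "FFT", "FFT"),
]


def support_rate(responses, question, sub):
    """Share of respondents answering "True". "I don't know" counts as
    non-support: a rule one is unaware of cannot guide behaviour."""
    if not responses:
        return 0.0
    hits = sum(1 for r in responses if r["answers"].get((question, sub)) == T)
    return hits / len(responses)


def gap_table(responses, questions=QUESTIONS):
    """Per question: support rates for a, b, c and the two gaps relative to
    the personal attitude (company vs. me, best solution vs. me)."""
    table = {}
    for q in questions:
        a, b, c = (support_rate(responses, q, s) for s in "abc")
        table[q] = {"a": a, "b": b, "c": c,
                    "perceived_minus_personal": b - a,
                    "ideal_minus_personal": c - a}
    return table


def needs_improvement(table, threshold=0.5):
    """Questions whose perceived official support (sub-question b) falls below
    the threshold: staff do not believe the company stands behind that point
    of the policy. The 0.5 threshold is an illustrative assumption."""
    return sorted(q for q, row in table.items() if row["b"] < threshold)


def segment_gap(responses, question, sub, left="IT", right="business"):
    """Support difference between two functional segments for one
    sub-question; a large value argues for segment-specific measures."""
    part = {s: [r for r in responses if r["segment"] == s] for s in (left, right)}
    return support_rate(part[left], question, sub) - support_rate(part[right], question, sub)


if __name__ == "__main__":
    table = gap_table(SAMPLE_RESPONSES)
    for q, row in table.items():
        print(f"Q{q} {QUESTIONS[q]}: a={row['a']:.2f} b={row['b']:.2f} "
              f"c={row['c']:.2f} gap(b-a)={row['perceived_minus_personal']:+.2f}")
    print("need for improvement (official policy):", needs_improvement(table))
    print(f"IT vs. business on Q2a: {segment_gap(SAMPLE_RESPONSES, 2, 'a'):+.2f}")
```

With the constructed data, questions 6 and 7 are flagged on sub-question b, which is the pattern the paper's factor analysis isolated as a separate "official policy" factor.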
4. STRATEGIC PLANNING
The evaluation stage revealed the actual culture and its problems. Depending on the target culture, specific actions must be taken to maintain or even change the culture. It must be considered that changing an existing culture needs more radical measures than maintaining an appropriate culture. Whereas an appropriate security culture can be maintained by a good awareness program, possibly in combination with the existing course program, in order to change a culture, all existing cultural measures must be reengineered.
4.1. Definition of Targets
Clear objectives for the development of an appropriate security culture must be set. In our project, the target security culture is defined by the security policy. It is the superior document for all measures concerning information security and defines the basics for security behaviour. Defining a target culture is not based on a pure top-down approach. A security policy should not be developed independently from real life. It depends on the actual corporate culture and the manifested work processes. A pre-evaluation may reveal the need to redesign the security policy first. In our research we found some weak points in the security policy that should have been eliminated prior to any other action. Only after this can the security policy be used as the superior security culture document.
4.2. Segmentation of Organizational Members
To be able to define the right cultural measures, it is essential to know which people one wishes to influence. A widely used approach is to define three groups (IT staff, managers and employees) and to implement special measures for each one. In our research, segmentation by function (IT vs. business) or position (employee vs. manager) revealed statistically significant differences that suggest the need to define special cultural measures for specific departments or management levels.
Another method used to segment an organization’s members is to apply statistical cluster analysis. Cluster analysis composes different groups so that the group members have attributes as similar as possible (Bühl and Zöfel 2000). In our case, the cluster analysis defined four different groups. According to their answer patterns we named them:
• “I’m happy”-Cluster: These people are happy with the security policy and seem to follow the defined rules (44% of answers).
• “Danger comes from outside”-Cluster: These people see all the dangers outside the company and do not care about what is happening within the company. Information security lies in the responsibility of the security staff, who have to protect the company from outside dangers (19% of answers).
• “Careless people”-Cluster: These people do not see any problem and consider security policies and rules as needless (4% of answers).
• “I’m unhappy”-Cluster: These people are unhappy with the actual policy and would like to have more security (32% of answers).
Clustering the people helps the security personnel a lot when choosing the appropriate instruments and defining the appropriate measures for the right target group.
5. OPERATIVE PLANNING
Comparing the actual with the target security culture, one can choose the right instruments to implement the target culture. Culture cannot be decreed by regulations; more subtle actions are possible and necessary. We want to discuss three exemplary main instruments. On the basis of internal communication, training, education and exemplary action of managers, a culture can be developed step by step. The aim of the cultural measures is to encourage security awareness among the management and employees. Increased awareness creates and supports a good security culture.
5.1. Internal Communication
Every cultural measure is based on the theory of internal communication, an instrument of corporate communication. Internal communication enables a company to share information, knowledge and motivation, to take up the dialog between top management and employees and to receive feedback. It creates acceptance and obtains commitment for the corporate targets and strategies (Bruhn 1999; Meier 2000). Internal communication has the following functions:
• Informational functions: to rule, coordinate and orientate
• Dialog functions: to orientate and contact
Two main forms of internal communication can also be identified; we add the most common instruments of each:
• Interpersonal communication: discussion between employee and employer, seminars, training and workshops
• Communication via media: corporate newspaper, intranet, guidelines and notice board
A good cultural program needs the right mixture of communication instruments. We now discuss some important instruments in more detail.
Before implementing a security training and awareness program, it is vital to convince the management of the importance of information security. The inherent problem of information security is that one cannot calculate the revenue of security investments. To be able to convince management despite this factor, (Haller 1990) proposes “risk dialogue”. Objective arguments, such as statistics or references, can help to convince management. Emotional argumentation including examples, comparisons or suggestions can also motivate management to support information security. Our “rational” decisions are often based on our feelings, even if we argue objectively (Braun 2001).
5.3. Security Awareness and Training Program
Training is one of the core elements to create security awareness. It is vital to implement the security policy. The Chief Security Officer is responsible for developing the appropriate training program and/or for implementing security elements in the existing IT training program. A security training and awareness program can be divided into three different parts, see e.g. (Tudor 2000; Horrocks 2001):
• Education: The employee must understand why information security is important for the organization. He/she must understand that everybody is responsible for security in his/her own sphere of influence. Education can be implemented e.g. with a special information security course. It can also be basic information security education in schools and universities, as proposed by (Horrocks 2001).
• Training: The employee has to know how he/she can operate securely. He/she must know how to use the security functions within the applications and in his/her own work process. Training on special security tools or features within applications must be offered.
• Awareness: Education and training are the basis for security programs. However, they do not guarantee conforming security behaviour in daily work life. Awareness measures outside of the classroom remind the employees of the lessons learnt. Items such as posters, mousepads and pens with security slogans help to make the security topic omnipresent. Incentive and suggestion systems encourage employees to participate. Controls, rules and penalties show the importance of information security.
The security awareness and training program leads from “become aware” to “stay aware” and ends up in “be aware”, which changes a security culture definitively.
The implementation of information security can be divided into the following four stages, illustrated in Figure 4.
Figure 4. The four Stages of Information Security Culture Implementation:
1. Commitment of the management
2. Communication with organizational members
3. Courses for all organizational members
4. Commitment of the employees
Stage one prepares the management on the topic of information security and obtains their commitment. Next, the understanding and acceptance of the topic must be obtained from all employees. Open dialogue and discussion between management and employees are important in this stage. In stage three, the organizational members are trained and educated. The last stage leads to a lasting change of security culture; it includes omnipresent awareness campaigns and specific security rules. These four processes run in parallel, with slightly different starting times.
To implement Information Security Culture, we can use the well-known four P’s of the marketing mix, see e.g. (Purtschert 2001; Kotler 2003). These P’s define four instruments which help to design the relationship between the different players and simultaneously change the behaviour of the target group. We briefly discuss the four P’s and give some examples of how they could be used for Information Security Culture management.
The “product” we want to sell is information security. This product must have a specific quality and packaging to gain the attention of the employees. Security tools must have high usability, and policies, manuals and courses must be attractive and motivating.
We do not understand price as real costs, but as the psychological expenditure of learning new tools and processes. This expenditure can be very high, because organizational members have to learn new behaviour without receiving a direct return. The organization has to introduce appropriate incentive systems to lower the “price” of security.
Place defines the distribution channels and the distribution organization. The organization defines who implements the security culture measures: internal or external specialists? This question depends on the internal know-how and resources. The organization also defines the cooperation of departments such as IT, marketing and human resources. The distribution channel defines whether the organization uses direct or indirect channels. Training and education by the chief security officer himself is a direct channel. Whereas involvement of the individual department managers is an
Promotion defines the different ways that could be used to communicate information security, as we have already discussed in section 5. Which media do we use to communicate the message of information security? It is also indispensable to create a specific security logo and slogan that will be used in every security context.
The research work presented in this paper defines a model for managing Information Security Culture and an action plan that helps to change and maintain Information Security Culture in an organization. The model is based on the results of a pre-evaluation Information Security Culture survey at the telecommunications company Orange Switzerland and on the theory of internal marketing. We discussed the five main phases: pre-evaluation, strategic planning, operative planning, implementation and post-evaluation. The implementation phase can be separated into the four different stages of management commitment, internal communication, know-how transfer and employee commitment. The four marketing P’s product, price, place and promotion help to design these stages opera-
Whereas the evaluation phase has already been conducted successfully, implementation of security culture measures has not yet been carried out. Practical experience has to show whether the proposed method can change or maintain an appropriate Information Security Culture.
We thank Mr. Daniel Hallen from Orange Switzerland for his ongoing cooperation in our Information Security Culture project. We also thank the students of the course “Management in telecommunications 2003” for their valuable contribution: Arnold Natalie, Borter Patrick, Corabianu Dinu, Fraser André, Giger Dominic, Krieger Manuel, Künzli Josef, Sieber Karin, Unterberger Claudius.
Braun, R. (2001). Die Macht der Rhetorik: besser reden - mehr erreichen. Frankfurt, C. Ueberreuter.
Bruhn, M. (1999). Internes Marketing als Forschungsgebiet der Marketingwissenschaft. Eine Einführung in die theoretischen und praktischen Probleme. In: M. Bruhn, Ed. Internes Marketing: Integration der Kunden- und Mitarbeiterorientierung. Grundlagen - Implementierung - Praxisbeispiele. Wiesbaden, Gabler. 2. Auflage: 15-44.
Bühl, A. and P. Zöfel (2000). SPSS Version 10. München, Addison-Wesley.
Haller, M. (1990). Risikodialog. In: R. Königswieser and C. Lutz, Eds. Das systemisch-evolutionäre Management. Wien, Orac-Verlag.
Horrocks, I. (2001). "Security Training: Education For an Emerging Profession?" Computers & Security 20(3): 219-226.
Kotler, P. (2003). Marketing management. Upper Saddle River, N.J., Prentice Hall.
Meier, P. (2000). Interne Kommunikation von Unternehmen: theoretische und empirische Aspekte zur Organisation und Sprache der Internen Kommunikation grosser Unternehmen in der Schweiz.
Purtschert, R. (2001). Marketing für Verbände und weitere Nonprofit-Organisationen. Bern, Haupt.
Rühli, E. (1991). Unternehmungskultur - Konzepte und Methoden. In: E. Rühli and A. Keller, Eds. Kulturmanagement in schweizerischen Industrieunternehmungen. Bern und Stuttgart, Paul Haupt.
Schein, E. H. (1985). Organizational Culture and Leadership: A Dynamic View. San Francisco.
Schlienger, T. and S. Teufel (2002). Information Security Culture - The Socio-Cultural Dimension in Information Security Management. In: M. A. Ghonaimy, M. T. El-Hadidi and H. K. Aslan, Eds. Security in the information society: visions and perspectives. IFIP TC11 International Conference on Information Security (Sec2002), Cairo, Egypt, Kluwer Academic Publishers.
Schlienger, T. and S. Teufel (2003). Analyzing Information Security Culture: Increasing Trust by an Appropriate Information Security Culture. Unpublished, accepted for the TrustBus'03 workshop in conjunction with the 14th International Conference on Database and Expert Systems Applications (DEXA 2003).
Schreyögg, G. (1999). Organisation: Grundlagen moderner Organisationsgestaltung. Wiesbaden.
Tudor, J. K. (2000). Information security architecture. Boca Raton, FL, Auerbach.
Ulich, E. (2001). Arbeitspsychologie. Zürich, vdf, Hochschulverlag an der ETH Zürich.
Vecchio, R. P. (2000). Organizational behavior: core concepts. Fort Worth, Dryden Press.