INFORMATION SECURITY CULTURE
FROM ANALYSIS TO CHANGE
Thomas Schlienger, Stephanie Teufel
iimt (international institute of management in telecommunications)
University of Fribourg
thomas.schlienger@unifr.ch
+41 26 300 84 28
stephanie.teufel@unifr.ch
+41 26 300 84 35
iimt
Université de Fribourg
Av. de Tivoli 3
CH-1700 Fribourg
ABSTRACT
Information Security Culture includes all socio-cultural measures that support technical security
methods, so that information security becomes a natural aspect in the daily activity of every em-
ployee. To apply these socio-cultural measures in an effective and efficient way, certain manage-
ment models and tools are needed. In our research we developed a framework analyzing the secu-
rity culture of an organization which we then applied in a pre-evaluation survey. This paper is based
on the results of this survey. We will develop a management model for creating, changing and
maintaining Information Security Culture. This model will then be used to define explicit socio-
cultural measures, based on the concept of internal marketing.
KEY WORDS
information security culture, information security awareness, information security marketing,
evaluation of information security culture, change and maintenance of information security culture
Schlienger, T. and S. Teufel (2003). Information Security Culture - From Analysis to Change. In: J. Eloff,
H. Venter, L. Labuschagne and M. Eloff, Eds. Information Security South Africa - Proceedings of ISSA
2003, 3rd Annual Information Security South Africa Conference, 9-11 July 2003, Sandton Convention
Center, Johannesburg, South Africa, ISSA: 183-195.
1. INTRODUCTION
In our research on Information Security Culture, we developed a method-mix framework that we
applied in our survey at the telecommunications company Orange Switzerland (Schlienger and Teufel
2003). This framework will be discussed briefly and the main results of the survey will be presented.
We asked all employees how they understand the security policy of Orange Switzerland. The results
clearly show that the security policy is known in general, but not supported in all points, neither by
the employees nor by the management. They also show that the employees need extra security
training and education. Security at Orange Switzerland is managed only on a technical and an
organizational level; socio-cultural aspects are missing. Methods to create, maintain and change the
security culture are therefore needed.
Based on this insight, we will develop an Information Security Culture management model in this
paper. Also, the life cycle of the security culture has to be considered, since its different stages need
different management methods. Radical management methods should be used to create or change
culture, whereas more subtle methods are needed to maintain an appropriate culture. With the cul-
tural management model and the results of the culture survey, we will define an action plan to
change and maintain security culture.
Information Security Culture is a part of the organizational culture. Before going on in the discus-
sion of how to manage security culture, we give a short definition of organizational culture. From it,
we deduce the concept of Information Security Culture. For a more detailed discussion of our In-
formation Security Culture concept see (Schlienger and Teufel 2002).
1.1. Definition of Information Security Culture
Organizational culture defines how an employee sees the organization (Ulich 2001). It is a collec-
tive phenomenon that grows and changes over time and, to some extent, it can be influenced or
even designed by the management.
Figure 1. The three layers of Information Security Culture, after (Schein 1985). Content of the figure:
Basic assumptions and beliefs (hidden and mostly unconscious). Example: "The employees are our
security assets."
Collective values, norms and knowledge (maxims, rules, prohibitions; partially visible and conscious).
Example: "Security aware employees increase the organization's security."
Artefacts and creations (language, rituals, forms, technology, art, behaviour patterns; visible, but not
yet interpreted). Example: "Every employee participates yearly in a security awareness course."
The two core elements of organizational culture are basic assumptions and beliefs. Organizational
culture is consequently expressed in the collective values, norms and knowledge of organizations.
In turn, these collective norms and values affect the behaviour of the employees. Artefacts and crea-
tions such as handbooks, rituals and anecdotes are the expression of such norms and values. Ulti-
mately, organizational culture has a crucial impact on corporate success (Rühli 1991). Organiza-
tional culture emerges and grows with time. It is formed by the behaviour of dominant organization
members such as founders and top managers.
An organizational culture can have different subcultures based on suborganizations or functions.
Information Security Culture is a subculture in regard to general corporate functions. It should sup-
port all activities so that information security becomes a natural aspect in the daily activities of
every employee. The three layers of Information Security Culture and their interactions are illus-
trated in Figure 1.
2. MANAGING INFORMATION SECURITY CULTURE
Information Security Culture, like organizational culture, cannot be created once and then used in-
definitely without further action or modification. To ensure that it corresponds with the targets of
the organization and that the organizational members do not forget it, culture must be created, main-
tained or changed continuously. It is a never ending process, a cycle of evaluation and change or
maintenance. The first step is to analyze the actual Information Security Culture (pre-evaluation). If
the culture does not fit with the organization’s targets the culture must be changed. If it fits, it
should be reinforced. The success of the actions taken must then be controlled (post-evaluation).
This cycle is illustrated in Figure 2.
Figure 2. The Information Security Culture Management Cycle (cycle diagram: evaluation, then
need for improvement, then change / maintenance, then check for improvement, back to evaluation)
Having a closer look at this cycle of Information Security Culture management, we can identify the
following five phases, see also (Bruhn 1999):
1. Pre-Evaluation
2. Strategic Planning
a. Definition of targets
b. Segmentation of organizational members
3. Operative Planning
a. Instruments of internal marketing
b. Instruments of human resources management
c. Instruments of organizational development
4. Implementation
5. Post-Evaluation
This proposed process is very similar to the internal marketing concept. As in internal marketing,
security culture management aims to promote certain values, corporate goals and philosophies
within an organization. We want to “sell” information security awareness behaviour to our employ-
ees. The methods of internal marketing create advantages in competition by promoting and creating
the understanding and engagement of the corporate goals throughout the organization (Bruhn 1999;
Purtschert 2001).
3. EVALUATION
In order for security culture to make a substantial contribution to the field of information security, a
set of methods for its study is needed. Unfortunately, no single toolset and method for the study of
organizational, and therefore security, culture exists, so research is still needed in this field. The
researcher must answer two main questions:
1. What to analyze: depending on the cultural model used, one can measure the collective values,
norms and knowledge, or one can measure the cultural indicators, the artefacts. Basic assumptions
cannot be measured directly. Values can be officially stated, but do they then match the real,
conscious or unconscious, values? Values that carry negative social sanctions are in that case not
revealed but consciously hidden. We therefore differentiate between official and true values.
2. How to analyze: for the measurement of observable indicators, the social sciences usually propose
analyzing documents, observing physical indicators and interviewing an organization's members. For
the measurement of norms, values and beliefs, narrative interviews, participative observation and
group sessions are proposed.
A more detailed discussion of the evaluation items (what) and methods (how) can be found in
(Schlienger and Teufel 2003). Given the difficulty of comprehending culture at all, a combination of
measuring items and methods, as proposed among others by (Rühli 1991; Schreyögg 1999; Vecchio
2000), is advisable. This allows verification of the results with other methods and the use of different
viewpoints in interpreting them. The researcher can then pick the methods that help him/her assess
the security culture in his/her organization. In our research we use the method-mix illustrated in
Table 1.
Table 1. Items and Methods for evaluating Information Security Culture
Methods (columns): analysis of documents; questionnaire; group session; interview; observation.
Items (rows): artefacts; official values; true values.
Cells used in our project:
Artefacts / Observation: audit
Official values / Analysis of documents: analysis of the security policy
True values / Questionnaire: questioning all levels of employees
True values / Interview: interview with the Chief Security Officer (CSO)
The concrete approach we use in our research project at Orange Switzerland (see also (Schlienger
and Teufel 2003)) is the one named in the cells of Table 1. In our project we focus on the security
attitude and perception of the employees, without specific analysis of information security
management and concepts. The main target of the questionnaire with its ten questions is therefore to
find out the following: do the employees know what the security policy states, and do they support it?
We strictly followed the main points of the policy in our analysis. Each question has three
sub-questions (see the example question in Table 2): a) individual attitude (true values), b) perception
of the company's attitude (official values: security policy) and c) best solution. This trichotomy gives
interesting insights and reveals gaps between the individual's and the company's perception. It also
has a didactic effect, since the respondent has to reflect upon the best solution.
Table 2. Example question
2 The computer and electronic communications systems should be used for Or-
ange's business activities only.
a) Personally I think, this is True False I don’t know
b) Orange regards this as True False I don’t know
c) If I were responsible, I would regard this as True False I don’t know
The whole process was supported by several unstructured interviews with the Chief Security Offi-
cer of Orange Switzerland, with whom we discussed the security policy and the findings of the sur-
vey. Audits to verify the given answers and the real behaviour are in the planning stage.
3.1. Need for Improvement
To identify the main gaps between the policy and the perception of the employees, we used factor
analysis to interpret the answers of the questionnaire. Factor analysis reduces a given set of variables
(in our case the 30 answers of the questionnaire) to a smaller set of independent factors (Bühl and
Zöfel 2000). Our analysis identified 11 factors. 10 factors are identical to the 10 questions. One factor
is new and includes 4 sub-questions concerning the official policy (sub-question b) in the fields of
encryption of confidential emails (question 6), security training (question 7), management buy-in
(question 8) and role of the security policy (question 9). In the descriptive analysis of the answers
(see Figure 3), these four sub-questions were also identified as the main problems.
Figure 3. Information Security Culture Radar (radar plot; scale 0% to 100%; one spoke per question,
Question 1 to Question 10; three series: a, b, c)
The results of the evaluation show that the security policy is known in general, but not supported in
all points, neither by the employees nor by the management. It also shows that the employees need
extra security training and education. Security at Orange Switzerland is managed only on a techni-
cal and on an organizational level. Socio-cultural aspects are missing. Methods to create, maintain
and to change the security culture are therefore needed.
4. STRATEGIC PLANNING
The evaluation stage revealed the actual culture and its problems. Depending on the target culture,
specific actions must be taken to maintain or even change the culture. It must be considered that
changing an existing culture needs more radical measures than maintaining an appropriate culture.
Whereas an appropriate security culture can be maintained by a good awareness-program, possibly
in combination with the existing course-program, in order to change a culture, all existing cultural
measures must be reengineered.
4.1. Targets
Clear objectives for the development of an appropriate security culture must be set. In our project,
the target security culture is defined by the security policy. It is the superior document for all
measures concerning information security and defines the basics of security behaviour. Defining a
target culture is nevertheless not a purely top-down exercise. A security policy should not be
developed independently of real life; it depends on the actual corporate culture and the established
work processes. A pre-evaluation may therefore reveal the need to redesign the security policy first.
In our research we found some weak points in the security policy that should be eliminated prior to
any other action. Only then can the security policy be used as the superior security culture document.
4.2. Segmentation of Organizational Members
To be able to define the right cultural measures, it is essential to know which people one wishes to
influence. A widely used approach is to define three groups, IT staff, managers and employees, and
to implement special measures for each one. In our research, segmentation by function (IT vs.
business) or position (employee vs. manager) revealed statistically significant differences that suggest
the need to define special cultural measures for specific departments or management levels.
Another method of segmenting an organization's members is statistical cluster analysis. Cluster
analysis forms groups such that the members of a group have attributes as similar as possible (Bühl
and Zöfel 2000). In our case, the cluster analysis yielded four different groups. According to their
answer patterns we named them:
"I'm happy" cluster: these people are happy with the security policy and seem to follow the defined
rules (44% of respondents).
"Danger comes from outside" cluster: these people see all dangers outside the company and do not
care about what is happening within the company. Information security is the responsibility of the
security staff, who have to protect the company from outside dangers (19% of respondents).
"Careless people" cluster: these people do not see any problem and consider security policies and
rules needless (4% of respondents).
"I'm unhappy" cluster: these people are unhappy with the actual policy and would like to have more
security (32% of respondents).
Clustering the respondents helps the security personnel considerably when choosing the appropriate
instruments and defining the appropriate measures for the right target group.
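The following script is an added example, not code from the paper or from the Orange Switzerland project. It shows how the trichotomy questionnaire of section 3 (sub-questions a, b and c per question, answered True / False / I don't know) can be scored into the per-question rates behind the radar of Figure 3, how the gap between personal attitude (a) and perceived policy (b) is separated from plain ignorance of the policy (share of "I don't know" on b), and how the same rates are split by a segment attribute as in the function-based segmentation of section 4.2. The sample responses, the three-question reduction, the `segment` attribute and the 50% "policy unknown" threshold are all constructed assumptions; the cluster analysis of the paper is not reproduced here.

```python
"""Scoring a trichotomy security-culture questionnaire (added example).

Each respondent answers, per question, three sub-questions as in Table 2:
a) personal attitude, b) perceived company attitude (the policy), c) what the
respondent would decide if responsible. Answers are encoded "T" (True),
"F" (False) or "?" (I don't know).
"""
from collections import defaultdict

PARTS = {"a": 0, "b": 1, "c": 2}
VALID = {"T", "F", "?"}

# Constructed sample data (hypothetical): 6 respondents, 3 questions. The real
# survey had 10 questions; the "segment" attribute (IT vs business) is assumed.
SAMPLE = [
    {"segment": "IT",       "answers": {1: ("T", "T", "T"), 2: ("T", "T", "T"), 3: ("F", "?", "T")}},
    {"segment": "IT",       "answers": {1: ("T", "T", "T"), 2: ("F", "T", "T"), 3: ("T", "?", "T")}},
    {"segment": "IT",       "answers": {1: ("T", "T", "T"), 2: ("T", "F", "T"), 3: ("T", "T", "T")}},
    {"segment": "business", "answers": {1: ("T", "T", "T"), 2: ("F", "T", "F"), 3: ("F", "?", "F")}},
    {"segment": "business", "answers": {1: ("T", "?", "T"), 2: ("F", "T", "F"), 3: ("T", "?", "T")}},
    {"segment": "business", "answers": {1: ("F", "T", "T"), 2: ("F", "T", "T"), 3: ("F", "?", "T")}},
]


def validate(responses):
    """Reject malformed records before they silently skew the rates."""
    for i, resp in enumerate(responses):
        for q, triple in resp["answers"].items():
            if len(triple) != 3 or any(v not in VALID for v in triple):
                raise ValueError(f"respondent {i}, question {q}: bad answers {triple!r}")
    return True


def share(responses, question, part, value):
    """Fraction of respondents giving `value` on sub-question `part` of `question`."""
    idx = PARTS[part]
    hits = sum(1 for r in responses if r["answers"][question][idx] == value)
    return hits / len(responses)


def radar(responses, questions):
    """Per question, the share of 'True' on a, b and c (the data behind a radar plot)."""
    return {q: {p: share(responses, q, p, "T") for p in PARTS} for q in questions}


def gaps(responses, questions, unknown_threshold=0.5):
    """Rank questions by the distance between personal attitude (a) and perceived policy (b).

    A large gap can mean disagreement with the policy, or simply that the policy
    is not known. The share of "I don't know" on (b) separates the two cases, so
    each row carries it plus a flag when it reaches `unknown_threshold` (assumed).
    """
    rows = []
    for q in questions:
        gap = abs(share(responses, q, "a", "T") - share(responses, q, "b", "T"))
        unknown = share(responses, q, "b", "?")
        rows.append({"question": q, "gap": gap, "policy_unknown": unknown,
                     "needs_communication": unknown >= unknown_threshold})
    return sorted(rows, key=lambda r: r["gap"], reverse=True)


def by_segment(responses, questions, key="segment"):
    """The same radar rates, split by a respondent attribute (e.g. IT vs business)."""
    groups = defaultdict(list)
    for r in responses:
        groups[r[key]].append(r)
    return {seg: radar(rs, questions) for seg, rs in groups.items()}


if __name__ == "__main__":
    validate(SAMPLE)
    qs = sorted({q for r in SAMPLE for q in r["answers"]})
    for row in gaps(SAMPLE, qs):
        print(row)
    for seg, rates in by_segment(SAMPLE, qs).items():
        print(seg, rates)
```

On the sample, question 2 has the largest a/b gap with the policy well known (a disagreement to be addressed in the policy or by management), while question 3 shows a gap that mostly reflects respondents not knowing what the policy says, which calls for communication rather than policy change. Ranking both together, as a single radar would, hides that distinction.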
5. OPERATIVE PLANNING
Comparing the actual with the target security culture, one can choose the right instruments to im-
plement the target culture. Culture cannot be decreed by regulations; more subtle actions are possi-
ble and necessary. We want to discuss three exemplary main instruments. On the basis of internal
communication, training, education and exemplary action of managers, a culture can be developed
step by step. The aim of the cultural measures is to encourage security awareness among the man-
agement and employees. Increased awareness creates and supports a good security culture.
5.1. Internal Communication
Every cultural measure is based on the theory of internal communication, an instrument of corpo-
rate communication. Internal communication enables a company to share information, knowledge
and motivation, to take up the dialog between top management and employees and to receive feed-
back. It creates acceptance and obtains commitment for the corporate targets and strategies (Bruhn
1999; Meier 2000). Internal communication has the following functions:
Informational functions: to rule, coordinate and orientate
Dialog functions: to orientate and contact
Also two main forms of internal communication can be identified; we added the most common in-
struments of each:
Interpersonal communication: discussion between employee and employer, seminars,
training and workshops
Communication via medias: corporate newspaper, intranet, guidelines and black board
A good cultural program needs the right mixture of communication instruments. We will now dis-
cuss some important instruments in more detail.
5.2. Management-Buy-In
Before implementing a security training and awareness program, it is vital to convince the man-
agement of the importance of information security. The inherent problem of information security is
that one cannot calculate the revenue of security investments. To be able to convince management
despite this factor, (Haller 1990) proposes “risk dialogue”. Objective arguments, such as statistics
or references, can help to convince management. Emotional argumentation including examples,
comparisons or suggestions can also motivate management to support information security. Our
“rational” decisions are often based on our feelings, even if we argue objectively (Braun 2001).
5.3. Security Awareness and Training Program
Training is one of the core elements in creating security awareness and is vital to implementing the
security policy. The Chief Security Officer is responsible for developing the appropriate training
program and/or for integrating security elements into the existing IT training program. A security
training and awareness program can be divided into three parts, see e.g. (Tudor 2000; Horrocks 2001):
Education: the employee must understand why information security is important for the organization
and that everybody is responsible for security in his/her own sphere of influence. Education can be
implemented e.g. with a special information security course. It can also be basic information security
education in schools and universities, as proposed by (Horrocks 2001).
Training: the employee has to know how he/she can operate securely, i.e. how to use the security
functions within the applications and in his/her own work process. Training on special security tools
or features within applications must be offered.
Awareness: education and training are the basis of security programs, but they do not guarantee
conforming security behaviour in daily work life. Awareness measures outside the classroom remind
the employees of the lessons learnt. Items such as posters, mouse pads and pens with security slogans
help to make the security topic omnipresent. Incentive and suggestion systems encourage employees
to participate. Controls, rules and penalties show the importance of information security.
The security awareness and training program leads from "become aware" to "stay aware" and ends in
"be aware", which changes a security culture lastingly.
6. IMPLEMENTATION
The implementation of Information Security Culture can be divided into the following four stages,
illustrated in Figure 4.
Stage 1: Commitment of the management
Stage 2: Communication with organizational members
Stage 3: Courses for all organizational members
Stage 4: Commitment of the employees
Figure 4. The four Stages of Information Security Culture Implementation
Stage one prepares the management on the topic of information security and obtains their
commitment. Next, understanding and acceptance of the topic must be obtained from all employees;
open dialogue and discussion between management and employees are important in this stage. In
stage three the organizational members are trained and educated. The last stage leads to a lasting
change of security culture; it includes omnipresent awareness campaigns and specific security rules.
The four stages run in parallel, with slightly different starting times.
To implement Information Security Culture, we can use the well known four P’s of the marketing-
mix, see e.g. (Purtschert 2001; Kotler 2003). These P’s define four instruments which help to de-
sign the relationship between the different players and simultaneously change the behaviour of the
target group. We briefly discuss the four P’s and give some examples of how they could be used for
Information Security Culture management.
6.1. Product
The “product” we want to sell is information security. This product must have a specific quality and
packaging to gain the attention of the employees: security tools must be highly usable, and policies,
manuals and courses must be attractive and motivating.
6.2. Price
We do not understand price as real costs, but the psychological expenditure to learn new tools and
processes. This expenditure can be very high, because organizational members have to learn new
behaviour without receiving a direct return. The organization has to introduce appropriate incentive
systems to lower the “price” of security.
6.3. Place
Place defines the distribution channels and the distribution organization. The organization decides
who implements the security culture measures, internal or external specialists; this depends on the
internal know-how and resources. The organization also defines the cooperation of departments such
as IT, marketing and human resources. The distribution channel defines whether the organization uses
direct or indirect channels: training and education by the Chief Security Officer himself is a direct
channel, whereas involvement of the individual department managers is an indirect channel.
6.4. Promotion
Promotion defines the different ways that could be used to communicate information security, as
we have already discussed in section 5. Which media do we use to communicate the message of
information security? It is also indispensable to create a specific security logo and slogan that will
be used in every security context.
7. SUMMARY
The research work presented in this paper defines a model for managing Information Security Cul-
ture and an action plan that helps to change and maintain Information Security Culture in an organi-
zation. The model is based on the results of a pre-evaluation Information Security Culture survey at
the telecommunications company Orange Switzerland and on the theory of internal marketing. We
discussed the five main phases: pre-evaluation, strategic planning, operative planning, implementa-
tion and post-evaluation. The implementation phase can be separated into the four different stages
of management commitment, internal communication, know-how transfer and employee commit-
ment. The four marketing P’s product, price, place and promotion help to design these stages opera-
tively.
Whereas the evaluation phase has already been conducted successfully, implementation of security
culture measures has not yet been carried out. Practical experience has to show if the proposed
method can change or maintain an appropriate Information Security Culture.
8. ACKNOWLEDGEMENT
We thank Mr. Daniel Hallen from Orange Switzerland for his ongoing cooperation in our Informa-
tion Security Culture project. We also thank the students of the course “Management in telecom-
munications 2003” for their valuable contribution: Arnold Natalie, Borter Patrick, Corabianu Dinu,
Fraser André, Giger Dominic, Krieger Manuel, Künzli Josef, Sieber Karin, Unterberger Claudius.
BIBLIOGRAPHY
Braun, R. (2001). Die Macht der Rhetorik: besser reden - mehr erreichen. Frankfurt, C. Ueberreuter.
Bruhn, M. (1999). Internes Marketing als Forschungsgebiet der Marketingwissenschaft. Eine Ein-
führung in die theoretischen und praktischen Probleme. In: M. Bruhn, Ed. Internes Marketing: Inte-
gration der Kunden- und Mitarbeiterorientierung. Grundlagen - Implementierung - Praxisbeispiele.
Wiesbaden, Gabler. 2. Auflage: 15-44.
Bühl, A. and P. Zöfel (2000). SPSS Version 10. München, Addison-Wesley.
Haller, M. (1990). Risikodialog. In: R. Königswieser and C. Lutz, Eds. Das systemisch-
evolutionäre Management. Wien, Orac-Verlag.
Horrocks, I. (2001). "Security Training: Education For an Emerging Profession?" Computers & Se-
curity 20(3): 219-226.
Kotler, P. (2003). Marketing management. Upper Saddle River, N.J, Prentice Hall.
Meier, P. (2000). Interne Kommunikation von Unternehmen: theoretische und empirische Aspekte
zur Organisation und Sprache der Internen Kommunikation grosser Unternehmen in der Schweiz.
Zürich.
Purtschert, R. (2001). Marketing für Verbände und weitere Nonprofit-Organisationen. Bern, Haupt.
Rühli, E. (1991). Unternehmungskultur - Konzepte und Methoden. In: E. Rühli and A. Keller, Eds.
Kulturmanagement in schweizerischen Industrieunternehmungen. Bern und Stuttgart, Paul Haupt
Verlag: 11-49.
Schein, E. H. (1985). Organizational Culture and Leadership: A Dynamic View. San Francisco,
Jossey-Bass.
Schlienger, T. and S. Teufel (2002). Information Security Culture - The Socio-Cultural Dimension
in Information Security Management. In: M. A. Ghonaimy, M. T. El-Hadidi and H. K. Aslan, Eds.
Security in the information society: visions and perspectives. IFIP TC11 International Conference
on Information Security (Sec2002), Cairo, Egypt, Kluwer Academic Publishers.
Schlienger, T. and S. Teufel (2003). Analyzing Information Security Culture: Increasing Trust by
an Appropriate Information Security Culture. unpublished, accepted on the TrustBus'03 workshop
in conjunction with the 14th International Conference on Database and Expert Systems Applica-
tions (DEXA 2003).
Schreyögg, G. (1999). Organisation: Grundlagen moderner Organisationsgestaltung. Wiesbaden,
Gabler Verlag.
Tudor, J. K. (2000). Information security architecture. Boca Raton, FL, Auerbach.
Ulich, E. (2001). Arbeitspsychologie. Zürich, vdf, Hochschulverlag an der ETH Zürich.
Vecchio, R. P. (2000). Organizational behavior : core concepts. Fort Worth, Dryden Press.
... Cette communication propose un modèle théorique qui doit permettre d'évaluer la maturité de la culture SSI d'une PME. Ce modèle est construit en se basant sur la théorie des trois niveaux de la culture sécurité de Schlienger et Teufel (2003) adapté de Schein (1985. Dans cette communication nous présentons également notre méthode de recherche et les cas prévus. ...
... Une autre définition est celle proposée par Schlienger et Teufel, (2003) : « La culture de sécurité englobe toutes les mesures socioculturelles qui soutiennent les mesures de sécurité techniques, de sorte que la sécurité de l'information devient un aspect naturel des activités quotidiennes de chaque employé ». Pour Dhillon (1997) il définit que la culture de sécurité est le comportement dans une organisation qui contribue à la protection des données, des informations et des connaissances. ...
... La plupart des auteurs, qui ont tenté à définir le concept de la CSI se sont donc basés sur la culture organisationnelle. Selon Schlienger et Teufel (2003) et Van Niekerk et Von Solms (2005), la culture de la sécurité de l'information est une sous-culture de la culture organisationnelle. Ils font référence aux comportements dans une organisation lorsque les employés traitent les informations. ...
Conference Paper
Full-text available
En 2019 selon une enquête du CPME 1 41 % des entreprises interrogées de 0 à 9 salariés et 44% des entreprises de 9 à 49 salariés ont déjà subi une ou plusieurs attaques ou tentatives d'attaques informatiques. En ayant une culture sécurité des systèmes d'information (CSSI) efficace où les employés protègent les actifs informationnels, les petites et moyennes entreprises (PME) pourraient améliorer la sécurité de leurs systèmes d'information (Dojkovski et Al 2007). Cependant, les recherches antérieures ont largement ignoré le développement d'une telle culture pour les PME. L'objectif de cette recherche est de répondre à la question : « Comment évaluer la maturité de la culture sécurité des SI dans les PME ». Cette communication propose un modèle théorique qui doit permettre d'évaluer la maturité de la culture SSI d'une PME. Ce modèle est construit en se basant sur la théorie des trois niveaux de la culture sécurité de Schlienger et Teufel (2003) adapté de Schein (1985). Dans cette communication nous présentons également notre méthode de recherche et les cas prévus. Par la suite ce modèle fera l'objet d'une validation par des études de cas.
... According to Schlienger and Teufel (2003), information security culture is a vital part of an organization's culture. AlHogail and Mirza (2014, p. 2) defined ISC as, "the collection of perceptions, attitudes, values, assumptions and knowledge that guides how things are done in an organization to be consistent with the information security requirements with the aim of protecting the information assets and influencing employees' security behaviour in a way that preserving the information security becomes a second nature". ...
... ISC comprises all socio-cultural measures which act as a base for technical security methods. This, in turn, makes information security a natural part of employees' daily routine (Schlienger and Teufel, 2003). Masrek et al. (2018) described ISC as a situation where employees not only have awareness and the skills needed for information security but are also well versed in the processes and procedures which ensure information security. ...
... In addition to this, Schlienger and Teufel (2003), found that increased ISA helped to create a good ISC. Findings by Glaspie and Karwowski (2018) further confirmed that ISA leads to ISC. ...
Article
Purpose The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees. Design/methodology/approach A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3. Findings Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture. Research limitations/implications The study was cross-sectional in nature. Therefore, it could not measure changes in population over time. Practical implications The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture. Originality/value This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.
... As for Shared Tacit Assumptions, this level consists of the beliefs and values of the employees. If such a belief conflicts with one of the espoused values, adequate knowledge of why a specific control is needed might play a vital role in ensuring compliance [9]. As for ISC, this level of corporate culture directly influences the behaviour of employees that can be observed at the artefact level [4]. ...
Conference Paper
Cyber Security Culture (CSC) is a culture that could produce a secure cyber space and could improve the quality of cyber world engagement. Despite the many benefits that could be offered by CSC, there is a lack of models and guidelines on how to cultivate this culture. This paper discusses the concept of a CSC model in terms of the elements that form the model, to suggest how CSC could be cultivated. The Information Security Culture (ISC) model developed by [1] is used as a framework in discussing the concept of CSC. A literature search was also conducted to find and analyse the most suitable elements for CSC. A new model of CSC was proposed as a result of this study. The findings could provide a better understanding of CSC and could be used as a baseline to conduct more research on CSC.
... Several authors have attempted to define the concept of IS security culture (Von Solms 2000; Schlienger & Teufel, 2003; Da Veiga & Eloff, 2010; AlHogail & A. Mirza, 2014). Here, we have chosen to adopt the definition of Da Veiga and Eloff (2010), which we consider the most complete: "Security culture consists of the attitudes, assumptions, beliefs, values and knowledge that employees and stakeholders use to interact with the organization's systems and procedures at all times." ...
Conference Paper
First, this paper presents the main results of case studies carried out in SMEs, in which we investigated which factors can influence a security culture among users of information systems (IS); according to Reix and Rowe (2002), an IS is the set of social actors who transform and store representations through information technologies and operating procedures. We then present our second research method, intervention research, which we carried out within an SME through training and awareness-raising aimed at IS users in order to improve their culture and their IS-security-related behaviours. The objectives, the research process adopted and the results are developed in this paper. Keywords: security culture, information systems security (ISS), security-related behaviours, intervention research, SME.
... To enable comparison of these models, we applied normalisation to the model outputs. We concur with Schlienger and Teufel [30] that a cyber security culture should reflect on the social, cultural, and ethical aspects of the users in order to alter the users' overall cyber security behaviour. We argue that culture is evident in the behaviour of the users and that the cultural dimension values and real user behaviour data in the form of the login credential parameters are essential in the accurate assessment of CML. ...
Conference Paper
Different assessment models exist to measure a country's cyber security maturity levels. These levels serve as a benchmark for indicating how well prepared a nation is against a cyber security attack and how resilient it would be in recovering from such an attack. However, results from these maturity assessments are either too general, overly complex, or resource intensive to apply and guide important national cyber security strategies and frameworks. To address this we propose a model to link national culture with a country's cyber security maturity through fuzzy logic mapping to ensure that a more uniform reflection of the cyber security maturity level within a country can be measured. In this paper, we present additional research towards optimising our model. The extended model incorporates input from two cyber security assessment models, and validates the refined output models on 11 countries to compare the maturity levels from the traditional assessment model with our optimised fuzzy model. Our results show that it is viable to reduce the resources required to conduct a national cyber security maturity assessment.
... Wider research on cybersecurity and management has focused on the foundation of hierarchy and appropriate behavior by employees and workers toward security concerns (Solms and Niekerk, 2013). The information and cybersecurity management culture are also a significant part of organizational culture (Leidner, 2010; Leidner and Kayworth, 2006; Schlienger and Teufel, 2003), which is mainly concerned with employees' perceptions (Hu et al., 2012; Ngo et al., 2005). To prevent security threats in cyberspace and to identify and manage risks, the coherence of network traffic checking or monitoring and the ability to act on planned and strategic analyses need to be enhanced (Franke and Brynielsson, 2014). ...
Article
Cybersecurity is a serious issue that many organizations face these days. Therefore, cybersecurity management is very important for any organization. Organizations should learn to deal with these cyber threats through effective management across all business functions. The main purpose of this study is to identify the factors that affect cybersecurity within an organization and analyze relationships among these factors. The modified total interpretive structural modeling (M-TISM) technique is used to build a hierarchical model and define the common interactions between the factors. This study presents the impact of collaboration, training, resources and capabilities, information flow, technology awareness, and technological infrastructure on effective cybersecurity management. In addition, the study also explains the interrelationships among the identified factors in the M-TISM model.
... All employees who have access to SWIFT or who work in relevant substructures should receive annual cyber security and awareness training (Defuel, 2003) ...
Article
As technology develops around the world, crime types continue to develop with it; recent research shows that even corporate banks can face weaknesses in the face of cyber-attacks. We have investigated the most severe attacks that banking systems have been facing and tried to sketch out major measures against hackers who are using phishing attacks to hack the SWIFT system. Web-based account management still involves numerous sorts of dangers. Phishing attacks can be particularly damaging to banks and clients who do not play it safe against this sort of security hazard. Since phishing hackers utilize several refined strategies, ranging from deceptive attacks to DNS attacks, banks must refresh their security efforts consistently.
Chapter
The acceleration of cyber-attacks in the past few years certainly has negative influences on investors' and shareholders' trust in firms' abilities to protect their interests. This is likely to be reflected in the firms' share price. Thus, the influence of cybersecurity on firms' overall performance is a questionable issue. To be able to proceed through the cyber risks, firms face the challenge of enhancing their cybersecurity to avoid and combat the endless cyber-attacks. Further to that, studies that cast light on the relationship between cybersecurity and firms' performance from a holistic perspective are lacking.
Conference Paper
Security culture encompasses all socio-cultural measures that support technical security measures, so that information security becomes a natural aspect in the daily activities of every employee. The cultural concept helps to increase trust between the different actors concerning information security within an organization. We start with the explanation of the "organizational culture concept," asking how it can be used to implement information security culture. To create, maintain and change security culture, certain measuring instruments are necessary. We discuss several ways and methods to analyze organizational culture. Furthermore, we ask to what extent they could be used in the context of security culture and what special problems might arise. Finally, the possible implementation is discussed in the context of an ongoing survey from which we present some results.
Chapter
The title of this edited volume already outlines the central field of tension in which Internal Marketing is located: the interface between marketing management and human resource management. Looking back a few years or decades in business administration research, the personnel function was clearly inward-oriented and completely separated from all activities that connected a company with the market through the sale of its products and services. For decades a purely functional view of business administration dominated; it separated inward-directed personnel work, institutionalized in the personnel department, from outward-directed marketing work, institutionalized in the marketing department.
Article
Is security a profession? What has the professional status - or lack of it - of security got to do with security training and education? This paper argues that the two are inherently linked. The lack of status has a detrimental effect on the development of training and education for the industry. This, in turn, affects both the status of the 'profession' and the development of a professional status. Lack of recognised educational opportunities combined with the professional standing of the industry then have a profound effect on the way the industry and those in it are perceived by those outside the industry and other professions. The paper explores what can be done to combat this situation.