Conference PaperPDF Available

Information Security Culture: The Socio-Cultural Dimension in Information Security Management

Authors:
1
Schlienger, T. and Teufel, S. (2002). Information Security Culture - The Socio-
Cultural
Dimension in Information Security Management. Security in the information
society: visions and perspectives. IFIP TC11 International Conference on
Information Security (Sec2002), Cairo, Egypt, Kluwer Academic Publishers.
Information Security Culture
The socio-cultural dimension in information security management
Thomas Schlienger, Stephanie Teufel
iimt - international institute of management in telecommunications
University of Fribourg (CH)
Abstract: The information security management mostly disregards the human
dimension. The main focus is on technical and procedural measures. The user
is seen as a security enemy, not as a security asset. In our paper we identify
some problems, that emerge from this sight and we propose a paradigm shift
from a technical approach to a socio-cultural one, from “the user is my enemy”
to “the user is my security asset” approach. We explain the concept of
corporate culture and show exemplary on the example of the security culture,
how the cultural theory can help to increase the overall security of an
organization.
Key words: Security Culture, Awareness, Human Dimension, Information Security
Management
1. MOTIVATION
In the information security discussion the human dimension is mostly
disregarded. The main focus is on technical security measures where users
are seen as a threat for information security. As of this technical focus, the
possibilities of information security measures are mostly used in an
unsatisfactory way. In our paper we propose a paradigm shift from a
technical to a human centric focus, from “the user is my enemy” to the “my
user is my security asset”. We are not yet in a position to give final answers
and guidelines to this new approach in information security management, but
in this paper we will discuss some aspects, that can help to build a security
management, which also takes the human dimension in account.
2
T
homas Schlienger, Stephanie Teu
fel
Worldwide, the ARIS Attack Registry and Intelligence Service [Attack
Registry & Intelligence Service (ARIS) 2001] registered over 90 Mio
incidents in the time from 1.1.01 to 23.10.01. In those incidents, over 9’000
different attack types from over 1.5 Mio different IP addresses were
launched. Another example is the 23.10.2001. On that day alone, over
200’000 attacks were registered worldwide.
The 2001 Computer Crime and Security Survey from the Computer
Security Institute & the FBI [Computer Security Institute 2001, 14], is trying
to quantify the loss resulting from the different attacks. In the study 35% of
the surveyed organizations were able to give exact numbers of their loss,
which amounted to an overall loss of 378 Mio USD. This averages on 2 Mio
USD per organization. The most expensive attacks or frauds were:
1. Theft of proprietary information
2. Financial fraud
3. Virus attacks
4. Insider net abuse
Asking about the perpetrators, the study reports that 49% of the incidents
were done by insiders. Another study, conducted by the magazine
InformationWeek and PricewaterhouseCoopers [Gerbich 2001], lists a
detailed analysis of the perpetrators. In 54% of the threads worldwide,
insiders were involved. Of those, 23% were authorized users, 16% were
unauthorized users and 15% were former employees.
The organizations are able to directly influence these people. Security
actions aiming at this group should therefore help to decrease the internal
amount of perpetrators. In the first place potential employees should be
screened thoroughly, with simultaneous consideration of individual privacy
and the data protection law. This proper selection of future employees can
improve the security of the organization greatly. It should be avoided to hire
unmotivated or malicious staff. Secondly, the hired people must be educated
and encouraged to behave in correct manners and thus support the
organizational information security. Figure 1 illustrates this idealized
approach. In addition, highly motivated and qualified people also help to
decrease external threads such as email viruses and worms.
Information Security Culture 3
type X
(malicious,
unmotivated,
security adverse)
type Y
(benevolent,
motivated,
security conform)
Number of employees
indifferent Type of
employee
Don’t hire Hire and motivate to behave
security conform
Screening barrier
Figure 1. Screening and motivating employees with regards to information security
In General, the number of security incidents increased highly during the
last years and organizations increasingly risk to loose money and reputation.
Therefore information security has become a critical success factor for
organizations. In this approach, the employees play a primary role. In the
following chapters we show a possibility for an organization, to turn its
employees into valuable security assets. First, we briefly show the
development of information security management over the last decades with
its rather technical approach. We will then present a method to increase the
overall information security of an organization based on organizational and
industrial psychology.
2. THE STATE OF THE ART IN INFORMATION
SECURITY MANAGEMENT
Today’s information security management is based on mistrust and has a
highly technological focus. Technical measures are set up to intercept
intruders at the gate, to protect the user from making mistakes and to prevent
misuse. During the last years security specialists agreed upon the fact, that
security management can only be successful if it is embedded in an
organizational and managerial structure within the organization. [von Solms
2000, 615] has identified three waves in the developments of information
security management.
The first wave was completely based on technical measures and lasted
until the beginning of the eighties. Employees were declared to be security
risks. The organization had to decrease this risk using technical measures.
Security was primarily seen as a technical problem that had to be solved by
4
T
homas Schlienger, Stephanie Teu
fel
technicians using technology. The main development was the
implementation of access controls lists, user-ids and passwords.
The start of the second wave can be identified in the early eighties and
had its focus on managerial and organizational aspects. Managers got
involved in the security process, security responsibles were declared and
incorporated into the organizational chart (e.g. chief security officer, CSO).
Security policies and concepts were developed in parallel.
Nevertheless as the examples in the introduction show, these technical
and procedural measures are not sufficient; socio-cultural measures are also
needed. The last link in the security chain is the user who works with the
information technology. To him security is laborious and unnecessary
[Adams and Sasse 1999, 43]. Today the main problems are, among others,
the missing usability of security products and procedures and the
organization’s mistrust against it’s own employees.
For the last years of the nineties, [von Solms 2000, 615] identified a third
wave, building up a technical, procedural and socio-cultural security
infrastructure: the wave of institutionalisation. It consists of several parts:
standardization, certification, metrics and security culture. The latter
concentrates on the human dimension in information security, which we
want to discuss in depths.
3. THE HUMAN DIMENSION IN INFORMATION
SECURITY
Let’s give a short example, why users play an important role in
information security:
A traditional way to protect information systems is the use of passwords.
According to the study of [Furnell, et al. 2000, 533-535] 91% of all systems
use passwords, despite the existence of alternative techniques, which are
more secure and also more usable. Around 38% of the users have to
memorize four or more passwords for their daily work. Some 46% of the
users have to change their passwords at least once every six month.
Although passwords are unpractical (especially if you have to memorize
several of them) and tend to be insecure (especially if you write all your
passwords on a note and hide it under the keyboard or if you use very simple
passwords), users like them. The study compared the acceptance of
passwords with biometric authentication. Authentication using physical
attributes doesn’t require anymore to remember passwords, thus reducing the
mental overhead of the users and thus tending to be more secure, because
users don’t choose simple passwords or write them down. While 95.7% of
the users still preferred passwords, only 53.4% preferred voice recognition,
Information Security Culture 5
49.1% face recognition and 48.8% fingerprint recognition. Why don’t accept
users more comfortable and secure authentication technologies? One clue
might come from the fact, that criminal records normally include
fingerprints. The scanning of fingerprints can have therefore a negative
touch in European countries. An organization simply cannot implement a
biometric authentication mechanism if the users do not support them. The
rollout of new security products and procedures can only be successful, if
firstly the users understand the why’s and the how’s, and secondly if the
users can be motivated to support such a change.
In another study about user’s security behaviour, [Adams and Sasse
1999, 42] identified the user’s perceptions of organizational security and
information sensitivity as one of the four major factors influencing effective
password usage. In their study they showed clearly, that users are not
sufficiently informed about security issues and that the security departments
lacks the knowledge about users.
The following Table 1 shows a summary of today’s information security
management problems. It also includes some ideas for future improvements.
Table 1. Problems of information security management and ideas for improvements
Problems Ideas for improvements
Security products and procedures tend to be
unusable Security engineers should start their design
from the users perspective and not from a
technological perspective
The user doesn’t know the risks of
information technology The user should be informed about the risk of
information technology
The user doesn’t understand the security
measures / techniques The user should be trained in information
security
The user doesn’t understand the meaning of
information security The user should be involved from the
beginning
The user is seen as security risk The user should be accepted as partner in
security questions
We postulate a cultural change in information security management: A
socio-cultural, human centric approach that is based on trust and partnership,
accompanied by appropriate security technology.
Trust can be circumscribed as: „One leaves others an opportunity to harm
one when one trusts, and also shows one’s confidence that they will not take
it. Reasonable trust will require good grounds for such confidence in
another’s good will, or at least the absence of good grounds for expecting
their ill will or indifference. Trust, then, on this first approximation, is
accepted vulnerability to another’s possible but not expected ill will (or lack
of good will) toward one” [Baier 1986]. In this definition we see two
important points:
6
T
homas Schlienger, Stephanie Teu
fel
The trustor accepts willingly the risk of ill will of a trustee.
The trustor has confidence, that the trustee will not take this possibility.
We have to be aware that 100% security is not possible besides not being
cost effective. In information security the costs of the countermeasures must
always be compared with its benefit of decreased risk. Thus the same applies
to technical countermeasures as to human measures: We have to accept some
residual risk. The security policy has to define, how big this residual risk
shall be.
Concerning trust, we can differ two types, a cognition-based and an
effect-based type. The later is a social trust, “it encompasses care and
concern, benevolence, altruism, a sense of personal obligation, commitment,
mutual respect, openness, a capacity for listening and understanding, and a
belief that sentiments are reciprocated” [Scott and Gable 1997, 108]. The
first is a rational trust that can be actively build up by training and/or
experience, “it encompasses competence, ability, responsibility, integrity,
credibility, reliability, and dependability” [Scott and Gable 1997, 108]. Trust
can have various directions: unidirectional, bi-directional and transitive. It
can also involve different parties. In our trust model we define trust with
regard to information security as cognition-based and bi-directional between
an organization, its managers and owners respectively, and its employees.
Trust can have some economic advantages: Economic theory suggests, that
trust lowers the risk of a transaction and therefore also lowers transactional
costs [Chircu, et al. 2000, 1]. How can an organization have confidence in
their employees, that they don’t misuse their trust (and vice versa)? How can
an organization build up trust regarding information security? In the next
section we show a possible way to build up this trust.
4. INFORMATION SECURITY CULTURE
Corporate culture defines, how an employee sees the organization [Ulich
2001, 503]. In organizational theory a minimum of two opposite
assumptions on corporate culture can be identified [Schreyögg 1999, 438],
[Rühli 1991, 14]. In the functionalistic view, corporate culture influences the
behaviour of its organizational members: Every organization has its own
culture. In the opposite, cognitive-interpretative view, the theory of
corporate culture is used to explain the organization’s phenomena of a mini
society: Every organization is a culture. In our paper we follow the theory of
[Rühli 1991], that these two approaches can be integrated. The corporate
culture is therefore a collective phenomenon that is growing and changing
Information Security Culture 7
over time and it can be influenced or even designed by the management of
the organization.
The core substances of the corporate culture are basic assumptions and
beliefs. These assumptions concern the nature of the people, their behaviour
and their relationship. The corporate culture is consequently expressed in the
collective values, norms and knowledge of organizations. In turn those
collective norms and values affect the behaviour of the employees. They are
expressed in form of artifacts and creations such as handbooks, rituals and
anecdotes. Ultimately the corporate culture has a crucial impact onto the
corporate success [Rühli 1991, 15]. Corporate culture emerges and grows
with time. It is formed by the behaviour of dominant organization members
like founders and top managers. The three layers of security culture and their
interactions are illustrated in Figure 2.
Basic assumptions
and beliefs
Collective values,
norms and
knowledge
Artifacts and
creations
Maxims, rules, prohibitions
Language, rituals, forms,
technology, art, behaviour patterns
Hidden and mostly unconscious
partially visible and conscious
Visible but need to interpret
“The employees are
our security assets.”
“Every employee
must behave
security conform.
“Every employee has
to participate
yearly in a security
awareness course.”
Figure 2. The three layers of security culture and their interactions [Schein 1985, 14] with
examples for information security culture
A corporate culture can have different subcultures based on sub-
organizations or content. The subculture is a subsystem that has specific
values, norms and knowledge, which differentiates it from the corporate
culture. An organizational subculture could be the values, norms and
knowledge of the informatics or of the sales department, whereas the
information security culture is a subculture in regards to content. Security
culture should support all activities in a way, that information security
becomes a natural aspect in the daily activities of every employee. Corporate
culture helps to build the necessary trust between the different partners in
8
T
homas Schlienger, Stephanie Teu
fel
our trust model. According to [von Solms 2000, 616], the security culture is
addressing the “my own user is my biggest enemy” syndrome.
The information security culture focuses on the socio-cultural aspects of
information security management. To build up an information security
culture, we can get inspired by the international nuclear safety advisory
group [Brandao 1994]. After the catastrophe of Chernobyl, they defined the
concept of the safety culture [International Nuclear Safety Advisory Group
1986], see also [Freitag 1994, 132]. With little modifications this safety
culture can be adapted to the information security culture. The measures of
the safety culture mainly target the layer of norms, values and knowledge.
According to this model, the security culture should define three layers of
responsibility (see Figure 3):
1. Corporate politics
2. Management
3. Individuals
These layers are enclosed by the external basic conditions as well as the
social norms and values that for example are expressed in national and
international law.
On the corporate politics level, information security should be defined as
a corporate target. This means that the top management is responsible to
define the security policy. Consequently they must provide sufficient
resources to implement this policy. This task could be delegated, e.g. to a
chief security officer (CSO), but the top management as whole remains
responsible. A CSO can be positioned on several places within the
organization chart: in the informatics department, in a new staff unit or in an
existing security department.
The different department managers are then responsible for the
compliance of the information security policy and for the implementation in
their units. They must be sufficiently motivated to observe the security
policy; since without their assistance it’s not possible to implement such a
policy. To implement this security policy, the management must define and
control the different security measures. Additionally they must qualify and
train their employees. Security conform behaviour must be awarded,
malicious security breaches prosecuted. Also, the security strategy must be
audited and benchmarked on a regular basis.
On the individual layer, every employee must contribute to the security
of the organization him/herself. He/she has to have a critical attitude, by
asking:
Have I understood my task?
Information Security Culture 9
What are my responsibilities?
In which relationship do they stand to the information security?
Do I have enough knowledge to fulfil my task?
Do I need help?
He/she has to act carefully and with due diligence. Abnormal behaviour
of people or computer systems including malfunctions must be registered
and reported. Furthermore, the user has to be integrated in the risk analysis
process and the company should install an employee suggestion system.
Security Policy
Organisational structure
Ressources
Corporate politics
Implementation of security policy
Definition of responsibilities
Qualification and training
Awards and prosecutions
Audits and benchmarks
Top management
Critical attitude
Act carefully and with due diligence
Communication
Individuals
Security Culture
External basic conditions
Figure 3. The layers of security culture
Concerning security culture the most important points are:
The exemplary behaviour of the managers
Security training of the employees, this includes creating awareness
about the risks of information technology and training in the use of
security products
Awarding of security conform behaviour
It is important to notice, that security conform behaviour can also include
making and confessing security breaches. Informing the management about
errors and mistakes can help the organization to improve the security
behaviour by better understanding the possible risks and errors. Only
malicious behaviour should be prosecuted.
10
T
homas Schlienger, Stephanie Teu
fel
5. CONCLUSION
Humans and technology have different peculiarities, which are presented
in the following Table 2. Humans can establish order in self-organizing
form, whereas technology can only be used to sustain order using well-
defined rules. The human being is a creative problem solver, whereas
technology is dumb and deterministic. The strengths of humans and
technology are thus complementary parts that can solve tasks together,
which, individually approached, would be unsolvable.
Table 2. Difference peculiarities of humans and technology [Zumbach and Bilhuber 2001, 82]
Humans Technology
Bundle of potentials
- Humans “are” not, they “become”
permanent
- dynamic
- adaptive
Bundle of attributes
- technology “is”
- deterministic
Combination of sense organs
- orientation in complex, unexpected
situations
Sensors
- none to human comparable sense organs
Capable of anticipation
Designing a security process and implementing a security technology
should start at the business process and the employees working in this
process, not at the technology. The combination of technology and human
awareness and qualification can improve the overall security level of an
organization greatly. In the words of the Oxygen project [Laboratory for
Computer Science (LCS) 2001] – here used in a different context - security
should become as natural as air. To reach this target it is necessary to have a
security culture that addresses the socio-cultural aspects of security. We have
shown the concept of security culture and we proposed also a way to
implement this culture. There are still many open questions in this field, but
information security can only be increased by the help of the users.
6. BIBLIOGRAPHY
Adams A. and Sasse M. A., "Users are not the enemy," Communications of the ACM, vol. 42
(12), pp. 41 - 46, 1999.
Attack Registry & Intelligence Service (ARIS), "ARIS Analyzer," SecurityFocus, 2001,
http://aris.securityfocus.com, accessed on 23.10.2001.
Baier A., "Trust and antitrust," Ethics, 1986.
Information Security Culture 11
Brandao R., "IT-Sicherheitskultur im Unternehmen," diploma thesis IFI. Zürich: Universität
Zürich, 1994, pp. 110.
Chircu A. M., Davis G. B., and Kauffman R. J., "Trust, Expertise and E-Commerce
Intermediary Adoption," presented at The 2000 Americas Conference on Information
Systems, Long Beach, CA (USA), 2000.
Computer Security Institute, "2001 CSI/FBI Computer Crime and Security Survey,"
Computer Security Issue & Trends, vol. 7 (1), pp. 1 - 20, 2001.
Freitag M., "Sicherheitskultur (Safety Culture) - ein brauchbares Konzept für
Systemsicherheit und Arbeitssicherheit?," in Psychologie der Arbeitssicherheit, Burkhardt
F. and Winklmeier C., Eds. Heidelberg: Roland Asanger Verlag, 1994.
Furnell S. M., Dowland P. S., Illingworth H. M., and Reynolds P. L., "Authentication and
Supervision: A Survey of User Attitudes," Computers & Security, vol. 19 (6), pp. 529 -
539, 2000.
Gerbich S., "IT-Security 2001: Sind sie (noch ganz) dicht?," Informationweek (18), 2001.
International Nuclear Safety Advisory Group, "Summary Report on the Post-Accident
Review Meeting on the Chernobyl accident," Safety Series, vol. 75-INSAG-1, 1986.
Laboratory for Computer Science (LCS), "MIT Project Oxygen," MIT, Laboratory for
Computer Science, 2001, http://www.oxygen.lcs.mit.edu, accessed on 23.10.2001.
Rühli E., "Unternehmungskultur - Konzepte und Methoden," in Kulturmanagement in
schweizerischen Unternehmungen, Rühli E. and Keller A., Eds. Bern / Stuttgart: Verlag
Paul Haupt, pp. 9 - 48, 1991.
Schein E. H., Organizational Culture and Leadership: A Dynamic View. San Francisco:
Jossey-Bass, 1985.
Schreyögg G., Organisation: Grundlagen moderner Organisationsgestaltung. Wiesbaden:
Gabler Verlag, 1999.
Scott J. E. and Gable G., "Goal congruence, trust, and organizational culture: strengthening
knowledge links," presented at The eighteenth international conference on Information
systems, 1997.
Ulich E., Arbeitspsychologie. Zürich: vdf, Hochschulverlag an der ETH Zürich, 2001.
von Solms B., "Information Security - The Third Wave," Computers & Security, vol. 19 (7),
pp. 615 - 620, 2000.
Zumbach F. and Bilhuber E., "HRM im Spannungsfeld zwischen Mensch, Technik und
Organisation," in Excellence durch Personal- und Organisationskompetenz, Thom N. and
Zaugg R. J., Eds. Bern: Paul Haupt Verlag, 2001.
... The concept of security culture started gaining prominence in the early 2000s (Schlienger and Teufel 2002;United Nations General Assembly 2003) with the uptake of information technology systems and increased internet connectivity. Companies using OT have been increasingly digitalizing over the past decade (i.e., IT/OT convergence, Industry 4.0), which has led to cybersecurity becoming a prominent concern given the extended attack surface (Evripidou et al. 2022). ...
... Finally, communications at all levels, both vertically (e.g., management to employees) and horizontally (e.g., between co-workers) are another essential culture enabler (Reegård, Blackett, and Katta 2019). Schein's model was employed by some early works (Schlienger and Teufel 2002;R. von Solms and von Solms 2004), with Schlienger and Teufel (2002) recognizing the similarities between safety and security cultures. ...
... Schein's model was employed by some early works (Schlienger and Teufel 2002;R. von Solms and von Solms 2004), with Schlienger and Teufel (2002) recognizing the similarities between safety and security cultures. The field has been growing since then, with studies looking at the relationship between culture's enabling factors, and security behaviors and their antecedents like knowledge. ...
... Table 1 presents some of them. Security culture includes all socio-cultural measures supporting technical security measures so that information security becomes a natural aspect of every employee's daily activities [4]. ...
... Schlienger and Teufel [4] also state that information security culture is a "sub-culture in terms of content". In other words, it is a part of the organizational culture. ...
... The level of employee's awareness is one of the main challenges that organizations face in achieving an appropriate security level. When employees are aware of safety policies, and the safety policies are followed, then a safety culture develops [4]. Consequently, security awareness is a key factor leading to higher compliance with security requirements and the development of a security culture [10]. ...
Article
Full-text available
Nowadays, digitization of all areas of human activity leads to an increase in the number of information security incidents in organizations. From this point of view, the problem of information security culture in organizations becomes very relevant in modern times. Obviously, the majority of incidents related to information security violations in organizations are associated to the human factor. To overcome this problem, the research in the field of the evaluation of information security culture is urgent. Measuring and evaluating information security culture can enable an organization to identify its weaknesses in this area and take measures to eliminate them. This article examines various approaches to the concept of information security culture, and analyzes the affecting factors within the organization (management’s attitude towards information security, information security policy, information security awareness and employee’s behaviors). It also studies the documents adopted in the field of development and evaluation of information security culture in the European Union countries and the United States, and implemented projects. It analyzes proposed methods for measuring the information security culture in the organization using various methods. Moreover, the article reveals existing problems in this field and provides certain recommendations for their elimination. The methods of analysis and synthesis, comparison, generalization and systematic approach are used in this research.
... Finally, Schlienger & Teufel (2002) underline the problem with today's approach to information security management. According to (Schlienger & Teufel, 2002), the problem lies in the conception of the human dimension of information security. ...
... Finally, Schlienger & Teufel (2002) underline the problem with today's approach to information security management. According to (Schlienger & Teufel, 2002), the problem lies in the conception of the human dimension of information security. In the present-day, information security management is mainly focused on technical measures. ...
... In this scenario, information security management treats users as the "enemy" and there is no inclination to discuss the human aspect of information security. However, Schlienger & Teufel (2002) also propose a solution to this imbroglio. According to (Schlienger & Teufel, 2002), the solution lies in information security management undergoing a paradigm shift in regard to its conception of the human dimension. ...
Book
This book aims to identify the impact of information security management on the effectiveness of applying e-management in the Governmental Organizations in Gaza. The research used the analytical descriptive approach and the comprehensive survey to collect the data in order to meet research objectives using the Statistical Package for the Social Sciences (SPSS). Questionnaires were distributed as a tool to explore the opinions of the study population, the collected questionnaires were (144), represent response rate (91.14%). Ten fields of information security management were investigated at (8) Governmental Organizations along with the effectiveness of applying e-management. The ten fields of information security management include: Security Policy, Organizational Security, Assets Classification and Control, Personnel Security, Physical and Environmental Security, Computer and Network Management, System Access Control, System Development and Maintenance, Business Continuity Planning, Compliance to Legal Requirements.
... An information security culture is a subculture of the organisational culture (Hayden, 2016;Niekerk and Solms, 2005;Schlienger and Teufel, 2002). In line with Schein's (1985) definition of organisational culture, the information security culture also comprises assumptions, values, beliefs, and attitudes (Schlienger and Teufel, 2002;von Solms and van Niekerk, 2013) of employees toward information security. ...
... An information security culture is a subculture of the organisational culture (Hayden, 2016;Niekerk and Solms, 2005;Schlienger and Teufel, 2002). In line with Schein's (1985) definition of organisational culture, the information security culture also comprises assumptions, values, beliefs, and attitudes (Schlienger and Teufel, 2002;von Solms and van Niekerk, 2013) of employees toward information security. These influence the employee behaviour when employees interact with information and information systems and, over time, become the way things are done in the organisation to protect information and information systems and will be visible in behaviour and artifacts in the organisation (Da Veiga, 2019. ...
Article
Full-text available
Purpose This study aims to elicit an understanding of creativity and innovation to enable a totally aligned information security culture. A model is proposed to encourage creativity and innovation as part of the information security culture. Design/methodology/approach The study first applied a theoretical approach with a scoping literature review using the preferred reporting items for systematic reviews and meta-analyses method to propose a conceptual model for engendering employee creativity and innovation as part of the information security culture. A qualitative research method was further applied with expert interviews and qualitative data analysis in Atlas.ti to validate and refine the conceptual model. Findings A refined and validated information security culture model enabled through creativity and innovation is presented. The input from the expert panel was used to extend the model by 18 elements highlighting that the risk appetite of an organisation defines how much creativity and innovation can be tolerated to reach a balance with the potential risks it might introduce. Embedding creativity and innovation as part of the organisational culture to facilitate it further as part of the information security culture can aid in combating cyber threats and incidents; however, it should be managed through a decision-making process while governed within policies that define the boundaries of creativity and innovation in information security. Research limitations/implications The research serves as a point of reference for further research about the influence of creativity and innovation in information security culture which can be investigated through structural equation modelling. Practical implications This study offers novel insights for managerial practice to encourage creativity and innovation as part of information security. Originality/value The research proposes a novel concept of introducing creativity and innovation as part of the information security culture and presents a novel model to facilitate this.
... The model will serve as a point of reference for further academic work to investigate the influence of creativity and innovation on the information security culture. An information security culture is a subculture of the organisational culture [19][20][21]. In line with Schein's [14] definition of organisational culture, the information security culture also comprises assumptions, values, beliefs and attitudes [21,22] of employees toward information security. ...
... An information security culture is a subculture of the organisational culture [19][20][21]. In line with Schein's [14] definition of organisational culture, the information security culture also comprises assumptions, values, beliefs and attitudes [21,22] of employees toward information security. These influence the employee behaviour when employees interact with information and information systems and, over time, become the way things are done in the organisation to protect information and information systems, that will be visible in behaviour and artifacts in the organisation [23,24]. ...
Chapter
Full-text available
This research aims to elicit a conceptual understanding of creativity and innovation to enable a totally aligned information security culture. Stimulating the creativity and innovation of employees in an organisation can help to solve information security problems and to create a culture where information security issues are addressed and resolved, as opposed to being introduced by end-users. The study applied a theoretical approach with a scoping literature review using the PRISMA method to derive traits and programmes that organisations can implement to stimulate creativity and innovation as part of the organisational culture. A model for engendering employee creativity and innovation as part of the information security culture is proposed, through the lens of the three levels of organisational culture. This study both offers novel insights for managerial practice and serves as a point of reference for further academic research about the influence of creativity and innovation in information security culture.
... Organizational culture may have different subcultures based on sub-organizations or functions. For [16], IS security culture is a subculture with respect to the general functions of the company. It should support all activities in such a way that IS security becomes a natural aspect in the daily activities of every employee. ...
Chapter
This paper examines the relationship between information system (IS) security culture and IS user security behaviors, which is little examined in the literature [1]. This article first goes through a review of literature in the field of information security systems, then the proposal of a framework based on [2] three-level culture model and finally the presentation of a qualitative study conducted with twenty-two users from eight French small and medium enterprises (SMEs). The results of this study show that there is a strong relationship between IS security culture and user behaviors related to IS security, in the sense that a positive security culture is conducive to creating security behaviors.
Preprint
Full-text available
The healthcare industry increasingly relies on Knowledge Process Outsourcing (KPO) to handle vast amounts of sensitive patient data. This study investigates information security compliance in healthcare KPOs to protect patient privacy and data integrity. Employing a qualitative approach, it analyzes existing security policies, revealing the current state of information security in these organizations and factors influencing compliance. Key themes include employee training, technology, regulatory adherence, and organizational culture. The study uncovers the intricate relationships between these factors and their role in mitigating security risks. Additionally, the research aims to identify best practices to enhance information security compliance in healthcare KPOs. The findings benefit KPO leaders, healthcare providers, and policymakers, enhancing patient data confidentiality while optimizing KPO benefits in healthcare. By contributing insights into information security compliance in healthcare KPOs, this study also enriches discussions on safeguarding sensitive data amid evolving threats and regulations, bolstering trust in healthcare KPO operations.
Book
Cybersecurity needs a change in communication. It is time to show the world that cybersecurity is an exciting and diverse field to work in. Cybersecurity is not only about hackers and technical gobbledygook. It is a diverse field of work with a lot of collaboration with other disciplines. Over the years, security professionals have tried different awareness strategies to promote their work and to improve the knowledge of their audience but without much success. Communication problems are holding back advances in in the field. Visual Communication for Cybersecurity explores the possibilities of visual communication as a tool to improve the communication about cybersecurity and to better connect with non-experts. Visual communication is useful to explain complex topics and to solve complex problems. Visual tools are easy to share through social media and have the possibility to reach a wide audience. When applied strategically, visual communication can contribute to a people-centric approach to security, where employees are encouraged to actively engage in security activities rather than simply complying with the policies. Cybersecurity education does not usually include communication theory or creative skills. Many experts think that it is not part of their job and is best left to the communication department or they think that they lack any creative talent. This book introduces communication theories and models, gives practical tips, and shows many examples. The book can support students in cybersecurity education and professionals searching for alternatives to bullet-point presentations and textual reports. On top of that, if this book succeeds in inspiring the reader to start creating visuals, it may also give the reader the pleasure of seeing new possibilities and improving their performance. The book is divided into different parts for readers with different interests. There is no need to read the book from cover to cover; the chapters are organized thematically. Readers that are interested in how to apply communication theory to cybersecurity will enjoy the chapters about learning, the context in which communication takes place, and how people are persuaded. Readers that are looking for inspiration and examples of how to use visuals in their daily tasks go straight to the third section of the book. The last section is a workbook that will help the reader to take the first steps towards using visual communication at work.
Article
Full-text available
In this article, the author discusses why users compromise computer security mechanisms and how to take remedial measures. Confidentiality is an important aspect of computer security. It depends on authentication mechanisms, such as passwords, to safeguard access to information. Traditionally, authentication procedures are divided into two stages: identification and secret password. To date, research on password security and the usability of these mechanisms has rarely been investigated. Since security mechanisms are designed, implemented, applied and breached by people, human factors should be considered in their design. It seems that currently, hackers pay more attention to the human link in the security chain than security designers do, by using social engineering techniques to obtain passwords. The key element in password security is the crackablity of a password combination. System-generated passwords are essentially the optimal security approach; user-generated passwords are potentially more memorable and thus less likely to be disclosed. Password composition, alphanumeric password is more secure than one composed of letters alone. INSET: Recommendations.
Article
User authentication is a vital element in ensuring the secure operation of IT systems. In the vast majority of cases, this role is fulfilled by the password, but evidence suggests that this approach is easily compromised. Whilst many alternatives exist, particularly in the form of biometric methods, questions remain over the likely user acceptance. This paper presents the results of a survey that examines user attitudes towards a range of authentication and supervision techniques. It is concluded that whilst there is still an element of reluctance amongst users to depart from the familiar password based mechanisms, many are convinced of the need for improved authentication controls. The acceptability to users of various new techniques is variable, but many seem willing to consider a range of alternative methods.
Article
This research investigates how the amount of trust a consumer has in an electronic commerce intermediary and the amount of expertise that consumer needs to acquire in order to be able to use the intermediary affect the intention to adopt the electronic commerce intermediary. The paper analyzes both the direct effects of trust and expertise on adoption intention, as well as the indirect effects through two mediating variables widely used in adoption studies, usefulness and ease of use. These effects are hypothesized to be further moderated by the level of transaction complexity. The results partially support both the direct effects model and the indirect effects model, pointing out that trust and expertise are, as hypothesized by academicians and practitioners alike, important in encouraging adoption of electronic commerce technologies. In addition, the results show that trust and expertise become more important in determining the adoption intention as transaction complexity increases.
Conference Paper
Collaboration between organizations benefits from knowledge links—a form of strategic alliance that gives organizations access to the skills and capabilities of their partner and opportunity to create new capabilities together. Using the example of alliances between two universities and SAP AG, the market leader in Enterprise Software, the paper suggests some management practices to improve goal congruence, trust, and alignment between different organizational cultures. For example, faceto-face interactions are critical for building a close relationship over time. A theoretical framework of the five phases of partnership development and the three challenges faced by knowledge link partnerships is proposed, along with implications for management, universities, and research.
IT-Sicherheitskultur im Unternehmen
  • R Brandao
Brandao R., "IT-Sicherheitskultur im Unternehmen," diploma thesis IFI. Zürich: Universität Zürich, 1994, pp. 110.
2001 CSI/FBI Computer Crime and Security Survey
Computer Security Institute, "2001 CSI/FBI Computer Crime and Security Survey," Computer Security Issue & Trends, vol. 7 (1), pp. 1 -20, 2001.
Sicherheitskultur (Safety Culture) -ein brauchbares Konzept für Systemsicherheit und Arbeitssicherheit?
  • M Freitag
Freitag M., "Sicherheitskultur (Safety Culture) -ein brauchbares Konzept für Systemsicherheit und Arbeitssicherheit?," in Psychologie der Arbeitssicherheit, Burkhardt F. and Winklmeier C., Eds. Heidelberg: Roland Asanger Verlag, 1994.
Laboratory for Computer Science (LCS), "MIT Project Oxygen
  • S Gerbich
Gerbich S., "IT-Security 2001: Sind sie (noch ganz) dicht?," Informationweek (18), 2001. International Nuclear Safety Advisory Group, "Summary Report on the Post-Accident Review Meeting on the Chernobyl accident," Safety Series, vol. 75-INSAG-1, 1986. Laboratory for Computer Science (LCS), "MIT Project Oxygen," MIT, Laboratory for Computer Science, 2001, http://www.oxygen.lcs.mit.edu, accessed on 23.10.2001.