Abstract
Companies are exposed to the risk of falling victim to cyber attacks every day and therefore invest in optimizing their information security (IS) level. In addition to technological investments, the focus is now increasingly on employees, as their attitude and behavior have a significant influence on the IS level of a company. There is already extensive research on the influencing factors and the establishment of an IS culture in companies. However, little attention has been paid to the group of IT employees, although it has been proven that their attitude, behavior and judgment regarding cyber attacks and IS in general differ from those of non-IT employees. Even within an IT department, one can expect to see different degrees of these factors, as a distinction must be made between IS employees and employees with traditional IT functions (software development, server operation, etc.).
Based on 25 recent IS studies, a literature review has identified four factors that influence the IS attitude and behavior of employees in an internal IT department and thus have an impact on the IS culture. These four components are IT tools, IS skill, appreciation and sub-cultures.
The results show that more qualitative research with a focus on employees of an IT department is necessary to advance the findings in the area of IS culture. In addition, CIOs and CISOs benefit from the results, as they specify fields of action that can be tested and optimized in their own organizations.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Dornheim, P., Zarnekow, R. (2020). Factors Shaping Information Security Culture in an Internal IT Department. In: Stephanidis, C., et al. HCI International 2020 – Late Breaking Papers: Interaction, Knowledge and Social Media. HCII 2020. Lecture Notes in Computer Science, vol 12427. Springer, Cham. https://doi.org/10.1007/978-3-030-60152-2_38
DOI: https://doi.org/10.1007/978-3-030-60152-2_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-60151-5
Online ISBN: 978-3-030-60152-2
eBook Packages: Computer Science, Computer Science (R0)