Factors Shaping Information Security Culture in an Internal IT Department

  • Conference paper
HCI International 2020 – Late Breaking Papers: Interaction, Knowledge and Social Media (HCII 2020)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12427)

Abstract

Companies are exposed to the risk of falling victim to cyber attacks every day and therefore invest in optimizing their information security (IS) level. In addition to technological investments, the focus is now increasingly on employees, as their attitude and behavior have a significant influence on the IS level of a company. There is already extensive research on the influencing factors and the establishment of an IS culture in companies. However, little attention has been paid to the group of IT employees, although it has been proven that their attitude, behavior and judgment regarding cyber attacks and IS in general differ from those of non-IT employees. Even within an IT department, one can expect to see different degrees of these factors, as a distinction must be made between IS employees and employees with traditional IT functions (software development, server operation, etc.).

Based on 25 recent IS studies, a literature review has identified four factors that influence the IS attitude and behavior of employees in an internal IT department and thus have an impact on the IS culture. These four components are IT tools, IS skill, appreciation and sub-cultures.

The results show that more qualitative research with a focus on employees of an IT department is necessary to advance the findings in the area of IS culture. In addition, CIOs and CISOs benefit from the results, as they specify fields of action that can be tested and optimized in their own organizations.

Author information

Corresponding author

Correspondence to Peter Dornheim.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Dornheim, P., Zarnekow, R. (2020). Factors Shaping Information Security Culture in an Internal IT Department. In: Stephanidis, C., et al. HCI International 2020 – Late Breaking Papers: Interaction, Knowledge and Social Media. HCII 2020. Lecture Notes in Computer Science, vol 12427. Springer, Cham. https://doi.org/10.1007/978-3-030-60152-2_38

  • DOI: https://doi.org/10.1007/978-3-030-60152-2_38

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-60151-5

  • Online ISBN: 978-3-030-60152-2

  • eBook Packages: Computer Science (R0)
