Abstract
Creating a good information security culture among employees within organizations is the cornerstone for a safe and robust cyberspace. Furthermore, a strong information security culture within organizations will assist in reducing the effects of human habits that lead to data breaches. This article seeks to conduct a scoping review of the scholarly literature on Cyber Resilience for Development (Cyber4Dev) security culture within the context of African countries. With limited scholarly articles available for Cyber4Dev, the review will focus on information security culture to adapt it to a Cyber4Dev security culture that organizations in Africa can replicate. Using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) for the scoping review, this paper analysed 40 scholarly articles on information security culture to propose a Cyber4Dev security culture model for organizations applicable within an African context. Economic, social-cultural and trust factors were identified as some of the factors to consider in an African context to promote an information security culture. Organisations can consider these factors as part of their information security programs. The model serves as a reference for further research to explore the influence of the identified factors in an African context.
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Reppoh, V., da Veiga, A. (2022). Cyber4Dev Security Culture Model for African Countries. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_13
DOI: https://doi.org/10.1007/978-3-031-12172-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-12171-5
Online ISBN: 978-3-031-12172-2
eBook Packages: Computer Science, Computer Science (R0)