Organisational security culture: Extending the end-user perspective

doi:10.1016/j.cose.2006.10.008

Computers & Security

Volume 26, Issue 1, February 2007, Pages 56-62

https://doi.org/10.1016/j.cose.2006.10.008 Get rights and content

Abstract

The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how they relate specifically to security culture based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end-users perspective.

Introduction

It was not until the start of this century that researchers first began to recognise that an organisation's security culture might be an important factor in maintaining an adequate level of information systems security in that organisation (Schwarzwalder, 1999, Breidenbach, 2000, Von Solms, 2000, Andress and Fonseca, 2000, Beynon, 2001). None of these authors, however, presented a clear definition of what they meant with “a security culture”, nor were there any clear views on how to create this organisational culture to support security.

In the last few years, research in this new area of (information) security culture has been expanding rapidly. Unfortunately, a lot of this research still has a limited focus and often only concentrates on the attitudes and behaviour of end-users as well as on how management can influence these aspects of security culture to improve the end-user's adherence to security policies (Schlienger and Teufel, 2002, Ngo et al., 2005). Schlienger and Teufel (2003) more or less defines security culture as “all socio-cultural measures that support technical security measures”, which not only limits its focus to a small sub-dimension of information security, but also enforces the old belief that information security is mostly a technical problem. Information security is, in general, a management problem and the security culture reflects how management handles this problem. Subsequently, we will argue that technical security measures and security policies will often need to be (re)designed to support an organisation's security culture.

In this paper we propose that security policy development is just one of the areas that will be influenced by an organisation's culture. Nosworthy (2000), for instance, states that an organisation's culture has a strong influence on organisational security, as it may ‘hinder change’. Borck (2000) states that ‘beyond deploying the latest technology, effective security must involve the corporate culture as well’. There is strong suggestion from the literature that the study of security culture cannot be carried out in isolation of wider organisational culture. For example, in their review of organisational behavioural studies, Mowday and Sutton (1993) point out that contextual factors play a significant role in influencing individual and group behaviours within organisations. The contextual factors here often reflect the organisation's culture.

In the following sections we will describe how we used Detert et al.'s (2000) framework of eight ‘overarching, descriptive culture dimensions’ to explore the security culture within quite a few organisations with vastly different levels of security. As several of these case studies have been published previously (Shedden et al., 2006, Maynard and Ruighaver, 2006, Koh et al., 2005, Tan et al., 2003, Chia et al., 2003, Chia et al., 2002), we will concentrate on the resulting insights that these case studies have given us into each of these dimensions of an organisational security culture.

Section snippets

Exploring organisational security culture

Our initial research in organisational security culture adopted a framework with eight dimensions from Detert et al. (2000). Detert et al. (2000) synthesised the general dimensions of organisational culture using current organisational culture research on areas such as Organisational Culture and Leadership (Schein, 1992), Competing Values (Cameron and Freeman, 1991) and Organisational Culture Profile (Klein et al., 1995). Detert et al. (2000) illustrate their framework by linking it to a set of

Interpreting organisational security culture

In the remainder of this paper we give our current views of what the important aspects are of security culture for each of these dimensions. These views have been constructed over a number of years and have been influenced by the case studies the authors have completed in various aspects of security including governance and security culture (Shedden et al., 2006, Maynard and Ruighaver, 2006, Koh et al., 2005, Tan et al., 2003, Chia et al., 2003, Chia et al., 2002). In some of the case studies,

Conclusion

While there has been an abundance of research in the area of organisational security and how it should be improved, most only focus on certain aspects of security and not how these aspects should be assimilated (or integrated or taken into account) into an organisation's culture. Even our own research in security culture initially had a clear bias to end-user issues. However, the broad culture framework we adopted from organisational culture research has ensured that we not only recognised this

Tobias Ruighaver is a Senior Lecturer and Head of the Organisational Information Security Group in the Department of Information Systems at the University of Melbourne. His research interests are in the areas of Intrusion Detection, Forensic Investigations, Information Security Risk Assessment, Security Governance, and Security Culture.

References (33)

O. Lau
The ten commandments of security
Computers and Security
(1998)
J. Nosworthy
Implementing information security in the 21st Century – do you have the balancing factors?
Computers and Security
(2000)
B. Von Solms
Information security – the third wave?
Computers and Security
(2000)
M. Andress et al.
Manage people to protect data
InfoWorld
(2000)
E.H. Baker et al.
Dysfunctional organisational control mechanisms: an example
Journal of Applied Management Studies
(1999)
D. Beynon
Talking heads
Computerworld
(2001)
J. Borck
Advice for a secure enterprise: implement the basics and see that everyone uses them
InfoWorld
(2000)
S. Breidenbach
How secure are you?
Information Week
(2000)
S.L. Brown et al.
Competing on the edge: strategy as structured chaos
(1998)
K. Cameron et al.
Cultural congruence, strength and type: relationships to effectiveness
Research in Organisational Change and Development
(1991)

Chia P, Maynard S, Ruighaver AB. Understanding organisational security culture. In: Sixth pacific Asia conference on...

P. Chia et al.

Understanding organisational security culture

Clark-Dickson P. Alarmed and dangerous; 2001 [e-Access March...

P. Connolly

Security starts from within

InfoWorld

(2000)

J. Detert et al.

A framework for linking culture and improvement initiatives in organisations

The Academy of Management Review

(2000)

R. Eisenberger et al.

The detrimental effects of reward: myth or reality?

American Psychologist

(1996)

Cited by (141)

Employees' intentions toward complying with information security controls in Saudi Arabia's public organisations
2022, Government Information Quarterly
Citation Excerpt :
In addition, enhancing motivational factors would contribute to achieving a high level of information security awareness (Alshaikh et al., 2018), which leads to a strong information security culture within an organisation. Several researchers stated that a proper motivation mechanism is an essential part of the information security culture for encouraging individuals to protect the organisation's assets and information (Dojkovski et al., 2010; Ruighaver et al., 2007; Ruighaver & Maynard, 2006). This requires the organisation's management to periodically evaluate its motivation mechanism in order to detect which factors impact employees' values and determine the best method for motivating them to comply with information security controls.
Ensuring employees' compliance with information security controls is a major challenge experienced by the management of information security in organisations. While the investment in information security has been increased recently, many organisations around the world have failed to avoid security threats and data breaches because of noncompliant employees. This study proposes a model to explore employees' differences and identifies the factors that can shape their perceptions and intentions toward compliance. The model was examined and validated in a Saudi Arabian government organisation using partial least square structural equation modelling. The results of this study support the validity of the research model and disclose the factors that have a significant influence on employees' intentions toward compliance, particularly in Saudi Arabia's public organisations. To the best of our knowledge, this is the first study to investigate employees' perceptions and intentions toward complying with information security controls in public organisations across all regions of Saudi Arabia. The study contributes to the information security management domain in terms of the model's validity, which can be used to explore the influence of the identified factors on employees' perceptions and intentions toward complying with information security controls in different cultural and environmental contexts.
Organizational and team culture as antecedents of protection motivation among IT employees
2022, Computers and Security
The rapid development of technology and information systems has led to higher information security-related issues in an organization. The age of remote working (i.e., telecommuting) has further increased information security related incidents that need to be adequately addressed. This paper extends the protection motivation theory by drawing insights from organizational and institutional theory literature to examine how organizational culture and subcultures such as team culture impact information security compliance. The primary objective of this study is to understand the impact of the dimensions of organizational culture and team culture on employees' perceived threats and coping motivation associated with information security compliance. The study applied structural equation modeling to analyze survey responses of 341 IT employees in the United States. The result of the study indicates that both organization and team culture impacts employees' perception to appraise threat and coping, which in turn impacts behavioral intention to comply with information security policies. The findings of this study contribute to the information security compliance research by demonstrating the importance of developing an information security culture within an organization and its subgroups.
What influences employees to follow security policies?
2022, Safety Science
Data and information play a critical role in cyber security policies in organizations, so it is essential to protect them. Companies invest in the latest and most secured softwares, and specialized IT employees to protect the firm’s data and information. Nevertheless, there are still incidents and huge losses of information because of the careless behaviour of the employees. Companies continue to spend considerable sums on security and yet remain in danger of attacks. By combining the value of congruence model (VC), the theory of planned behaviour model (TPB), and security conscious care behaviour we show that security behaviour can be influenced through effortless and low-cost measures that are a very advantageous solution for companies to protect their assets. With a sample of 193 respondents we demonstrate that companies need only to keep their employees motivated, happy, and satisfied in order to encourage them to adhere to the cyber security policies already in place. We show that information security awareness moderates the relationship between subjective norms and behaviour intention, and that job satisfaction moderates the relationship between behaviour intention and security behaviour. We show practical and theoretical implications based on our conclusions.
Enhancing End-User Roles in Information Security: Exploring the Setting, Situation, and Identity
2021, Computers and Security
Citation Excerpt :
Indeed, a rich body of work exists that defines organizational security culture (Van Niekerk and Von Solms, 2010), highlighting the structures that come together to form the security culture in organizations (Cram et al., 2017; Furnell, 2008; Furnell and Clarke, 2012; Mishra and Dhillon, 2006). Researchers have also argued for the importance of a management focus in developing a viable security culture (Ruighaver et al., 2007), including the importance of security culture in setting the tone in the organization (da Veiga et al., 2020). The literature has benefited from progress made in how security culture is defined, case study analysis (Da Veiga and Martins, 2015), and empirical work that examines the influence of security culture on security compliance (D'Arcy and Greene, 2014).
Managing employee behaviors is a continuous quest for management. The quest is even more intense in the information security space, where a seemingly unintentional activity could have a consequential effect on an organization's security. The information security literature has used many theoretical approaches to explain how to regulate employee security behaviors, including protection motivation and deterrence. However, a theoretical approach that has captured the focus in organizational literature for behavioral regulation and yet to be realized in the information security domain is work-related identities. Work-related identity regulation depends on settings and situations in which the individual is embedded. This study draws from the identity theory and information security literature to explore how factors in the information security setting (security threats, security policy, and organizational support) help foment work-related information security identity and security behaviors. Our findings show that these factors significantly increase the user's identification in their roles in information security, and in turn, security behaviors. This research has implications for research and practice.
Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management
2021, Technological Forecasting and Social Change
Cybersecurity is a serious issue that many organizations face these days. Therefore, cybersecurity management is very important for any organization. Organizations should learn to deal with these cyber threats through effective management across all business functions. The main purpose of this study is to identify the factors that affect cybersecurity within an organization and analyze relationships among these factors. The modified total interpretive structural modeling (M-TISM) technique is used to build a hierarchical model and define the common interactions between the factors. This study presents the impact of collaboration, training, resources and capabilities, information flow, technology awareness, and technological infrastructure on effective cybersecurity management. In addition, the study also explains the interrelationships among the identified factors in the M-TISM model.
Information security cultural differences among health care facilities in Indonesia
2021, Heliyon
Health information security (IS) breaches are increasing with the use of information technology for health care services, and a strong security culture is important for driving employees' information asset protection behavior.
This study aimed to analyze differences in information security cultures (ISCs) across health care providers based on factors drawn from the ISC model.
We used twelve factors to measure the ISCs of health care providers. This research applied a survey method with the Kruskal–Wallis H Test and the Mann–Whitney U Test as data analysis techniques. We collected the data through a questionnaire distributed to 470 employees of health care facilities (i.e. hospitals, community health centers, and primary care clinics) in Indonesia.
The results revealed the differences between health care provider types for 9 of the 12 security culture factors. Top management support, change management, and knowledge were the differentiating factors between all types of health care providers. Organizational culture and security compliance only differed in primary care clinics. Meanwhile, security behavior, soft issues and workplace independence, information security policies, training, and awareness only differed in hospitals.
The results indicated that each type of health care provider required different approaches to develop an ISC considering the above factors. They provided insight for top management to design suitable programs for cultivating ISCs in their institutions.

View all citing articles on Scopus

Sean Maynard is a lecturer in the Department of Information Systems at the University of Melbourne. His primary research areas are in the area of information systems security, in particular focusing on the Evaluation of Security Policy Quality and on the investigation of Security Culture within organisations. He has also conducted research into the Evaluation of Decision Support Systems, and on early research in the use of computing technology to aid senior management (EIS).

Shanton Chang is a lecturer in Change Management and Social Impacts of Information Systems at the Department of Information Systems, University of Melbourne. He completed his Ph.D. in Managing Multicultural Workforces at Monash University. His current primary areas of research include the Social Aspects of Broadband Technology Adoption and Appropriation, Online Behaviour and Online Prosumers, and the Relationship between Cultures and Information Technology.

View full text

Organisational security culture: Extending the end-user perspective

Abstract

Introduction

Section snippets

Exploring organisational security culture

Interpreting organisational security culture

Conclusion

Computers and Security

Computers and Security

Computers and Security

Manage people to protect data

InfoWorld

Dysfunctional organisational control mechanisms: an example

Journal of Applied Management Studies

Talking heads

Computerworld

Advice for a secure enterprise: implement the basics and see that everyone uses them

InfoWorld

How secure are you?

Information Week

Competing on the edge: strategy as structured chaos

Cultural congruence, strength and type: relationships to effectiveness

Research in Organisational Change and Development

Understanding organisational security culture

Security starts from within

InfoWorld

A framework for linking culture and improvement initiatives in organisations

The Academy of Management Review

The detrimental effects of reward: myth or reality?

American Psychologist