A framework and assessment instrument for information security culture

Computers and Security

Volumn 29, Issue 2, 2010, Pages 196-207

  Da Veiga, A ^a   Eloff, J H P ^a  

^a UNIVERSITY OF PRETORIA   (South Africa)

Author keywords

Assessment instrument; Framework; Human; Information security culture; Measure; Organisational behaviour; Organisational culture

Indexed keywords

ASSESSMENT INSTRUMENTS; EMPIRICAL STUDIES; INFORMATION ASSETS; INFORMATION SECURITY; MISBEHAVIOUR; ORGANISATIONAL BEHAVIOUR; ORGANISATIONAL CULTURE; SECURITY-AWARE;

MANAGEMENT; PERSONNEL;

NETWORK SECURITY;

EID: 74449092722     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2009.09.002     Document Type: Article

References (64)

1. Albrechtsen E. A qualitative study of users' views on information security. Computers and Security 26 (2007) 276-289
2. Andric M. Fighting the enemy within. IT WEB Special Report, vol. 95; April 2007. p. 54.
3. Baggett W.O. Creating a culture of security. The Internal Auditor 3 60 (2003) 37-41
4. Berry M.L., and Houston J.P. Psychology at work (1993), Brown and Benchmark, Wisconsin
5. Borck J.R. Enterprise strategies: advice for a secure enterprise: implement the basics and see that everyone uses them. InfoWorld 22 46 (2000) November
6. Brewerton P., and Millward L. Organizational research methods (2001), Sage, London
7. Cardinali R. Reinforcing our moral vision: examining the relationship between unethical behaviour and computer crime. Work Study 44 8 (1995) 11-18
8. COBIT security baseline - an information security survival kit (2004), IT Governance Institute, USA
9. Concise oxford dictionary, the (1983), Clarendon Press, Oxford
10. Connolly P.J. Security starts from within. InfoWorld 22 28 (2000) 39-40
11. Da Veiga A., and Eloff J.H.P. An information security governance framework. Information Systems Management 24 4 (2007)
12. Da Veiga A., Martins N., and Eloff J.H.P. Information security culture - validation of an assessment instrument. Southern African Business Review 11 1 (2007) 146-166
13. Detert J.R., Schroeder J., and Mauriel A. Framework for linking culture and improvement initiatives in organisations. The Academy of Management Review 25 4 (2000) 850-863
14. Dhillon G. Managing information system security (1997), Great Britain, MacMillan
15. Dillon W.R., Madden T.J., and Firtle N.H. Essentials of marketing research (1993), IL IRWIN, Boston
16. Furnell S. Malicious or misinformed? Exploring a contributor to the insider threat. Computer Fraud and Security 9 (2006) 8-12
17. Eloff J.H.P., and Eloff M. Integrated Information Security Architecture. Computer Fraud and Security 11 (2005) 10-16
18. Furnell S. IFIP workshop - information security culture. Computers and Security 26 (2007) 35
19. Furnham A, Gunter B. Corporate assessment: auditing a company's personality. London: Routledge.
20. Grant R. Building a strong security culture. Retrieved online on 16 January 2006 from (2005). http://www.citec.com.au/news/featureNews/2005/April/security_culture.sht ml?rate
21. Hellriegel D., Slocum Jr. J.W., and Woodman R.W. Organizational behavior. Eighth edition (1998), South-Western College Publishing
22. Helokunnas T., and Iivonen I. Information security culture in small and medium-sized enterprises. Retrieved online on 16 January 2006 from (2004). http://64.233.161.104/search?q=cache:BQkgIbn4EawJ:www.ebrc.info/kuvat/20 34.pdf+information%2Bsecurity%2Bculture&;hl=en
23. Information Security Forum. Information Security Culture - A preliminary investigation. s.l. 2000.
24. ISO/IEC 27002:2005. Information technology. Security techniques. Code of practice for information security management; 2005.
25. Kraemer S., Carayon P., and Clem J.F. Characterising violations in computer and information security systems. Retrieved online on 20 June 2007 from (2006). http://cqpi2.engr,wisc.edu/cis/docs/skiea2006.pdf
26. Kraemer S., and Carayon P. Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics 38 (2007) 143-154
27. Kraut A.I. Organizational surveys (1996), Jossey-Bass, San Francisco
28. Kreitner R., and Kinicki A. Organizational behavior (1995), IRWIN Inc, Chicago
29. Krejcie R.V., and Daryle M.W. Determining sample size for research activities. Educational and Psychological Measurement 1970 30 (1970) 607-610
30. Kruger H.A., and Kearney W.D. A prototype for assessing information security awareness. Computers and Security 25 (2006) 289-296
31. Le Grand C., and Ozier W. Information Security Management Elements. Retrieved online on 20 March 2000 from (2000). http://www.itaudit.org/forum/auditcontrol/f305ac.htm
32. Lundy O., and Cowling A. Strategic human resource management (1996), Routledge, London
33. Magklaras G.B., and Furnell S.M. A preliminary model of end user sophistication for insider threat prediction in IT systems. Computers and Security 25 (2006) 27-35
34. Martins A., and Eloff J.H.P. Information security culture. IFIP/SEC2002. Security in the information society (2002), Kluwer Academic, Boston 203-214
35. Martins EC. Die invloed van organisasiekultuur op kreatiwiteit en innovasie in 'n universiteitbiblioteek. Pretoria: Universiteit van Suid Afrika; 2000 (M.Com thesis).
36. Martins A. Information security culture. Master's dissertation. Johannesburg: Rand Afrikaans University; 2002.
37. McIlwrath A. Information security and employee behaviour (2006), Gower, England
38. The promotion of a culture of security for information systems and networks in OECD countries (OECD), DSTI/ICCP/REG. 1/FINAL. 2005. Retrieved online on 30 August 2006 from (2005). http://www.oecd.org/document/42/0,2340, en_2649_34255_15582250_1_1_1_1,00.html
39. PriceWaterhouseCoopers. Information security breaches survey. Retrieved online on 12 March 2005 from (2004). http://www.dti.gov.uk/industry_files/pdf/isbs_2004v3.pdf
40. Puhakainen P. A design theory for information security awareness. Retrieved online on 31 July 2008 from (2006). http://herkules.oulu.fi/isbn9514281144/isbn9514281144.pdf
41. Robbins S.P. Organisational behaviour. 5th ed. (1997), Prentice Hall, New Jersey
42. Robbins S. Organisational behaviour. 9th ed. (2001), Prentice Hall, New Jersey
43. Robbins S., Odendaal A., and Roodt G. Organisational behaviour - global and southern African perspectives (2003), Pearson Education South Africa, Cape Town
44. Ruighaver A.B., Maynard S.B., and Chang S. Organisational security culture: extending the end-user perspective. Computers and Security 2007 26 (2006) 56-62
45. Schein E.H. Organizational culture and leadership (1985), Jossey-Bass, San Francisco
46. Schermelleh-Engel K., Moosbrugger H., and Muller H. Evaluating the fit of structural equation models: test of significance and descriptive goodness-of-fit measures. Methods of Psychological Research Online 8 2 (2003) 23-74
47. Schlienger T, Teufel S. Tool supported management of information security culture. In: 20th IFIP international information security conference. Makuhari-Messe, Chiba, Japan; 2005.
48. Siponen M, Pahnila S, Mahmood A. Employees' adherence to information security policies: an empirical study. In Proceedings of new approaches to security, privacy and trust in complex environments, FIP/SEC2007. Sandton, South Africa; 2007. pp. 133-44.
49. Stanton J.M., Stam K.R., Mastrangelo P., and Jolton J. Analysis of end user security behaviours. Computers and Security 2005 24 (2005) 124-133
50. Stewart J.N. Establishing an organization's security culture - part II. Retrieved online on 30 August 2006 from (2006). http://www.cisco.com/web/about/security/intelligence/05_08_security-cult ure_II.html
51. Straub D.W. Effective IS security: an empirical study. Information Systems Research 1 3 (1990) 255-276
52. Straub D., Boudreau M., and Gefen D. Validation guidelines for IS positivist research. Communications of the Association for Information Systems 13 24 (2004) 380-427
53. Survey tracker. Retrieved online on 23 January 2008 from (2008). http://www.surveytracker.com
54. Tudor J.K. Information security architecture - an integrated approach to security in an organisation (2000), Auerbach, London
55. Van der Merwe P., and Cantale S. Cyber-baddies make jay as CIOs snooze. Brainstorm 6 9 (2007) 59-66
56. Van Niekerk J., and Von Solms R. A holistic framework for the fostering of an information security sub-culture in organizations. Information Security South Africa - Proceedings of ISSA 2005, 4th Annual Information Security South Africa Conference. South Africa. Retrieved online on 16 March 2008 from (2005). http://icsa.cs.up.ac.za/issa/2005/Proceedings/Full/041_Article.pdf
57. Verizon. Data breach investigations report. Retrieved online on 9 July 2009 from (2009). http://www.verizonbusiness.com/resources/security/reports/2009databreach rp.pdf
58. Vroom C., and Von Solms R. Towards information security behavioural compliance. Computers and Security 23 3 (2004) 191-198
59. Walton R.W.C.B., and Walton-Mackenzie Limited. Balancing the insider and outsider threat. Computer Fraud and Security 2006 11 (2006) 8-11
60. Whitman M.E., and Mattord H.K. Principles of information security (2003), Kennesaw State University: Thomson Course Technology
61. Woon IMY, Tan GW, Low RT. A protection motivation theory approach to home wireless security. In Proceedings of the 26th international conference on information systems, Las Vegas; 2005. pp. 367-80.
62. Workman M, Bommer WH, Straub D. Security lapses and the omission of information security measures: A threat control model and empirical test, computers in human behaviour, Article in press - corrected proof. Retrieved online on 31 July 2008 from http://www.sciencedirect.com.
63. Yeats D., and Cadle J. Project management for information systems. 2nd ed. (1996), Pearson Professional, London
64. Zakaria O, Gani A. A conceptual checklist of information security culture. In: Proceedings of the 2nd European conference on information warfare and security, Reading, UK; 2003.