Towards an organizational culture framework for information security practices

Strategic and Practical Approaches for Information Security Governance: Technologies and Applied Solutions

Volumn , Issue , 2012, Pages 296-315

  Lim, Joo Soon ^a   Chang, Shanton ^a   Ahmad, Atif ^a,b   Maynard, Sean ^a  

^a UNIVERSITY OF MELBOURNE   (Australia)

^b EDITH COWAN UNIVERSITY   (Australia)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84898347739     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.4018/978-1-4666-0197-0.ch017     Document Type: Chapter

References (58)

1. Adams, A., & Sasse, M. A. (1999). Users are not the enemy: Why users compromise computer security mechanisms and how to take remedial measures. Communications of the ACM, 42(12), 41-46.
2. Briggs, R., Kolfschoten, G., Gert-Jan, V., & Douglas, D. (2006). Defining key concepts for collaboration engineering. In Americas Conference on Information Systems, AMCIS 2006 Proceedings, Acapulco, Mexico
3. Cameron, J., Pierce, W. D., Banko, K. M., & Gear, A. (2005). Achievement-based rewards and intrinsic motivation: A test of cognitive mediators. Journal of Educational Psychology, 97(4), 641-655. doi:10.1037/0022-0663.97.4.641
4. Cameron, K., & Freeman, S. (1991). Cultural congruence, strength and type: Relationships to effectiveness. Research in Organizational Change and Development, 5, 23-58.
5. Chang, S. E., & Lin, C. S. (2007). Exploring organizational culture for information security management. Industrial Management & Data Systems, 107(3), 438-458. doi:10.1108/02635570710734316
6. Chia, P. A., Maynard, S. B., & Ruighaver, A. B. (2002). Understanding organizational security culture. In Proceedings of PACIS 2002. Japan, 2002, Japan.
7. Deal, T. E., & Kennedy, A. A. (1982). Corporate culture. Reading, MA: Addison-Wesley.
8. Dean, J. W., & Bowen, D. E. (1994). Management theory and total quality: Improving research and practice through theory development. Academy of Management Review, 19, 392-418.
9. Deming, W. E. (1986). Out of the Crisis. Cambridge, MA: MIT Center for Advanced Engineering Study.
10. Denison, D. R. (1990). Corporate Culture and Organizational Effectiveness. New York. New York: Wiley.
11. Denison, D. R., & Mishra, A. (1995). Toward a theory of organizational culture and effectiveness. Organization Science, 6, 204-224. doi:10.1287/orsc.6.2.204
12. Detert, J. R., Schroeder, R. G., & Mauriel, J. J. (2000). A framework for linking culture and improvement initiatives in organisations. Academy of Management Review, 25(4), 850-863.
13. Dhillon, G. (1997). Managing Information System security. Houndmills, UK: Macmillan Press LTD.
14. Eisenhardt, K. M. (1989). Agency theory: An assessment and review. Academy of Management Review, 14(1), 57-74.
15. Fitzgerald, T. (2007). Building management commitment through security councils, or security council critical success factors. In Tipton, H. F. (Ed.), Information security management handbook (pp. 105-121). Hoboken, NJ: Auerbach Publications. doi:10.1201/9781439833032.ch10
16. Furnell, S., & Thompson, K. L. (2009). From culture to disobedience: Recognising the varying user acceptance of IT security. Computer Fraud & Security, 2, 5-10. doi:10.1016/S1361-3723(09)70019-3
17. Helokunnas, T., & Kuusisto, R. (2003). Information security culture in a value net. In Engineering Management Conference, 2003. IEMC'03. Managing Technologically Driven Organizations: The Human Side of Innovation and Change.
18. Hofstede, G., & Hofstede, G. N. (2005). Cultures and organisations: Software of the mind. New York, NY: McGraw-Hill.
19. Hofstede, G., Neuijen, B., Ohayv, D. D., & Sanders, G. (1990). Measuring organizational cultures: A qualitative and quantitative study across twenty cases. Administrative Science Quarterly, 35(2), 286-316. doi:10.2307/2393392
20. Klein, H. K., & Myers, M. D. (1999). A set of principles for conducting and evaluating interpretative field studies in Information Systems. Management Information Systems Quarterly, 23(1), 67-94. doi:10.2307/249410
21. Knapp, K. J., Marshall, T. E., Rainer, R. K., & Ford, F. N. (2006). Information security: Management's effect on culture and policy. Information and Computer Security, 14(1), 24-36. doi:10.1108/09685220610648355
22. Koh, K., Ruighaver, A. B., Maynard, S. B., & Ahmad, A. (2005). Security governance: Its impact on security culture. In Proceedings of the 3rd Australian Information Security Management Conference, Perth.
23. Kuusisto, R., Nyberg, K., & Virtanen, T. (2004). Unite security culture: May a unified security culture be plausible. In Proceedings of the 3rd European Conference on Information Warfare and Security, Royal Holloway, University of London, UK.
24. LaRose, R., Rifon, N. J., & Enbody, R. (2008). Promoting personal responsibility for Internet safety. Communications of the ACM, 51(3), 71-76. doi:10.1145/1325555.1325569
25. Lim, J. S., Ahmad, A., Chang, S., & Maynard, S. B. (2010). Embedding information security culture - emerging concerns and challenges. 14th Pacific Asia Conference on Information Systems. Taipei, Taiwan.
26. Lim, J. S., Chang, S., Maynard, S. B., & Ahmad, A. (2009). Exploring the relationship between organizational culture and information security culture. In 7th Australian Information Security Management Conference, SECAU Security Congress 2009, Perth, Western Australia.
27. Martins, A., & Eloff, J. (2002). Information security culture. In IFIP TC11 International Conference on Information Security, Cairo, Egypt
28. Maynard, S. B., & Ruighaver, A. B. (2006). What makes a good information security policy: A preliminary framework for evaluating security policy quality. In Proceedings of the Fifth Annual Security Conference, Las Vegas, Nevada USA.
29. O'Reilly, C. A., Chatman, J. R., & Caldwell, D. F. (1991). People and organizational culture: A profile comparison approach to assessing personorganization fit. Academy of Management Journal, 34(3), 487-516. doi:10.2307/256404
30. OECD. (2002). OECD guidelines for the security of information systems and networks: Towards a culture of security. Recommendation of the OECD Council, 1037th Session on 25 July 2002.
31. OECD. (2005). The promotion of a culture of security for Information Systems and networks in OECD countries (16-December-2005). Retrieved 9 March 2009, from www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html
32. Ozkana, S., & Karabacaka, B. (2010). Collaborative risk method for information security management practices: A case context within Turkey. International Journal of Information Management, 30, 567-572. doi:10.1016/j.ijinfomgt.2010.08.007
33. Reynolds, P. D. (1986). Organizational culture as related to industry, position, and performance: A preminary report. Journal of Management Studies, 23(3), 333-345. doi:10.1111/j.1467-6486.1986. tb00958.x
34. Richardson, R. (2007). 2007 CSI computer crime & security survey. Retrieved 9 March, 2009, from http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
35. Robbins, S. P. (1989). Organizational behavior: Concepts, controversies, and applications (4th ed.). New Jersey: Prentice Hall.
36. Ruighaver, A. B., Maynard, S. B., & Chang, S. (2007). Organisational security culture: Extending the end-user perspective. Computers & Security, 26(1), 56-62. doi:10.1016/j.cose.2006.10.008
37. SANS. (2005). Developing a security-awareness culture. Improving security decision making, (pp. 1-22).
38. Saphier, J., & King, M. (1985). Good seeds grow in strong cultures. Educational Leadership, 43(6), 67-74.
39. Schein, E. H. (1992). Organizational culture and leadership. San Francisco, CA: Jossey-Bass.
40. Schlienger, T., & Teufel, S. (2002). Information security culture - The social-cultural dimension in information security management. In IFIP TC11 International Conference on Information Security, Cairo, Egypt.
41. Schlienger, T., & Teufel, S. (2003). Information security culture - From analysis to change.
42. Shedden, P., Ahmad, A., & Ruighaver, A. B. (2006). Risk management standard-The perception of ease of use. In Proceedings of the Fifth Annual Security Conference, Las Vegas, Nevada, USA.
43. Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46, 267-270. doi:10.1016/j.im.2008.12.007
44. Stan, S. (2007). Beyond information security awareness training: It is time to change the culture. In Tipton, H. F. (Ed.), Information security management handbook (pp. 555-565). Hoboken, NJ: Auerbach Publications.
45. Straub, D. W. (1986). Deterring computer abuse: The effectiveness of deterrent countermeasures in the computer security environment. Bloomington, IN: Indiana University School of Business.
46. Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. Management Information Systems Quarterly, 22(4), 441-469. doi:10.2307/249551
47. Tan, T. C., Ruighaver, A. B., & Ahmad, A. (2003). Incident handling: Where the need for planning is often not recognised.
48. Thomson, K., von Solms, R., & Louw, L. (2006). Cultivating an organizational information security culture. Computer Fraud & Security, (10): 7-11. doi:10.1016/S1361-3723(06)70430-4
49. Van Niekerk, J., & Von Solms, R. (2006). Understanding information security culture: A conceptual framework. Information Security South Africa. Johannesburg, South Africa: ISSA.
50. Veiga, A. D., & Eloff, J. H. P. (2009). A framework and assessment instrument for information security culture. Computers & Security, 29, 196-207. doi:10.1016/j.cose.2009.09.002
51. Von Solms, B. (2000). Information security --The third wave? Computers & Security, 19(7), 615-620. doi:10.1016/S0167-4048(00)07021-8
52. Von Solms, B. (2001). Information Security -- A multidimensional discipline. Computers & Security, 20(6), 504-508. doi:10.1016/S0167-4048(01)00608-3
53. Vroom, C., & von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191-198. doi:10.1016/j. cose.2004.01.012
54. Walsham, G. (1995). Interpretive case studies in IS research: Nature and method. European Journal of Information Systems, 4, 74-81. doi:10.1057/ejis.1995.9
55. Wood, C. C. (2000). Integrated approach includes information security. Security: For Buyers of Products. Systems & Services, 37(2), 43-44.
56. Workman, M., Bommer, W., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior.
57. Yin, R. K. (1994). Case study research: Design and methods (2nd ed.). Thousand Oaks, CA: Sage Publications.
58. Zakaria, O., & Gani, A. (2003). A conceptual checklist of information security culture. In 2nd European Conference on Information Warfare and Security, Reading, UK.