Improving the information security culture through monitoring and implementation actions illustrated through a case study

Computers and Security

Volumn 49, Issue , 2015, Pages 162-176

  Da Veiga, Adéle ^a   Martins, Nico ^a  

^a UNIVERSITY OF SOUTH AFRICA   (South Africa)

Author keywords

Assessment; Awareness; Benchmark; Comparative analysis; Human element; Information security culture; Monitoring; Survey; Training

Indexed keywords

BENCHMARKING; MOBILE SECURITY; MONITORING; MULTIVARIANT ANALYSIS; PERSONNEL TRAINING; REGULATORY COMPLIANCE; SURVEYING;

ASSESSMENT; AWARENESS; COMPARATIVE ANALYSIS; HUMAN ELEMENT; INFORMATION SECURITY CULTURES;

SECURITY OF DATA;

EID: 84925656546     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2014.12.006     Document Type: Article

References (62)

1. E. Albrechtsen, and J. Hovden Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study Comput Secur 29 2010 432 445
2. D. Ashenden Information security management: a human challenge? Inf Secur Tech Rep 13 2008 195 201
3. D. Ashenden, and A. Sasse CISOs and organisational culture: their own worst enemy? Comput Secur 39 2013 396 405
4. M.L. Berry, and J.P. Houston Psychology at work 1993 Brown and Benchmark Publishers Wisconsin
5. P. Brewerton, and L. Millward Organizational research methods 2001 Sage Publications London
6. R.E. Crossler, A.C. Johnston, P.B. Lowry, Q. Hud, M. Warkentin, and R. Baskerville Future directions for behavioral information security Comput Secur 32 2013 90 101
7. A. Da Veiga, and J.H.P. Eloff An information security governance framework Inf Syst Manag 24 4 2007 361 372
8. A. Da Veiga, and J.H.P. Eloff A framework and assessment instrument for Information Security Culture Comput Secur 29 2010 196 207
9. A. Da Veiga, N. Martins, and J.H.P. Eloff Information security culture - validation of an assessment instrument South Afr Bus Rev 11 1 2007 147 166
10. W.R. Dillon, J.T. Madden, and N.H. Firtle Essentials of marketing research 1993 IRWIN Boston
11. S. Dojkovski, S. Lichtenstein, and M.J. Warren Fostering information security culture in small and medium size enterprises: an interpretive study in Australia ECIS 2007 Proceedings 2007 Paper 120, from http://aisel.aisnet.org/ecis2007/120
12. L. Drevin, H.A. Kruger, and T. Steyn Value-focused assessment of ICT security awareness in an academic environment Comput Secur 26 2007 36 43
13. W.R. Flores, E. Antonsen, and M. Ekstedt Information security knowledge sharing in organizations: investigating the effect of behavioral information security governance and national culture Comput Secur 43 2014 90 110
14. S. Furnell, and N. Clarke Power to the people? the evolving recognition of human aspects of security Comput Secur 31 2012 983 988
15. S. Furnell, and A. Rajendran Understanding the influences on information security behavior Comput Fraud Secur 2012; March 12 15
16. S. Furnell, and K. Thomson From culture to disobedience: recognising the varying user acceptance of IT security Comput Fraud Secur Feb 2009 5 10
17. N. Gaunt Practical approaches to creating a security culture Int J Med Inform 60 2 2000 151 157
18. T. Herath, and H.R. Rao Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness Decis Support Syst 47 2009 154 165
19. R. Herold Managing an information security and privacy awareness and training program 2nd ed. 2011 CRC Press Boca Rotan
20. G. Hofstede Culture's Consequences: International differences in work-related values 1980 Sage Publications Beverley Hills
21. D.C. Howell Fundamental statistics for the behavioral science 3rd ed. 1995 Wadsworth Inc California
22. P. Ifinedo Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition Inf Manag 51 2014 69 79
23. ISF (Information Security Forum) Information security culture - a preliminary investigation s.l 2000
24. ISO/IEC 27002:2013 Information technology - security techniques - code of practice for information security management 2013
25. M. Kajzer, J. D'Arcy, C.R. Crowell, A. Striegel, and D. Van Bruggen An exploratory investigation of message person congruence in information security awareness campaigns Comput Secur 43 2014 64 76
26. S. Kraemer, P. Carayon, and J. Clem Human and organizational factors in computer and information security: pathways to vulnerabilities Comput Secur 28 2009 509 520
27. R.V. Krejcie, and D.W. Morgan Determining sample size for research activities Educ Psychol Meas 30 1970 607 610
28. E. Kritzinger, and E. Smith Information security management: an information security retrieval and awareness model for industry Comput Secur 27 2008 224 231
29. R. Kuusisto, and I. Ilvonen Information security culture in small and medium-sized enterprises Front E-business Res 2003 from http://www.academia.edu/1075891/Information-security-culture-in-small-and-medium-size-enterprises
30. A. Martins Information security culture (M.Com thesis) 2002 Rand Afrikaans University Johannesburg
31. A. Martins, and J.H.P. Eloff Information security culture IFIP/SEC2002, in Security in the information society 2002 Kluwer Academic Boston 203 214
32. N. Martins, and E. Martins Organisational culture S.P. Robbins, A. Odendaal, G. Roodt, Organisational behaviour global and Southern African perspectives 2003 Pearson Education South Africa Cape Town
33. J.D. Nosworthy Implementing information security in the 21st century - do you have the balancing factors? Comput Secur 19 4 2000 337 347
34. OECD (Organisation for Economic Cooperation and Development) The promotion of a culture of security for information systems and networks in OECD countries 2005 from www.oecd.org/document/42/0,2340,en-2649-34255-15582250-1-1-1-1,00.html
35. Oxford. See the Concise Oxford Dictionary.
36. K. Padayachee Taxonomy of compliant information security behavior Comput Secur 31 2012 673 680
37. K. Parsons, A. McCormac, M. Butavicius, and L. Ferguson Command human factors and information Security: individual, culture and security environment 2010 Control, Communications and Intelligence Division. Defence Science and Technology Organisation
38. K. Parsons, A. McCormac, M. Butavicius, M. Pattinson, and C. Jerram Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q) Comput Secur 42 2014 165 176
39. Ponemon Institute Independently Conducted by Ponemone Institute LLC. Cost of data breach study: global analysis benchmark research sponsored by Symantec 2013 from http://www.symantec.com/about/news/resources/press-kits/detail.jsp?pkid=ponemon-2013
40. PricewaterhouseCoopers (PwC) The global state of information security survey 2014 from http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
41. Y. Rezgui, and A. Marks Information security awareness in higher education: an exploratory study Comput Secur 27 2008 241 253
42. A.B. Ruighaver, and S. Maynard Organizational security culture: more than just an end-user phenomenon Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIP/SEC 2006); Karlstad, Sweden 2006 425 430
43. E.H. Schein Organizational culture and leadership 1985 Jossey-Bass San Francisco
44. T. Schlienger, and S. Teufel Information security culture. In security in the Information Society IFIP/SEC2002 2002 Kluwer Academic Boston 191 201
45. T. Schlienger, and S. Teufel Tool supported management of information security culture IFIP International Information Security Conference (20th: 2005: Makuhari-Messe, Chiba). Japan 2005
46. M. Siponen, S. Pahnila, and A. Mahmood Employees' adherence to information security policies: an empirical study Proceedings of New Approaches to Security, Privacy and Trust in Complex Environments. Sandton, South Africa: FIP/SEC2007 2007 133 144
47. SPSS Statistics SPSS version 21.0 for Microsoft Windows platform 2012 SPSS Inc; Chicago
48. SPSS version 22 2013 IBM Software Group, ATTN Licensing, 200 W. Madison St. Chicago, IL; 60606, U.S.A
49. J.M. Stanton, K.R. Stama, P. Mastrangelob, and J. Joltonb Analysis of end user security behaviors Comput Secur 24 2005 124 133
50. D.W. Straub Effective IS security: an empirical study Inf Syst Res 1 1990 255 276
51. D. Straub, M. Boudreau, and D. Gefen Validation guidelines for IS positivist research Commun Assoc Inf Syst 13 24 2004 380 427
52. Survey tracker 2014 Training Technologies Inc from https://www.surveytracker.com/
53. The Concise Oxford Dictionary 1983 Clarendon Press Oxford 2005
54. K. Thomson, and R. Von Solms Information security obedience: a definition Comput Secur 24 1 2005 69 75
55. K. Thomson, R. Van Solms, and L. Louw Cultivating an organisational information security culture Comput Fraud Secur 2006; October 7 11
56. J. Van Niekerk, and R. Von Solms An holistic framework for the fostering of an information security sub-culture in organizations Information Security South Africa - Proceedings of ISSA 2005, 4th Annual Information Security South Africa Conference. South Africa 2005
57. J. Van Niekerk, and R. Von Solms Information security culture: a management perspective Comput Secur 29 2010 476 486
58. J. Van Niekerk, and R. Von Solms Understanding information security culture: a conceptual framework Information Security South Africa - Proceedings of ISSA 2006, 5th Annual Information Security South Africa Conference. South Africa 2006
59. R. Von Solms, and B. Von Solms From policies to culture Comput Secur 23 2004 275 279
60. C. Vroom, and R. Von Solms Towards information security behavioural compliance Comput Secur 23 3 2004 191 198
61. C.P.M. Wiley, and S.M. Brooks The high-performance organizational climate: how workers describe top-performing units N.M. Ashkanasy, C.P.M. Wilderom, M.F. Peterson, Handbook of organisational culture and climate 2000 Sage Publications California p117 192
62. O. Zakaria, and A. Gani A conceptual checklist of information security culture Proceedings of the 2nd European Conference on Information Warfare and Security. Reading, UK 2003