The Influence of Information Security Policies on Information Security Culture: Illustrated through a case study

Abstract

An information security-positive culture is required in organisations where employees process information in line with its confidentiality, sensitivity and privacy requirements. The information security policy serves as a critical cornerstone in guiding employee behaviour to direct the protection of information. Employees must be aware of and understand the information security policy requirements they have to abide by in order to process information securely and thereby contribute to an information security-positive culture. This study outlines a case study over eight years in which empirical research was conducted to examine the level of information security culture between employees who had read the information security policy and employees who had not read the policy. It was found that the overall information security culture average scores were significantly more positive for employees who read the information security policy when compared with employees who had not, illustrating the positive impact of the policy on the information security culture in the context of an Information Security Culture Assessment (ISCA). The study confirms theoretical research stating the importance of information security policies as part of an information security programme and the governance of information to instil an information security positive culture.