Information security culture and information protection culture: A validated assessment instrument

Abstract

A strong information protection culture is required in organisations where the confidentiality, sensitivity and privacy of information are understood and handled accordingly. This is necessary to reduce the risk of human behaviour to the protection of information as well as to uphold privacy requirements from a regulatory perspective. This research explores the concept of an information security culture and how information privacy can be incorporated to define an information protection culture. Next, the researchers explain information attributes relating to information security and information privacy to derive information attributes that can be considered when referring to an information protection culture. The information attributes are used to evaluate an existing information security culture assessment instrument that can potentially be used to assess an information protection culture. The research reveals that the information security culture assessment (ISCA) instrument can be used, but that it can be further improved by incorporating additional privacy concepts. An information protection culture assessment (IPCA) is conducted as part of a case study in an organisation. This allowed for a factor and reliability analysis to validate the IPCA. The analysis indicated that the IPCA is valid and reliable when grouping the items into the newly identified factors, but can further be enhanced by aligning it to information privacy attributes.