Information Security Culture: A Comparative Analysis of Four Assessments

Abstract

An Information Security Culture Assessment (ISCA) aids in identifying what components an organisation needs to enhance or impede to improve the protection of the organisation's information. The objective of the ISCA, developed in previous research by the authors, is to assess the current information security culture level in organisations using a survey approach. This paper discusses a case study of one of the international financial institutions where the ISCA was conducted four times over a period of eight years, across twelve countries. The research indicated that the information security culture improved from one assessment to the next, with the most positive results obtained in 2013. The Group Information Security Officer concentrated on training as the main improvement action in each country, in line with the recommendations of each assessment. It was found that the results of employees who received prior information security training were significantly more positive than those of employees who did not. The overall information security culture, from a dimensional and biographical perspective, also improved from one assessment to the next. The output of the ISCA can aid management in directing and prioritising information security awareness and training in terms of topics and biographical groups in the organisation. It provides insight into an approach that organisations can consider to address the risk to the protection of information, from an employee perspective. The trends identified in the case study also aid in understanding how an adequate information security culture can be inculcated in an organisation.