Institutional Repository

The Value of Using a Validated Information Security Culture

dc.contributor.author Martins, Nico
dc.contributor.author Da Veiga, Adele
dc.date.accessioned 2014-11-07T10:41:50Z
dc.date.available 2014-11-07T10:41:50Z
dc.date.issued 2014-09
dc.identifier.isbn 978‐1‐910309‐41‐4
dc.identifier.uri http://hdl.handle.net/10500/14350
dc.description.abstract It is crucial to understand the perceptions, attitudes and behaviour of an organisation’s employees in order to shape the information security culture into one in which the confidentiality and sensitivity of information are understood and handled accordingly. This can be done by conducting an Information Security Culture Assessment (ISCA). The key objective of ISCA is to reduce the risk that employee behaviour poses to the protection of information and to ultimately inculcate a compliance culture with fewer incidents. This paper reports on a case study in which the ISCA measurement instrument was deployed successfully in four assessments over a period of eight years. ISCA was expanded for the last two assessments to incorporate the measurement of the perception towards the protection of personal information and privacy, thereby introducing the definition of an information protection culture. A factor and reliability analysis is also reported on as part of the research to revalidate the ISCA measurement instrument. The analysis indicated that the ISCA is valid and reliable when grouping the items into the newly identified factors. The statistical analysis of the four assessments indicated significant improvements based on the corrective actions implemented by the Information Security Officer. The means of each of the dimensions in the 2006 assessment improved compared to the 2013 assessment following the implementation of specific training initiatives over a period of time. It was found that employees who attended training were more positive compared to employees who did not receive training and that the overall Information Security Culture means improved from one assessment to the next. en
dc.language.iso en en
dc.subject Information security culture en
dc.subject assessment en
dc.subject behaviour en
dc.subject validity en
dc.subject reliability en
dc.subject privacy en
dc.title The Value of Using a Validated Information Security Culture en
dc.type Article en
dc.description.department Computing en

