Institutional Repository

Improving the information security culture through monitoring and implementation actions illustrated through a case study.

dc.contributor.author Da Veiga, Adele
dc.contributor.author Martins, Nico
dc.date.accessioned 2016-11-07T12:28:05Z
dc.date.available 2016-11-07T12:28:05Z
dc.date.issued 2015
dc.identifier.citation 34. Da Veiga, A. & Martins, N. (2015). Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers and Security, 49, 162-176. http://dx.doi.org/10.1016/j.cose.2014.12.006. en
dc.identifier.issn 1872-6208
dc.identifier.uri http://hdl.handle.net/10500/21765
dc.identifier.uri http://dx.doi.org/10.1016/j.cose.2014.12.006
dc.description.abstract The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet. In this paper we discuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establish whether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved from one assessment to the next, with the most positive results in the fourth assessment. This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture. 
Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation’s information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA. en
dc.language.iso en en
dc.publisher Elsevier en
dc.subject Information Security Culture en
dc.subject Assessment en
dc.subject Training en
dc.subject Awareness en
dc.subject Monitoring en
dc.subject Benchmark en
dc.subject Comparative Analysis en
dc.subject Survey en
dc.subject Human Element en
dc.title Improving the information security culture through monitoring and implementation actions illustrated through a case study. en
dc.type Article en
dc.description.department Industrial and Organisational Psychology en

