The Influence of Data Protection Regulation on the Information Security Culture of an Organisation - A Case Study Comparing Legislation and Offices across Jurisdictions

Abstract

one could be related to legal and regulatory requirements. While employees must comply with organisational policies, external factors like data protection legislation might influence the manner in which employees protect information assets. This research sets out to investigate whether the information security culture level is consistent across offices of an organisation located in jurisdictions with and without data protection legislation and if the timeframe of the implemented data protection regulation might have had an impact. An information security culture survey was conducted in an organisation that follows a centralised approach to information security. Statistical analysis was conducted to compare the information security culture data of offices across six data protection jurisdictions where the organisation operates, namely Mauritius, Switzerland, Guernsey, South Africa, United Kingdom and Australia. It was found that the three offices (Mauritius, Switzerland and Guernsey), that had significantly more positive results, were all based in jurisdictions with implemented data protection legislation. However, the timeframe of the implemented data protection legislation did not seem to influence the information security culture mean scores, although the legislation incorporates the data protection principle of security. While data protection legislation might play a role to cultivate a more positive information security culture, other factors such as a large staff component could also play a role which can be further investigated.