dc.contributor.author |
Da Veiga, Adele
|
|
dc.contributor.author |
Martins, Nico
|
|
dc.date.accessioned |
2018-01-25T12:36:53Z |
|
dc.date.accessioned |
2020-10-30T07:52:13Z |
|
dc.date.available |
2020-10-30T07:52:13Z |
|
dc.date.issued |
2015-01-05 |
|
dc.identifier.citation |
Adéle da Veiga, Nico Martins, Improving the information security culture through monitoring and implementation actions illustrated through a case study, Computers & Security, Volume 49, March 2015, Pages 162-176, http://dx.doi.org/10.1016/j.cose.2014.12.006 |
en |
dc.identifier.issn |
0167-4048 |
|
dc.identifier.uri |
http://hdl.handle.net/10500/26784 |
|
dc.description.abstract |
The human aspect, together with technology and process controls, needs to be considered as
part of an information security programme. Current and former employees are still regarded as
one of the root causes of information security incidents. One way of addressing the human
aspect is to embed an information security culture where the interaction of employees with
information assets contributes to the protection of these assets. In other words, it is critical to
improve the information security culture in organisations such that the behaviour of employees
is in compliance with information security and related information processing policies
and regulatory requirements. This can be achieved by assessing, monitoring and influencing an
information security culture. An information security culture can be assessed by using an
approach such as an information security culture assessment (ISCA). The empirical data
derived from an ISCA can be used to influence the information security culture by focussing on
developmental areas, of which awareness and training programmes are a critical facet.
In this paper we discuss a case study of an international financial institution at which ISCA
was conducted at four intervals over a period of eight years, across twelve countries.
Comparative and multivariate analyses were conducted to establish whether the information
security culture improved from one assessment to the next based on the developmental actions
implemented. One of the key actions implemented was training and awareness focussing
on the critical dimensions identified by ISCA. The information security culture improved
from one assessment to the next, with the most positive results in the fourth assessment.
This research illustrates that the theoretical ISCA tool previously developed can be
implemented successfully in organisations to positively influence the information security
culture. Empirical evidence is provided supporting the effectiveness of ISCA in the context
of identified shortcomings in the organisation's information security culture. In addition,
empirical evidence is presented indicating that information security training and awareness
is a significant factor in positively influencing an information security culture when
applied in the context of ISCA. |
en |
dc.language.iso |
en |
en |
dc.publisher |
Elsevier |
en |
dc.subject |
information security culture |
en |
dc.subject |
assessment |
en |
dc.subject |
tracking |
en |
dc.subject |
awareness |
en |
dc.subject |
monitoring |
en |
dc.subject |
benchmark |
en |
dc.subject |
comparative analysis |
en |
dc.subject |
survey |
en |
dc.subject |
human factor |
en |
dc.title |
Improving the information security culture through monitoring and implementation actions illustrated through a case study |
en |
dc.type |
Postprint Article |
en |
dc.description.department |
College of Engineering, Science and Technology |
en |
dc.description.embargo |
20150105 |
|