dc.contributor.advisor | Loock, Marianne |
dc.contributor.advisor | Kritzinger, Elmarie |
dc.contributor.advisor | Singh, S. |
dc.contributor.author | Govender, Sunthoshan G. |
dc.date.accessioned | 2023-10-31T10:49:05Z |
dc.date.available | 2023-10-31T10:49:05Z |
dc.date.issued | 2023-06-13 |
dc.identifier.uri | https://hdl.handle.net/10500/30610 |
dc.description.abstract | As the velocity and volume of data breaches increase, information security is a cornerstone of the sustainability of business functionality in organisations. The focus of traditional information security has been to address concerns through the implementation of technology. Nonetheless, the profound catalyst behind data breaches often stems from the influence of individuals on information security, necessitating human involvement to bolster the intricate array of information security technologies. Elevating the information security culture among staff members should stand as a pivotal impetus in tandem with the enhancement of information security technology. This leads to a greater need to focus on sociological solutions with lesser emphasis on technological solutions. This research aims to concentrate on mitigating the risks associated with information security breaches through the enhancement of information security culture, while decreasing the overall expenses tied to managing information security within organisations. The study was conducted using Design Science Research Methodology (DSRM), wherein artefacts, including three models, a framework and a supporting evaluation tool, were developed. Through the DSRM process, these artefacts were evaluated, tested and iteratively improved. The results obtained from the assessments of the framework and tool demonstrated their efficacy in enabling organisations to derive value by assessing their security posture, prioritising cost-reduction endeavours, and formulating strategies to enhance information security culture. The practical significance of this research lies in the fact that the developed framework and tool offer a streamlined and comprehensive approach to appraising an organisation's information security status, particularly emphasising nontechnical aspects for improvement. What sets these artefacts apart is their unique integration of elements that emphasise the human impact on information security, aligning with both cost-reduction goals and the enhancement of security assessment within an organisation. Through testing, second iterations of the framework and tool were designed along with a web-based application for using the framework. Information was also gathered to be able to determine a roadmap to further improve the framework and tool over time. | en
dc.format.extent | 1 online resource (xxiii, 286 leaves) : illustrations (chiefly color), color graphs |
dc.language.iso | en | en
dc.subject | Information security | en
dc.subject | Information security architecture | en
dc.subject | Information security assessment | en
dc.subject | Information security culture | en
dc.subject | Information security cost | en
dc.subject | Information security framework | en
dc.subject | Information security risk | en
dc.subject | Organisational behaviour | en
dc.subject | Organisational culture | en
dc.subject | Design science research | en
dc.subject.ddc | 005.8 |
dc.subject.lcsh | Computer networks -- Security measures | en
dc.subject.lcsh | Computer security -- Management | en
dc.subject.lcsh | Information technology -- Cost effectiveness | en
dc.subject.lcsh | Computer network architectures | en
dc.subject.lcsh | Computer security -- Cost effectiveness |
dc.subject.other | UCTD |
dc.title | An information security framework for reducing information security costs and sustaining information security culture | en
dc.type | Thesis | en
dc.description.department | School of Computing | en
dc.description.degree | Ph. D. (Information Systems) |