Improving the information security culture through monitoring and implementation actions illustrated though a case study

Thumbnail Image

Files

Improving the IS culture through monitoring and _Computers and Security 2015.pdf (787.74 KB)

Authors

Da Veiga, Adele
Martins, Nico

Issue Date

2015-01-05

Type

Postprint Article

Language

en

Keywords

information security culture , assessment , tracking , awareness , monitoring , benchmark , comparative analysis , survey , human factor

Research Projects

Organizational Units

Journal Issue

Alternative Title

Abstract

The human aspect, together with technology and process controls, needs to be considered as part of aninformation securityprogramme.Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliancewith information security and related information processing policies andregulatoryrequirements.This canbe achievedby assessing,monitoringandinfluencingan information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived froman ISCAcan be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet. In this paperwediscuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establishwhether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved fromone assessment to the next, with the most positive results in the fourth assessment. This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture. Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation's information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA.

Description

Citation

Adéle da Veiga, Nico Martins, Improving the information security culture through monitoring and implementation actions illustrated through a case study, Computers & Security, Volume 49, March 2015, Pages 162-176, http://dx.doi.org/10.1016/j.cose.2014.12.006

Publisher

Elsevier

License

Journal

Volume

Issue

URI

https://uir.unisa.ac.za/handle/10500/26784

PubMed ID

DOI

ISSN

0167-4048

EISSN

Collections

Research Outputs (School of Computing)
Open Research Collection