Human Factors in Information Security Culture

Nowadays, organizations collect, transmit, and use data to perform a variety of business-related functions. The proliferation of data makes organizations targets for cybercriminals. This threat has resulted in large investments in secure data storage, networks, and cyber-defense systems. In spite of these investments, cybercrime is still very prevalent, with massive breaches reported almost daily in the news media.

Despite the significant spending on tools and systems to fight cyber-attacks, there is very little investment in human factors and security culture. Information security is not just a technical issue; it is well known that humans are the weak link in information security. Misbehaviour by information system users is a direct reflection of the information security culture of the organization. Because of this, organizations need to invest in building an information security culture that includes all personnel and leadership.

In this study, Henry Glaspie and Waldemar Karwowski of the University of Central Florida provide a review of the factors that affect the human side of information security. Information security culture is defined as the “collection of perceptions, attitudes, values, assumptions, and knowledge that guide the human interaction with information assets in an organization with the aim of influencing employees’ security behaviour to preserve information security”. The authors propose a conceptual model of five factors that shape information security culture:

(1) Information security policy: Most organizations are required to have some form of information security policy in place. Policies set mandatory guidelines intended to encourage positive organizational behaviour when using systems or working with data. When policies are ambiguous, complicated, or too vague for users to understand, attitudes towards compliance are negatively affected. Organizations should make their policies as understandable, relevant, and accessible as possible to all employees.

(2) Deterrence and incentives: Most information security policies state the penalties for noncompliance. In many organizations this punishment ranges from remediation to termination. Organizations with more severe punishments for noncompliance were more likely to have a healthy information security culture. Without clear and consistent consequences for noncompliance, users are likely to demonstrate risky or noncompliant behaviour. Incentives, on the other hand, do not all influence behaviour positively; inefficient incentives have little effect, whereas efficient incentives persuade a large number of heterogeneous users to act for the common cause.

(3) Attitudes and involvement: Positive employee attitudes towards information security compliance, and employee involvement in the process, are important in the development of an organization's information security culture. There is a positive effect when employees participate in activities focused on commitment to the organization's security goals and engage with colleagues on such matters.

(4) Training and awareness: Training and awareness are a fundamental aspect of all thriving information security cultures. They give employees the knowledge needed to use systems properly. Information security managers must implement training and awareness programs focused on policies, roles, and responsibilities. Employees who lack proper awareness and training can expose the organization to security risks. Research has shown that, despite the threats of cybercrime and insider breaches that organizations face, employee awareness levels are still lacking.

(5) Management support: Consistent top management support is essential to creating a supportive environment in the organization. This support includes budget, technology, and human capital. Support and leadership from management are key contributors to the successful implementation of information security efforts. It is also management's responsibility to convey clear and consistent messages to employees about acceptable behaviour and the sanctions for negative actions.

Information security is important in every organization, and technology alone cannot deliver it. Humans play a vital role in information security, and the success of an organization's information security program depends on appropriate user behaviour. To build a positive information security culture, organizations must address both the technical systems and the human behavioural aspects of information security management.

Cite: Glaspie, H. W. and Karwowski, W. (2018). Human Factors in Information Security Culture: A Literature Review. pp. 269-280. https://doi.org/10.1007/978-3-319-60585-2_25