Relationship between culture and Information Security Awareness

When it comes to cybersecurity, it is important to consider human behaviour as a part of a group as individuals play a significant role in creating and preventing incidents. Culture and interactions in work environments can participate in determining human behaviour.

Information Security Awareness (ISA) is essential for organizations, primarily to mitigate risks.  ISA refers to the extent to which employees understand the significance of their organization’s information security policies and the extent to which they comply with it.

Adequate security within an organization is firmly entrenched within its organizational culture. As such, organizations have a strong security culture when employees are aware of security risks and preventative measures and assume responsibility and take the required steps to improve the security of the organization.

In this article, Asleigh Wiley, Agata McCormac and Dragana Calic from the University of Adelaide in Australia explored the relationship between employee ISA and organizational and security culture.

Data was collected through an online survey administered over two weeks in July 2018. 508 Australians employees completed the online questionnaire.

The result showed a significant positive relationship between organizational culture, security culture, and ISA. Mostly, individuals from organizations with a more robust security culture were more likely to have better ISA. The study also found a more complex relationship between organizational culture, security culture and ISA. Security culture mediates the relationship between organizational culture and ISA. This result means that the relationship between organizational culture and ISA is strongly affected by security culture. This suggests that irrespective of an organization’s overall culture, a strong security culture may be a better predictor of employee ISA.

The findings in this study demonstrate that, rather than focussing on the broader organizational culture, organizations may achieve greater employee ISA by concentrating on understanding, developing and strengthening their organization’s security culture.

To cite: Wiley, A., McCormac, A. and Calic, D. (2020). More than the individual: Examining the relationship between culture and Information Security Awareness. Computers & Security, 88.