Defining organizational information security culture

Culture is one of the most challenging aspects to change in an organization. Information security culture is a dynamic phenomenon as it changes over time. Organizations have to focus on maintaining stability while also focusing on continuous development to ensure consistent protection of information resources in a changing environment.

Information security culture is often present in an organization as a dominant culture and as subcultures, where different departments or job levels can each have a unique information security culture. A counterculture may appear when a subculture of information security is not conducive to the protection of information. As such, organizations need to identify countercultures and take action to align them with the dominant information security culture.

In this study, Adèle da Veiga and her colleagues set out to understand and define the concept of information security culture from an industry perspective combined with existing theory. The authors conducted a literature review of the concept of information security culture and complemented it with interviews with security experts.

The literature review highlights several factors that contribute to information security, such as:

  • External factors: national culture, political and legal factors, etc.
  • Internal factors:
    • Management factors: information security policies and procedures, information security management, etc.
    • Organizational factors: internal state of the organization, resources, etc.
    • Human (employee) factors: personalities and values, needs, knowledge of information security, etc.
    • Factors of mutual trust between the employer, employees and customers: customers' trust in the organization, mutual trust between employers and employees and among employees.

The interviews with security experts provide elements describing the ideal characteristics of an information security culture and how it can be achieved.

Through their literature review and interviews with security experts, the authors came up with the following definition of what constitutes information security culture:

Information security culture is contextualized to the behaviour of humans in an organizational context to protect information processed by the organization through compliance with the information security policy and procedures and an understanding of how to implement requirements in a cautious and attentive manner as embedded through regular communication, awareness, training and education initiatives.

The behaviour over time becomes part of the way things are done, i.e., second nature, as a result of employee assumptions, values and beliefs, their knowledge and attitude towards and perception of the protection of information assets.

The information security culture is directed by the vision of senior management together with management support in line with the information security policy and influenced through internal and external factors, supported by an adequate ICT environment, visible in the artefacts of the organisation and behaviour exhibited by employees, thereby creating an environment of trust with stakeholders and establishing integrity.

This article provides an integrated view of the concept of information security culture that can be used as a framework for academic research while also being useful for industry practitioners implementing it in organizations.

To cite: da Veiga, A., Astakhova, L. V., Both, A., and Herselman, M. (2020). Defining organisational information security culture—Perspectives from academia and industry. Computers and Security, 92.