1. Cultivating and assessing information security culture. Da Veiga, Adele. 24 April 2009.
The manner in which employees perceive and interact (behave) with the controls implemented to protect information assets is one of the main threats to the protection of those assets and to the effective use of information security controls. Should the interaction not be conducive to the protection of information assets, it could have a profound impact on the profit of an organisation: productive working hours could be lost, confidential information might be disclosed to unauthorised people and compliance with legal and regulatory requirements could be affected, all this despite adequate technical and procedural controls being in place. Current research highlights the importance of a strong information security culture to address the threat that employee behaviour poses to the protection of information assets. Various research perspectives propose how an acceptable level of information security culture should be cultivated, and how to assess this culture to determine whether it is at an acceptable level. These approaches are, however, not adequate to cultivate an information security culture, as all the relevant information security components and the influences on the information security culture have to be considered. This leads to the question of whether the assessment instruments proposed to assess information security culture are indeed adequate and valid. The main contribution of this research is the development of an information security culture framework and a process consisting of an assessment instrument to assess information security culture. In order to develop the information security culture framework, the researcher developed a Comprehensive Information Security Framework (CISF) that equips organisations with a holistic approach to the implementation of information security. The framework provides a single point of reference for the governance of information security.
The Information Security Culture Framework (ISCF) is developed using the CISF as its foundation. The ISCF can be used by organisations to cultivate an information security culture conducive to the protection of information assets. It considers all the components required for information security culture, namely information security, organisational culture and organisational behaviour. It integrates these concepts and illustrates the influence between the components. The ISCF further serves as a basis for designing an information security culture assessment instrument. This instrument is incorporated as part of an Information Security Culture Assessment process (ISCULA) defined by the researcher. ISCULA provides management with the steps to conduct an information security culture assessment, as well as the steps to validate the assessment instrument. The application of ISCULA is tested in an empirical study conducted in an organisation. It illustrates how to validate an information security culture assessment instrument by ensuring that it is designed on the basis of the ISCF and meets the statistical requirements for a valid and reliable assessment instrument. Both the ISCF and the ISCULA process can ultimately be deployed by organisations to minimise the threat that employee behaviour poses to the protection of information assets. Thesis (PhD), University of Pretoria, 2009. Computer Science.
2. Understanding Information Security Culture in an Organization: An Interpretive Case Study. Bess, Donald Arlo. 01 January 2012.
Information systems are considered a critical and strategic part of most organizations today. Because of this, it has become increasingly important to ensure that an effective information security program is in place to protect those information systems. Researchers have well established that the success of an information security program depends heavily on the actions of the organizational members who interact with it. Because of this interaction between people and the information security program, an appropriate information security culture is required to effectively influence and control the actions of the members of the organization.
While the importance of an information security culture has been well established by researchers, little research has been conducted to date that assists in understanding and managing information security culture within organizations. To expand the body of knowledge in this area, this study explores the information security culture of a large organization using an interpretive case study methodology. The use of semi-structured interviews to collect data allowed the researcher to report their interpretation of the shared meanings, consciousness, language and artifacts observed at the research site. Structuration theory was applied as a theoretical lens through which to better understand information security culture and to explore ways in which organizations can better understand and manage it.
We found that the structures of signification and legitimation were the most influential on employees' behavior towards information security, while the structure of domination exerted minimal influence over employees' behavior.
This research study contributes to the existing body of knowledge on information security culture by examining the role of the structural properties exhibited within it. Structural properties of information security culture have not been adequately considered in the existing literature. By expanding our understanding of the role of social structures such as systems of meaning, power and legitimacy in information security culture, researchers will gain a deeper understanding of the phenomenon called information security culture. This will enable us to better understand how to develop and manage an appropriate information security culture.
3. Impact of organizational culture on information security: A case of SMEs in Nigeria. Elehinle, Eniola. 2024.
Purpose: This thesis explores the impact of organizational culture on the information security culture of small and medium-sized enterprises (SMEs) in Nigeria. It primarily examines which aspects of culture can be improved within SMEs to improve information security. Being a pioneer study for Nigeria, it focuses on identifying the existing organizational culture and the existing information security culture across three areas: knowledge, attitude, and behavior. Organizational culture continues to be an influencing factor in information security. As SMEs, like other organizations, continue to suffer the negative consequences of cybersecurity attacks, this research aims to understand the role organizational culture plays in information security culture through a case study of small and medium businesses in Nigeria.
Design: The research applies two frameworks, the OCAI and the ISCF, to diagnose the existing culture within SMEs in Nigeria and to identify the existing security culture. It answers the question of how organizational culture impacts security culture. The research method follows a qualitative approach, with interviews conducted at managerial level in three SMEs. Interview questions were designed on the basis of the assessments of the OCAI framework and the ISCF.
Ethical considerations: Interviews were conducted with consent, and anonymity was provided for participants; no details identifying a particular company were published. The interviews were analysed to reach a logical conclusion.
Findings: Organizational culture plays a role in strengthening the information security culture of an organization. The bulk of the direction of the organization rests upon leadership and management. SMEs, being smaller and close-knit, need to pay attention to the unintended gaps in information security that the dominant culture might be breeding, and make an effort at change management.
Originality: The study opens up a new body of knowledge within the Nigerian cyber security community and amongst SMEs, aiming to bring to light the impact of culture and how it can be leveraged to improve information security.
4. Establishing an information security awareness and culture. Korovessis, Peter. 2015.
In today's business environment all business operations are enabled by technology. Its always-on and connected nature has brought new business possibilities but has at the same time increased the number of potential threats. Information security has become an established discipline as more and more businesses realize its value. Many surveys have indicated the importance of protecting valuable information, and an important aspect that must be addressed in this regard is information security awareness. The human component has been recognized as having an important role in information security, since the only way to reduce security risks is to make employees more aware of information security. This also means that employees take responsibility for their actions when dealing with information in their everyday activities. The research concentrates mainly on information security concepts and their relation to the human factor, with evidence that users remain susceptible to information security threats, illustrating the need for more effective user training to raise the level of security awareness. Two surveys were undertaken to investigate the potential of raising security awareness within existing education systems by measuring the level of security awareness amongst the online population. The surveys analyzed not only the awareness levels and needs of students during their studies and their preparation for entering the workforce, but also whether this awareness level changes as they progress in their studies. The results of both surveys established that students' awareness of information security concepts is not at a sufficient level when they enter university education and does not change significantly as they progress through their academic life towards entering the workforce. In response, the research proposes and develops the information security toolkit as a prototype awareness-raising initiative.
The research goes one step further by piloting the toolkit and evaluating its effectiveness. As an awareness-raising method, the toolkit is intended to give the general technology user a basis for understanding the challenges associated with the secure use of information technology, and to help them assess their current knowledge, identify gaps and weaknesses, and acquire the knowledge required to be a competent and confident user of technology.
5. Strong Intents Against Weak Links: Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent. Koller, Teresa Marie; Ljung, Migle. January 2021.
The human factor has been identified as the weakest link in the information security of organizations. Methods such as training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically into organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. It is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. In this way we could identify the factors that are today most prominent in reinforcing information security behavior in organizations, and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers.
6. Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees. Connolly, Lena Y.; Lang, M.; Wall, D.S. 16 June 2020.
This study explores how aspects of perceived national culture affect the information security attitudes and behavior of employees. Data were collected through 19 semi-structured interviews in Ireland and the United States of America (US). The main findings are that US employees in the observed organizations are more inclined than Irish employees to adopt formalized information security policies and procedures, and are also more likely to have higher levels of compliance and lower levels of non-compliance.
7. Enhancing information security in organisations in Qatar. Al-Hamar, Aisha. 2018.
Due to the universal use of technology and its pervasive connection to the world, organisations have become exposed to more frequent and more varied threats. Organisations today are therefore giving more attention to information security, which has become a vital and challenging issue. Many researchers have noted that the significance of information security, particularly information security policies and awareness, is growing with the increasing use of IT and computerisation. In the last 15 years the State of Qatar has witnessed remarkable growth and development, having embraced information technology as a base for innovation and success. The country has undergone tremendous improvements in the health care, education and transport sectors, and information technology plays a strategic role in building its knowledge-based economy. Because of Qatar's increasing use of the internet and connection to the global environment, it needs to adequately address the global threats arising online. The scope of this research is therefore to investigate information security in Qatar, and in particular the National Information Assurance (NIA) policy. There are many solutions for information security, some technical and some non-technical, such as policies and making users aware of the dangers. This research focuses on enhancing information security through non-technical solutions. Its aim is to improve Qatari organisations' information security processes by developing a comprehensive information security management framework that is applicable to the implementation of the NIA policy, taking into account Qatar's culture and environment. To achieve this aim, different research methodologies, strategies and data collection methods are used, including a literature review, surveys, interviews and case studies.
The main findings of this research are that there is insufficient information security awareness in organisations in Qatar and a lack of a security culture, and that the current NIA policy faces many barriers that need to be addressed. The barriers include a lack of information security awareness, a lack of dedicated information security staff, and a lack of a security culture. These barriers are addressed by the proposed information security management framework, which is based on four strategic goals: empowering Qataris in the field of information security, enhancing information security awareness and culture, activating the Qatar National Information Assurance policy in practice, and enabling Qatar to become a regional leader in information security. The research also provides an information security awareness programme for employees and university students. At the time of writing, there are already indications that the research will have a positive impact on information security in Qatar. A significant example is that the information security awareness programme for employees has been approved for implementation at the Ministry of Administrative Development, Labour and Social Affairs (ADLSA) in Qatar. In addition, the recommendations proposed have been communicated to the responsible organisations in Qatar, and the author has been informed that each organisation has decided to act upon them.
8. Information Security Culture and Threat Perception: Comprehension and awareness of latent threats in organisational settings concerned with information security. Lambe, Erik. 2018.
A new challenge for organisations in the 21st century is how to ensure information security at a time when the widespread use of Information and Communication Technologies (ICTs), such as smartphones, has made information vulnerable in numerous new ways. Recent research on information security has focused on information security culture and on how to successfully communicate security standards within an organisation. This study examines how latent threats to information security are conceptualised and examined within an organisation in which information security is important. Since the threats posed by ICTs are said to be latent, the study explores what role the inclusion of threat conceptualisation can have in understanding what constitutes an efficacious information security culture when the intention is to ensure information security. The study focuses on the Swedish Armed Forces and compares how the threats to information security posed by interaction with private ICTs are communicated in information security policies with how they are conceptualised by members of the organisation. Through interviews conducted with service members, the findings indicate that it is possible to successfully communicate the contents of information security policies without requiring members of the organisation to read the sources themselves. Furthermore, the study identified a feature of information security culture, here called supererogatory vigilance to threats to information security, which might be of interest for future studies in this area, since it offers adaptive protection against new threats to information security that goes beyond what the established sources protect against.
9. Framework for Adoption of Information and Communication Technology security culture in SMMEs in Gauteng Province, South Africa. Mokwetli, M. A. 2019.
M. Tech. (Department of Information Technology, Faculty of Applied and Computer Sciences), Vaal University of Technology. Information and Communication Technology (ICT) has become prevalent in our everyday business and personal lives. As such, users and organisations must know how to protect themselves against the human errors that lead to companies losing, or sharing, information that should not be shared. The issue stems from a lack of ICT security culture in both individuals and organisations. This research is based on a wide theoretical review and proposes a conceptual model of the technological, environmental and organisational factors that influence the adoption and implementation of an ICT security culture in Small, Medium and Micro Enterprises (SMMEs). The factors, or determinants, that influence the adoption of an ICT security culture in SMMEs in the Gauteng province were investigated. Questionnaires were distributed to examine perceptions of ICT security culture adoption among SMMEs in the Gauteng province of South Africa; a sample of 647 individuals from different SMMEs in the province returned the questionnaire. The results show that the technological context (perceived benefits), environmental context (government regulations) and organisational context (management support) determinants have a direct influence on ICT security culture adoption. The recommendation is that information security awareness programmes must be put in place. Further research is recommended using more determinants that might have a positive impact on the adoption of an ICT security culture. In order to minimise data breaches due to human error, it is recommended that SMMEs in the Gauteng Province of South Africa adopt the framework outlined in this research study.
10. Cultura de segurança da informação: um processo de mudança organizacional na Petrobrás (Information security culture: an organizational change process at Petrobras). Vieira, Patrícia dos Santos. 21 December 2009.
This study aims to verify whether, and to what degree, the criteria proposed by Kotter for the implementation of an information security culture were met at Petrobras. For many years Petrobras was a state-owned oil company operating only nationally. As in many other companies, the internationalization process brought more actors with an interest in valuable information into contact with the company, and the need to conduct a change management process to implement an information security culture became apparent. The model defined by Kotter has eight steps which, if followed, can guarantee a successful change. To achieve the study's purpose, bibliographic research, documentary research in Petrobras' files and documents, and field research were carried out. The period analysed was 2002 to 2009. The evaluation of the process showed failures at some of the steps defined by Kotter, among them: high complacency; a sense of urgency created only at the outset; a long-term vision that was not widely declared; the reason for the change not being made explicit over time; an information security organisational structure in the business areas that is still deficient; incomplete alignment of the company's management systems; the existence of structures and systems that make it harder to evaluate actions and to recognise the people involved in the cultural change process; and little concern with celebrating short-term wins.