Return to search

A control framework for the assessment of information security culture

The modern organisation relies heavily on information to function effectively. With such reliance on information, it is vital that information be protected from both internal (employees) and external threats. The protection of information or information security to a large extent depends on the behaviour of humans (employees) in the organisation. The behaviour of employees is one of the top information security issues facing organisations as the human factor is regarded as the weakest link in the security chain. To address this human factor many researchers have suggested the fostering of a culture of information security so that information security becomes second nature to employees. Information security culture as defined for this research study exists in four levels namely artefacts, espoused values, shared tacit assumptions and information security knowledge. An important step in the fostering of an information security culture is the assessment of the current state of such a culture. Gaps in current approaches for assessing information security culture were identified and this research study proposes the use of a control framework to address the identified gaps. This research study focuses on the assessment of information security culture and addresses 5 research objectives namely 1) to describe information security culture in the field of information security, 2) to determine ways to foster information security culture in an organisation, 3) to demonstrate the gap in current approaches used to assess information security culture, 4) to determine the components that could be used for the assessment of information security culture for each of the culture’s underlying levels and 5) to describe a process for the assessment of information security culture for all four levels. This research study follows a qualitative approach utilising a design science strategy and multi-method qualitative data collection techniques including literature review, qualitative content analysis, argumentation, and modelling techniques. The research methods provide a means for the interpretation of the data and the development of the proposed control framework.

Identiferoai:union.ndltd.org:netd.ac.za/oai:union.ndltd.org:nmmu/vital:9818
Date January 2013
CreatorsOkere, Irene Onyekachi
PublisherNelson Mandela Metropolitan University, Faculty of Business and Economic Sciences
Source SetsSouth African National ETD Portal
LanguageEnglish
Detected LanguageEnglish
TypeThesis, Masters, MTech
Formatix, 165 leaves, pdf
RightsNelson Mandela Metropolitan University

Page generated in 0.0021 seconds