To read the full version of this content please select one of the options below:

Key elements of an information security culture in organisations

Frans Nel (Department of Computer Science and Information Systems, North-West University, Potchefstroom, South Africa)
Lynette Drevin (Department of Computer Science and Information Systems, North-West University, Potchefstroom, South Africa)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 28 May 2019

Issue publication date: 28 May 2019

Downloads
906

Abstract

Purpose

The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced.

Design/methodology/approach

Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework.

Findings

A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey.

Originality/value

The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.

Keywords

Citation

Nel, F. and Drevin, L. (2019), "Key elements of an information security culture in organisations", Information and Computer Security, Vol. 27 No. 2, pp. 146-164. https://doi.org/10.1108/ICS-12-2016-0095

Publisher

:

Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited