Search results

The purpose of this paper is to analyse the impact of the processes of orientation and empowerment and the transfer of information in the learning culture.

The first hypothesis predicts that information mediates the relationship between orientation and empowerment processes and learning culture and the second hypothesis suggests that organisational size moderates the relationships between constructs. The empirical work is conducted in the wine industry in Spain through a structural equation analysis, partial least squares.

The hypothesis of mediation is confirmed; however, the hypothesis about size moderation is not confirmed.

The importance of the transfer of information in the foundation of a learning culture is highlighted and, therefore, its importance in the development of learning in organisations, especially in building learning organisations.

This research contributes to the literature on learning in organisations by sharing not only the characteristics that identify a learning culture, but also the mechanisms or processes through which a learning culture can be developed.

This paper aims to examine the influence of organization culture on the effectiveness of implementing information security management (ISM).

Based on a literature review, a model of the relationship between organizational culture and ISM was formulated, and both organizational culture characteristics and ISM effectiveness were measured empirically to investigate how various organizational culture traits influenced ISM principles, by administrating questionnaires to respondents in organizations with significant use of information systems.

Four regression models were derived to quantify the impacts of organizational culture traits on the effectiveness of implementing ISM. Whilst the control‐oriented organizational culture traits, effectiveness and consistency, have strong effect on the ISM principles of confidentiality, integrity, availability and accountability, the flexibility‐oriented organizational culture traits, cooperativeness and innovativeness, are not significantly associated with the ISM principles with one exception that cooperativeness is negatively related to confidentiality.

The sample is limited to the organizational factors in Taiwan. It is suggested to replicate this study in other countries to reconfirm the result before adopting its general implications. Owing to the highly intrusive nature of ISM surveys, a cautious approach with rapport and trust is a key success factor in conducting empirical studies on ISM.

A culture conducive to information security practice is extremely important for organizations since the human dimension of information security cannot totally be solved by technical and management measures. For understanding and improving the organization behavior with regard to information security, enterprises may look into organizational culture and examine how it affects the effectiveness of implementing ISM.

A research model was proposed to study the impacts of organizational factors on ISM, after a broad survey on related researches. The validated model and its corresponding study results can be referenced by enterprise managers and decision makers to make favorable tactics for achieving their goals of ISM – mitigating information security risks.

It is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model over individual decision-making.

A multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions.

The results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure.

This paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account.

Information security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups.

This paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.

Employee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The purpose of this paper is to propose an approach to information security culture change management (ISCCM) that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security.

The ISCCM approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study.

The ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey.

The research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data.

Organisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully.

The proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.

The purpose of this paper is to investigate the occurrence of value conflicts between information security and other organizational values among white-collar workers. Further, analyzes are conducted of the relationship between white-collar workers’ perceptions of the culture of their organizations and value conflicts involving information security.

Descriptive analyses and regression analyses were conducted on survey data gathered among two samples of white-collar workers in Sweden.

Value conflicts regarding information security occur regularly among white-collar workers in the private and public sectors and within different business sectors. Variations in their occurrence can be understood partly as a function of employees’ work situations and the sensitivity of the information handled in the organization. Regarding how perceived organizational culture affects the occurrence of value conflicts, multivariate regression analysis reveals that employees who perceive their organizations as having externally oriented, flexible cultures experience value conflicts more often.

The relatively low share of explained variance in the explanatory models indicates the need to identify alternative explanations of the occurrence of value conflicts regarding information security.

Information security managers need to recognize that value conflicts occur regularly among white-collar workers in different business sectors, more often among workers in organizations that handle sensitive information, and most often among white-collar workers who perceive the cultures of their organizations as being externally oriented and flexible.

The study addresses a gap in the information security literature by contributing to the understanding of value conflicts between information security and other organizational values. This study has mapped the occurrence of value conflicts regarding information security among white-collar professionals and shows that the occurrence of value conflicts is associated with work situation, information sensitivity and perceived organizational culture.

The purpose of this paper is to report on the application of information culture analysis techniques in the workplace. The paper suggests that records managers should use ethnographic sensitivity, if they want to have a constructive dialogue with records creators and users, and effect positive change in their organisations.

Two pilot studies were conducted in university settings for the purpose of testing an information culture assessment toolkit. The university records managers who carried out the investigation approached the fieldwork ethnographically, in the sense that they were interested in the perspectives of their end users, and tried to understand their information cultures, rather than imposing their recordkeeping concepts and procedures.

Information culture analysis was of practical utility in large complex organisations, providing an insight into behaviours, motivations, and most importantly promoted reflection and dialogue among organisational actors.

The paper raises awareness of the diversity of professional skills and knowledge required by records practitioners. It emphasises that to remain relevant to their organisations, records managers have to be receptive and sensitive to cultural influences.

The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced.

Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework.

A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey.

The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.

Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.

The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.

Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.

Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.

This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

The Internet, World Wide Web, and related information technologies, originally developed in Western countries, have rapidly spread to a great variety of countries and cultures. Many of these technologies facilitate and mediate interpersonal communication, an activity whose modes and means bind closely to cultural values. This article provides a theoretical integration of a framework for culture values together with a model for understanding privacy and related issues that arise when personal information is shared or exchanged using information technology. The resulting hybrid framework can help understand and predict individuals’ culturally linked reactions to various communication‐related IT applications (e.g. e‐mail, e‐commerce sites, Web‐logs, bulletin boards, newsgroups) in diverse cultural contexts. An application of the framework to cultural settings in Middle Eastern nations concludes the article.

This chapter discusses the Maldives information culture as observed and defined from the results of a research project undertaken as a Master of Philosophy at Curtin University in Australia. A survey of one rural Maldives community and one urban Maldives community collected data on their information use, access and awareness. Additional qualitative in-depth interviews with key information stakeholders in the Maldives sought supplementary information on the prevailing information situation. We present a conceptual model of the Maldives information culture including seven key elements: indigenous knowledge, ICTs, information literacy, research and publication, libraries and information services, mass media and information policies. The Maldives information culture is ‘paperless’, not in the modern online sense, but more in terms of the Maldives population's high reliance on verbal information interchange for their everyday information needs. In the Maldives, broadcast media and verbal information exchange predominate over print media. In the Maldives, reading as a leisure activity is present to some degree, but reading as an intellectual activity is limited. Libraries are not commonly used as an information source. Adoption of ICTs is swift and promising. However, even if the Maldives population is literate in the local language, a significant group lacks the English language literacy to benefit from the online information environment. There are no major differences in the use of information between the rural and urban community; the difference is in the level of access to information sources and the respondents' information literacy skills.