Search results

1 – 10 of over 116000
Article
Publication date: 17 August 2021

Krunoslav Arbanas, Mario Spremic and Nikolina Zajdela Hrustek

Abstract

Purpose

The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.

Design/methodology/approach

The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.

Findings

The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.

Originality/value

This paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.

Details

Aslib Journal of Information Management, vol. 73 no. 5
Type: Research Article
ISSN: 2050-3806

Article
Publication date: 28 May 2019

Frans Nel and Lynette Drevin

Abstract

Purpose

The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced.

Design/methodology/approach

Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework.

Findings

A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey.

Originality/value

The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.

Details

Information & Computer Security, vol. 27 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 9 October 2019

Zhiying Lian and Gillian Oliver

Abstract

Purpose

The purpose of this paper is to explore the concept of information culture in Mainland China and apply the information culture framework to an organizational setting.

Design/methodology/approach

The foundation for the research is provided by a review of Chinese and English language literature and a case study of a university library was conducted, involving semi-structured interviews.

Findings

The information culture framework facilitated identification of factors not recognized in previous information culture research, including uniquely Chinese factors of egocentrism, guanxi (relationships), mianzi (face), hexie (harmony) and renqing (mutual benefit). A further finding highlighted the profound differences between archives and library institutions in China.

Originality/value

The paper provides the first step toward further exploring features of Chinese organizational culture which will not only influence information management practices but also highlight the issues relating to collaboration between libraries and archives in China.

Details

Journal of Documentation, vol. 76 no. 1
Type: Research Article
ISSN: 0022-0418

Article
Publication date: 11 March 2014

Proscovia Svärd

Abstract

Purpose

The purpose of this article is to examine the information culture of a medium-sized municipality in Belgium. Public information/records is/are one of the most important instruments of citizens' control of public authorities. The principle of Public Access gives citizens a right to access public records, while the Privacy Act protects the integrity of the citizens. Municipalities are institutions that intensely interact with the citizens. Therefore, the way they handle the information that is generated during this interaction is of crucial importance to the efficient service delivery, safeguarding the rights of the citizens that they serve and for sustaining the open governance structure that promotes the principles of accountability and transparency.

Design/methodology/approach

The author employed a case study approach in order to establish the attitudes and norms the organizational employees had towards the management of information/records. She also applied the information culture assessment framework developed by Oliver during the design of the research questions.

Findings

Information culture affects the way public information/records are managed. Though investments are being made in information systems to facilitate the capture and management of information/records, the people issues are equally as crucial. E-Government development will require an information culture that promotes effective creation, use and management of information, if its goal of efficient and transparent public administrations is to be achieved.

Originality/value

The originality of this study lies in the application of the information culture assessment framework that was developed by Oliver. The framework facilitates the formulation of questions using its three layers to tease out the information required by a researcher in an attempt to draw conclusions regarding the attitudes, norms and the value the interviewees attach to information/records.

Details

Records Management Journal, vol. 24 no. 1
Type: Research Article
ISSN: 0956-5698

Article
Publication date: 9 December 2021

Zhiying Lian, Ning Wang and Gillian Oliver

Abstract

Purpose

The purpose of this paper is to report findings from an investigation on the information culture and recordkeeping in two Chinese companies, exploring the interaction between information culture and recordkeeping.

Design/methodology/approach

On the basis of systematic literature review, this research investigates the information culture and recordkeeping in two Chinese companies by conducting in-depth interviews with the staff of the two companies.

Findings

The attitude of the leadership and the staff towards records and information is different in the result-oriented information culture and rule-following culture. If a company aims to stay innovative and competitive, an information culture that can facilitate the good governance of records and information should be developed, and information professionals can play a key role in working towards this.

Originality/value

As a qualitative study of information culture and recordkeeping in Chinese companies, this paper provides the insight into the interaction between information culture and recordkeeping, demonstrates the impact of information culture on information governance and identifies the factors influencing information culture in an organization.

Details

Journal of Documentation, vol. 78 no. 5
Type: Research Article
ISSN: 0022-0418

Article
Publication date: 12 March 2018

Mathew Nicho

Abstract

Purpose

The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.

Design/methodology/approach

This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.

Findings

The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle.

Originality/value

The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 October 2020

Grant Solomon and Irwin Brown

Abstract

Purpose

Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.

Design/methodology/approach

A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.

Findings

Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.

Practical implications

Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.

Originality/value

This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Details

Journal of Enterprise Information Management, vol. 34 no. 4
Type: Research Article
ISSN: 1741-0398

Open Access
Article
Publication date: 4 December 2020

Špela Orehek and Gregor Petrič

Abstract

Purpose

The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.

Design/methodology/approach

Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.

Findings

The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.

Research limitations/implications

Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.

Practical implications

Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.

Originality/value

This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

Article
Publication date: 5 April 2021

Dirk P. Snyman and Hennie Kruger

Abstract

Purpose

This paper aims to present the development of a framework for evaluating group behaviour in information security in practice.

Design/methodology/approach

Information security behavioural threshold analysis is used as the theoretical foundation for the proposed framework. The suitability of the proposed framework is evaluated based on two sets of qualitative measures (general frameworks and information security frameworks) which were identified from literature. The successful evaluation of the proposed framework, guided by the identified evaluation measures, is presented in terms of positive practical applications, as well as positive peer review and publication of the underlying theory.

Findings

A methodology to formalise a framework to analyse group behaviour in information security can successfully be applied in a practical environment. This application takes the framework from only a theoretical conceptualisation to an implementable solution to evaluate and positively influence information security group behaviour.

Practical implications

Behavioural threshold analysis is identified as a practical mechanism to evaluate information security group behaviour. The suggested framework, as implemented in a management decision support system (DSS), allows practitioners to assess the security behaviour and awareness in their organisation. The resulting information can be used to exert an influence for positive change in the information security of the organisation.

Originality/value

A novel conceptual mapping of two sets of qualitative evaluation measures is presented and used to evaluate the proposed framework. The resulting framework is made practical through its encapsulation in a DSS.

Details

Information & Computer Security, vol. 29 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 November 2020

Sirje Virkus and Anmar Salman

Abstract

Purpose

This study aims to increase the understanding of the connection between effective leadership behaviours and information culture in the higher education institution (HEI).

Design/methodology/approach

A qualitative case study was conducted at one department of an HEI in Estonia. This study used semi-structured interviews and document analysis for data collection. The hypothesis-generating technique applying grounded theory analysis was used for data analysis.

Findings

The information culture of the department was a multiple culture with mixed attributes from the relationship-based culture and the risk-taking culture. Six main effective leadership behaviours within the department were identified, namely, communicating well about the direction the department is going, having a clear sense of direction and strategic vision, providing resources for and adjusting workloads to stimulate scholarship and research, making academic appointments that enhance department’s reputation, allowing the opportunity to participate in key decisions and encouraging open communication and creating a positive and collegial work atmosphere. The main hypotheses that illustrate the influence of effective leadership behaviours on information culture were generated.

Practical implications

The findings of this study can inform the training of future leaders in HEIs.

Originality/value

There is a lack of research in higher education that focuses on the relationship between leadership and information culture, and this research fills this gap.

Details

Global Knowledge, Memory and Communication, vol. 70 no. 4/5
Type: Research Article
ISSN: 2514-9342
