
dc.contributor.supervisor: Furnell, Steven
dc.contributor.author: Tolah, Alaa
dc.contributor.other: Faculty of Science and Engineering (en_US)

A challenge facing organisations is information security, as security breaches pose a serious threat to sensitive information. Organisations face security risks in relation to their information assets, which also stem from their own employees. Individuals who work in organisations can cause serious risks, even though investments are generally provided to improve security control measures and other devices. Organisations need to focus on employee actions and behaviour to limit security failures, as they aim to establish an effective security culture with employees acting as a natural safeguard for information assets. However, the literature review highlights the lack of prior research models that are able to direct organisations towards an effective security culture, which is why the current research was conducted to provide a comprehensive framework that demonstrates the key factors that affect security culture. The main objective was to implement a reliable and valid framework capable of focusing on human behaviour and directing organisations in their assessment and improvement of security culture. The current research developed a comprehensive Information Security Culture and key Factors Framework (ISCFF) that correlates human factors with security culture, and which determined how the security of information assets is enhanced. The framework provided a level of structured direction to enhance security management and security culture assessment controls. The development of the framework is based on Alnatheer’s (2012) model and a review of the academic literature on security culture. In the framework, a security culture comprises various factors in three categories: influential factors, organisational behaviour factors that influence a security culture, and reflection factors, which constitute a security culture.
The first category includes top management, security policy, security education and training, security risk analysis and assessment, and ethical conduct; the second category includes personality traits and job satisfaction; and the third category includes security awareness, security ownership, and security compliance. The framework was validated using a pragmatic mixed-methods approach that comprised qualitative and quantitative research, with the findings confirming the significance of the factors the research identified in the development of security culture. A semi-structured interview-based investigation was conducted with thirteen experienced security specialists from seven organisations. The interview findings pointed to the continuous guidance of employees towards relevant security training sessions and security awareness development to enhance security culture. Additionally, an exploratory survey with 266 valid responses demonstrated the framework's levels of validity and reliability through the use of an exploratory factor analysis (EFA) and a confirmatory factor analysis (CFA). Different hypothetical correlations were analysed through the use of structural equation modelling (SEM), with the indirect exploratory effect of the moderators achieved through a multi-group analysis (MGA). This research has shown that the framework has validity and achieved an acceptable fit with the data, to initiate and maintain organisational security culture. This research fills an important gap regarding the significant relationship between personality traits and security culture. It also contributes to improving the knowledge of information security management through the introduction of a comprehensive information security culture and key factors framework in practice, which functions in the cultivation and maintenance of a quality security culture. The framework factors are vital in justifying security culture acceptance.
The framework can ultimately be used by organisations to construct their security culture through a process of enabling employees, directing their assumptions and reducing the levels of insider threat. The framework can be used to improve the ability to measure and assess an organisational security culture. It helps in the design of employee security training for security awareness advancement that will enhance the security culture.

dc.description.sponsorship: Saudi Electronic University, Riyadh, Saudi Arabia (en_US)
dc.publisher: University of Plymouth
dc.subject: Culture Framework (en_US)
dc.subject: Information Security Culture (en_US)
dc.subject: Human Behaviour (en_US)
dc.subject: Insider Threats (en_US)
dc.subject: Human Factor (en_US)
dc.title: A Framework for Understanding and Establishing an Effective Information Security Culture (en_US)
dc.rights.embargoperiod: 12 months (en_US)


All items in PEARL are protected by copyright law.
Author manuscripts deposited to comply with open access mandates are made available in accordance with publisher policies. Please cite only the published version using the details provided on the item record or document. In the absence of an open licence (e.g. Creative Commons), permissions for further reuse of content should be sought from the publisher or author.