The information security culture field is a complex research area that does not currently have a standardized term, definition, and measurement process for organizations of various sizes, industries, and locations. While information security culture is still a relatively new field, the field of organizational culture research is more established and can continue to offer theory...
Information security culture: A look ahead at measurement methods
Measuring the security culture in organizations: a systematic overview of existing tools
There has been an increase in research into the security culture in organizations in recent years. This growing interest has been accompanied by the development of tools to measure the level of security culture in order to identify potential threats and formulate solutions. This article provides a systematic overview of the existing tools. A total...
A systematic review of scales for measuring information security culture
Purpose – The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This...
“Repeat Offenders” in cyber security – Black hat Europe executive summit 2021 keynote
What is the problem with so-called “repeat offenders” We can answer that question in two ways. The easy way, and the right way. Let’s start with the simple answer. Many people would say that the problem with “repeat offenders” is repeat incidents, or at least repeat near misses. I know that’s the topic of discussion...
Cyber security behaviour in organisations
This review explores the academic and policy literature in the context of everyday cyber security in organisations. In so doing, it identifies four behavioural sets that influence how people practice cyber security. These are compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour. However, it is important to note that these...
Don’t click: towards an effective anti-phishing training. A comparative literature review
Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be...
Developing cybersecurity culture to influence employee behavior: A practice perspective
This paper identifies and explains five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a ‘cyber security champion’ network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with...
Developing a cyber security culture: Current practices and future needs
While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security...
If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security
This research finds people are motivated to follow security procedures when they believe the procedures to be compulsory, and that both specifying policies and evaluating behaviors help position security policies as mandatory. It follows that specifying policies and evaluating behaviours is more likely to lead to security procedures being followed.
Cyber security culture in organisations
Drawn from multiple disciplines including organisational sciences, psychology, law and cyber security, this report aims to assist organisations looking to begin or enhance their own cyber security culture programme.
Variables influencing information security policy compliance: A systematic review of quantitative studies
This paper aims to pinpoint the variables that impact compliance with organizational information security policies and to determine their significance. A systematic review of empirical studies from existing literature was conducted, with the variables investigated in these studies and their reported effect sizes being extracted and analyzed. Over 60 variables related to security policy compliance...
Don’t make excuses! Discouraging neutralization to reduce IT policy violation
Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effects of deterrence when...
A path way to successful management of individual intention to security compliance: A role of organizational security climate
While organizations are making a considerable effort to leverage formal and informal control mechanisms (e.g., policies, procedures, organizational culture) to improve security, their impact and effectiveness is under scrutiny as employees seldom comply with information security procedures. Drawing upon Griffin and Neal's safety climate and performance model, we develop an information security climate model of...
Cyber security in the workplace: Understanding and promoting behaviour change
Cyber security and the role employees play in securing information are major concerns for businesses. The aim of this research is to explore employee security behaviours and design interventions that can motivate behaviour change. Previous research has focused on exploring factors that influence information security policy compliance; however, there are several limitations with this approach....
Assessing the impact of security culture and the employee-organization relationship on IS security compliance
IS security advocates recommend strategies that shape user behavior as part of an overall information security management program. A major challenge for organizations is encouraging employees to comply with IS security policies. This paper examines the influence of security-related and employee organization relationship factors on users’ IS security compliance decisions. Specifically, we predict that security...
From culture to disobedience: Recognising the varying user acceptance of IT security
This article examines the levels of security acceptance that can exist amongst employees within an organisation, and how these levels relate to three recognised levels of corporate culture. It then proceeds to identify several factors that could be relevant to the development of culture, from traditional awareness-raising techniques through to context-aware promotion of security. ...
Transforming the “weakest link”: A human-computer interaction approach for usable and effective security
This paper argues that simply blaming users for security breaches will not lead to more effective security systems and that security designers must address the causes of undesirable user behaviour to design effective security systems. Focusing on passwords in particular, the paper's authors conclude that addressing the causes of undesirable security behaviours shouldn't be too...
Users are not the enemy
In the late 90's, it was largely considered users were unmotivated and lazy when it came to cyber security. This UCL research suggested, actually, users compromised security systems through lack of security knowledge and non-user centric security mechanisms. Researchers concluded users needed greater cyber security education and security mechanisms needed to be more user-centric in...