Investigating the concept of information security culture

The concept of an ‘information security culture’ is relatively new. A review of published research on the topic suggests that it is not the information security panacea that has been suggested. Instead, it tends to refer to a range of existing techniques for addressing the human aspect of information security, oversimplifying the link between culture and behaviour, exaggerating the ease with which a culture can be adjusted, and treating culture as a monolith, set from the top. Evidence for some of the claims is also lacking. The paper finds that the term ‘information security culture’ is ambiguous and vague enough to suggest the possibility of achieving an almost mystical state in which behaviour consistent with information security is second nature to all employees, but when probed it does not deliver. Instead, future research should be clear about what it considers information security culture to be, should provide evidence for its claims, and should take complexity and context seriously.