Understanding and transforming organizational security culture

The paper is based on the findings and conclusions of research, observations and projects carried out in large organizations over the last two decades. It highlights failings and critical success factors in contemporary approaches to transforming organizational culture. It draws on theory and research from the industrial safety field and discusses its relevance to the information security field. The paper identifies the primary reasons why many contemporary enterprise security awareness programmes are ineffective. It discusses the nature of the problem and solution space, identifying the practical issues and opportunities, and gives recommendations on how future programmes can be improved. The paper identifies gaps in current research, including the need to confirm whether or not certain findings about incidents in the safety field might be applicable to security incidents. It calls for a new approach to information security management that incorporates theory and techniques drawn from psychology and marketing.