Achieving a Security Culture

Adéle Da Veiga (University of South Africa, South Africa)
Copyright: © 2019 | Pages: 29
DOI: 10.4018/978-1-5225-7847-5.ch005

A security culture can be a competitive advantage when employees uphold strong values for the protection of information and exhibit behavior that complies with policies, thereby introducing minimal incidents and breaches. The security culture in an organization might, though, differ among departments, job levels, or even generation groups. It can pose a risk when it is not conducive to the protection of information and when security incidents and breaches occur due to employee error or negligence. This chapter aims to give organizations an overview of the concept of security culture, the factors that could influence it, an approach to assess the security culture, and a way to prioritize and tailor interventions for high-risk areas. The outcome of the security culture assessment can be used as input to define security awareness, training, and education programs that aid employees in exhibiting behavior that complies with security policies.
Chapter Preview

The protection of information in an organization is a combined effort of technological, procedural and human-related controls (ENISA, 2017). Management that understands the behavioral and cultural aspects of their organization can use that understanding to reduce the risk end-users could pose to information protection (Whitman & Mattord, 2012). One of the human or behavioral controls that organizations can focus on is inculcating a strong security culture (AlHogail, 2015; ENISA, 2017; Geeling, Brown, & Weimann, 2016). A strong security culture is one in which information is protected throughout its lifecycle as employees process and interact with it, introducing minimal risk from accidental or ignorant behavior as part of everyday practice in the organization (Da Veiga & Martins, 2015a).

A strong or positive security culture in an organization is essential to mitigate risk from a human perspective in order to secure information (AlHogail, 2015; ENISA, 2017). It contributes to reducing the risk of employee misbehavior, increasing overall compliance with security policy and regulation, improving the organization's security stance and minimizing financial loss due to security incidents or breaches related to employee behavior (Mahfuth, Yussof, Baker & Ali, 2017; Van Niekerk & Von Solms, 2010; Verizon, 2017). It is critical to evaluate the security culture continuously and to address identified gaps to improve employees' compliance with security policies and requirements. Organizations can achieve this by regularly assessing the security culture, monitoring change over time and implementing corrective actions to influence the culture positively (Da Veiga & Martins, 2015a).

This chapter defines the concept of a security culture in the context of an information security and cybersecurity culture. An overview of how a security culture develops in an organization is discussed, focusing on the internal factors that could potentially influence it. A security culture assessment approach is discussed with practical advice on rolling out such an assessment in an organization. The emphasis is on understanding the as-is security culture in order to implement corrective actions to influence it positively. Examples are given of how to analyze the data, which management can use to define change management plans using methods such as awareness, training and education.

Key Terms in this Chapter

Security Culture: A security culture can be seen as the unconscious manner in which things are done in an organization to secure information. The security culture is synonymous with the information security culture and includes cybersecurity culture in the context of an organization.

Cybersecurity Culture: The cybersecurity culture is the unconscious way things are done by users to protect information in cyberspace. This culture extends to home users, employees in organizations or entities, users in communities as well as users from a national or international context.

Information Security Culture Assessment (ISCA): A validated security culture questionnaire with ten constructs to assess the security culture in an organization.

Information Security Culture: The information security culture is the unconscious way things are done by employees to protect information throughout its life cycle and in various formats, typically in the context of an organization or entity. The information security culture includes cybersecurity culture in the context of an organization.
