Investigating the Concept of Information Security Culture

Daniel Oost (University of Technology, Australia) and Eng K. Chew (University of Technology, Australia)
DOI: 10.4018/978-1-4666-0197-0.ch001
The concept of an “information security culture” is relatively new. A review of published research on the topic suggests that it is not the information security panacea that has been suggested. Instead, it tends to refer to a range of existing techniques for addressing the human aspect of information security, oversimplifying the link between culture and behaviour, exaggerating the ease with which a culture can be adjusted, and treating culture as a monolith, set from the top. Evidence for some of the claims is also lacking. This chapter finds that the term “information security culture” is ambiguous and vague enough to suggest the possibility of achieving an almost mystical state, whereby behaviour consistent with information security is second nature to all employees, but when probed does not deliver. Instead, future research should be clear about what it considers information security culture to be, should provide evidence for claims, and should take complexity and context seriously.
Information security culture has been defined in different ways. Some authors see an information security culture as a goal to be achieved. For example, von Solms (2000) calls for the creation of a culture of information security within organizations, “by instilling the aspects of information security to every employee as a natural way of performing his or her daily job” (p. 618). Similarly, Schlienger and Teufel (2002) suggest that “Security culture should support all activities in a way, that information security becomes a natural aspect in the daily activities of every employee” (p. 7). Other researchers with definitions along these lines include Vroom and von Solms (2004) and Thomson et al (2006). In contrast, Ngo et al (2005) allow for information security culture to refer to “how things are done (i.e. accepted behaviour and actions) by employees and the organisation as a whole, in relation to information security” (p. 68), not just a situation where behaviour is ‘naturally’ consistent with information security principles.

For Martins and Eloff (2002) an information security culture emerges from employee behaviour in relation to information security, which over time ends up being equated with the ‘ways things are done around here’. May (2003) equates an information security culture with internal acceptance of the idea that information security is vital for a successful business. Knapp et al (2006) build a security culture construct based on the extent to which employees value the importance of security, how the culture promotes good security practices, whether security has traditionally been considered an important organizational value that fosters security-minded thinking, and whether practicing good security is the accepted way of doing business and a key norm shared by organizational members.

As Ruighaver et al (2007) point out, some authors use the term ‘information security culture’ without clarifying exactly what they mean by it. Despite this criticism, Ruighaver et al do not go on to provide a definition. Instead, they declare that the concept of a security culture is too complex to be explained by a single framework, and hence are hesitant to even define it. In place of such a definition, Ruighaver et al recommend the use of Detert et al’s (2000) organizational culture framework for studying an organization’s security culture. This framework was developed as a synthesis of different organizational culture research, and consists of eight dimensions of organizational culture: 1) the basis of truth and rationality, 2) the nature of time and time horizon, 3) motivation, 4) stability versus change/innovation/personal growth, 5) orientation to work, task, co-workers, 6) isolation versus collaboration/cooperation, 7) control, coordination and responsibility, and 8) orientation and focus – internal and/or external.

The use of Detert et al’s framework as a theoretical resource by Ruighaver et al (and Chia et al 2002) is a deviation from the more frequent reference to Edgar Schein’s work on organizational culture (e.g. Schein, 1992) by information security culture researchers (e.g. Schlienger and Teufel 2002, 2003a, 2003b; Thomson et al 2006; Thomson and von Solms 2005; Vroom and von Solms 2004; Zakaria 2004). These researchers relate elements of information security culture to Schein’s distinction between three aspects of organizational culture: ‘artefacts and creations’, ‘collective values, norms and knowledge’, and ‘basic assumptions and beliefs’. Each of these aspects is seen as being interrelated with the next, and increasingly difficult for a researcher to access.