The Role of Security Culture

The Role of Security Culture

Jo Malcolmson (QinetiQ Ltd, UK)
DOI: 10.4018/978-1-4666-4526-4.ch012


This chapter provides a discussion of the importance of the wider organisational context that the network administrator needs to deal with by describing how the organisational culture can impact on the degree to which security can be successfully maintained. It starts with an acknowledgement of the general clusters of factors that affect security (technology, processes, organisational, and human), and focuses on the human element within these. The types of risk that arise from humans in the system are described, such as motivation, ability, awareness (and lack of awareness). Errors and purposeful violations are compared, and individual, organisational, and latent risk factors explained. The chapter’s key focus is the role of organisational culture. A general description of culture and its application in organisations leads into a discussion of security culture. A comparison is made between safety and security culture. Similarities are listed as the impacts of regulatory influence, reputational damage, having multiple causes, and the fact both are often driven by adverse events. Differences are examined. For example, the victim of a poor safety culture is often the perpetrator, whereas this is less often true in security violations. Intrinsic motivation and the impact of certain systems designs are further differences. Gaps in security culture research are noted as a lack of an accepted practical definition, a lack of an accepted way of measuring security culture that can be used outside narrow domains, research into engendering and enhancing security culture is narrowly focused on specific aspects of culture, and a lack of research relating security culture to organisational performance. A project to address some of these gaps by defining and measuring security culture is described. Qualitative and quantitative research was used to develop a questionnaire consisting of seven scales and fourteen sub-scales, each measuring a reliable and distinct factor. The content of these factors is noted, and a case study of the questionnaire’s application to facilitate the development of security culture is outlined. Two key benefits result from the use of the questionnaire: diagnosis of aspects of security culture that may need improvement and benchmarking within (and between) organisations.
Chapter Preview

Human Risks

The human in the system creates a number of types of risk. Whilst much has been written about outsiders who hack into organisations directly, they are not the focus of this chapter. Instead, I will focus on employees themselves. They may breach security either intentionally, or unintentionally, and knowingly or unknowingly. Both ability and motivational factors are important, and in addition to the impact of individuals, the impact of humans collectively must be considered. The organisational culture influences to what extent individuals deploy their abilities, and in what ways they are willing to do so.

Complete Chapter List

Search this Book: