Towards an Organizational Culture Framework for Information Security Practices

Joo Soon Lim (The University of Melbourne, Australia), Shanton Chang (The University of Melbourne, Australia), Atif Ahmad (The University of Melbourne, Australia & SECAU – Security Research Centre, Edith Cowan University, Australia) and Sean Maynard (The University of Melbourne, Australia)
DOI: 10.4018/978-1-4666-0197-0.ch017
In organizations, employee behaviour has a considerable impact on information security. The organizational culture (OC) that shapes acceptable employee behaviours is therefore significant. A large body of literature exists that calls for the cultivation of security culture to positively influence information security related behaviour of employees. However, there is little research examining OC that enables the implementation of information security. The authors address the unsubstantiated claim that there is an important relationship between OC and the ability to successfully implement information security. Findings suggest that security practices can be successfully implemented within eight organizational culture characteristics. Investigation of these organizational culture characteristics from a security perspective is an important step toward future empirical research aimed at understanding the relationship between OC and the implementation of systematic improvement of security practices. The research and practical implications of these findings are discussed, and future research areas are explored.
Security threats from insiders in an organization are recognized as a major concern in the implementation of information security practices (Straub, 1986; Workman, Bommer, & Straub, 2008). According to the annual CSI Computer Crime and Security Survey (2007), insider threat was cited by 59 percent of respondents, overtaking virus attacks as the most reported security incident (Richardson, 2007). Recent studies support this new trend (Furnell & Thompson, 2009). This indicates the need to look at human behavior within organizations. In addition, research shows that within organizations, it is OC that has an impact on employees’ behaviors. OC has this impact because it is a set of shared values, beliefs, and practices that shape and direct attitudes and behaviors (Schein, 1992). Therefore, several researchers have suggested that the impact of OC in influencing the security behavior of employees must be considered (Dhillon, 1997; Von Solms, B., 2000). Subsequently, the importance of OC in information security has stimulated in-depth research in the hope that findings will assist in influencing the security behavior of employees.

Over the past decade, information security culture (ISC) has remained among the top-ranked concerns of information security researchers and industry practitioners (Lim, Chang, Maynard, & Ahmad, 2009; Lim, Ahmad, Chang, & Maynard, 2010). Many academic researchers argue that ISC is vital in protecting organizational information and that security behavior should be inculcated in the routine activities of each employee as a way forward in addressing information security problems (Von Solms, B., 2000; Schlienger & Teufel, 2002, 2003). As for industry practitioners, the Organization for Economic Co-operation and Development (OECD) Council and SANS have specifically drawn up guidelines for moving toward a culture of information security (OECD, 2002, 2005; SANS, 2005) for the same purpose.

However, although many organizations acknowledge the importance of OC in information security behavior, many researchers have found that the OC in these organizations had not provided adequate support to security practices. For example, Knapp et al. (2006) found that security training is not an integral part of most organizations, and Helokunnas & Kuusisto (2003) found that none of the small-to-medium-sized enterprises in their study had fully cultivated an ISC. These findings indicate that further empirical work is needed to investigate the cultural characteristics that provide support to security practices.

Broadly speaking, ISC has been studied in the light of various concepts and models of organizational theory. It has been researched from the perspective of Schein’s (1992) three-layered model (Schlienger & Teufel, 2002, 2003; Zakaria & Gani, 2003); Habermas’s theory (Kuusisto, Nyberg, & Virtanen, 2004); organizational behaviors (Martins & Eloff, 2002; Veiga & Eloff, 2009); Detert, Schroeder, & Mauriel’s (2000) model (Chia, Maynard, & Ruighaver, 2002; Ruighaver, Maynard, & Chang, 2007); and conceptual frameworks (Lim et al., 2009; Lim et al., 2010). While such concepts and models are valuable and provide further understanding of ISC, we conclude from our review that little work has looked at the cultural characteristics that enable the implementation of information security practices in organizations.
