Exploring the relationship between organizational culture and information security culture

Joo Soon Lim, Shanton Chang, Sean B. Maynard, Atif Ahmad

Managing Information Security is becoming more challenging in today’s business because people are both a cause of information security incidents as well as a key part of the protection from them. As the impact of organizational culture (OC) on employees is significant, many researchers have called for the creation of information security culture (ISC) in organizations to influence the actions and behaviour of employees towards better organizational information security. Although researchers… 

Towards an organizational culture framework for information security practices

The authors address the unsubstantiated claim that there is an important relationship between OC and the ability to successfully implement information security and suggest that security practices can be successfully implemented within eight organizational culture characteristics.

Embedding Information Security Culture Emerging Concerns and Challenges

It is argued that embedding ISC should not focus only on employee behaviour, but should rather be approached in a holistic manner that includes senior management support and involvement to instil awareness through mandatory training with a clear assignment of responsibility and constant enforcement of security policies and procedures.

Information Security Culture: Definition, Frameworks and Assessment

One research team was found to contribute the most to the ISC research field by providing the most comprehensive ISC definition; developing a comprehensive framework for establishing ISC in an organisation; as well as providing a validated process for assessing the current state of security culture.

A systematic literature review: Information security culture

There is a need for more studies to identify the security knowledge that needs to be incorporated into organizations and to find instances of best practice for building an information security culture within organizations.

Cultivating and Assessing an Organizational Information Security Culture; an Empirical Study

The ISCF could be used by all types of organizations in order to assess whether an acceptable level of information security culture has been implemented and, if not, corrective actions are suggested.

Information Security Subcultures in Information Security Management: A Conceptual Framework

This paper addresses information security from the management point of view, paying close attention to the information security subculture as seen in organizations, and looks into different methods by which security subcultures can be studied in relation to information security management.

A proposal of an organizational information security culture framework

  • A. Alhogail, A. Mirza
  • Computer Science, Business
    Proceedings of International Conference on Information, Communication Technology and System (ICTS) 2014
  • 2014
This paper reviews key frameworks that were proposed in the literature in the period between the years 2003 and 2013 to establish and maintain information security culture inside organizations and proposes a framework that incorporates key change management principles.

Investigation of cultural aspects within information systems security research

  • L. Connolly, M. Lang
  • Computer Science
    2012 International Conference for Internet Technology and Secured Transactions
  • 2012
It is suggested that IS scholars should take a new approach in investigation of the problem of human factors in the field of Information Systems Security; that is, the study of ISC should be separated from other aspects of culture as prior research suggests that the various aspects interact and influence each other.


An ISC framework for Malaysian Public Sector organizations is proposed, which consists of six dimensions, namely, management support, policy and procedures, compliance, awareness, budget and technology.

Information security culture: A definition and a literature review

  • A. Alhogail, A. Mirza
  • Computer Science
    2014 World Congress on Computer Applications and Information Systems (WCCAIS)
  • 2014
The review identified 62 papers published in that period (2003-2013) that focused on information security culture in organizations as a main topic, and the need for more investigation in the field to provide a comprehensive framework for the establishment of information security culture within organizations is drawn.



Analyzing information security culture: increased trust by an appropriate information security culture

  • T. Schlienger, S. Teufel
  • Computer Science
    14th International Workshop on Database and Expert Systems Applications, 2003. Proceedings.
  • 2003
This work starts with the explanation of the "organizational culture concept," asking how it can be used to implement information security culture, and discusses several ways and methods to analyze organizational culture.

Understanding Information Security Culture: A Conceptual Framework

This paper briefly introduces Schein’s model, and incorporates the important role knowledge plays in information security into this definition, and a conceptual framework to aid understanding of the interactions between the various elements of such a culture.

Information Security Cultures of Four Professions: A Comparative Study

This article provides a comparative description of the security cultures of four professions - information systems, accounting, marketing and human resources - based on semi-structured interviews of respondents from each of the professions to confirm the existence of differences in security cultures across professions.

Information security culture - from analysis to change

A management model for creating, changing and maintaining Information Security Culture will be developed and this model will then be used to define explicit sociocultural measures, based on the concept of internal marketing.

Towards information security behavioural compliance

Security Governance: Its Impact on Security Culture

The results indicate that although the structural and functional mechanisms in security governance are influencing factors, it is the extent of social participation that may be the major contributing component in security governance that influences the levels of responsibility and sense of ownership that IT security personnel have over the management of security within an organisation.

Information Security Culture

The concept of information security culture and an assessment approach developed to implement and improve such a culture are discussed.

Information Security Culture: The Socio-Cultural Dimension in Information Security Management

The concept of corporate culture is explained, and the example of security culture is used to show how cultural theory can help to increase the overall security of an organization.

Organisational security culture: Extending the end-user perspective

Information security: management's effect on culture and policy

Evidence suggests that top management support is a significant predictor of an organization's security culture and level of policy enforcement.