Information Security Culture
The effect that an organisation's security culture has on the security of the organisation is profound. This area of research investigates security culture and its relationship to organisational culture, and to security practice within organisations. Security culture can be defined as everything that people have, think, and do around security as members of the organisation.
What is Security Culture?
In the last few years, research in security culture has been expanding rapidly. Much of this research, however, has a limited focus and often concentrates only on the attitudes and behaviour of end-users, and on how management can influence these aspects of security culture to improve end-users' adherence to security policies. However, the impact of security culture in an organisation goes further than just its influence on security policy. The fact that many security incidents experienced by organisations are caused by their own employees is a compelling argument for organisations to be concerned with security culture. The presence of a good security culture in an organisation should help to empower employees with regard to information security. In terms of research, the concept of security culture, whilst it has been discussed for over a decade, is still in its infancy. As such, there are many definitions of what security culture is: "the totality of pattern of beliefs, values and practices that contribute to the protection of all kind of information" (Dhillon 1995), "the way that things are done" (Martins & Eloff 2002), "all socio-cultural measures that support technical security measures" (Schlienger 2003). More recently, security culture has been defined more in terms of security-related values, beliefs and actions in relation to the protection of organisational information (Ramachandran 2007).
Measuring Security Culture
Given that security culture helps to guide employee behaviour towards the security practices required by the organisation, and that little research has been completed on the relationship between security culture and security practices, it is little wonder that there is presently no established way of measuring an organisation's security culture. Work is currently in progress on determining the relationship between security culture and organisational culture, and between organisational culture and organisational security practices (see Lim et al. 2010, 2012).
Publications
Lim, J.S.; Chang, S.; Ahmad, A.; Maynard, S. (2012) "Towards a Cultural Framework for Information Security Practices". In M. Gupta, J. Walp and R. Sharman (Eds.), Strategic and Practical Approaches for Information Security Governance: Technologies and Applied Solutions. IGI Global.
Lim, J.S.; Ahmad, A.; Chang, S.; Maynard, S. (2010) "Embedding Information Security Culture: Emerging Concerns and Challenges". PACIS 2010 Proceedings, Paper 43, pages 463-474.
Lim, J.S.; Chang, S.; Maynard, S.; Ahmad, A. (2009) "Exploring the Relationship between Organizational Culture and Information Security Culture". 7th Australian Information Security Management Conference, Churchlands, Australia: Edith Cowan University, pages 88-97.
Ruighaver, A.B.; Maynard, S.B.; Chang, S. (2007) "Organisational Security Culture: Extending the End-User Perspective". Computers & Security, Volume 26, Issue 1, February 2007, pages 56-62.
Ruighaver, A.B.; Maynard, S. (2006) "Organizational Security Culture: More Than Just an End-User Phenomenon". Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIP/SEC 2006), 22 May 2006, Karlstad, Sweden, pages 425-430.
Koh, K.; Ruighaver, A.B.; Maynard, S.; Ahmad, A. (2005) "Security Governance: Its Impact on Security Culture". Proceedings of the 3rd Australian Information Security Management Conference, Perth, 30 September 2005.
Chia, P.; Maynard, S.; Ruighaver, A.B. (2003) "Understanding Organisational Security Culture". In M.G. Hunter and K.K. Dhanda (Eds.), Information Systems: The Challenges of Theory and Practice. Information Institute, Las Vegas, USA, pages 335-365.
Chia, P.; Maynard, S.; Ruighaver, A.B. (2002) "Understanding Organisational Security Culture". Sixth Pacific Asia Conference on Information Systems, Tokyo, Japan, 2-3 September 2002, pages 731-740.
Chia, P.; Maynard, S.; Ruighaver, A.B. (2002) "Exploring Organizational Security Culture: Developing a Comprehensive Research Model". IS ONE World Conference, Las Vegas, Nevada, USA, 4-5 April 2002.