Security culture encompasses all socio-cultural measures that support technical security measures, so that information security becomes a natural aspect of the daily activities of every employee. The cultural concept helps to increase trust between the different actors concerned with information security within an organization. We start with an explanation of the "organizational culture" concept, asking how it can be used to implement an information security culture. To create, maintain and change a security culture, certain measuring instruments are necessary. We discuss several ways and methods to analyze organizational culture. Furthermore, we ask to what extent they could be used in the context of security culture and what special problems might arise. Finally, possible implementation is discussed in the context of an ongoing survey, from which we present some results.
In this paper, we present a management process we have developed for an Information Security Culture. It is based theoretically on action research and practically on expert interviews and group discussions. A Decision Support System, which supports the process, allows a quick survey of the existing Information Security Culture in an organization and analysis of the results, thus discovering strong and weak points. Based on stored measures and rules, this tool recommends actions to improve the weak points. It helps security officers to do their work and to improve the Information Security Culture in their organizations. The application of the process and the Decision Support System in a private bank is presented here and major findings are discussed.
Background: Availability of information in hospitals is an important prerequisite for good service. Significant resources have been invested to improve the availability of information, but it is also vital that the security of this information can be guaranteed.

Objective: The goal of this study was to assess information security in hospitals through a questionnaire based on the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard ISO/IEC 27002 (Information technology – Security techniques – Code of practice for information security management), with a special focus on the effect of the hospitals' size and type.

Methods: The survey, set up as a cross-sectional study, was conducted in January 2011. The chief information officers (CIOs) of 112 hospitals in German-speaking Switzerland were invited to participate. The online questionnaire was designed to be fast and easy to complete to maximize participation. To group the analyzed controls of ISO/IEC 27002 in a meaningful way, a factor analysis was performed. A linear score from 0 (not implemented) to 3 (fully implemented) was introduced. The scores of the hospitals were then analyzed for significant differences in any of the factors with respect to size and type of hospital. The participating hospitals were offered a benchmark report about their status.

Results: The 51 participating hospitals had an average score of 51.1% (range 30.6% - 81.9%) out of a possible 100%, where 100% means all items in the questionnaire were fully implemented. Room for improvement could be identified, especially for the factors covering "process and quality management" (average score 1.3 ± 0.8 out of a maximum of 3) and "organization and risk management" (average score 1.3 ± 0.7 out of a maximum of 3). Private hospitals scored significantly higher than university hospitals in the implementation of "security zones" and "backup" (P = .008).

Conclusions: Half (50.00%, 8588/17,177) of all assessed hospital beds in German-speaking Switzerland are in hospitals that have a score of 49% or less of the maximum possible score in information security. Patient data need to be better protected, both because of data protection laws and because sensitive personal data should be guaranteed confidentiality, integrity, and availability.