A Conceptual Information Security Culture Framework for Higher Learning Institutions

Ocloo, Charles Mawutor; Veiga, Adéle Da; Kroeze, Jan H.

doi:10.1007/978-3-030-81111-2_6

Cited by 4 publications

(2 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Broadly, technical and other factors related to a system's design have not been studied in the context of ICS security culture as much as people-centric factors such as security training policy. This generally extends to the wider security culture literature, where technology aspects and their influence on security culture have had limited attention [41]. However, the unique operational nature of ICS, where patching is harder to implement, or passwords frequently need to be shared [29], often contrasts general security practices.…”

Section: Discussionmentioning

confidence: 90%

Security Culture in Industrial Control Systems Organisations: A Literature Review

Evripidou

Ani

Watson

et al. 2022

Human Aspects of Information Security and Assurance

View full text Add to dashboard Cite

Industrial control systems (ICS) are a key element of a country's critical infrastructure, which includes industries like energy, water, and transport. In recent years, an increased convergence of operational and information technology has been taking place in these systems, increasing their cyber risks, and making security a necessity. People are often described as one of the biggest security risks in ICS, and historic attacks have demonstrated their role in facilitating or deterring them. One approach to enhance the security of organisations using ICS is the development of a security culture aiming to positively influence employees' security perceptions, knowledge, and ultimately, behaviours. Accordingly, this work aims to review the security culture literature in organisations which use ICS and the factors that affect it, to provide a summary of the field. We conclude that the factors which affect security culture in ICS organisations are in line with the factors discussed in the general literature, such as security policies and management support. Additional factors related to ICS, such as safety culture, are also highlighted. Gaps are identified, with the limited research coverage being the most prominent. As such, proposals for future research are offered, including the need to conduct research with employees whose roles are not security related.

show abstract

Section: Discussionmentioning

confidence: 90%

Security Culture in Industrial Control Systems Organisations: A Literature Review

Evripidou

Ani

Watson

et al. 2022

Human Aspects of Information Security and Assurance

View full text Add to dashboard Cite

show abstract

“…Previous research has demonstrated that factors influencing compliance with regard to ISP can originate from employees’ behaviour (Angraini et al , 2021; Chen et al , 2020; Chin and Chua, 2021; Nord et al , 2020) and from the organisation (Ali et al , 2020a, 2020b; Amankwa et al , 2018; Da Veiga, 2018; Karlsson et al , 2018; Liu et al , 2020; Ocloo et al , 2021; Sommestad, 2018; Da Veiga et al , 2020). The study of Angraini et al (2021) discovered that corporate commitment had a substantial impact on attempts to encourage employee compliance with the ISPs in the organisation.…”

Section: Introductionmentioning

confidence: 99%

The determinants of an information security policy compliance culture in organisations: the combined effects of organisational and behavioural factors

Amankwa

Loock

Kritzinger

2022

ICS

View full text Add to dashboard Cite

Purpose This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations. Design/methodology/approach Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests. Findings The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation. Practical implications Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies. Originality/value The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

show abstract

Perceptions and dilemmas around cyber-security in a Spanish research center after a cyber-attack

Navajas-Adán,

Badia-Gelabert,

Jiménez-Saurina

et al. 2024

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Information and Communication Technologies and Internet networks are present in all aspects of social reality and are essential elements in research, development and innovation centers (R&D&I). Cyber-security is crucial for the progress of the research activities developed in these centers, especially given the exponential growth of cyber-attacks and incidents. The present study aims to assess from a socio-technical approach, how a serious cyber-attack on a Spanish research center has affected staff’s perceptions of information and communication systems (ICT) security. This study employed a mixed-methods research strategy, combining quantitative and qualitative methods to provide a comprehensive and nuanced understanding of ICT security perceptions among employees. First a quantitative scale was administered to 1,321 employees 3 years before the cyber-attack and 4 months afterward, to measure ICT security perceptions. Then, qualitative techniques (semi-structured interviews, focus groups, and micro-ethnography) were applied to gain a deeper understanding of the arguments underpinning cyber-security at the center after the attack. The results show that the event had an impact on employees’ perceptions, increasing the perceived importance of ICT security, with positive behavioral changes noted, but with doubts about their sustainability over time. Also, the need for cyber-security governance was critically contrasted with organizational reality. Finally, the compatibility of science and cyber-security was a central dilemma, which seems to confront antagonistic poles (research and security ICT) and justify the non-compliance with security protocols by part of the staff.

show abstract

A Conceptual Information Security Culture Framework for Higher Learning Institutions

Cited by 4 publications

References 34 publications

Security Culture in Industrial Control Systems Organisations: A Literature Review

Security Culture in Industrial Control Systems Organisations: A Literature Review

The determinants of an information security policy compliance culture in organisations: the combined effects of organisational and behavioural factors

Perceptions and dilemmas around cyber-security in a Spanish research center after a cyber-attack

Contact Info

Product

Resources

About