A framework for fostering a dynamic information security culture
Abstract
This paper proposes how organisations may attend to key factors influencing organisational culture to facilitate and nurture a well-prepared information security culture. Organisational culture is the formative part of organisational behaviour, establishing the social interaction norms, best practices and processes required to achieve organisational objectives. In defining what organisational culture is, and by recognising what a worthy culture should entail, companies may increase opportunities to detect problems, design solutions and develop healthier environments. Employees have accord in decision making and experience a shared understanding of how to accomplish organisational goals. The organisation’s cultural orientation dictates the acceptable system and leadership behaviours expected to effectively achieve enterprise strategy; ultimately, employee behaviour and interaction become defined by such orientation. Attempts to change organisational culture are problematic, since organisational culture often lives on long after founders depart, leaders exit, and products and services cease. Hence, organisational culture may become static. Understanding the organisation’s culture is valuable in managing responses to security challenges, since awareness of the organisation’s cultural profile helps in recognising the organisation’s readiness in dealing with dynamic security hazards. Information security culture, a sub-culture of organisational culture, represents the employee’s behaviour and attitude toward information security. The Information Security Culture Framework offers a model to assess the organisation’s status (resiliency and readiness) of its information security culture and mitigate security issues heightened by human error. Adopting a dynamic information security culture fosters beneficial change necessary to confront and diminish security threats.
By promoting information security consciousness and focused security awareness to address dynamic information security threats, organisations may achieve a robust information security culture.
The full article is available to subscribers to the journal.
Author's Biography
Renay Carver, PhD, CISM, CRISC, PMP, SSBB, CSM, CSP, POPM, SAFe is an accomplished operations and technology strategist with over 20 years’ experience leading diverse business teams and clients through transformational information security, risk and change strategic initiatives. As a skilled risk and cyber management practitioner, Renay has provided direct leadership executing cross-functional, large scale and complex business programmes for multinational organisations. In addition to a PhD in industrial/organisational psychology, Renay holds an MBA (Marketing) and an MS (Finance).