Assessing information security culture: The case of Malaysia public organization

摘要

In line with the growing number of reported cases of information security breaches, there is also a growing interest among researchers to study information security culture. To this effect, researchers have developed various models and frameworks for assessing and developing information security culture. However, most of these models or frameworks are not a silver bullet which can be easily applied to all organizational settings. The requirements and the characteristics of information security culture differ from one organization to other organization. On the basis of this background, this study was conducted with the aim of identifying the dimensions of information security culture in the context of Malaysian public organizations. The framework for assessing the information security culture was developed through extensive literature review and verified through experts' interviews. The framework consists of six components, namely, management support, policy and procedures, compliance, awareness, budget and technology. A corresponding scale was also developed to assess the information security culture and administered to Malaysian public organizations of the federal ministries. The respondents were requested to indicate the aspects that are considered crucial and important in developing an information security culture. A total of 293 IT directors responded to the survey. The results showed that all of the aforementioned components were indeed crucial and significant in developing information security culture. The contribution of the study can be described in three-folds, namely theoretical, practical and empirical. From a theoretical standpoint, it has developed an empirical based framework for assessing information security culture. From a practical standpoint, the scale or instrument developed in the study can be used to gauge the level of information security culture and finally from the empirical standpoint, it has provided additional empirical evidence on the status of information security culture in the Malaysian context.