Denning and identifying dominant information security cultures and subcultures

摘要

When considering an information security culture in an organisation, researchers have to consider the possibility of several information security subcultures that could be present in the organisation. This means that different geographical, ethnic or age groups of employees could have different assumptions, values and beliefs about the protection of information, resulting in unique information security subcultures. This research sets out to understand how dominant information security cultures and subcultures develop and how they can be influenced positively over time through targeted interventions. In support of this, a summary of the intrinsic and extrinsic factors that influence information security culture is presented. An empirical case study was conducted using a survey approach with a validated information security culture questionnaire to illustrate how to identify dominant information security cultures and subcultures. The survey was conducted at four intervals in the same organisation over a number of years to identify potential information security subcultures and to monitor the change, if targeted interventions for each are implemented. Using t-tests and ANOVA tests, a number of information security subcultures were identified, mostly evident across the organisation's office locations (which are separated geographically), as well as between employees that worked in the IT division compared to those who did not. The data indicate that the dominant information security culture and subcultures improved over time to a more positive information security culture after the implementation of targeted interventions. This illustrates how the identification and targeting of information security subcultures with customised interventions can influence the information security culture positively. By using information security interventions, organisations can target their high-risk subcultures and monitor the change over time through continuous assessment, thereby minimising the risk to information protection from a human perspective.