Determining a standard for information security culture
Abstract
Information is a valuable asset and many organisations cannot survive or function without it, so protecting that information is essential. Statistics show that a large percentage of organisations are threatened by security breaches, with most anticipating more frequent attacks. The importance of an information security solution in an organisation cannot be overstated. An organisation's success or failure in implementing information system security depends on the actions of its employees. To reduce the risk of security failures, organisations should focus more on employee behaviour. Cultivating an information-security-aware culture will decrease the risk to information assets.

The primary objective (aim) of this study is to investigate a measuring mechanism and acceptable standards for information security culture, in order to improve organisational culture using appropriate methods in awareness and training programmes. Drawing on studies presented in the literature, this study identifies a number of aspects, methods and topics:

* 21 information security culture aspects: policy; compliance; managerial trust/information security leadership; education and training; information security awareness; information asset management; information monitoring and audit; business continuity plan/incident management; information security programme; change management; communication; management's perspective; strategy; delegation of responsibility; risk analysis; ROI (Return on Investment); legal and regulatory; ethical conduct; accountability; fairness towards employees; and fulfilment of personal needs of the employee.
* Five training and awareness delivery methods: formal training sessions, informal training, short messages around the office, the employee sitting in front of a computer, and other.
* 18 important topics that should be included in an awareness and training programme: the need for an anti-virus program; the need to update virus definitions; regularly scanning a computer and storage devices; using a personal firewall; installing software patches; using pop-up blockers; the risk of downloading programs or files; the risks of peer-to-peer (P2P) file sharing; the risk of clicking on e-mail links; the risk of e-mailing passwords; the risk of e-mail attachments; regularly backing up important files; the risk of smartphone viruses; the need for an anti-virus program on a smartphone; the characteristics of a strong password; using different passwords for different systems; changing passwords regularly; and legal, regulatory and ethical issues of information security.

In an online questionnaire, respondents were asked to rate the importance of each information security culture aspect. This provided a minimum acceptable baseline for each aspect: the level of that aspect which any organisation should have as a minimum. Respondents were also asked to choose the best delivery method for each aspect, yielding a list of preferred delivery methods for each culture aspect. The important topics were also discussed, and respondents rated the importance of each, identifying which are the most important. Additional open-ended questions allowed them to name other security culture aspects, delivery methods and important topics not included in the questionnaire, and to give comments and feedback.

The results from the questionnaire were used to create a framework that presents all the results in table format. They were also used to create a mobile application that an organisation can use to measure the strength of its information security culture and of each individual security culture aspect. The application advises which delivery methods can be used for each security culture aspect and gives information on the important topics.
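As an added illustration of the measuring mechanism described above (this is example code, not the study's own framework or mobile application), the following Python script compares an organisation's self-assessed rating of each of the 21 aspects with a per-aspect minimum acceptable baseline, ranks the shortfalls, and suggests a delivery method for each weak aspect. The 1-5 rating scale, the sample baseline and score values, and the aspect-to-delivery-method mapping are assumptions constructed for the example, not results from the questionnaire.

```python
"""Gap assessment of an organisation's information security culture against
per-aspect minimum baselines, in the spirit of the measuring mechanism the
abstract describes.

Added example, not the study's own code or mobile application. Assumptions not
taken from the abstract: a 1-5 rating scale, the sample baseline and
self-assessment values, and the aspect-to-delivery-method mapping.
"""

from dataclasses import dataclass

# The 21 information security culture aspects named in the abstract.
ASPECTS = (
    "policy", "compliance", "managerial trust/information security leadership",
    "education and training", "information security awareness",
    "information asset management", "information monitoring and audit",
    "business continuity plan/incident management",
    "information security programme", "change management", "communication",
    "management's perspective", "strategy", "delegation of responsibility",
    "risk analysis", "ROI (Return on Investment)", "legal and regulatory",
    "ethical conduct", "accountability", "fairness towards employees",
    "fulfilment of personal needs of employee",
)

# The five delivery methods named in the abstract.
DELIVERY_METHODS = (
    "formal training sessions", "informal training",
    "short messages around the office",
    "employee sitting in front of computer", "other",
)

MIN_RATING, MAX_RATING = 1.0, 5.0  # assumed rating scale


@dataclass(frozen=True)
class AspectResult:
    aspect: str
    score: float      # the organisation's self-assessment
    baseline: float   # minimum acceptable level for this aspect
    gap: float        # distance below the baseline (0.0 if at or above it)


def _validate(ratings: dict) -> None:
    """Every aspect must be rated exactly once, on the assumed scale."""
    missing = set(ASPECTS) - set(ratings)
    unknown = set(ratings) - set(ASPECTS)
    if missing or unknown:
        raise ValueError(f"missing: {sorted(missing)}; unknown: {sorted(unknown)}")
    for aspect, value in ratings.items():
        if not MIN_RATING <= value <= MAX_RATING:
            raise ValueError(f"{aspect!r}: rating {value} outside {MIN_RATING}-{MAX_RATING}")


def assess(scores: dict, baselines: dict) -> list:
    """Compare each aspect's score with its baseline; largest gaps first."""
    _validate(scores)
    _validate(baselines)
    results = [
        AspectResult(a, scores[a], baselines[a], max(0.0, baselines[a] - scores[a]))
        for a in ASPECTS
    ]
    return sorted(results, key=lambda r: (-r.gap, r.aspect))


def below_baseline(results: list) -> list:
    """Names of the aspects that fall short of their minimum acceptable level."""
    return [r.aspect for r in results if r.gap > 0]


def overall_strength(scores: dict) -> float:
    """Mean rating across all aspects, as a percentage of the maximum rating."""
    _validate(scores)
    return sum(scores.values()) / len(ASPECTS) / MAX_RATING * 100


def preferred_delivery(aspect: str) -> str:
    """Constructed mapping standing in for the questionnaire's preferred-method list."""
    hands_on = {"education and training", "information security awareness",
                "business continuity plan/incident management"}
    if aspect in hands_on:
        return "formal training sessions"
    if aspect in {"communication", "policy", "compliance"}:
        return "short messages around the office"
    return "informal training"


# Constructed sample baselines: 3.0 everywhere except a few aspects that the
# hypothetical respondents rated as more important.
SAMPLE_BASELINES = {a: 3.0 for a in ASPECTS}
SAMPLE_BASELINES.update({"policy": 4.0, "education and training": 4.0,
                         "information security awareness": 4.0, "compliance": 3.5})

# Constructed self-assessment for one hypothetical organisation.
SAMPLE_SCORES = {a: 3.5 for a in ASPECTS}
SAMPLE_SCORES.update({"policy": 2.0, "education and training": 3.0,
                      "communication": 2.5, "risk analysis": 3.0})


if __name__ == "__main__":
    results = assess(SAMPLE_SCORES, SAMPLE_BASELINES)
    print(f"overall strength: {overall_strength(SAMPLE_SCORES):.1f}%")
    for r in results:
        if r.gap > 0:
            print(f"{r.aspect}: {r.score} < {r.baseline} (gap {r.gap}); "
                  f"consider {preferred_delivery(r.aspect)}")
```

Ranking by gap rather than by raw score matters because the baselines differ per aspect: an aspect scored 3.5 can still be a shortfall where respondents set the minimum at 4.0, while a lower score on a less critical aspect may be acceptable.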