
2022 | OriginalPaper | Chapter

Designing Information Security Culture Artifacts to Improve Security Behavior: An Evaluation in SMEs


Abstract

This article examines the relationship between information system (IS) security culture and the security behaviors of IS users. The research follows the design science in information systems research guidelines proposed by [43] to conceptualize IS security culture in its context. We propose a model based on Schein’s three-level culture model (1985) [15] and evaluate it in our research context, SMEs, through a qualitative study conducted with twenty-two users belonging to eight French small and medium-sized enterprises (SMEs). The results show a strong relationship between IS security culture and users’ IS security behaviors, in the sense that a positive security culture is conducive to the creation of security behaviors.

Literature
1. Silic, M., Lowry, P.B.: Using design-science based gamification to improve organizational security training and compliance. J. Manag. Inf. Syst. 37(1), 129–161 (2020)
2. Tolah, A., Steven, M., Furnell, S., Papadaki, M.: An empirical analysis of the information security. Comput. Secur. 108, 102354 (2021). ISSN 0167-4048
3. Martins, N., Da Veiga, A.: An information security culture model validated with structural equation modelling. In: Proceedings of the 9th International Symposium on Human Aspects of Information Security and Assurance, HAISA, pp. 11–21 (2015)
4. Wiley, A., McCormac, A., Calic, D.: More than the individual: examining the relationship between culture and information security awareness. Comput. Secur. 88, 101640 (2020)
5. Parsons, K., Young, M., Butavicius, M.A., McCormac, A.: The influence of organizational information security culture on information security decision making. J. Cogn. Eng. Decis. Making 9(2), 117–129 (2015)
6. D’Arcy, J., Greene, G.: The multifaceted nature of security culture and its influence on end user behavior. In: IFIP TC 8 International Workshop on Information Systems Security Research, pp. 145–157 (2009)
7. Alfawaz, S., Nelson, K., Mohannak, K.: Information security culture: a behaviour compliance conceptual framework. In: Australasian Information Security Conference (AISC), Brisbane, Australia (2010)
8. D’Arcy, J., Greene, G.: Security culture and the employment relationship as drivers of employees’ security compliance. Inf. Manag. Comput. Secur. 22, 474–489 (2014)
9. Labodi, C., Michelberger, P.: Necessity or challenge-information security for small and medium enterprises. Ann. Univ. Petrosani Econ. 10(3), 207–216 (2010)
10. Lee, Y., Larsen, K.R.: Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. Eur. J. Inf. Syst. 18(2), 177–187 (2009)
11. Helokunnas, T., Iivonen, L.: Information security culture in small and medium size enterprises. In: e-Business Research Forum. Tampere University of Technology, Tampere (2003)
12. Hutchinson, D., Armitt, C., Edwards-Lear, D.: The application of an agile approach to it security risk management for SMES. In: Proceedings of the 12th Australian Information Security Management Conference, Perth, Australia, 1–3 December 2014 (2014)
13. Ngo, L., Zhou, W., Warren, M.: Understanding transition towards information security culture change. In: Proceeding of the 3rd Australian Computer, Network & Information Forensics Conference. Edith Cowan University, School of Computer and Information Science, pp. 67–73 (2005)
14. Karlson, F., Astrom, J., Karlson, M.: Information security culture – state-of-the-art review between 2000 and 2013. Inf. Comput. Secur. 23(3), 246–285 (2015)
15. Schein, E.H.: Organizational culture and leadership, 358 p. Jossey-Bass Publishers, San Francisco (1985)
16. Hofstede, G.H.: Cultures and Organizations: Software of the Mind. McGraw-Hill, New York (1997)
17. Schein, E.H.: Organizational Culture and Leadership, vol. 2. Wiley, Hoboken (2010)
18. Schlienger, T., Teufel, S.: Information security culture: the socio-cultural dimension in information security management, security in the information society: visions and perspectives. In: IFIP TC11 International Conference on Information Security (Sec2002). Kluwer Academic Publishers, Cairo (2002)
19. Kokolakis, S., Karyda, M., Kiountouzis, E.: The insider threat to information systems and the effectiveness of ISO17799. Comput. Secur. 24(6), 472–484 (2005)
21. Solomon, G., Brown, I.: The influence of organizational culture and information security culture on employee compliance behaviour. J. Enterp. Inf. Manag. 34(4), 1203–1228 (2021)
22. Tolah, A., Furnell, S.M., Papadaki, M.: A comprehensive framework for cultivating and assessing information security culture. In: The Eleventh International Symposium on Human Aspects of Information Security & Assurance (HAISA), HAISA 2017, pp. 52–64 (2017)
23. Alnatheer, M., Chan, T., Nelson, K.: Understanding and measuring information security culture. In: Pacific Asia Conference on Information Systems, p. 144 (2012)
24. Da Veiga, A., Martins, N.: Defining and identifying dominant information security cultures and subcultures. Comput. Secur. 70, 72–94 (2017)
25. Haeussinger, F., Kranz, J.: Information security awareness: its antecedents and mediating effects on security compliant behavior. In: Proceedings of the International Conference on Information Systems ICIS 2013, Milan, Italy (2013)
26. D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse. Inf. Syst. Res. 20(1), 79–98 (2009)
27. Kuusisto, T., Ilvonen, I.: Information security culture in small and medium size entreprises. Frontiers of E-business research, Tampere University of Technology: University of Tampere, Finland (2003)
28. Dojkovski, S., Warren, M., Lichtenstein, S.: Information security culture in small and medium sized enterprises: a socio-cultural framework. In: Proceedings of the 6th Australian Conference on Information Warfare and Security, 24–25 November 2005. Deakin University, Geelong (2005)
29. Dojkovski, S., Lichtenstein, S., Warren, M.: Fostering information security culture in small and medium size enterprises: an interpretive study in Australia. In: European Conference on Information Systems (ECIS) (2007)
30. Williams, P.A.: What does security culture look like for small organizations? In: Proceedings of the 7th Australian Information Security Management Conference (2009)
31. Kaur, J., Mustafa, N.: Examining the effects of knowledge, attitude and behaviour on information security awareness: a case on SME. In: 3rd International Conference on Research and Innovation in Information Systems (2013)
32. Lopes, I., Oliveira, P.: Understanding information security culture: a survey in small and medium sized enterprises. In: Rocha, Á., Correia, A.M., Tan, F.B., Stroetmann, K.A. (eds.) New Perspectives in Information Systems and Technologies, Volume 1. AISC, vol. 275, pp. 277–286. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05951-8_27
33. Santos-Olmo, A., Sánchez, L.E., Caballero, I., Camacho, S., Fernandez-Medina, E.: The importance of the security culture in SMEs as regards the correct management of the security of their assets. Future Internet 8, 30 (2016)
34. Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., Jerram, C.: Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Comput. Secur. 42, 165–176 (2014)
35. Davis, F.D., Bagozzi, R.P., Warshaw, P.R.: User acceptance of computer technology: a comparison of two theoretical models. Manage. Sci. 35(8), 982–1002 (1989)
36. Ajzen, I.: The theory of planned behavior. Organ. Behav. Hum. Decis. Process. 50(2), 179–211 (1991)
37. Barlette, Y.: Les comportements sécuritaires des acteurs dans les Systèmes d’Information des PME. Doctoral thesis in management sciences from the University of Montpelier I, 383 p. (2006)
38. Padayachee, K.: Taxonomy of compliant information security behavior. Comput. Secur. 31(5), 673–680 (2012)
39. Alhogail, A., Mirza, A.: Information security culture: a definition and a literature review. In: Computer Applications and Information Systems, pp. 1–7 (2014)
40. Da Veiga, A., Eloff, J.H.P.: A framework and assessment instrument for information security culture. Comput. Secur. 29, 196–207 (2010)
41. Van Niekerk, J.F., Von Solms, R.: Information security culture: a management perspective. Comput. Secur. 29, 476–486 (2010)
42. Nasir, A., Arshah, R.A., Ab Hamid, M.R.: A dimension-based information security culture model and its relationship with employees’ security behavior: a case study in Malaysian higher educational institutions. Inf. Secur. J.: Glob. Perspect. 28(3), 55–80 (2019)
43. Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28(1), 75–105 (2004)
44. Denning, P.J.: A new social contract for research. Commun. ACM 40(2), 132–134 (1997)
45. Tsichritzis, D.: The dynamics of innovation in beyond calculation: the next fifty years of computing. In: Denning, P.J., Metcalfe, R.M. (eds.) Copernicus Books, New York, pp. 259–265 (1998)
46. Lee, A.: Inaugural editor’s comments. MIS Q. 23(1), v–xi (1999)
47. Igalens, J., Roussel, O.: Méthodes de recherches en gestion des ressources humaines, Paris, Economica, Recherches en gestion (1998)
48. Flores, W.R., Ekstedt, M.: Shaping intention to resist social engineering through transformational leadership information security culture and awareness. Comput. Secur. 59, 26–44 (2016). ISSN 0167-4048
49. Connolly, L.Y., Lang, M., Gathegi, J., Tygar, D.J.: Organizational culture, procedural countermeasures, and employee security behaviour: a qualitative study. Inf. Comput. Secur. 25, 118–136 (2017)
Metadata
Title
Designing Information Security Culture Artifacts to Improve Security Behavior: An Evaluation in SMEs
Author
Olfa Ismail
Copyright Year
2022
DOI
https://doi.org/10.1007/978-3-031-06516-3_24