
2018 | OriginalPaper | Chapter

Human Factors in Information Security Culture: A Literature Review

Authors: Henry W. Glaspie, Waldemar Karwowski

Published in: Advances in Human Factors in Cybersecurity

Publisher: Springer International Publishing


Abstract

Information security programs are instituted by organizations to provide guidance to their users who handle their data and systems. The main goal of these programs is to foster a positive information security culture within the organization. In this study, we present a literature review on information security culture by outlining the factors that contribute to the security culture of an organization and developing a framework from the synthesized research. The findings in this review can be used to further research in information security culture and can help organizations develop and improve their information security programs.


Metadata
Title
Human Factors in Information Security Culture: A Literature Review
Authors
Henry W. Glaspie
Waldemar Karwowski
Copyright Year
2018
DOI
https://doi.org/10.1007/978-3-319-60585-2_25
