Information security
== Culture ==
Describing more than simply how security-aware employees are, information security culture is the ideas, customs, and social behaviors of an organization that affect information security in both positive and negative ways.<ref>{{cite web|url=https://securitycultureframework.net/definition-of-security-culture/|title=Definition of Security Culture|date=9 April 2014|website=The Security Culture Framework|access-date=January 27, 2019|archive-date=January 27, 2019|archive-url=https://web.archive.org/web/20190127205759/https://securitycultureframework.net/definition-of-security-culture/|url-status=dead}}</ref> Cultural factors can help different segments of the organization work effectively toward information security, or can work against that effectiveness. How employees think and feel about security, and the actions they take, can have a large impact on information security in organizations. Roer & Petric (2017) identify seven core dimensions of information security culture in organizations:<ref>{{Cite book|title=The 2017 Security Culture Report - In depth insights into the human factor|last1=Roer|first1=Kai|last2=Petric|first2=Gregor|publisher=CLTRe North America, Inc|year=2017|isbn=978-1544933948|pages=42–43}}</ref>

* Attitudes: employees' feelings and emotions about the various activities that pertain to the organizational security of information.<ref>{{Cite book|date=2018-03-21|editor-last=Akhtar|editor-first=Salman|title=Good Feelings|publisher=Routledge|url=http://dx.doi.org/10.4324/9780429475313|doi=10.4324/9780429475313|isbn=9780429475313}}</ref>
* Behaviors: actual or intended activities and risk-taking actions of employees that have a direct or indirect impact on information security.
* Cognition: employees' awareness, verifiable knowledge, and beliefs regarding practices, activities, and [[self-efficacy]] related to information security.
* Communication: the ways employees communicate with each other, their sense of belonging, support for security issues, and incident reporting.
* Compliance: adherence to organizational security policies, awareness of the existence of such policies, and the ability to recall the substance of such policies.
* Norms: perceptions of security-related organizational conduct and practices that are informally deemed either normal or deviant by employees and their peers, e.g. hidden expectations regarding security behaviors and unwritten rules regarding uses of information and communication technologies.
* Responsibilities: employees' understanding of the roles and responsibilities they have as a critical factor in sustaining or endangering the security of information, and thereby the organization.

Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore the organization's information security best interests.<ref name="Andersson & Reimers 2014">Anderson, D., Reimers, K. and Barretto, C. (11 March 2014). Post-Secondary Education Network Security: Results of Addressing the End-User Challenge. INTED2014 (International Technology, Education, and Development Conference).</ref> Research shows that information security culture needs to be improved continuously. In ''Information Security Culture from Analysis to Change'', the authors commented, "It's a never ending process, a cycle of evaluation and change or maintenance."

To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.<ref name="Schlienger, Thomas 2003">{{cite journal|last1=Schlienger|first1=Thomas|last2=Teufel|first2=Stephanie|date=December 2003|title=Information security culture - from analysis to change|journal=South African Computer Society (SAICSIT)|volume=2003|issue=31|pages=46–52|hdl=10520/EJC27949}}</ref>

* Pre-evaluation: identify the level of information security awareness among employees and analyze the current security policy.
* Strategic planning: set clear targets for an improved awareness program; grouping people into clusters with similar needs helps to achieve this.
* Operative planning: build a good security culture on internal communication, management buy-in, security awareness, and training programs.
* Implementation: should feature commitment of management, communication with organizational members, courses for all organizational members, and commitment of the employees.<ref name="Schlienger, Thomas 2003" />
* Post-evaluation: gauge the effectiveness of the prior steps and build on them through continuous improvement.