Understanding Information Security Culture: A Survey in Small and Medium Sized Enterprises

Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 275)


Information security is a relevant concern for current organizations. There are factors inextricably linked to this issue, and one cannot talk about information security in an organization without addressing and understanding the information security culture of that institution. Maximizing the organizational culture within an organization will enable the safeguarding of information security. For that, we need to understand which factors inhibit it and which enable it. This paper contributes to identifying those factors by presenting the results of a survey concerning information security culture in small and medium sized enterprises (SMEs). We discuss the results in the light of related literature, and we identify future work aiming to enhance information security within organizations.


Keywords: Security Culture; Information Security; Small and Medium Sized Enterprises; Information Security Culture





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. School of Technology and Management, Polytechnic Institute of Bragança (IPB), Bragança, Portugal
