
Human Factors in Information Security Culture: A Literature Review

  • Conference paper

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 593)

Abstract

Information security programs are instituted by organizations to provide guidance to their users who handle their data and systems. The main goal of these programs is to foster a positive information security culture within the organization. In this study, we present a literature review on information security culture by outlining the factors that contribute to the security culture of an organization and developing a framework from the synthesized research. The findings in this review can be used to further research in information security culture and can help organizations develop and improve their information security programs.




Corresponding author

Correspondence to Henry W. Glaspie.


Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Glaspie, H.W., Karwowski, W. (2018). Human Factors in Information Security Culture: A Literature Review. In: Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. AHFE 2017. Advances in Intelligent Systems and Computing, vol 593. Springer, Cham. https://doi.org/10.1007/978-3-319-60585-2_25


  • DOI: https://doi.org/10.1007/978-3-319-60585-2_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60584-5

  • Online ISBN: 978-3-319-60585-2

  • eBook Packages: Engineering, Engineering (R0)
