Abstract
Information security programs are instituted by organizations to provide guidance to their users who handle their data and systems. The main goal of these programs is to foster a positive information security culture within the organization. In this study, we present a literature review on information security culture by outlining the factors that contribute to the security culture of an organization and developing a framework from the synthesized research. The findings in this review can be used to further research in information security culture and can help organizations develop and improve their information security programs.
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Glaspie, H.W., Karwowski, W. (2018). Human Factors in Information Security Culture: A Literature Review. In: Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. AHFE 2017. Advances in Intelligent Systems and Computing, vol 593. Springer, Cham. https://doi.org/10.1007/978-3-319-60585-2_25
DOI: https://doi.org/10.1007/978-3-319-60585-2_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60584-5
Online ISBN: 978-3-319-60585-2
eBook Packages: Engineering, Engineering (R0)