Abstract
The current study originated from the realisation that information security is no
longer solely dependent on technology. Information security breaches are often
caused by users, most of them internal to the organisation, who undermine the
technology-driven controls put in place to protect information. This interaction
between people and information systems is seemingly the weakest link in
information security.
A people-oriented approach is needed to address this problem. Incorporating the
human element into information security could be done by creating an
information security culture. This culture can then focus on the behaviour of
users in the information technology environment.
The study is therefore principally aimed at making a contribution to information
security by addressing information security culture and, for this reason,
culminates in the development of an information security culture model and
assessment approach. While developing the model, special care was taken to
incorporate the behaviour of people in the working environment and hence
organisational behaviour coupled with issues concerning information security
culture that need to be addressed. An information security culture assessment
approach is developed consisting of a questionnaire to assess whether an
organisation has an adequate level of information security culture. The
assessment approach is illustrated through a case study.
Below is an overview of the framework within which the research was conducted:
The dissertation consists of four parts. Chapters 1 and 2 constitute Part 1:
Introduction and background. Chapter 1 serves as an introduction to the
research study by providing the primary motivation for the study and defining the
problems and issues to be addressed. In addition, the chapter is devoted to
defining a set of standard terms and concepts used throughout the study. The
chapter concludes with an overview of the remaining chapters.
Chapter 2 gives some background to information security culture and discusses
its evolution to date. There is a new trend in information security to incorporate
the human element through an information security culture. Information security
is divided into two different levels. Level 1 focuses on the human aspects of
information security, such as the information security culture, and level 2
incorporates the technical aspects of information security.
Part 2: Information security culture model is covered in chapters 3, 4 and 5. In
chapter 3, the concept of information security culture is researched. Different
perspectives are examined to identify issues that need to be considered when
addressing information security culture. A definition of information security culture
is constructed based on organisational culture.
Chapter 4 is devoted to developing a model that can be used to promote an
information security culture. This model incorporates the concept of
organisational behaviour as well as the issues identified in chapter 3.
Chapter 5 builds upon the information security culture model and aims to identify
practical tasks to address in order to implement the model.
In Part 3: Assessing information security culture, chapters 6 to 10, attention
is given to the assessment of an information security culture, giving management
an indication of how adequately the culture is promoted through the model.
Chapter 6 considers the use of available approaches, such as ISO17799, to aid in
promoting and assessing an information security culture. ISO17799 is evaluated
against the definition of information security culture and the information security
culture model in order to determine whether it could assess information security
culture in an acceptable manner.
The next four chapters, namely chapters 7 to 10, are devoted to the development
of an information security culture assessment approach consisting of four
phases. Chapter 7 discusses phase 1. In this phase a questionnaire is
developed based on the information security culture model.
Chapter 8 uses the information security culture questionnaire as part of a survey
in a case study. This case study illustrates phase 2 as well as what information
can be obtained through the questionnaire. In chapter 9 the data obtained
through the survey is analysed statistically and presented (phase 3). The level of
information security culture is then discussed in chapter 10, with interpretations
and recommendations to improve the culture (phase 4).
Chapter 11 in Part 4: Conclusion serves as a concluding chapter in which the
usefulness and limitations of the proposed model and assessment approach are
highlighted. The research study culminates in a discussion of those aspects of
information security culture that could bear further research.
Prof. J.H.P. Eloff