16 Information security culture: a management perspective

Summary
Employees, whether intentionally or through negligence, often due to a lack of knowledge, are
the greatest threat to information security. The establishment of an organizational sub-culture of
information security is key to managing the human factors involved in information security.
This paper briefly examines the generic concept of corporate culture and then borrows from the
management and economical sciences to present a conceptual model of information security
culture. The purpose of the presented model is to facilitate conceptual thinking and
argumentation about information security culture.
Thesis
The authors argue that many organizations will be unable to do business without access to their
information resources. However, protecting these information resources often has no direct
return on investment. Securing information resources does not, as a rule, generate income for an
organization. Business people, therefore, are rarely interested in how their information resources are
protected. From a business perspective, any solution would be adequate as long as it is cost-effective and takes into account issues such as productivity and ease of use.
Purpose of paper
This paper presents a holistic, conceptual model of information security culture, for information
security practitioners and students. This paper is intended to clarify, and improve, the
understanding of existing concepts. It is hoped it will be of use to other information security
researchers when examining the human factors in information security.
Issue of security
In the case of information security, the required knowledge is not necessarily needed to perform
the employees' normal job functions. Knowledge of information security is generally only
needed when it is necessary to perform the normal job functions in a way that is consistent with
good information security practices. It is wrong to assume that the average employee has the
necessary knowledge to perform his/her job in a secure manner. Security needs include (1)
shared tacit assumptions, such as whether personal beliefs match the values espoused by the company;
(2) espoused values, i.e. whether personal beliefs adequately address the organization's security needs;
and (3) knowledge of how professionals perform tasks securely (defined as artifacts: that which
actually happens in an organization).
The authors refer to elasticity in information security culture, with elasticity defined as the
measure of change in one variable caused by changes in others. The problem with the universality of
these related variables is cost: change can only be effected if the company has the necessary means of
effectuating it. This is coupled with the question of how much security management is
demanding from employees, what the employees' compliance is (what employees are willing
to supply in response to those demands), and what the minimal acceptable security baseline is that it can work with.
A strong information security culture is interpreted as a desirable culture that is conducive to
information security. A stable information security culture is one that refers to what is
predictable. The best information security culture is that which can be predicted.
Summary
The authors note that their paper is more theory than prognostication or fact, and as such has
limited hands-on use for those who are seeking information security. It is to be used to deduce
what may happen. As the authors noted: "This might result in a culture that is slightly less
secure but more predictable." The contention of the paper is that it could assist in improving the
understanding of information security culture.