Security Culture

What is Security Culture.

Security Culture is a relative new area of Information Security. Not until the start of this century security researchers began to recognize that an organization's security culture might be an important factor in maintaining an adequate level of information systems security in that organization. None of the early researchers, however, presented a clear definition of what they meant with "a security culture", nor were there any clear views on how to create this organizational culture to support security.

Many recent papers on security culture still have a limited focus on how you can develop a culture to improve adherence to security policies. There is a wide spread belief that all you need is some awareness training to create a good security culture. Most web sites on security culture promote this view too. We know this to be wrong and have recently submitted a paper on the importance of using an ethical approach in acceptable use policies. But security culture is much more comprehensive than adherence to policies. In this section we will adopt a more holistic approach to developing a security culture aimed at improving an organizations information security from a management perspective.

How can you improve your organization's Information Security Culture? In this practical guide we will describe eight dimensions of security culture and show how you can and should align your information security culture to your general organizational culture. The model used in this section on Security Culture was adopted by Ruighaver, Maynard and Chia from a organizational culture model developed by Detert et. al. (Download the paper for a reference). We have used this model to explore the security culture within quite a few organizations with vastly different levels of security. Here, we report on the insights that this research has given us into each of these eight dimensions of organizational security culture.