Security Culture

What is Security Culture?

Security Culture is a relatively new area of Information Security. Only at the start of this century did security researchers first begin to recognize that an organization's security culture might be an important factor in maintaining an adequate level of information systems security in that organization. None of the early researchers, however, presented a clear definition of what they meant by "a security culture", nor were there any clear views on how to create this organizational culture to support security.

Many recent papers on security culture still have a limited focus on how you can develop a culture to improve adherence to security policies. We believe this is wrong. We will adopt a more holistic approach to developing a security culture aimed at improving an organisation's information security from a management perspective.

How can you improve your organisation's Information Security Culture? In this section we will describe eight dimensions of security culture and show how you can and should align your information security culture to your general organisational culture. The model used in this section on Security Culture was adopted by Ruighaver, Maynard and Chia from an organisational culture model developed by Detert et al. (Download the paper for a reference). We have used this model to explore the security culture within quite a few organisations with vastly different levels of security. Here, we report on the insights that this research has given us into each of these eight dimensions of organisational security culture.
