Abstract
All organisations possess a corporate culture, whether they are aware of it or not. This culture determines, to a large extent, the effectiveness of an organisation and the behaviour of employees within an organisation. As part of its corporate governance duties, senior management is responsible for the protection of the assets of its organisation. And as information is a vital asset to most organisations, senior management is ultimately responsible for the protection of information assets. An ideal corporate culture, in terms of information security, would be one where the second-nature behaviour of employees, determined by the culture, is to protect information assets. This paper will provide initial guidelines as to how to establish this culture by examining Schein’s model and by investigating how to start implementing Corporate Information Security Obedience.
References
Canadian Labour Program. (2003). Work-life balance in Canadian workplaces. [online]. [cited 20 February 2004] Available from Internet: URL http://labour.hrdc-drhc.gc.ca/worklife/moving-beyond-policiesen.cfm
Deloitte & Touche. (2002, May). Management briefing: information security. [online]. [cited 13 January 2003] Available from Internet: URL http://www.deloitte.com/dtt/cda/doc/content/info_security(1).pdf
Drennan, D. (1992). Transforming company culture. Berkshire, England: McGraw-Hill.
Gaines, C. (2002, April 22). The benefits of the BS7799 certification with particular reference to e-commerce applications. IT Security [online]. [cited 4 August 2002] Available from Internet: URL http://www.itsecurity.com/papers/insight1.htm
Goal/QPC. (2003). Journal of innovative management [online]. [cited 4 February 2004] Available from Internet: URL http://www.goalqpc.com/2003/Journalfiles/currentissue.htm
Gordon, G. (2002, May 12). Dozens of threats beset your data. Sunday Times, Business Surveys [online]. [cited 17 July 2002] Available from Internet: URL http://www.suntimes.co.za/2002/05/12/business/surveys/internet/survey10.asp
Gordon and Glickson LLC. (2001). Comprehensive information security policies: meeting an organization’s privacy and security needs. [online]. [cited 23 March 2003] Available from Internet: URL http://www.ggtech.com/
Hagberg Consulting Group. (2002). Corporate culture/organisational culture: understanding and assessment [online]. [cited 25 January 2003] Available from Internet: URL http://www.hcgnet.com/html/articles/understanding-Culture.html
Höne, K. (2003). Abstract of ‘Effective information security policies: the why, what and how’. [CD-ROM]. South Africa: ISSA 2003.
King Committee on Corporate Governance. (2001). King report on corporate governance for South Africa 2001. [online]. [cited 3 March 2002] Available from Internet: URL http://www.iodsa.co.za/IoD%20Draft%20King%20Report.pdf
Krige, W. (1999). The usage of audit logs for effective information security management. Unpublished master’s thesis. Port Elizabeth Technikon, Port Elizabeth, South Africa.
Lane, V.P. (1985). Security of computer based information systems. London: Macmillan.
Martins, A. & Eloff, J. (2002). Information security culture. IFIP TC11, 17th International Conference on Information Security, Ain Shams University, Cairo, Egypt: Kluwer Academic Publishers Group.
Planting, S. (2001, March 9). Giving boards a workout: the fish rots from the head. Future Organisation [online]. [cited 27 April 2002] Available from Internet: URL http://www.futureorganisation.co.za/2001/03/09/reviewb.htm
PriceWaterhouseCoopers. (2002). Information security breaches survey technical report. [online]. [cited 5 January 2003] Available from Internet: URL http://www.security-survey.co.uk
Schafer, M. (2003, February). The human-capital balancing act. Optimize Magazine: issue 16 [online]. [cited 13 February 2003] Available from Internet: URL http://www.optimizemag.com/issue/016/culture.htm
Schein, E.H. (1999). The corporate culture survival guide. San Francisco, California, United States of America: Jossey-Bass Publishers.
Schein, E.H. (1992). Organisational leadership and culture. [online]. [cited 12 January 2004] Available from Internet: URL http://www.tnellen.com/ted/tc/schein.html
Smith, M.R. (1989). Commonsense computer security. London: McGraw-Hill.
Spafford, E.H. (1998). It’s about more than computers. CERIAS [online]. [cited 12 February 2003] Available from Internet: URL http://www.cerias.purdue.edu/training_and_awarness/products/brochure_001.pdf
Spotlight. (2002). Schein interview. [online]. [cited 12 February 2004] Available from Internet: URL http://www.boys-camp-southafrica.de/files/Edgar%20Schein.pdf
Thomson, K-L. & von Solms, R. (2003). Integrating information security into corporate culture. Unpublished master’s thesis. Port Elizabeth Technikon, Port Elizabeth, South Africa.
Whitman, M.E. & Mattord, H.J. (2003). Principles of information security. Kennesaw State University: Thomson Course Technology.
World Bank Group. (1999, September 20). Corporate governance: a framework for implementation. Overview. [online]. [cited 23 December 2002] Available from Internet: URL http://www.worldbank.org/html/fpd/privatesector/cg/docs/gcgfbooklet.pdf
Copyright information
© 2004 Springer Science + Business Media, Inc.
Cite this paper
Thomson, KL., von Solms, R. (2004). Towards Corporate Information Security Obedience. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds) Information Security Management, Education and Privacy. IFIP International Federation for Information Processing, vol 148. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8145-6_2
DOI: https://doi.org/10.1007/1-4020-8145-6_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-8144-6
Online ISBN: 978-1-4020-8145-3
eBook Packages: Springer Book Archive