An Identification of Variables Influencing the Establishment of Information Security Culture

  • Emad SherifEmail author
  • Steven Furnell
  • Nathan Clarke
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


A significant volume of security breaches occur as a result of the human aspects and it is consequently important for these to be given attention alongside technical aspects. Many breaches occur due to human error. Researchers have argued that security culture stimulates appropriate employees’ security behavior towards adherence and therefore developing a culture of security can contribute in minimizing or avoiding security breaches. Although, research on the concept of security culture has received little attention this paper aims to address the security culture concept, and it’s relation to the national culture. Specifically, it is largely hypothesized that cultivating security culture can have a positive effect on employees’ security compliance. The purpose of this paper is to identify variables that influence cultivating a security culture. In order to do so, a comprehensive literature review has been conducted. The outcome of the literature analysis has identified potential variables that influence security culture (e.g. top management support, information security behavior, and awareness), and the paper subsequently outlines a framework for modeling security culture that indicates the relationship between these variables.


Security culture National culture Organizational culture Security policies Security compliance Security behavior 


  1. Alfawaz, S., Nelson, K.: Information security culture: a behaviour compliance conceptual framework. In: AISC, vol. 105 (2010)Google Scholar
  2. Ashenden, D.: Information Security management: A human challenge?, Information Security Technical report, 13(4), 195–201 (2008). Accessed 16 Sep 2014Google Scholar
  3. CARLA: What is Culture? University of Minnesota (2014). Accessed 16 Sep 2014
  4. Cheng, L., Li, Y., Li, W., Holm, E., Zhai, Q.: Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory. Comput. Secur. 2013(39), 447–459 (2013)CrossRefGoogle Scholar
  5. Chipperfield, C., Furnell, S.: From security policy to practice: sending the right messages. Comput. Fraud Secur. 2010(3), 13–19 (2010)CrossRefGoogle Scholar
  6. Connolly, L. Lang, M.: Information systems security: the role of cultural aspects in organisational settings. In: AIS SIGSEC pre-ICIS Workshop on Information Security and Privacy (WISP) Milan, Italy, 14 December 2013Google Scholar
  7. Veiga, Da, Eloff, J.H.P.: A framework and assessment instrument for information security culture. Comput. Secur. 29(2), 196–207 (2010)CrossRefGoogle Scholar
  8. Damen, L.: Culture Learning The Fifth Dimension on the Language Classroom. Addison-Wesley, Reading (1987). Accessed 22 Aug 2014Google Scholar
  9. Dojkovski, S., Lichtenstein, S., Warren, M.J.: Fostering Information Security Culture in Small and Medium Size Enterprises: An Interpretive Study in Australia, pp. 1560–1571 (2007)Google Scholar
  10. Fagerstrom, A.: Creating, maintaining and managing an information security culture. MSc thesis, Arcada Finland (2013)Google Scholar
  11. Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in organizations: investigating the effect of behavioural information security governance and national culture. Comput. Secur. 43, 90–110 (2014)CrossRefGoogle Scholar
  12. Furnell, S.: Jumping security hurdles. Comput. Fraud Secur. 2010(6), 10–14 (2010)CrossRefGoogle Scholar
  13. Furnell, S., Clarke, N.: Organisational security culture: embedding security awareness, education and training. In: Proceedings of the 4th World Conference on Information Security Education (WISE 2005), Moscow, pp. 67–74 (2005)Google Scholar
  14. Furnell, S., Clarke, N.: Power to the people? The evolving recognition of human aspects of security. Comput. Secur. 31(8), 983–988 (2012)CrossRefGoogle Scholar
  15. Furnell, S., Rajendran, A.: Understanding the influences on information security behaviour. Comput. Fraud Secur. 2012(3), 12–15 (2012)CrossRefGoogle Scholar
  16. Furnell, S., Thomson, K.L.: From culture to disobedience: Recognising the varying user acceptance of IT security. Comput. Fraud Secur. 2009(2), 5–10 (2009)CrossRefGoogle Scholar
  17. Gabriel, T., Furnell, S.: Selecting security champions. Comput. Fraud Secur. 2011(8), 8–12 (2011)CrossRefGoogle Scholar
  18. Greene, G., D’Arcy, J.: Assessing the impact of security culture and the employee-organization relationship in IS security compliance. In: Proceedings of the 5th Annual Symposium on Information Assurance, New York, pp. 42–49 (2010)Google Scholar
  19. Gulev, R.: Are national and organizational cultures isomorphic? evidence from a four country comparative study. Managing Glob. Transitions 7, 259–279 (2009)Google Scholar
  20. Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 47(2), 154–165 (2009)CrossRefGoogle Scholar
  21. Hofstede, G.: National cultures and corporate cultures. In: Samovar, L.A., Porter, R.E. (eds.) Communication Between Cultures. Wadsworth, Belmont (1984). Accessed 28 Sep 14Google Scholar
  22. Johnson, M.E., Goetz, E.: Embedding information security into the organization. IEEE Secur. Priv. Mag. 5(3), 16–24 (2007)CrossRefGoogle Scholar
  23. Malcolmson, J.: What is Security Culture? Does it differ in content from general Organisational Culture? IEEE Cody Technology Park, Farnborough, Hants (2009)Google Scholar
  24. Martinez-Moyano, I.J., Conrad, S.H., Andersen, D.F.: Modeling behavioral considerations related to information security. Comput. Secur. 30(6-7), 397–409 (2011)Google Scholar
  25. Ngo, L., Zhou, W., Warren, M.: Understanding transition towards information security culture change. In: Proceedings of 3rd Australian Information Security Management Conference, pp. 67–73 (2005)Google Scholar
  26. O’Brien, J., Islam, S., Bao, S., Weng, F., Xiong, W., Ma, A.: Information Security Culture: Literature Review. Unpublished Working Paper, University of Melbourne (2013)Google Scholar
  27. Padayachee, K.: Taxonomy of compliant information security behavior. Comput. Secur. 31(5), 673–680 (2012)CrossRefGoogle Scholar
  28. Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis. Symantec (2013). Accessed 28 Sep 14
  29. Roer, K.: How to build and maintain security culture (2014). Accessed 19 Sep 2014
  30. Ross, S.J.: Creating a Culture of Security. In: ISACA (2011). Accessed 19 Sep 2014
  31. Ruighaver, A.B., Maynard, S.B., Chang, S.: Organisational security culture: extending the end-user perspective. Comput. Secur. 26(1), 56–62 (2007)CrossRefGoogle Scholar
  32. Thomson, K.-L., von Solms, R.: Information security obedience: a definition. Comput. Secur. 24(1), 69–75 (2004)CrossRefGoogle Scholar
  33. Schein, E.: The Corporate Culture Survival Guide. Jossey-Bass Inc, San Francisco (1999)Google Scholar
  34. Übelacker, S.: Security-aware organisational cultures a starting point for mitigating socio-technical risks socio-technical risk management/motivation. In: RiskKom Workshop INFORMATIK 2013, Koblenz, Germany (2013)Google Scholar
  35. Van Niekerk, J.F., Von Solms, R.: Information security culture: A management perspective. Comput. Secur. 29(4), 476–486 (2010)CrossRefGoogle Scholar
  36. Vance, A., Siponen, M., Pahnila, S.: Motivating IS security compliance: insights from habit and protection motivation theory. Inf. Manag. 49, 190–198 (2012)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Computer Centre for Security, Communications and Network ResearchUniversity of PlymouthPlymouthUK
  2. 2.Centre for Research in Information and Cyber SecurityNelson Mandela Metropolitan UniversityPort ElizabethSouth Africa
  3. 3.Security Research InstituteEdith Cowan UniversityPerthAustralia

Personalised recommendations