Da Veiga, 2010: A Framework and Assessment Instrument for Information Security Culture

Topic:

The objective of this paper is to propose a framework to cultivate an information security culture within an organisation and to illustrate how to use it. An empirical study is performed to aid in validating the proposed Information Security Culture Framework.

survey, 1085 employees

Constructs in this publication:

Construct Cites Category Questions given? Content validity Pretests Response type Notes
Leadership and Governance Da Veiga et al., 2007 no none none no
Security Management and Operations Da Veiga et al., 2007 no none none no
Security Policies Da Veiga et al., 2007 no none none no
Security Programme Management Da Veiga et al., 2007 no none none no
User Security Management Da Veiga et al., 2007 no none none no
Technology Protection and Operations Da Veiga et al., 2007 no none none no
Change Da Veiga et al., 2007 no none none no

Citation:

A. Da Veiga and J. H. P. Eloff. A framework and assessment instrument for information security culture. Computers & Security, 29(2):196–207, March 2010. doi:10.1016/j.cose.2009.09.002.

BibTeX

@article{daveiga_framework_2010a,
 abstract = {An organisation's approach to information security should focus on employee behaviour, as the organisation's success or failure effectively depends on the things that its employees do or fail to do. An information security-aware culture will minimise risks to information assets and specifically reduce the risk of employee misbehaviour and harmful interaction with information assets. Organisations require guidance in establishing an information security-aware or implementing an acceptable information security culture. They need to measure and report on the state of information security culture in the organisation. Various approaches exist to address the threats that employee behaviour could pose. However, these approaches do not focus specifically on the interaction between the behaviour of an employee and the culture in an organisation. Organisations therefore have need of a comprehensive framework to cultivate a security-aware culture. The objective of this paper is to propose a framework to cultivate an information security culture within an organisation and to illustrate how to use it. An empirical study is performed to aid in validating the proposed Information Security Culture Framework.},
 author = {Da Veiga, A. and Eloff, J. H. P.},
 doi = {10.1016/j.cose.2009.09.002},
 issn = {0167-4048},
 journal = {Computers \& Security},
 month = {March},
 number = {2},
 pages = {196--207},
 title = {A Framework and Assessment Instrument for Information Security Culture},
 volume = {29},
 year = {2010}
}