Key elements of an information security culture in organisations

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Purpose

The purpose of this study is to create an information classification model that is tailored to suit the specific needs of public sector organizations in Sweden.

Design/methodology/approach

To address the purpose of this research, a case study in a Swedish municipality was conducted. Data was collected through a mixture of techniques such as literature, document and website review. Empirical data was collected through interviews with 11 employees working within 7 different sections of the municipality.

Findings

This study resulted in an information classification model that is tailored to the specific needs of Swedish municipalities. In addition, a set of steps for tailoring an information classification model to suit a specific public organization are recommended. The findings also indicate that for a successful information classification it is necessary to educate the employees about the basics of information security and classification and create an understandable and unified information security language.

Practical implications

This study also highlights that to have a tailored information classification model, it is imperative to understand the value of information and what kind of consequences a violation of established information security principles could have through the perspectives of the employees.

Originality/value

It is the first of its kind in tailoring an information classification model to the specific needs of a Swedish municipality. The model provided by this study can be used as a tool to facilitate a common ground for classifying information within all Swedish municipalities, thereby contributing the first step toward a Swedish municipal model for information classification.

Predicting information security culture among employees of telecommunication companies in an emerging market

Purpose

The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees.

Design/methodology/approach

A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3.

Findings

Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture.

Research limitations/implications

The study was cross-sectional in nature. Therefore, it could not measure changes in population over time.

Practical implications

The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture.

Originality/value

This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.

Holistic framework for evaluating and improving information security culture

Purpose

The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.

Design/methodology/approach

The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.

Findings

The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.

Originality/value

This paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.