Title

What does security culture look like for small organizations?

Document Type

Conference Proceeding

Faculty

Computing, Health and Science

School

Computer and Security Science, Centre for Security Research

RAS ID

8454

Comments

This article was originally published as: Williams, P. (2009). What Does Security Culture Look Like For Small Organizations? Proceedings of the 7th Australian Information Security Management Conference (pp. 48-54). Perth, Western Australia: SECAU - Security Research Centre, ECU.

Abstract

The human component is a significant factor in information security, with a large number of breaches occurring due to unintentional user error. Technical solutions can only protect information so far and thus the human aspect of security has become a major focus for discussion. Therefore, it is important for organisations to create a security-conscious culture. However, currently there is no established representation of security culture from which to assess how it can be manoeuvred to improve the overall information security of an organization. This is of particular importance for small organizations who lack the resources in information security and for whom the culture of the organization exerts a strong influence. A review of multiple definitions and descriptions of security culture was made to assess and analyse the drivers and influences that exist for security culture in small organizations. An initial representation of the factors that should drive security culture, together with those that should only influence it, was constructed. At a fundamental level these drivers are related to a formulated response to security issues rather than a reaction to them, and should reflect the responsibility allocated in a secure environment. In contrast, the influences on security culture can be grouped by communities of practice, individual awareness and organizational management. The encapsulation of potential driving and influencing factors, couched in information security terms rather than behavioural science terms, will allow security researchers to investigate how a security culture can be fostered to improve information security in small organizations.

DOI

10.4225/75/57b4029530dea

Access Rights

Free_to_read

 
