A comprehensive framework for understanding security culture in organizations

Document Type

Conference Proceeding




Originally published as: Tolah, A., Furnell, S. M., & Papadaki, M. (2019, June). A Comprehensive Framework for Understanding Security Culture in Organizations. In: L. Drevin, & M. Theocharidou (Eds.), Information Security Education. Education in Proactive Information Security: 12th IFIP WG 11.8 World Conference, WISE 12, Lisbon, Portugal, June 25–27, 2019, Proceedings (pp. 143-156). Switzerland, Cham: Springer. Original publication available here


Organizational security is exposed to internal and external threats, with a greater level of vulnerabilities coming from the former. Drawing upon findings from prior works as a foundation, this study aims to highlight the significant factors that influence the security culture within organizations. Phase one of the study reports upon an interview-based investigation undertaken with thirteen experienced, knowledgeable security specialists from seven organizations. The main findings confirmed the importance of the identified factors from the previous work. The focus to emerge from the interviews concludes that continuously subjecting employees to targeted training and awareness development improves security culture. Indeed, there was a clear lack of awareness and compliance regarding the implementation and clarity of security policies in organizations. Also, the inefficient training program and limit to specific employees in organizations leads to a lack of awareness and compliance.