The 7 Dimensions of Security Culture

Issue link: https://insights.oneneck.com/i/1476862


Behaviors

The actions and activities of employees that have a direct or indirect impact on the security of the organization.

The behavior of employees when using information and communication devices is the most researched and theoretically discussed element of security culture, and of behavioral information security research in general. This is unsurprising, as employees' actions are, in the end, the direct causes of security breaches and incidents [25]. Employees can carry out activities that pose a great threat to organizational assets [26]. Whether they act intentionally or unintentionally, in our industry these employees are referred to as insider threats, or insiders.

Empirical research on end-user security behaviors and the factors influencing them is still in its infancy [27]. Research in general shows that there are different types of users; a large number of them behave in a non-malicious way but have low technical knowledge related to password creation and sharing, which shows that password "hygiene" is generally poor [28]. Most users reuse the same password from site to site, and most rely on the same patterns when making passwords [29]. A 2018 study of 6.1 million passwords [30] found that the practice of using combinations of letters, numbers, and symbols that are adjacent to one another on the keyboard, like "qwerty" and "123456", is still alarmingly commonplace. However, behaviors also vary substantially across different organization types [31]. Other unintentional "misbehaviors" include carelessly clicking on phishing links in emails and on websites, visiting non-work-related websites on corporate computers, inadvertently posting confidential data to unsecured servers or websites, or choosing a simple password. Another type of problematic end-user behavior recognized by information security behavioral research is "deviant behavior" [32].

Deviant behavior describes actions that are intentional and are often labeled as sabotage, stealing, and industrial or political espionage.

Behaviors are generally very difficult to change, but not impossible. Information security behavioral research has adopted a number of theories from social psychology to identify the key factors that influence behavior. The most popular is the Theory of Planned Behavior, in which behavior is a function of a person's attitude toward the behavior, the norms of the people around the person (i.e. social pressure), and the person's own sense of control over their behavior (i.e. how easy it is for the person to perform the behavior) [33]. Another popular theory is Protection Motivation Theory [34], which delineates two main factors of behavior: information security threat appraisal and self-efficacy. In addition, there are further theories [35] that try to explain behavior change, but the field of behavioral information security research is at the moment not yet conclusive about the main factors. A lot of research is hindered by the fact that it only collects data from IT administrators or top-level
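To make the password-pattern finding above actionable on the defensive side, here is an added example (not code from the eBook or the cited study) of a policy check that flags keyboard-adjacent walks such as "qwerty" and "123456" at registration or reset time, so the form can explain the problem instead of silently accepting the password. The US QWERTY row layout, the minimum run length of 4, and the 12-character floor are assumptions of this example.

```python
from typing import List

# Physical rows of a US QWERTY keyboard (assumed layout). A "keyboard walk" is a
# run of characters that sit next to each other on one row, read left-to-right
# or right-to-left ("qwerty", "123456", "poiuy"). Column walks such as "1qaz"
# are deliberately out of scope here.
KEYBOARD_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
MIN_RUN = 4  # shortest run treated as a pattern rather than coincidence (assumption)


def find_keyboard_walks(password: str, min_run: int = MIN_RUN) -> List[str]:
    """Return the maximal keyboard-row walks of length >= min_run found in password."""
    pw = password.lower()
    hits = set()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for start in range(len(direction)):
                for end in range(start + min_run, len(direction) + 1):
                    segment = direction[start:end]
                    if segment in pw:
                        hits.add(segment)
    # Keep only maximal runs: drop any hit that is a substring of a longer hit.
    maximal = [h for h in hits if not any(h != o and h in o for o in hits)]
    return sorted(maximal, key=lambda h: (-len(h), h))


def password_policy_findings(password: str, min_length: int = 12) -> List[str]:
    """Findings a registration or reset form could show the user; empty means accepted."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    walks = find_keyboard_walks(password)
    if walks:
        findings.append("contains keyboard walk(s): " + ", ".join(walks))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not passwords from the cited 2018 study.
    for candidate in ["qwerty", "Summer123456!", "correct horse battery"]:
        print(repr(candidate), "->", password_policy_findings(candidate) or ["ok"])
```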
