The 7 Dimensions of Security Culture

Issue link: https://insights.oneneck.com/i/1476862


Responsibilities

How employees perceive their role as a critical factor in sustaining or endangering the security of the organization.

The responsibility domain is mainly related to employees' practices and performance, such as monitoring and control, reward and deterrence, and acceptance of responsibility [88]. Employees should be aware that knowing and practicing secure behaviors is their responsibility [89]. Moreover, the protection of information should be part of the daily activities of the employees [90]. Employees need to be fully aware of and committed to their role in the protection of information in order to understand their responsibilities. Organizations cannot truly protect their assets without ensuring that employees understand their roles and responsibilities and are sufficiently trained to perform them [91].

Employees can have knowledge of security issues, positive attitudes and generally good awareness of security issues, but they also need to be fully aware of their responsibilities and roles in securing their organization so that they are proactively engaged in resisting and reporting security incidents. Every employee has a social and organizational role to play, and these roles differ between employees and groups. Each employee has a set of expectations that are not general but tailored to each role. In other words, it is ineffective to target employees with security-related details that are irrelevant to their role [92]. Security responsibilities pertain to the social and organizational roles that employees have in the context of their organizational endeavors.

Security research too frequently focuses exclusively on the responsibilities of the IT department and decision makers, while neglecting the responsibilities of 'ordinary' employees. The latter are usually not involved in security issues, as research shows that only a small group of employees are involved in planning, managing and implementing security [93]. Consequently, employees do not feel that they play any important role in security issues or have any responsibility for security problems. Awareness of roles and responsibilities is thus an important part of security culture. Moreover, an employee's awareness of their own individual security responsibilities, and their understanding of the importance of those responsibilities for the information security of the organization, is a key component of the information security awareness concept as defined by the Information Security Forum.

Responsibilities can be influenced by clearly defining the roles of employees regarding security. If the members of an organization do not understand their place in the security of the organization, they are less likely to follow the necessary steps and procedures to make the organization safe.
