Issue link: https://insights.oneneck.com/i/1476862
The 7 dimensions of security culture

In security, there are three interrelated pillars that organizations need to build and maintain: people, tools, and processes. The people aspect, and in particular how people use tools and processes, is little understood. There has been an increase in the scientific and professional literature exploring this area in recent years; however, a critical observation is that these studies mainly focus on psychological factors, while neglecting sociological and organizational factors. Some academic research in this area includes Da Veiga and Martins' Information Security Culture Assessment Model and Rocha Flores and Ekstedt's Information Security Culture Model.

The Security Culture Toolkit is more complete because, in addition to addressing the sociological, psychological and anthropological perspectives, our model includes human aspects of security that are often omitted, such as organizational communication processes, social roles and a more comprehensive understanding of norms, attitudes and cognitive processes.

A lot of research is hindered by the fact that it only collects data from IT administrators or top-level managers, and there is hardly any representation from the end-user community [8]. Because we measure the security culture of every employee in an organization (and perform analysis on how each of the dimensions of security culture influences end-user behavior in different organizational contexts), CLTRe plays an important role in putting empirical research of end-user behaviors, identification of their factors, and security culture in general at a higher level. Since employees are often not willing to admit to committing unethical behaviors, it is important to identify and use the appropriate research methodologies to capture these phenomena in a way that reflects reality.
It is also worth noting that while organizational monitoring techniques can be used to collect data on employee behaviors, in practice such processes are extremely costly and not always possible. For instance, it is not practical to monitor behaviors such as writing down passwords or sharing passwords with friends [9].

Our security culture model is an important element of a wider Security Culture Framework. The model consists of seven dimensions: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities. These seven dimensions were identified, tested and validated by the CLTRe Research team (headed by our Chief Science Officer, Dr. Gregor Petrič) in conjunction with our research partners, including the Research Center for Methodology and Informatics at the University of Ljubljana.

Our measurement items assess a variety of different practices and activities of employees. The items are formed in a neutral manner so that even self-reported assessments provide a good measurement of culture.

Modelling security culture