Issue link: https://insights.oneneck.com/i/1476862
13 The 7 dimensions of security culture Attitudes The feelings and beliefs that employees have toward the security protocols and issues. Commonly expressed in terms such as prefer, like, dislike, hate, and love, attitudes involve a preference for or against something. When we express our attitudes, we are expressing the relationship (either positive or negative) between the self and an attitude object 10, 11 . For example "I like my security badge," "I hate changing my password," or "I love my job." Because attitudes are evaluations, they can be assessed using any of the normal measuring techniques used by social psychologists 12 , such as self-report measures like questionnaires. Measuring attitudes in general has a long history since first attempts were published by Thurstone in 1929. Social psychology has discovered that our attitudes are made up of cognitive, affective, and behavioral components. Stangor provides the following illustrative example in his book, Principles of Social Psychology, "consider an environmentalist's attitude toward recycling, which is probably very positive: In terms of affect: They feel happy when they recycle. In terms of behavior: They regularly recycle their bottles and cans. In terms of cognition: They believe recycling is the responsible thing to do." He explains that although some attitudes are more likely to be based on feelings, some are more likely to be based on behaviors, and some are more likely to be based on beliefs 13 . Learned mostly through direct and indirect experiences with the attitude object 14 , an attitude is likely to be stronger if there is direct experience 15 . Psychology claims that while attitudes are enduring, they can also change. Various theories describe how attitudes can change, from learning theory to persuasion theory. Augoustinos et al. (2006) point out that attitudes need to be 'activated' (p.116) in an individual. This has significance for information security research as quite often participants may not have activated attitudes towards information security or the protection of information. They are more likely to have activated attitudes if they have direct experience of the topic (either in their organizational role or personal experience of an information security incident). Whilst psychology views that most attitudes are determined by affect, behavior, and cognition, it excludes the role of social context. Interestingly behavioral research in information security until recently disregarded an important finding from classical social psychology that not only can attitudes impact behavior, but behaviors also influence attitudes. If we engage in a behavior, and