Issue link: https://insights.oneneck.com/i/1476862
33 The 7 dimensions of security culture Norms The knowledge and adherence of unwritten rules of conduct in the organization, i.e. how security-related behaviors are perceived by employees as normal and accepted or unusual and unaccepted. Norms are widely understood to be one of the most important mechanisms that influence human behaviors 75 , thus a key element of security culture. Just as norms in general help people negotiate their daily activities, we can say that organizational norms guide people in their daily conduct at workplace. Sociological, socio-psychological and behavioral information security research find that norms guide employees in their use of organizational infrastructure and IT 76 , and emphasizes norms as one of key influences of end-user security behaviors and compliance 77 . Norms can be internalized by various sensemaking systems 78 . Theory of Planned Behavior is a socio- psychological theory that has been quickly adopted by the security field and shows that people generally orient their activities on the basis of reasoning, i.e. "if other people who are important to me think I should do X, then it is probably smart to do X" 79 . However, the concept of norms is multidimensional and is not just about what other important people think. It is helpful to differentiate between two general types of norms, social norms and personal norms: - Social norms can be defined as a set of (unwritten) rules that are based on common beliefs about how people act in a particular situation 80 . These are grounded in social interactions, and guide or restrain behavior through social sanctions, not the force of law. Social norms are enforced by informal rewards (like praise, reputation) and sanctions (ignorance, mocking). - Personal norms on the other hand are internalized social norms. They are grounded in one's beliefs and values and their rewards and sanctions are self-imposed. An individual who follows social norms, might do that in order to avoid sanction and not because he or she honestly believes that this is the right way of doing things. Conversely, an individual who follows personal norms does so because he or she believes that it is the normal and best way, and it is in line with his/her own values. Acting according to a personal norm becomes an end in itself rather than merely a tool in achieving certain goals or avoiding social sanctions 81 . Norms are very powerful, but also difficult to influence as they are relatively stable set of unwritten rules regarding what is good, right and important 82 . The task of a building security culture is thus to stimulate development of norms that support organizational security and ensure these norms become internalized. This way, adhering to a norm is intrinsically motivated and satisfying, and an individual will behave in line with norms even when there is no immediate social pressure or sanctions. This is because employees' values and behaviors are aligned with expectations that come from information security policies. Unlike social norms, personal norms are difficult to manipulate directly. Stimulating pressure of personal norms should come from an employee's inner self