Issue link: https://insights.oneneck.com/i/1476862
34 The 7 dimensions of security culture and that is usually not easily accessible. Studies show that personal norms are influenced by external sources such as social norms as well as factors such as awareness of consequences and ascription of personal responsibility 83 . Therefore, instead of directly appealing to employees' moral obligation, an organization may, via social norms, persuade its employees to behave accordingly. Organizational norms are relatively stable social structures, but they can be changed. One important contextual factor is the general organizational culture, which first needs to establish an adequate moral climate 84 , because human behavior is strongly affected by culturally transferred norms and values 85 . When policies are clearly communicated and accepted by the group, they help consolidate such pronouncements into normatively acceptable behavior. Behavioral security research offers methods to measure norms, but they are somewhat limited, as these methods do not reveal the values behind norms. For example, an organization might develop a norm that it is completely acceptable to share passwords among employees when needed. Such norms will increase problematic end-user behavior. On the other hand, if organization has norms that instruct employees to mock people who write passwords on Post-It notes, such norms will probably positively influence end-user security behaviors, but have lasting damage to communication channels, employee attitudes and possibly responsibilities and compliance too. It is important to measure not only the presence of norms, but what kind of norms are present and how powerful are they. Measuring norms in organizations is a key element of security culture program. This is as important as measuring behaviors, cognitions and other dimensions of security culture, if not more so. When a measurement tool detects a decline in norms that support security of organization, such change usually precedes changes in behaviors. Such observation is alarming but also allows management to inflict necessary changes before the changes in behaviors occur. Studies show that personal norms are influenced by external sources such as social norms as well as factors such as awareness of consequences and ascription of personal responsibility 86 . Therefore, instead of directly appealing to employees' moral obligation, an organization may, via social norms, persuade its employees to behave accordingly.