Understanding the information security culture of organizations: Results of a Survey
Abstract
A strong information security culture in organizations contributes to reducing incidents involving leaks of sensitive and private information. Since human action is one of the main causes of such leaks, the current state of organizations' security culture needs to be evaluated. This work aims to identify methods for assessing the information security culture of organizations and to characterize the current state of this topic. We conducted a survey using an evaluation instrument proposed in the literature that includes dimensions for assessing the information security culture. The survey received 75 responses, mostly from employees of private institutions. We observed that employees need training on information security, and that there is a gap between knowing, understanding and applying the procedures described in the information security policy. This work provides an understanding of the current status of the information security culture in organizations; its results can be expanded and used in future studies to improve security practices in organizations.