ABSTRACT
A strong information security culture in organizations contributes to reducing incidents involving leaks of sensitive and private information. Since human action is one of the main causes of such leaks, the current state of an organization's culture needs to be evaluated. This work aims to identify methods for assessing the information security culture in organizations and to characterize the current state of this topic. We conducted a survey using an evaluation instrument proposed in the literature that includes dimensions for assessing the information security culture. The survey received 75 responses, mostly from employees of private institutions. We observed that employees need training on information security, and that there is an incongruity between knowing, understanding and applying the procedures described in the information security policy. This work provides an understanding of the current status of the information security culture in organizations; its results can be expanded and used in future studies to improve security practices in organizations.