DOI: 10.1145/3466933.3466981
research-article

Understanding the information security culture of organizations: Results of a Survey

Published: 08 July 2021

ABSTRACT

A strong information security culture in organizations helps reduce incidents involving leaks of sensitive and private information. Since human action is one of the main causes of such leaks, the current state of an organization's culture needs to be evaluated. This work aims to identify methods for assessing the information security culture of organizations and to characterize the current state of this topic. We conducted a survey using an assessment instrument proposed in the literature that includes dimensions for evaluating information security culture. The survey received 75 responses, mostly from employees of private institutions. We observed that employees need training on information security, and that there is a gap between knowing, understanding and applying the procedures described in the information security policy. This work provides an understanding of the current status of the information security culture in organizations; its results can be extended and used in future studies to improve security practices in organizations.

  • Published in

    SBSI '21: Proceedings of the XVII Brazilian Symposium on Information Systems
    June 2021
    453 pages
    ISBN: 9781450384919
    DOI: 10.1145/3466933

    Copyright © 2021 ACM

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    • Published: 8 July 2021

    Qualifiers

    • research-article
    • Research
    • Refereed limited

    Acceptance Rates

    Overall Acceptance Rate: 181 of 557 submissions, 32%