A proposal of an organizational information security culture framework

Abstract

The efficiency of various technical information security controls is based on the `people' who interact with the information every day. Information security culture aims at protecting information assets by guiding how things are done in organization in regard to information security through influencing employees' security behavior. This paper review key frameworks that were proposed in the literature in the period between the years 2003 and 2013, to establish and maintain information security culture inside organizations. The review draws the attention to the need for more investigation in the field to provide comprehensive frameworks for information security culture within organization. This paper attempts to propose one. The framework incorporates key change management principles and has five main dimensions that represent strategy, technology, organization, people and environment issues that affect the effective information security culture.