earticle

영어

An information security-aware culture will minimize internal threats to information assets through the construction of appropriate information security beliefs and values that guide employee behavior when interacting with information assets and information technology systems. This paper aims to illustrate the application of the Information Security Culture Framework (ISCF) to asses and cultivate an information security aware culture within an organization through an empirical study. The ISCF is a comprehensive framework that consists of five dimensions (Strategy, Technology, Organization, People, and Environment) and integrates change management and the human factor in information security. The empirical study includes three case studies, selected to demonstrate the effectiveness of ISCF in describing and explaining the organizational information security culture. A sequential mixed method, to collect quantitative survey data and qualitative interview data, is used to demonstrate the validity and reliability of the framework. The ISCF therefore could be used by all types of organizations in order to assess whether an acceptable level of information security culture has been implemented and, if not, corrective actions are suggested.