Towards an organizational culture framework for information security practices

Abstract

In organizations, employee behaviour has a considerable impact on information security. The organizational culture (OC) that shapes acceptable employee behaviours is therefore significant. A large body of literature exists that calls for the cultivation of security culture to positively influence information security related behaviour of employees. However, there is little research examining OC that enables the implementation of information security. The authors address the unsubstantiated claim that there is an important relationship between OC and the ability to successfully implement information security. Findings suggest that security practices can be successfully implemented within eight organizational culture characteristics. Investigation of these organizational culture characteristics from a security perspective is an important step toward future empirical research aimed at understanding the relationship between OC and the implementation of systematic improvement of security practices. The research and practical implications of these findings are discussed, and future research areas are explored.