№1, 2023

Rasmiyya Sh. Mahmudova

Nowadays, digitization of all areas of human activity leads to an increase in the number of information security incidents in organizations. From this point of view, the problem of information security culture in organizations becomes very relevant in modern times. Obviously, the majority of incidents related to information security violations in organizations are associated to the human factor. To overcome this problem, the research in the field of the evaluation of information security culture is urgent. Measuring and evaluating information security culture can enable an organization to identify its weaknesses in this area and take measures to eliminate them. This article examines various approaches to the concept of information security culture, and analyzes the affecting factors within the organization (management’s attitude towards information security, information security policy, information security awareness and employee’s behaviors). It also studies the documents adopted in the field of development and evaluation of information security culture in the European Union countries and the United States, and implemented projects. It analyzes proposed methods for measuring the information security culture in the organization using various methods. Moreover, the article reveals existing problems in this field and provides certain recommendations for their elimination. The methods of analysis and synthesis, comparison, generalization and systematic approach are used in this research (pp.66-74).

Keywords:Information security culture, Information protection, Organization’s information security, Cyber security culture, Information security policy, Security awareness
  • Astakhova, L.V., Lushnikova, S.S. (2019). Enterprise information security culture: a comparative analysis of foreign and Russian studies. Bulletin of the Ural Federal District. Information sphere security.1 (31), 37-47. (in Russian)
  • European Union Agency for Network and Information Security (ENISA, 2017). Cyber Security Culture in organisations, https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations/at_download/fullReport
  • Begishev, I.R. (2021). Cyber-Security Culture: Psychological and Legal Aspects. Psikhologiya i pravo = Psychology and Law, 11(4), pp. 207-220. https://doi.org/10.17759/psylaw.2021110415 (In Russian).
  • Schlienger, T., Teufel, S. (2002). Information Security Culture. The Socio-Cultural Dimension in Information Security Management. Security in the Information Society. IFIP Advances in Information and Communication Technology, 86, 191—201. https://doi.org/10.1007/978-0-387- 35586-3_46.
  • Helokunnas, T., Kuusisto, R. (2003). Information security culture in a value net. IEMC’03 Proceedings. Managing Technologically Driven Organizations: The Human Side of Innovation and Change. Albany, NY, USA (2–4 Nov. 2003). Chichester: J. Wiley and sons LTD. pp. 190–194.
  • Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7(4), 171-175.
  • Mahmudova, R. (2013). Formation of information security culture in society. Problems of Information Society, №1 (7), s. 32-38. (in Azerbaijani)
  • Saleh AlDaajeh, Heba Saleous, Saed Alrabaee, Ezedin Barka, Frank Breitinger, Kim-Kwang Raymond Choo. (2022). The role of national cybersecurity strategies on the improvement of cybersecurity education. Computers & Security, 119, 102754.
  • Da Veiga, A. and Eloff, J.H.P. (2010). A framework and assessment instrument for information security culture. Computers and Security, 29,196–207.
  • Wiley, A., McCormac, A., Calic, D. (2020). More than the individual: Examining the relationship between culture and Information Security Awareness. Computers & Security, 88, 101640.
  • Schlienger, T., Teufel, S. (2003). Information security culture-from analysis to change. South African Computer Journal, 2003, 46–52.
  • Sherif, E. and Furnell, S. (2015). A Conceptual Model for Cultivating an Information Security Culture. International Journal for Information Security Research, 5(2), 565–573. https://doi.org/10.20533/ijisr.2042.4639.2015.0065.  
  • Parsons, K.M., et al. (2015). The Influence of Organizational Information Security Culture on Information Security Decision Making. Journal of Cognitive Engineering and Decision Making, 9(2), 117—129. https://doi.org/10.1177/1555343415575152.
  • Lunacek, O. (2017) Knowledge system new tool of the security experts education. 6th International Conference on Military Technologies, p. 430–434.
  • Rocha Flores, V., Antonsen, E., Ekstedt, M. (2014) Information security knowledge sharing in organizations: A study of the impact of behavioral information security management and national culture. Computers and Security, 43, 90-110. (in Russian)
  • Parsons, K., Kalik, D, Pattinson, M., Butavichyus, M., McCormack, A., Zwaans, T. (2017). Human aspects of information security questionnaire: Two additional verification studies. Computers and Security, 66, 40-51. (in Russian)
  • Stanton, J., Stam, C., Mastrangelo, P., Jolton, J. A. (2005). Analysis of end user security behavior. Computers and Security, 2 (24), 124-133. (in Russian)
  • Khan, B., Alghathbar, K. S., Nabi, S. I., Khan, M. K. (2011). Effectiveness of information security awareness methods based on psychological theories. African Journal of Business Management, 5 (26), 10862–10868. https://doi.org/ 10.5897/ajbm11.067.
  • Angelo Corallo, Mariangela Lazoi, Marianna Lezzi, Angela Luperto. (2022). Cybersecurity awareness in the context of the Industrial Internet of Things: A systematic literature review, Computers in Industry, 137, 103614.
  • Martins, A. & Eloff, J.H.P. (2002). Information security culture. Security in the Information Society, pp. 203 214. IFIP/SEC2002. Boston, MA: Kluwer Academic Publishers.
  • Mahmudova, R. (2022). Analysis of international experience in the formation of a culture of information security in society. Problems of Information Society, 13(1), 75–82. https://doi.org/10.25045/jpis.v13.i1.10 
  • Federal Information Security Management Act of 2022. (2022). 107-347, https://csrc.nist.gov/topics/laws-and-regulations/laws/fisma
  • National Initiative for Cybersecurity Education (NICE): Cybersecurity Workforce Framework. (2017). https://nvlpubs.nist.gov/nistpubs/specialpublications/nis t.sp.800-181.pdf
  • Astakhova, L. V. (2018). From culture to the cultural resourse of an organization’s information security. Bulletin of culture and arts, 3 (55), 85–101. (in Russian)
  • Adéleda Veiga, Liudmila V.Astakhova, Adéle Botha, Marlien Herselman. (2020). Defining organisational information security culture—Perspectives from academia and industry, Computers & Security, 92, 101713.
  • Vroom, C., Von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security. 23 (3), 191–198. https://doi.org/ 10.1016/j.cose.2004.01.012.
  • Khan, B., Alghathbar, K. S., Nabi, S. I., Khan, M. K. (2011). Effectiveness of information security awareness methods based on psychological theories. African Journal of Business Management, 5 (26), 10862–10868. https://doi.org/10.5897/ajbm11.067.
  • Da Veiga, A., Martins, N., Eloff, J.H.P. (2007) Information security culture – validation of an assessment instrument. Southern African Business Review, 11(1), 147–166.
  • Martins, A. (2002). Information security culture. MCom dissertation, Rand Afrikaans University, Johannesburg.
  • Schulz von Thun. (1992). Miteinander reden. Reinbek bei Hamburg: Rowohlt Taschenbuch Verlag.
  • Sladkova, N.M., Ilchenko, O.A., Stepanenko, A.A., Shaposhnikov, V.A. (2021). Features of assessment of competences in information security of state and municipal employees. Issues of state and municipal management, 1, 122-149. (in Russian)
  • Alnatheer, Mohammed; Chan, Taizan; and Nelson, Karen. (2012). Understanding And Measuring Information Security Culture. PACIS 2012 Proceedings. 144. http://aisel.aisnet.org/pacis2012/144.
  • Ibrahim Al-Mayahi and Sa’ad P. Mansoor. (2013). Information Security Culture Assessment: Case Study. Third International Conference on Information Science and Technology, March 23-25, 2013, p.789-792; Yangzhou, Jiangsu, China.
  • Imamverdiyev, Y.N. (2015). Issues of information security culture in the e-government environment. Information technology problems, 1, 80-88. (in Azerbaijani)
  • Alguliev, R.M., Mahmudova, R.Sh. (2011). Structural Approach to the Formation of Information Culture of Individuals, Proceedings of the International Conference on Informatics Engineering and Information Science, Kuala Lumpur, Malaysia, part IV, 254, https://link.springer.com/book/10.1007/978-3-642-25483-3