Critical analysis of information security culture definitions

Zainab Ruhwanya; Jacques Ophoff

doi:10.1007/978-3-030-57404-8_27

Critical analysis of information security culture definitions

Zainab Ruhwanya^*, Jacques Ophoff

^*Corresponding author for this work

Division of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

435 Downloads (Pure)

Abstract

This article aims to advance the understanding of information security culture through a critical reflection on the wide-ranging definitions of information security culture in the literature. It uses the hermeneutic approach for conducting literature reviews. The review identifies 16 definitions of information security culture in the literature. Based on the analysis of these definitions, four different views of culture are distinguished. The shared values view highlights the set of cultural value patterns that are shared across the organization. An action-based view highlights the behaviors of individuals in the organization. A mental model view relates to the abstract view of the individual’s thinking on how information security culture must work. Finally, a problem-solving view emphasizes a combination of understanding from shared value-based and action-based views. The paper analyzes and presents the limitations of these four views of information security culture definitions.

Original language	English
Title of host publication	Human Aspects of Information Security and Assurance
Subtitle of host publication	14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings
Editors	Nathan Clarke, Steven Furnell
Place of Publication	Cham
Publisher	Springer
Pages	353-365
Number of pages	13
ISBN (Electronic)	9783030574048
ISBN (Print)	9783030574031
DOIs	https://doi.org/10.1007/978-3-030-57404-8_27
Publication status	Published - 21 Aug 2020
Event	14th International Symposium on Human Aspects of Information Security & Assurance - Online/Virtual, Mytilene, Greece Duration: 8 Jul 2020 → 10 Jul 2020 Conference number: 14th https://www.haisa.org/?page=home

Publication series

Name	IFIP Advances in Information and Communication Technology (IFIPAICT)
Publisher	Springer
Volume	593
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	14th International Symposium on Human Aspects of Information Security & Assurance
Abbreviated title	HAISA 2020
Country/Territory	Greece
City	Mytilene
Period	8/07/20 → 10/07/20
Internet address	https://www.haisa.org/?page=home

Keywords

Information security culture
Culture
Shared-value view
Action-based view
Mental model view
Problem-solving view

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1007/978-3-030-57404-8_27

Ophoff_CriticalAnalysisOfInformationSecurity_Accepted_2020Accepted author manuscript, 324 KB

Cite this

Ruhwanya, Z., & Ophoff, J. (2020). Critical analysis of information security culture definitions. In N. Clarke, & S. Furnell (Eds.), Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings (pp. 353-365). (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 593). Springer. https://doi.org/10.1007/978-3-030-57404-8_27

Ruhwanya, Zainab ; Ophoff, Jacques. / Critical analysis of information security culture definitions. Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings. editor / Nathan Clarke ; Steven Furnell. Cham : Springer, 2020. pp. 353-365 (IFIP Advances in Information and Communication Technology (IFIPAICT)).

@inproceedings{b6d0e4e869de4e7a9b92345fb666cb0e,

title = "Critical analysis of information security culture definitions",

abstract = "This article aims to advance the understanding of information security culture through a critical reflection on the wide-ranging definitions of information security culture in the literature. It uses the hermeneutic approach for conducting literature reviews. The review identifies 16 definitions of information security culture in the literature. Based on the analysis of these definitions, four different views of culture are distinguished. The shared values view highlights the set of cultural value patterns that are shared across the organization. An action-based view highlights the behaviors of individuals in the organization. A mental model view relates to the abstract view of the individual{\textquoteright}s thinking on how information security culture must work. Finally, a problem-solving view emphasizes a combination of understanding from shared value-based and action-based views. The paper analyzes and presents the limitations of these four views of information security culture definitions.",

author = "Zainab Ruhwanya and Jacques Ophoff",

year = "2020",

month = aug,

day = "21",

doi = "10.1007/978-3-030-57404-8_27",

language = "English",

isbn = "9783030574031",

series = "IFIP Advances in Information and Communication Technology (IFIPAICT)",

publisher = "Springer",

pages = "353--365",

editor = "Nathan Clarke and Steven Furnell",

booktitle = "Human Aspects of Information Security and Assurance",

note = "14th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2020 ; Conference date: 08-07-2020 Through 10-07-2020",

url = "https://www.haisa.org/?page=home",

}

Ruhwanya, Z & Ophoff, J 2020, Critical analysis of information security culture definitions. in N Clarke & S Furnell (eds), Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings. IFIP Advances in Information and Communication Technology (IFIPAICT), vol. 593, Springer, Cham, pp. 353-365, 14th International Symposium on Human Aspects of Information Security & Assurance, Mytilene, Greece, 8/07/20. https://doi.org/10.1007/978-3-030-57404-8_27

Critical analysis of information security culture definitions. / Ruhwanya, Zainab; Ophoff, Jacques.
Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings. ed. / Nathan Clarke; Steven Furnell. Cham: Springer, 2020. p. 353-365 (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 593).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Critical analysis of information security culture definitions

AU - Ruhwanya, Zainab

AU - Ophoff, Jacques

N1 - Conference code: 14th

PY - 2020/8/21

Y1 - 2020/8/21

N2 - This article aims to advance the understanding of information security culture through a critical reflection on the wide-ranging definitions of information security culture in the literature. It uses the hermeneutic approach for conducting literature reviews. The review identifies 16 definitions of information security culture in the literature. Based on the analysis of these definitions, four different views of culture are distinguished. The shared values view highlights the set of cultural value patterns that are shared across the organization. An action-based view highlights the behaviors of individuals in the organization. A mental model view relates to the abstract view of the individual’s thinking on how information security culture must work. Finally, a problem-solving view emphasizes a combination of understanding from shared value-based and action-based views. The paper analyzes and presents the limitations of these four views of information security culture definitions.

AB - This article aims to advance the understanding of information security culture through a critical reflection on the wide-ranging definitions of information security culture in the literature. It uses the hermeneutic approach for conducting literature reviews. The review identifies 16 definitions of information security culture in the literature. Based on the analysis of these definitions, four different views of culture are distinguished. The shared values view highlights the set of cultural value patterns that are shared across the organization. An action-based view highlights the behaviors of individuals in the organization. A mental model view relates to the abstract view of the individual’s thinking on how information security culture must work. Finally, a problem-solving view emphasizes a combination of understanding from shared value-based and action-based views. The paper analyzes and presents the limitations of these four views of information security culture definitions.

U2 - 10.1007/978-3-030-57404-8_27

DO - 10.1007/978-3-030-57404-8_27

M3 - Conference contribution

SN - 9783030574031

T3 - IFIP Advances in Information and Communication Technology (IFIPAICT)

SP - 353

EP - 365

BT - Human Aspects of Information Security and Assurance

A2 - Clarke, Nathan

A2 - Furnell, Steven

PB - Springer

CY - Cham

T2 - 14th International Symposium on Human Aspects of Information Security & Assurance

Y2 - 8 July 2020 through 10 July 2020

ER -

Ruhwanya Z, Ophoff J. Critical analysis of information security culture definitions. In Clarke N, Furnell S, editors, Human Aspects of Information Security and Assurance: 14th IFIP WG 11.12 International Symposium, HAISA 2020, Mytilene, Lesbos, Greece, July 8–10, 2020, Proceedings. Cham: Springer. 2020. p. 353-365. (IFIP Advances in Information and Communication Technology (IFIPAICT)). Epub 2020 Aug 21. doi: 10.1007/978-3-030-57404-8_27

Critical analysis of information security culture definitions

Abstract

Publication series

Conference

Keywords

UN SDGs

Access to Document

Fingerprint

Cite this