The socio-organisational factors that shape guardianship experience of information security management in organisations

  • Jason Johnstone

    Student thesis: Doctoral Thesis

    Abstract

    To become more effective and efficient, organisations are increasing their utilisation of information and information systems, which has made them more vulnerable to various kinds of attacks from cybercriminals; a major consequence of which are security breaches. Further, despite previous studies showing insecure behaviour as a major cause, information security is often viewed as a technical problem only, where socio-organisational factors are often overlooked. Therefore, the primary aim of this qualitative research is to investigate how socio-organisational factors influence security behaviour in organisations and to describe the experiences of guardians of information security management. In this context, guardians are defined as those actors who are responsible for protecting information in organisations. In total there were 86 in-depth interviews conducted with three groups of guardians: security managers, who experience guardianship by managing an organisation’s information security; end users, who experience guardianship by using an organisation’s security controls; and security testers, who experience guardianship by testing the level of information security in organisations via the practice of security testing. The emergent findings showed that the willingness and capability of end users towards protecting information in organisations was influenced by numerous socio-organisational factors connecting to: (1) the security behaviour of upper management; (2) the effective development and implementation of security policies; (3) the effective development and implementation of SETA programmes; (4) the effective use of monitoring and enforcement practices; and (5) the usability of technical security controls. In addition, the effectiveness of security managers towards managing end user security behaviour was influenced by upper management support for information security. Lastly, the findings showed that security testing comprised numerous sequential stages, which can be mapped using the universal crime script; where the goals and objectives for each stage, as well as the required use of tools and tactics used by different security testers, were successfully mapped.
    Date of Award: 20 Jan 2020
    Original language: English
    Awarding Institution
    • Abertay University
    Supervisor: Stefano De Paoli (Supervisor) & Ian Ferguson (Supervisor)
