۱- Introduction

۲- Background and related work

۳- Current study

۴- Method

۵- Results

۶- Discussion

References

Abstract

The relationship between security culture and Information Security Awareness (ISA) has received preliminary support; however, its interplay with organisational culture is yet to be empirically investigated. Therefore, this study explored the relationship between ISA, organisational culture, and security culture. A total of 508 working Australians completed an online questionnaire. ISA was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q); organisational culture was measured using the Denison Organisational Culture Survey (DOCS); and security culture was assessed through the Organisational Security Culture Measure. Our results showed that while organisational culture and security culture were correlated with ISA, security culture played an important mediating relationship between organisational culture and ISA. This suggests that organisations should focus on security culture rather than organisational culture to improve ISA, saving time and resources. Future research could further extend current findings by also considering national culture.

Introduction

Human behaviour is largely determined by culture, affecting interactions in everyday social and work environments (Cronk and Salmon, 2017). Therefore, when attempting to understand and shape human behaviour, looking at an individual in isolation is problematic. It is also important to consider the group, the broader social and organisational systems, and their interactions (Tessem and Skaraas, 2005). This is important for information security, as people play a significant role in not only creating risks, but also preventing security breaches. In an organisational context, the primary cause of human error is non-compliance, or nonmalicious unawareness, rather than malicious intent (Parsons et al., 2014). Traditionally, information security has focused on technical solutions, and measures to mitigate risks. However, the importance of the human factor has become increasingly recognised, and it has been well established that technical solutions in isolation cannot sufficiently mitigate security breaches (e.g., Furnell and Clarke, 2012). The role of the human is crucial with humans being the weakest link in information security (Parsons et al., 2017; von Solms and van Niekerk, 2010).