Da Veiga, AAstakhova, LVBotha, AdèleHerselman, Martha E2020-07-302020-07-302020-05Da Veiga, A. et al. 2020. Defining organisational information security culture—Perspectives from academia and industry. Computers & Security, vol. 92, pp. 920167-40481872-6208https://doi.org/10.1016/j.cose.2020.101713https://www.sciencedirect.com/science/article/pii/S0167404820300018http://hdl.handle.net/10204/11527Copyright: 2020 Elsevier. Due to copyright restrictions, the attached PDF file only contains the abstract of the full text item. For access to the full text item, please consult the publisher's website. The definitive version of the work is published in Computers & Security, Vol. 92, pp 23The ideal or strong information security culture can aid in minimising the threat of humans to information protection and thereby aid in reducing data breaches or incidents in organisations. This research sets out to understand how information security culture is defined from an academic and industry perspective using a mixed-method approach. The definition, factors necessary to instil the ideal information security culture and the potential impact of the ideal information security culture were investigated from both perspectives. A survey approach was implemented to obtain the views from industry and 512 respondents from organisations, many of which operate at an international level, participated in the survey. The research presents a description of information security culture, integrating the existing literature and expanding on it with the views of industry, thereby giving clarity to the concept. The ideal information security culture was identified with the top traits relating to aspects such as an aware and knowledgeable workforce implementing conscientious, caring behaviour to comply with policies as guided by management. The factors that could positively influence an information security culture were identified, consolidated and expanded to five external factors and twenty internal factors. Organisations that have a strong information security culture were identified as achieving mutual trust and integrity through the protection of their information. The description of an information security culture can be used as a baseline to define and understand the concept, identify a single, comprehensive set of factors to be implemented, comprehend the traits of such a culture, as well as what an organisation can achieve by having a strong information security culture. The analysis showed that scientific interpretations of the definitions and factors of information security culture are much wider than their understanding of the industry. Both the results from the scoping review of papers and the feedback from the industry experts are synthesised visually to provide an organisational information security culture model (OISCM). The definition, factors, and model that influence the organisational culture of information security, have prognostic value for industry. For scientists, this is an important topic of research on methods and forms of increasing the level of this knowledge.enInformation security cultureKey traitsDefining organisational information security culture—Perspectives from academia and industryArticleDa Veiga, A., Astakhova, L., Botha, A., & Herselman, M. E. (2020). Defining organisational information security culture—Perspectives from academia and industry. http://hdl.handle.net/10204/11527Da Veiga, A, LV Astakhova, Adèle Botha, and Martha E Herselman "Defining organisational information security culture—Perspectives from academia and industry." (2020) http://hdl.handle.net/10204/11527Da Veiga A, Astakhova L, Botha A, Herselman ME. Defining organisational information security culture—Perspectives from academia and industry. 2020; http://hdl.handle.net/10204/11527.TY - Article AU - Da Veiga, A AU - Astakhova, LV AU - Botha, Adèle AU - Herselman, Martha E AB - The ideal or strong information security culture can aid in minimising the threat of humans to information protection and thereby aid in reducing data breaches or incidents in organisations. This research sets out to understand how information security culture is defined from an academic and industry perspective using a mixed-method approach. The definition, factors necessary to instil the ideal information security culture and the potential impact of the ideal information security culture were investigated from both perspectives. A survey approach was implemented to obtain the views from industry and 512 respondents from organisations, many of which operate at an international level, participated in the survey. The research presents a description of information security culture, integrating the existing literature and expanding on it with the views of industry, thereby giving clarity to the concept. The ideal information security culture was identified with the top traits relating to aspects such as an aware and knowledgeable workforce implementing conscientious, caring behaviour to comply with policies as guided by management. The factors that could positively influence an information security culture were identified, consolidated and expanded to five external factors and twenty internal factors. Organisations that have a strong information security culture were identified as achieving mutual trust and integrity through the protection of their information. The description of an information security culture can be used as a baseline to define and understand the concept, identify a single, comprehensive set of factors to be implemented, comprehend the traits of such a culture, as well as what an organisation can achieve by having a strong information security culture. The analysis showed that scientific interpretations of the definitions and factors of information security culture are much wider than their understanding of the industry. Both the results from the scoping review of papers and the feedback from the industry experts are synthesised visually to provide an organisational information security culture model (OISCM). The definition, factors, and model that influence the organisational culture of information security, have prognostic value for industry. For scientists, this is an important topic of research on methods and forms of increasing the level of this knowledge. DA - 2020-05 DB - ResearchSpace DP - CSIR KW - Information security culture KW - Key traits LK - https://researchspace.csir.co.za PY - 2020 SM - 0167-4048 SM - 1872-6208 T1 - Defining organisational information security culture—Perspectives from academia and industry TI - Defining organisational information security culture—Perspectives from academia and industry UR - http://hdl.handle.net/10204/11527 ER -