An organisational culture consists of employees’ shared basic values and assumptions about the surrounding world. These values and assumptions govern employees’ actions. Organisational culture is often described as a central part of managing an organisation, and many studies on culture and information security view organisations as rational instruments where management can mould the way employees act. Studies that try to understand how patterns of attitudes and values, and hence prioritisations, differ between contexts are less common.
The Attitude research project investigated the relationship between organisational culture and employees’ attitudes and information security behaviour in different industries. We were also interested in a methodological question concerning how surveys are designed with regard to measuring information security compliance. Such studies are often designed without paying attention to situations where employees need to prioritise between information security rules and their core work tasks. Does it make any difference if a respondent has to answer yes or no to the statement “I follow the information security policy at my workplace”, or if the question is posed as “How often are you non-compliant with the information security policy because it worsens the quality of your work?”?
The study was sent out by Statistics Sweden as a survey targeting white-collar workers in private and public organisations in Sweden. It was based on two samples: one randomised sample of 2,000 white-collar workers in Sweden and one randomised sample targeting organisations in six industries (municipal social services, health care, universities and university colleges, banking, chemical processing industry, and IT-consultants). For the latter, approximately 1,500 white-collar workers per industry were selected randomly. The analysis was carried out using the Competing Values Framework in order to identify the organisations’ cultures.
The results show that organisational culture has some importance for information security. Thus, influencing organisational culture in a certain direction can be an effective way of increasing information security in an organisation. In addition, the results show that it makes a difference whether or not information security is measured as an integrated part of a work situation. These results should be of importance whenever employees’ information security compliance is measured, including when practitioners carry out studies.
Karlsson F, Karlsson M, Åström J (2017) Measuring employees’ compliance - the importance of value pluralism. Information & Computer Security, Volume 25, Issue 3, 279-299.
Karlsson F, Åström J, Karlsson M (2015) Information security culture: State-of-the-art review between 2000 and 2013. Information Management & Computer Security, Volume 23, Issue 3, 246-285.
Karlsson M, Karlsson F, Åström J (2017) Organisationskulturens påverkan på informationssäkerhetsarbetet. In Hallberg J, Johansson P, Karlsson F, Lundberg F, Lundgren B, Törner M: Informationssäkerhet och organisationskultur. Studentlitteratur, Lund.