Survey of Information Security in more than 100 organizations

How do Swedish non-manual workers view information security and how can we understand behavior in relation to the phenomenon? Lack of knowledge about these issues led to the implementation of a comprehensive survey of Swedish non-manual workers within the framework of the SECURIT research program.

Statistics Sweden (SCB) carried out the survey in the spring of 2016 on behalf of the researchers.

The survey was a collaboration between several of the projects included in the program. Some of the research questions were:

  • How can behavior related to information security rules be explained?
  • What is the relationship between organizational culture and employee attitudes and behaviors about information security?
  • What impact does the information security climate have?
  • What attitudes have employees towards whistle blowing and freedom of communication?

The sample was chosen as 1) a representative sample of 2000 non-manual workers in Sweden (the national selection) and 2) as an organizational survey of approximately 9000 employees in six different industries (the industry selection). The industries were chosen to encompass both private and public organizations, which deal with sensitive information. The three private industries were the chemical industry, the IT sector and the banking sector. The three public industries were university, health care and social services. 3681 respondents answered the questionnaire (response rate: 34 percent), 674 in the national selection (response rate: 34 percent) and 3007 in the industry selection (response rate: 31 percent to 34 percent in the various industries).

Results

The survey results gave a representative picture of employees' perception of information security in Swedish private and public organizations. The results also showed that there were significant differences between different organizations and industries regarding the aspects of information security that the survey examined. A number of scientific papers were produced based on the survey results. These may be found on the Results and dissemination page.

Based on results from the survey, a tool was also developed to make it possible to measure information security climate in organizations. This tool can be used to benchmark the own organization compared with other organizations. Moreover, the survey can be used in further research because there is now a reference material that makes it possible to investigate how information security develops over time. Another possibility of using the survey is in evaluating organizational development projects aimed at improving information security.