Information security management: A case study of an information security culture

This thesis argues that in order to establish a sound information security culture it is necessary to look at organisation’s information security systems in a sociotechnical context. The motivation for this research stems from the continuing concern of ineffective information security in organisations, leading to potentially significant monetary losses. It is important to address both technical and nontechnical aspects when dealing with information security management. Culture has been identified as an underlying determinant of individuals’ behaviour and this extends to information security culture, particularly in developing countries. This research investigates information security culture in the Saudi Arabia context. The theoretical foundation for the study is based on organisational and national culture theories. A conceptual framework for this study was constructed based on Peterson and Smith’s (1997) model of national culture. This framework guides the study of national, organisational and technological values and their relationships to the development of information security culture. Further, the study seeks to better understand how these values might affect the development and deployment of an organisation’s information security culture. Drawing on evidence from three exploratory case studies, an emergent conceptual framework was developed from the traditional human behaviour and the social environment perspectives used in social work, This framework contributes to information security management by identifying behaviours related to four modes of information security practice. These modes provide a sound basis that can be used