
Case Study Information Security Management



I. Introduction
Public and private organisations face a wide range of information threats. Securing their information has become a crucial function within the information systems management regime. With an increasing reliance on technologies connected over open data networks, effective information security management (ISM) has become a critical success factor for public and private organisations alike. In order to achieve effective ISM, it is essential to develop and deploy an effective information security culture.

Best practice and trends in information security are similar throughout the world. However, when it comes to applying these best practice approaches to specific situations, local context and circumstances need to be considered. This is the case when we consider the application of generic best practices to a specific country, particularly a country which may be considered as still developing technologically, and where technological development is uneven.

Previous studies have shown that non-technical issues are at least as important as technical issues in safeguarding an organisation’s sensitive information (Dhillon and Torkzadeh, 2006; Siponen and Oinas-Kukkonen, 2007). However, the importance of non-technical information security management issues has been de-emphasised in much previous ISM research, which tends to be quantitative in nature (Siponen and Oinas-Kukkonen, 2007). Researchers have also argued that organisations need an information security culture as well as technological mechanisms to ensure a safe environment for information assets (Chia et al., 2002; Ruighaver et al., 2007; Schlienger and Teufel, 2002, 2003; Zakaria and Gani, 2003; Zakaria, 2004). There is a particular lack of attention in the current ISM literature to developing countries and to how factors such as national and organisational culture, the information security environment and the level of information security awareness relate to individual attitudes towards information security and its management.

Thus, the challenge is to determine which aspects of an organisation’s environment facilitate and enable sustainable information security compliance. This is a complex issue with no easy answers. One aspect that is prominent in the extant literature is that creating a security culture is becoming a key goal for private and public organisations in their attempts to safeguard their information assets. A culture that encourages ethical conduct and commitment to compliance with information security requirements appears to be what organisations need to focus on. In order to achieve this goal, the environmental factors that influence behaviour, encouraging or inhibiting individual employees and managers from doing the right thing even when they know what the policy says, should first be identified. Secondly, an effective management strategy that addresses both internal and external factors should be implemented.

The intent of this study is to contribute to the body of knowledge related to the development and deployment of information security culture in the context of developing countries. Using a case study approach, this thesis examines the factors affecting individuals’ beliefs and behaviours related to information security culture. Specifically, the study will examine factors, internal and external to the organisation, which influence information security development and deployment in three different types of organisations (public, private and non-profit) in Saudi Arabia.


II. Background of the Organization
The introduction has established the need for a greater understanding of the organisational elements associated with an effective information security culture in the context of Saudi Arabia. The research questions, study design and potential contributions of the study have been presented. A background to the overall context of the study and the motivations and rationale for the study has also been provided. An outline of each of the remaining chapters follows. The first of these outlines the foundations of the study, reviewing the three main subject areas: information security management, information security culture and the cultural dimensions of the Saudi Arabian context. The initial framework for the research is derived from the literature; in that chapter, the dimensions of the framework and how they are derived are brought forth. The chapter concludes by presenting the analytical framework used in the research.

A case study method is used. The chapter begins with a theoretical perspective on the research methodology. The background for the selection of the case study method is discussed. Then, the case study protocol, including data collection procedures, is outlined, including their relevance to each phase of the research and how they relate to the research questions. Finally, the data analysis strategy and processes are discussed, followed by a discussion of the issues associated with validity and reliability.


III. Case Study Analysis
This chapter presents an analysis of the qualitative data collected for this study. The chapter is divided into two sections. The first section gives a detailed description of each case site and an analysis of the data collected, in order to form a view of the information security culture of each organisation and the values influencing its security culture. The second section presents a cross-case analysis of the information security values and issues identified in the three cases. The findings presented in this chapter are derived from interviews with case participants and an analysis of secondary information about each case organisation. The secondary information includes annual reports, policy documents, organisational structures and press releases. Each case issue is presented with a quote from a participant, which reflects the respondent’s view of the issue. The values and issues are organised into the major categories corresponding to the components of the research’s conceptual framework for information security culture development.

The research question aims to identify the organisational and national cultural values and factors that have influenced the implementation and impact of information security management. The research conceptual model is represented here to provide a focus for the case practices and issues. In this study, efforts were made to select, for the case studies, organisations that allowed data to be collected about a range of businesses, sizes and approaches to information systems security management. The three cases for the study were selected to represent the private, public and non-profit sectors. They will be referred to as Case A, Case B and Case C, respectively. In this research, all information that may identify the participants or their organisations is anonymised. Thus, the case study will not contain specific information about the organisations or the participants’ names or references. Instead, each participant’s response will be assigned a sequential number, for example, [P5-A] (where P5 = participant number five and ‘A’ refers to the participant’s organisation; in this example, participant five belongs to Case A).

To understand the information security culture in an organisation, it is important to first understand its information security environment, practices and issues. Using a semi-structured interview, the participants responded to the first set of protocol questions concerning their organisation’s actual practices. There were fifteen structured questions and ten open-ended questions, and the responses were recorded.


IV. Case Study Evaluation
At the time of the study, no comprehensive information security related standard or policy existed. However, the information security policy was embedded in the organisation’s overall policies. There were also some documents, related mostly to technical aspects of information security management, scattered across several departments (IT, HR and IC). Respondents from organisation C emphasised the importance of organisational policies in information security development, for example, a policy to standardise managerial procedures. It appears that the lack of clarity about what kind of procedures to follow and enforce contributed to the lack of compliance with information security in Case C. One IT staff member explained: “there are no clear procedures and guidelines related to information security issues and it is taken for granted that managers and individuals will do the right thing, but unfortunately, this is not always the case.” Managers from different departments also supported the IT staff members’ shared view that the absence of clear information security procedures and directions contributed significantly to most of the information security system incidents.

