Professional Documents
Culture Documents
Research Online
Australian Information Security Management
Conference
2009
Karen Nelson
Queensland University of Technology
Originally published in the Proceedings of the 7th Australian Information Security Management Conference, Perth, Western Australia, 1st to 3rd
December 2009
This Conference Proceeding is posted at Research Online.
http://ro.ecu.edu.au/ism/2
mohammed.alnatheer@student.qut.edu.au
2
kj.nelson@qut.edu.au
Abstract
An examination of Information Security (IS) and Information Security Management (ISM) research in Saudi Arabia has
shown the need for more rigorous studies focusing on the implementation and adoption processes involved with IS
culture and practices. Overall, there is a lack of academic and professional literature about ISM and more specifically IS
culture in Saudi Arabia. Therefore, the overall aim of this paper is to identify issues and factors that assist the
implementation and the adoption of IS culture and practices within the Saudi environment. The goal of this paper is to
identify the important conditions for creating an information security culture in Saudi Arabian organizations. We plan to
use this framework to investigate whether security culture has emerged into practices in Saudi Arabian organizations.
Keywords
Information security management, Information security policy, Information security compliance, Information security
risk analysis, Information security awareness and training programs, Security culture, Organizational culture, National
culture
INTRODUCTION
Information security may be defined as the prevention of, and recovery from, unauthorized or undesirable destruction,
modification, disclosure, or use of information and information resources, whether accidental or intentional. According to
Pfleeger (1997), information security is the preservation of the confidentiality, integrity, and availability (CIA) of
information and information resources. Information security maintains three basic services:
1.
2.
Integrity, which is concerned with ensuring data cannot be modified without authorizations.
3.
Availability, which is concerned with ensuring information must be available to authorized users when they
require them (Pfleeger, 1997).
ISM focuses on developing and maintaining quality information infrastructures. ISM enhances the confidence and
effectiveness of information services within an organization, or between an organization and its external business
partners (von Solms, 1996). The overall goal of ISM is the prevention or minimization of damage to organizational
assets. ISM can enhance organizations performance, and its establishment is fast becoming the normal way of doing
business and effective ISM ensures business continuity (British Standards Institution, 1995). Globalization and
international competition increases the importance of ISM (von Solms, 1999, 2000). In recent years, several countries
(e.g. the USA, the UK, China, and others) have made investments to establish basic information security techniques
(Rathmell, 2001). In developed countries, IS cultures and practices occur because of the recognition of the importance of
IS and its influence on their economies. According to an Ernst and Young survey, security incidents can cost companies
between $17 and $28 million (Garg, Curtis & Halper, 2004). The impact of security breaches and attacks on
organizational prosperity includes loss of reputation, financial loss and business confidences. Therefore organizations in
developed countries work to ensure a secure environment for their information and communication technologies (ICT) to
safeguard performance and productivity.
However, the majority of the research about ISM has been performed by technologically leading countries such as the
United States of America, the United Kingdom, the European Union and Australia. Saudi Arabian information
technology capacities are still in a developmental phase and are immature in relation to leading western technologically
developed countries. So while information security and its management are concerned with people, processes and
technology and the technology itself can be seen as relatively objective by nature; the people and processes are
influenced by the environment in which they operate. The business environment of Saudi is different to the business
environment in the USA and other Western countries. Furthermore, information security major international standards
6| P a g e
7| P a g e
SECURITY CULTURE
Literature in the area of security shows that research on information security culture is still in its early stages of
development. Issues are still being identified, and, conceptualizations being explored. Culture has influenced the
formation of many security measures, such as national security policy, information ethics, security training, and privacy
issues (Chen, Medlin, & Shaw, 2008). Security culture covers social, cultural and ethical measures to improve the
security relevant behavior of the organizational members and considered to be a subculture of organizational culture
(Schlienger & Teufel, 2002). Security culture should support all organizational activities in a way that information
security becomes a natural aspect in the daily activities of every employee (Schlienger and Teufel, 2002, p. 197).
Security cultures assist the enforcement of information security policies and practices to the organization. As a result,
each organization goals is to be able achieve an effective information security culture in their organization. Information
security culture will emerge over time and become evident in the behavior and activities of the workforce (da Veiga,
Martins, & Eloff, 2007).
Recent studies have shown that the establishment of an organizational information security culture is necessary for
effective information security (Eloff & Von Solms, 2000; Von Solms, 2000). However, organizational culture may have
a substantial influence on the security of information, and this could be negative or positive (Chang, & Lin, 2007). It is
imperative that the organizational culture reflects a positive attitude to information security in the entire organization
(Schlienger & Teufel, 2003; Zakaria, Jarupunphol, & Gani, 2003; Vroom, R. von Solms, 2004) and it is also important
that organizational activities are consistent with good information security culture practices (van Niekerk, and von
Solms, 2005). On the other hand, (Chia, Maynard, and Ruighaver, 2002), argue on the importance for organization to
assess their security culture, and organization management must focus to establish security culture within the
organization culture (Ruighaver, Maynard, & Chang, 2007).
There is a little agreement on security culture definition or what exactly constitutes security culture (Ruighaver, et al.,
2007). The majority of research on security culture promotes the benefits of security culture without providing supportive
evidence. As a result, there is little empirical work that investigates the relationship between security culture and ISM
factors in addition to cultural factors. The current study attempts to fill this gap and contribute to the behavioral
information security literature by exploring the influence of ISM factors and cultural factors towards the implementation
and the adoption of security culture. This study is mainly interested on understanding the critihcal factors influence
security culture so it would assist organization to be able to adopt security culture as a normal behavior in their
organization. In the next section we review the factors that may aid in the implementation and adoption of IS culture and
practices in the Saudi context.
Corporate citizenship
Corporate governance
Cultural factors
However, in the case of Saudi Arabia, national cultural factors tend to be obstacles and can affect the adoption of
IS cultural and practices in Saudi Arabian organizations. Therefore, this study will examine the influence of ISM factors
and cultural factors on the adoption of IS cultural and practices in Saudi Arabia.
Corporate Citizenship
Information Security Awareness and Training Programs
The theme of corporate citizenship is concerned with how employees gain an understanding of appropriate IS culture and
practice through awareness raising and training programs. The notion of corporate citizenship is applied at three levels
(national, organizational, and individual). Senge (1990) refers to information security awareness as a state where users in
an organization are aware of, and ideally committed to, their security mission. Information security awareness is
important part of ISM (Nosworthy, 2000; Schultz, 2004; Thomson and Von Solms, 1998). Increasing awareness of
security issues is the most cost-effective control that an organization can implement (Dhillon, 1999). Hinde, (2002)
however suggests that the absence of awareness programs indicate a critical gap in effective security implementation.
Security training and awareness programs are therefore a fundamental component of effective information security
strategy. Security awareness and training can help organizations to minimize some of the damage caused by misused or
misinterpreted application procedures (Straub, 1990; Ceraolo, 1996; Straub and Welke, 1998).
A global information security survey report of 450 information security officers and IT directors (Ernest & Young, 2002)
showed that less than 50 percent of employees had received information security awareness training programs. In 2002, a
security awareness index survey which was conducted by Pentasafe Security Technologies Inc has published a report
based on the results of a free online survey designed to measure organizations' awareness of information security from
583 companies and 1350 individual employees around the world. The survey found 66% of security managers think that
information security awareness is inadequate or dangerously inadequate, 50% of employees have never received formal
information security training, 10 percent of employees have never read their company security policy, and 25% of
employees have not read their security policy in the last two years (Security Awareness Index Survey, 2002). Also,
according to Deloitte, Touche, and Tohmatsu, (2005), about 45% of global organizations do not sensitive their employees
in respect of possible information security threats, and this lack of information security awareness could well lead to
compromised information within the organization. Mitchell, Marcella, and Baxter (1999) found that information security
awareness was concentrated around the IT department and did not extend to IT users. There can be major problems if
organizations do not realize the importance information security awareness amongst users (von Solms, S.H. & von
Solms, R., 2004). Ernst and Young (2001) and Siponen (2000) found that employee awareness is one of the greatest
challenges that organizations must face in order to achieve their required level of security. However, one of the least
expensive and most practical solutions to ensuring the information security awareness is to provide staff training or
development programs to employees.
Legal and Regulatory Environment
In developing countries such as Saudi Arabia, the regulatory and legal environment relating to ICT is still developing.
However, the main components of the regulatory and legal environment can be identified from the literature and these
are: ISM standardization and best practices, and the presence of information security policies.
Information Security Management Standardization and Best Practices
International best practices for ISM are based on the combined experiences of several influential international companies
concerning the way in which they manage their information security (von Solms, 2001). ISM standards are used to
establish and maintain a secure environment for information. ISM standards help senior management to monitor and
control their security, thus minimizing any residual business risk and ensuring that security continues to fulfill corporate,
customer, and legal requirements (How to 27000 Works, 2009). For many years, ISM standards have provided an
authoritative statement on the organizational needs for information security and procedures for establishing a security
9| P a g e
Figure 1 Factors for implementing and adopting IS culture and practices in Saudi Arabia
ACKNOWLEDGEMENTS
The authors would like to thank Professor von Solms, S. H. from University of Johannesburg for his valuable discussions
in this study.
REFERENCES
Albert, C., & Dorofee, A. (2003). Managing Information Security Risks, the OCTAVE Approach. New York, USA:
Addision-Wesley.
Atkinson, P. (1997). Creating culture change strategies for success. Bedfordshire, England: Rushmere Wynne.
BACKGROUND NOTE: SAUDI ARABIA (2009). Bureau of Near Eastern Affairs, US department of state. Retrieved
10 June 2009, from http://www.state.gov/r/pa/ei/bgn/3584.htm
British Standards Institute. (1995). BS7799: Part 1, Information Security Management: Code of Practice for Information
Security Management Systems. London: BSI.
British Standards Institute. (1999). Information Security Management-BS 7799-1:1999. London: BSI.
13| P a g e
14| P a g e
15| P a g e
COPYRIGHT
Mohammed Alnatheer and Karen Nelson 2009. The author/s assign the Security Research Centre (SECAU) & Edith
Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full
and this copyright statement is reproduced. The authors also grant a non-exclusive license to SECAU & ECU to publish
this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CDROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express
permission of the authors
17| P a g e