1. Security culture and information technology, SECURIT
Teodor Sommestad
Jonas Hallberg
www.foi.se/securit
2. Information security?
• Secure information assets …
• Administrative security, physical security, IT security [1]
• The right information to the right entity on time
[Figure: exchange between Alice and Bob; diagram labels: MKG, PMKG, KPubl, Kpriv]
1. SIS. (2007). SIS HB 550: Terminologi för informationssäkerhet, utgåva 3. SIS Förlag.
3. Organization, human, and technology
[Figure: an organization with individuals, its ISMS and information security culture, and its technology. Labels: Organization with individuals; ISMS; Information security culture; Education, training, and exercises; Compliance; Access control; Technology; Protection against malware; Intrusion prevention; Intrusion detection; Logging]
4. Motivation
• The need for improved information security
• Security culture is vital for information security
• SECURIT studies:
  • security-relevant characteristics of humans and organizations
  • the effects of applied social measures
5. What is culture?
Hofstede: “culture is the collective programming of the mind that distinguishes the members of one group or category of people from another”.
Edgar Schein:
7. The SECURIT program, 2012-2017
[Figure: disciplines contributing to the program, arranged around Information security culture: Psychology, Cognitive science, Philosophy, Informatics, Political science, Cyber security]
Information security culture: Shared patterns of thought, behaviour, and values that arise and evolve within a social group, based on communicative processes influenced by internal and external requirements, are conveyed to new members and have implications for information security.
9. Themes addressed in User acceptance of information security policies
• Theme 1: Factors influencing compliance with information security policies and similar security-related behavior within organizations
• Theme 2: The risk perceptions of individuals and groups and the relationship between information security risk perceptions, policies, and compliance
• Theme 3: Information security incident models and their effect on the information security of organizations
10. Theme 1: Protection Motivation Theory
[Figure: Protection Motivation Theory model. Threat appraisal (Severity; Vulnerability 0.18 to 0.31) and Coping appraisal (Response efficacy, Self-efficacy, Response cost), together with Rewards, predict Intention (R2 = 0.37 to 0.42), which predicts Behavior. Path coefficients shown in the figure: 0.19 (only one study), 0.17 to 0.30, 0.34 to 0.40, 0.38 to 0.40, -0.40 to -0.28]
• It matters if it is:
  • Compliance or secure behavior
  • Threats to you or threats to others
  • Generic or specific behavior
Sommestad, Teodor, Henrik Karlzén and Jonas Hallberg, “A Meta-Analysis of Studies on Protection Motivation Theory and Information Security Behavior”
11. Theme 1: Theory of planned behavior
[Figure: Theory of Planned Behaviour model. Attitude (e.g., "I find it meaningful to follow the rules?"), Subjective norm (e.g., "My friends think I should follow the rules?") and Perceived behaviour control (e.g., "I have the ability to do what the rules say?") predict Intention (e.g., "I intend to follow the rules?"; R2 = 0.42), which together with Actual behaviour control ("How difficult it actually is?") predicts Behaviour ("Were the rules actually followed?"; R2 = 0.25 to 0.31). Path coefficients shown in the figure: 0.48, 0.52, 0.45, 0.83, 0.35]
Sommestad, Teodor, and Jonas Hallberg. 2013. “A Review of the Theory of Planned Behaviour in the Context of Information Security Policy Compliance”
12. Theme 2: How do people do their information security risk calculations?
Weinstein, N. D. 2000. “Perceived Probability, Perceived Severity, and Health-Protective Behavior.” Health Psychology: Official Journal of the Division of Health Psychology, American Psychological Association 19 (1) (January): 65–74.
13. SECURIT project managers
• Security culture: Sven Ove Hansson, KTH
• User acceptance of information security policies: Teodor Sommestad, FOI
• Attitude, culture, and information security: Anders Pousette, Göteborgs universitet
• Discourse and security practice: Peter Johansson, Göteborgs universitet
• Balanced IT-based Organizational development: Jonas Landgren, Göteborgs universitet/Chalmers
• ATTITUDE: Joachim Åström, Örebro universitet
• INTERORG: Frans Prenkert, Örebro universitet
• CONGRUENCE: Karin Axelsson, Linköpings universitet