
    Cybersecurity Education for Awareness and Compliance Noted as an IGI Global Core Reference Title in Security & Forensics for 2019.

    A security culture can be a competitive advantage when employees uphold strong values for the protection of information and exhibit behavior that is in compliance with policies, thereby introducing minimal incidents and breaches. The security culture in an organization might, though, not be similar among departments, job levels, or even generation groups. It can pose a risk when it is not conducive to the protection of information and when security incidents and breaches occur due to employee error or negligence. This chapter aims to give organizations an overview of the concept of security culture, the factors that could influence it, an approach to assess the security culture, and to prioritize and tailor interventions for high-risk areas. The outcome of the security culture assessment can be used as input to define security awareness, training, and education programs aiding employees to exhibit behavior that is in compliance with security policies.

    An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture

    Purpose: Employee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The aim of this research is to propose an approach to information security culture change management that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security. Design/methodology/approach: The Information Security Culture Change Management (ISCCM) approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study. Findings: The ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey. Research limitations/implications: The research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data. Practical implications: Organisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully. Originality/value: The proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.

    Improving the information security culture through monitoring and implementation actions illustrated through a case study

    The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet. In this paper we discuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establish whether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved from one assessment to the next, with the most positive results in the fourth assessment. This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture. Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation's information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA.

    Information security culture and information protection culture: A validated assessment instrument

    A strong information protection culture is required in organisations where the confidentiality, sensitivity and privacy of information are understood and handled accordingly. This is necessary to reduce the risk of human behaviour to the protection of information as well as to uphold privacy requirements from a regulatory perspective. This research explores the concept of an information security culture and how information privacy can be incorporated to define an information protection culture. Next, the researchers explain information attributes relating to information security and information privacy to derive information attributes that can be considered when referring to an information protection culture. The information attributes are used to evaluate an existing information security culture assessment instrument that can potentially be used to assess an information protection culture. The research reveals that the information security culture assessment (ISCA) instrument can be used, but that it can be further improved by incorporating additional privacy concepts. An information protection culture assessment (IPCA) is conducted as part of a case study in an organisation. This allowed for a factor and reliability analysis to validate the IPCA. The analysis indicated that the IPCA is valid and reliable when grouping the items into the newly identified factors, but can further be enhanced by aligning it to information privacy attributes.

    A study on information privacy concerns and expectations of demographic groups in South Africa

    Globally, there is growing concern over transparency and fairness when processing personal information and upholding the privacy of individuals. South Africa faces specific challenges in defining and implementing privacy policies and guidelines while meeting individuals’ expectations as to how their personal information is handled. There is limited data available about individual concerns and expectations for privacy in South Africa across demographic groups. Such data can aid in informing privacy policies and guidelines and addressing differences and sensitivity among demographical groups concerning information privacy. This paper explores the information privacy concerns and expectations of individuals in South Africa. Data were collected through a cross-sectional survey using the Information Privacy Concern Instrument (IPCI) that was developed in previous studies in line with the Protection of Personal Information Act (POPIA) No. 4 of 2013 of South Africa. Privacy concern was found to be high in South Africa, while confidence in organisations meeting data privacy principles was low. Statistically significant differences showed that older participants, females and white participants had higher privacy expectations than Generation Y participants, males and black participants, who were more confident that organisations were meeting privacy principles. A visual index for information privacy concerns and expectations is proposed to comprehend it across demographic groups and to monitor change going forward. The recommendations provided can serve as input for further development of privacy guidelines by stakeholders such as the South African Information Protection Regulator and responsible parties handling personal information while considering differences among demographical groups in South Africa concerning information privacy.

    A model for information security culture with innovation and creativity as enablers

    This research aims to elicit a conceptual understanding of creativity and innovation to enable a totally aligned information security culture. Stimulating the creativity and innovation of employees in an organisation can help to solve information security problems and to create a culture where information security issues are addressed and resolved, as opposed to being introduced by end-users. The study applied a theoretical approach with a scoping literature review using the PRISMA method to derive traits and programmes that organisations can implement to stimulate creativity and innovation as part of the organisational culture. A model for engendering employee creativity and innovation as part of the information security culture is proposed, through the lens of the three levels of organisational culture. This study both offers novel insights for managerial practice and serves as a point of reference for further academic research about the influence of creativity and innovation in information security culture.

    Cultivating and assessing information security culture

    The manner in which employees perceive and interact (behave) with controls implemented to protect information assets is one of the main threats to the protection of such assets and the effective use of information security controls. Should the interaction not be conducive to the protection of the information assets, it could have a profound impact on the profit of an organisation, productive working hours could be lost, confidential information might be disclosed to unauthorised people and compliance with legal and regulatory regulations could be affected - all this, despite the fact that adequate technical and procedural controls might be in place. Current research highlights the importance of a strong information security culture to address the threat that employee behaviour poses to the protection of information assets. Various research perspectives propose how an acceptable level of information security culture should be cultivated, and how to assess this culture to determine whether it is on an acceptable level. These approaches are however not adequate to cultivate information security culture, as all the relevant information security components and the influences on the information security culture have to be considered. This leads to the question as to whether the assessment instruments proposed to assess the information security culture are indeed adequate and valid. The main contribution of this research relates to the development of an information security culture framework and process consisting of an assessment instrument to assess information security culture. In order to develop the information security culture framework, the researcher developed a Comprehensive Information Security Framework (CISF) that equips organisations with a holistic approach to the implementation of information security. The framework provides a single point of reference for the governance of information security. The Information Security Culture Framework (ISCF) is developed using the CISF as foundation. The ISCF can be used by organisations to cultivate an information security culture conducive to the protection of information assets. It considers all the components required for information security culture, namely information security, organisational culture and organisational behaviour. It integrates the aforementioned concepts and illustrates the influence between the components. The ISCF further serves as a basis for designing an information security culture assessment instrument. This instrument is incorporated as part of an Information Security Culture Assessment process (ISCULA) defined by the researcher. ISCULA provides management with the steps to conduct an information security culture assessment, as well as the steps to validate the assessment instrument. The application of ISCULA is tested in an empirical study conducted in an organisation. It illustrates how to validate an information security culture assessment instrument by ensuring that it is designed based on the ISCF and meets the statistical requirements for a valid and reliable assessment instrument. Both the ISCF and the ISCULA process can ultimately be deployed by organisations to minimise the threat that employee behaviour poses to the protection of information assets.
    Thesis (PhD)--University of Pretoria, 2009.

    Cyber4Dev Security Culture Model for African Countries

    Creating a good information security culture among employees within organizations is the cornerstone for a safe and robust cyberspace. Furthermore, a strong information security culture within organizations will assist in reducing the effects of human habits that lead to data breaches. This article seeks to conduct a scoping review of the scholarly literature on Cyber Resilience for Development (Cyber4Dev) security culture within the context of African countries. With limited scholarly articles available for Cyber4Dev, the review will focus on information security culture to adapt it to a Cyber4Dev security culture that organizations in Africa can replicate. Using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) for the scoping review, this paper analysed 40 scholarly articles on information security culture to propose a Cyber4Dev security culture model for organizations applicable within an African context. Economic, social-culture and trust were identified as some of the factors to consider in an African context to promote an information security culture. Organisations can consider these factors as part of their information security programs. The model serves as reference for further research to explore the influence of the identified factors in an African context.

    A conceptual framework for a student personal information privacy culture at universities in Zimbabwe

    In this research, an information privacy culture is proposed to be embedded in three basic concepts: students’ privacy expectations, privacy awareness and confidence in universities’ capability to uphold information privacy. The aim of this research was to address the lack of an information privacy culture framework in the context of universities in Zimbabwe, the upsurge of privacy breaches in these institutions and the need to assist them in processing the information in line with regulatory requirements. The main objective of this study was therefore to ascertain the key components of a student personal information privacy culture (SPIPC) conceptual framework for universities in Zimbabwe. A scoping review was conducted and a SPIPC conceptual framework is proposed.

    Comparing the protection and use of online personal information in South Africa and the United Kingdom in line with data protection requirements

    Purpose: This research investigates the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison with a country that is preparing for compliance. Design/methodology/approach: An insurance industry multi-case study within the online insurance services environment was conducted. Personal Information (PI) of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act (DPA) and Protection of Personal Information Act (POPIA). Findings: The results demonstrate that not all the websites honored the selected opt-out preferences as direct marketing material from the insurance organisations in the sample was sent to both the SA and UK consumer profiles. Forty-two unsolicited third party contacts were received by the SA consumer profiles whereas the UK consumer profiles did not receive any third party direct marketing. It was also found that the minimality principle is not always met by both SA and UK organisations. Research implications: As a jurisdiction with a heavy stance towards privacy implementation and regulation, it was found that the UK is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study, however not fully compliant. Originality/value: Based upon the results obtained from this research, it suggests that the SA insurance organisations should ensure that the non-compliance aspects relating to direct marketing and sharing data with third parties are addressed. SA insurance companies should learn from the manner in which the UK insurance organisations implement these privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing and the minimality principle. The study indicates the positive role that data protection legislation plays in a country like the UK with a more mature stance toward compliance with data protection legislation. This research is supported by the Women in Research (WiR) Grant from the University of South Africa.