Understanding and measuring information security culture in developing countries : case of Saudi Arabia

The purpose of the current study was to develop a measurement of information security culture in developing countries such as Saudi Arabia. In order to achieve this goal, the study commenced with a comprehensive review of the literature, the outcome being the development of a conceptual model as a reference base. The literature review revealed a lack of academic and professional research into information security culture in developing countries and more specifically in Saudi Arabia. Given the increasing importance and significant investment developing countries are making in information technology, there is a clear need to investigate information security culture from developing countries perspective such as Saudi Arabia. Furthermore, our analysis indicated a lack of clear conceptualization and distinction between factors that constitute information security culture and factors that influence information security culture. Our research aims to fill this gap by developing and validating a measurement model of information security culture, as well as developing initial understanding of factors that influence security culture. A sequential mixed method consisting of a qualitative phase to explore the conceptualisation of information security culture, and a quantitative phase to validate the model is adopted for this research. In the qualitative phase, eight interviews with information security experts in eight different Saudi organisations were conducted, revealing that security culture can be constituted as reflection of security awareness, security compliance and security ownership. Additionally, the qualitative interviews have revealed that factors that influence security culture are top management involvement, policy enforcement, policy maintenance, training and ethical conduct policies. These factors were confirmed by the literature review as being critical and important for the creation of security culture and formed the basis for our initial information security culture model, which was operationalised and tested in different Saudi Arabian organisations. Using data from two hundred and fifty-four valid responses, we demonstrated the validity and reliability of the information security culture model through Exploratory Factor Analysis (EFA), followed by Confirmatory Factor Analysis (CFA.) In addition, using Structural Equation Modelling (SEM) we were further able to demonstrate the validity of the model in a nomological net, as well as provide some preliminary findings on the factors that influence information security culture. The current study contributes to the existing body of knowledge in two major ways: firstly, it develops an information security culture measurement model; secondly, it presents empirical evidence for the nomological validity for the security culture measurement model and discovery of factors that influence information security culture. The current study also indicates possible future related research needs.

Information security management : a case study of an information security culture

This thesis argues that in order to establish a sound information security culture it is necessary to look at organisation's information security systems in a socio- technical context. The motivation for this research stems from the continuing concern of ineffective information security in organisations, leading to potentially significant monetary losses. It is important to address both technical and non- technical aspects when dealing with information security management. Culture has been identified as an underlying determinant of individuals' behaviour and this extends to information security culture, particularly in developing countries. This research investigates information security culture in the Saudi Arabia context. The theoretical foundation for the study is based on organisational and national culture theories. A conceptual framework for this study was constructed based on Peterson and Smith's (1997) model of national culture. This framework guides the study of national, organisational and technological values and their relationships to the development of information security culture. Further, the study seeks to better understand how these values might affect the development and deployment of an organisation's information security culture. Drawing on evidence from three exploratory case studies, an emergent conceptual framework was developed from the traditional human behaviour and the social environment perspectives used in social work, This framework contributes to in- formation security management by identifying behaviours related to four modes of information security practice. These modes provide a sound basis that can be used to evaluate individual organisational members' behaviour and the adequacy of ex- isting security measures. The results confirm the plausibility of the four modes of practice. Furthermore, a final framework was developed by integrating the four modes framework into the research framework. The outcomes of the three case stud- ies demonstrate that some of the national, organisational and technological values have clear impacts on the development and deployment of organisations' informa- tion security culture. This research, by providing an understanding the in uence of national, organi- sational and technological values on individuals' information security behaviour, contributes to building a theory of information security culture development within an organisational context. The research reports on the development of an inte- grated information security culture model that highlights recommendations for developing an information security culture. The research framework, introduced by this research, is put forward as a robust starting point for further related work in this area.

A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context

An examination of Information Security (IS) and Information Security Management (ISM) research in Saudi Arabia has shown the need for more rigorous studies focusing on the implementation and adoption processes involved with IS culture and practices. Overall, there is a lack of academic and professional literature about ISM and more specifically IS culture in Saudi Arabia. Therefore, the overall aim of this paper is to identify issues and factors that assist the implementation and the adoption of IS culture and practices within the Saudi environment. The goal of this paper is to identify the important conditions for creating an information security culture in Saudi Arabian organizations. We plan to use this framework to investigate whether security culture has emerged into practices in Saudi Arabian organizations.

Information security culture : a behaviour compliance conceptual framework

Understanding the complex dynamic and uncertain characteristics of organisational employees who perform authorised or unauthorised information security activities is deemed to be a very important and challenging task. This paper presents a conceptual framework for classifying and organising the characteristics of organisational subjects involved in these information security practices. Our framework expands the traditional Human Behaviour and the Social Environment perspectives used in social work by identifying how knowledge, skills and individual preferences work to influence individual and group practices with respect to information security management. The classification of concepts and characteristics in the framework arises from a review of recent literature and is underpinned by theoretical models that explain these concepts and characteristics. Further, based upon an exploratory study of three case organisations in Saudi Arabia involving extensive interviews with senior managers, department managers, IT managers, information security officers, and IT staff; this article describes observed information security practices and identifies several factors which appear to be particularly important in influencing information security behaviour. These factors include values associated with national and organisational culture and how they manifest in practice, and activities related to information security management.

Evaluation of the contribution of fisheries and aquaculture to food security in developing countries

Fish contain important nutrients such as essential fatty acids, iron, zinc, calcium, vitamin A and vitamin C. Production of freshwater fish depends on the strategic application of various management techniques. The demand for fish products has increased beyond the natural supply, resulting in a high pressure on fisheries. Development of aquaculture is necessary for a rapid growth in fish production. A number of constraints hamper the development of aquaculture. Introduction of polyculture technologies in some countries is a way of maximizing production from different levels of the food chain. The roles of women in making fish products available to consumers is frequently over-looked by policy makers. Gender equity in policy-making and management of fisheries and in capacity building is an important issue. Fish production from inland waters and coastal areas can be increased by adopting cage and pen culture systems. Input subsidies and loans to resource poor farmers can boost fish production.

Enabling information security culture : influences and challenges for Australian SMEs

An effective information security culture is vital to the success of information systems governance, risk management and compliance. Small and medium size enterprises (SMEs) face special challenges developing an information security culture as they may lack the information security knowledge, skills and behaviours of large organisations. This paper reports the main findings from an interpretive study of key influences enabling an effective information security culture for Australian SMEs. The paper provides a framework depicting external and internal influences on SME information security culture and a set of key challenges in the Australian context. The findings highlight that SME owner attitudes and behaviour – in turn influenced by government involvement - strongly influence information security culture for Australian SMEs. A surprising finding is the potential influence of the Australian culture. Practical and theoretical implications are discussed.

Impact of agricultural market liberalization on food security in developing countries : a comparative study of Kenya and Zambia

This research investigates the impacts of agricultural market liberalization on food security in developing countries and it evaluates the supply perspective of food security. This research theme is applied on the agricultural sector in Kenya and in Zambia by studying the role policies played in the maize sub-sector. An evaluation of selected policies introduced at the beginning of the 1980s is made, as well as an assessment of whether those policies influenced maize output. A theoretical model of agricultural production is then formulated to reflect cereal production in a developing country setting. This study begins with a review of the general framework and the aims of the structural adjustment programs and proceeds to their application in the maize sector in Kenya and Zambia. A literature review of the supply and demand synthesis of food security is presented with examples from various developing countries. Contrary to previous studies on food security, this study assesses two countries with divergent economic orientations. Agricultural sector response to economic and institutional policies in different settings is also evaluated. Finally, a dynamic time series econometric model is applied to assess the effects of policy on maize output. The empirical findings suggest a weak policy influence on maize output, but the precipitation and acreage variables stand out as core determinants of maize output. The policy dimension of acreage and how markets influence it is not discussed at length in this study. Due to weak land rights and tenure structures in these countries, the direct impact of policy change on land markets cannot be precisely measured. Recurring government intervention during the structural policy implementation period impeded efficient functioning of input and output markets, particularly in Zambia. Input and output prices of maize and fertilizer responded more strongly in Kenya than in Zambia, where the state often ceded to public pressure by revoking pertinent policy measures. These policy interpretations are based on the response of policy variables which are more responsive in Kenya than in Zambia. According the obtained regression results, agricultural markets in general, and the maize sub-sector in particular, responded more positively to implemented policies in Kenya, than in Zambia, which supported a more socialist economic system. It is observed in these results that in order for policies to be effective, sector and regional dimensions need to be considered. The regional and sector dimensions were not taken into account in the formulation and implementation of structural adjustment policies in the 1980s. It can be noted that countries with vibrant economic structures and institutions fared better than those which had a firm, socially founded system.

Understanding transition towards information security culture change

Transitioning towards an information security culture for organisations has not been adequately explored in the current security and management literature. Many authors have proposed how information security culture can be created, fostered and managed within organisations, but have failed to adequately address the transition process towards information security culture change, particularly for small medium enterprises (SMEs). This paper aims to (1) recapitulate key developments and trends within information security culture literature; (2) explore in detail the transition process towards organisational change; (3) adapt the transition process with respects to the key players involved in transition and propose a transition model for information security culture change; and (4) consider how this model could be used by managers and employees of Australian SMEs. A major intention of this paper is to provide academic researchers and practicing managers with an understanding of the transition process towards achieving information security culture change within SMEs.

Fostering information security culture in small and medium size enterprises: an interpretive study in Australia

By having an effective organisational information security culture where employees intuitively protect corporate information assets, small and medium size enterprises (SMEs) could improve information security. However, previous research has largely overlooked the development of such a culture for SMEs, and the national context in which SMEs operate. The paper explores this topic and provides key findings from an interpretive Australian study based on a literature review, two focus groups and three case studies. A holistic framework is provided for fostering an information security culture in SMEs in a national setting. The paper discusses key managerial challenges for SMEs attempting to develop such a culture. The main findings suggest that Australian SME owners do not provide sufficient support for information security due to insufficient awareness of its importance and may also be affected by national attitudes to risk. The paper concludes that Australian SME owners may benefit from adopting a risk-based approach to information security and should be educated about the potential strategic role of information technology and information security. The paper also identifies the value and difficulty of promoting a behavioural and learning approach to information security to complement traditional technological and managerial approaches. Implications for theory and practice are discussed.