Embedding Information Security Culture Emerging Concerns and Challenges

The behaviour of employees has been identified as a key factor in the protection of organizational information. As such, many researchers have called for information security culture (ISC) to be embedded into organizations to positively influence employee behaviour towards protecting organizational information. Despite claims that ISC may influence employee behaviours to protect organizational information, there is little empirical work that examines the embedding of ISC into organizations. This paper argues that embedding ISC should not only focus on employee behaviour, but rather in a holistic manner, involve everyone in the organization. The argument is developed through case studies in two organizations based on semi structured interviews of respondents, observations, and documents analysis from each organization. The results show that the challenges of embedding ISC are not as simple as changing employee behaviour and technical aspects of security. Rather, the more challenging problem is how to embed ISC in a holistic manner that includes senior management support and involvement to instil awareness through mandatory training with a clear assignment of responsibility and constant enforcement of security policies and procedures. We believe that the findings will provide researchers in ISC with a broader view of how ISC can be embedded in organizations.