Measuring the security culture in organizations: a systematic overview of existing tools

  • Original Article
  • Security Journal

Abstract

There has been an increase in research into the security culture of organizations in recent years. This growing interest has been accompanied by the development of tools to measure the level of security culture in order to identify potential threats and formulate solutions. This article provides a systematic overview of the existing tools. A total of 16 tools are identified, six of which are studied in detail. This exploration reveals that there is no validated and widely accepted tool that can be used across different sectors and organizations. The majority of the tools reviewed use only a quantitative method; however, security culture spans very different domains, and therefore a mixed-method approach should be used. In contrast to security culture, instruments for measuring safety culture are widely available, and given the many similarities between these two domains it is possible that well-established tools for measuring safety culture could be adapted to a security environment.



Corresponding author

Correspondence to Marlies Sas.

Cite this article

Sas, M., Hardyns, W., van Nunen, K. et al. Measuring the security culture in organizations: a systematic overview of existing tools. Secur J 34, 340–357 (2021). https://doi.org/10.1057/s41284-020-00228-4