Abstract
There has been an increase in research into the security culture of organizations in recent years. This growing interest has been accompanied by the development of tools to measure the level of security culture in order to identify potential threats and formulate solutions. This article provides a systematic overview of the existing tools. A total of 16 tools are identified, of which six are studied in detail. This exploration reveals that there is no validated and widely accepted tool that can be used across different sectors and organizations. The majority of the tools reviewed use only a quantitative method; however, security culture spans very different domains, and therefore a mixed-method approach should be used. In contrast to security culture, instruments for measuring safety culture are widely available, and given the many similarities between these two domains, it is possible that well-established tools for measuring safety culture could be adapted to a security environment.
Sas, M., Hardyns, W., van Nunen, K. et al. Measuring the security culture in organizations: a systematic overview of existing tools. Secur J 34, 340–357 (2021). https://doi.org/10.1057/s41284-020-00228-4