Information security culture in practice

Information assets are central to today's organisations - in both the private and public sectors. The need to protect these assets is therefore essential. It has been shown that information security cannot rely solely on technical and administrative structures in the organisation. There is also important to take into consideration how employees think about information security and to work with an appropriate information security culture. In order to be able to develop an appropriate information security culture, however, methods and tools are needed to measure and identify the need for change in the current way of working with information security.

Organisations often have several management systems that govern the work of employees. Information security management systems are seldom the only thing employees need to take into consideration. Therefore, this gives raise goal conflicts between different instructions, where the prioritization is left to individual employees. The purpose of the project is to develop and evaluate an IT-system to identify conflicts of goals and values in existing information security cultures. The IT system is an implementation of a previously developed method at Örebro University, the Value-Based Compliance method, for identifying and analysing goal and value conflicts regarding information security.

The developed IT system will consist of two modules:
1. A module where interviews and observations are used to collect data on information security work, in order to identify goal and value conflicts in a work-group.
2. A module where data is collected through an organization-specific survey, developed based on the analysis in (1). This survey can be used to analyse a larger part of the organisation (or the entire organization) to measure goal and value conflicts in the organisation. The survey can be reused in order to recurringly analyse goal and values conflicts relating to information security.

The project includes that the development of the IT system takes place in parallel with audits in organizations where parts of the IT system and the underlying Value-Based Compliance method are used.

The project started in February 2019 and is planned to continue through December 2023. The project is part of the national research program Information security culture in practice. The research program is jointly performed by the Swedish Defence Research Agency (FOI) Gothenburg University and Örebro University. The research program is a continuation of the research program SECURIT.