Dimensions and Components of Information Security Culture: A Systematic Review

Article type: Research article

Authors

Allameh Tabataba'i University

Abstract

Creating an information security culture helps to minimize threats, particularly human threats, in protecting information, and consequently leads to a reduction in data breaches or incidents in organizations. No study has so far been conducted to identify the components of information security culture in the country. Based on various theories, information security culture has been examined and analyzed with different approaches. The aim of this article is to review existing research in the field of information security culture, identify the dimensions and components of information security culture, and integrate the literature of this field.
To conduct this systematic review, all studies carried out in the field of information security culture were extracted from reputable databases using relevant keywords, and finally 310 related articles from 2000 to 2022 were examined. Based on this examination and in line with the research objective, the components and dimensions of information security culture were identified and compiled across different approaches and perspectives.
The findings indicate that no widely accepted set of dimensions and components exists, and different researchers have considered different dimensions and components for information security culture. Researchers have used 3 theories and concepts in their studies. The frequency of the theories used across the studies was determined, and the most frequently used theory is Schein's organizational culture model. The studies were carried out in various organizations and industries, but no model or framework specific to a particular industry has been presented. Moreover, most of the proposed models or frameworks are descriptive and have not been evaluated. The studies were also examined by geographical distribution, and it was found that most of them belong to developing countries.

Keywords


Article title [English]

Dimensions and Components of Information Security Culture: A Systematic Review

Authors [English]

  • Soheila Jafarnezhad Sany
  • Mohammadreza Taghva
  • Mohammad Tagh Taghavifard
  • Miral Seyednaghavi

Abstract [English]

Creating an information security culture helps to minimize threats, especially those caused by humans, in order to protect information, and as a result it leads to a reduction in data breaches or incidents in organizations. No study has so far been conducted to identify the components of information security culture in the country. Information security culture has been investigated and analyzed using different approaches and based on different theories. The purpose of this article is to review the existing research in the field of information security culture in order to examine the resulting knowledge, identify the dimensions and components of information security culture, and integrate the literature in this field.
To carry out this systematic review, all studies conducted in the field of information security culture were extracted from reliable databases using relevant keywords; finally, 310 related articles from 2000 to 2022 were reviewed. Based on the results of this review and in line with the purpose of the research, the components and dimensions of information security culture were identified and compiled across different approaches and perspectives.
The findings indicate that there is no widely accepted set of dimensions and components: different researchers have considered different dimensions and components for information security culture. They have used 3 theories and concepts in their studies. The frequency of the theories used in the different studies was determined, and the most commonly used one is Schein's organizational culture model. The studies have been carried out in various organizations and industries, but no industry-specific model or framework has been provided. Most of the proposed models or frameworks are descriptive and have not been evaluated. The studies were also examined by geographical distribution, and it was found that most of them belong to developing countries.

Keywords [English]

  • Information Security
  • Information Security Culture
  • Organizational Culture
  • Systematic Review