Organizational Security Culture
Eric Vanderburg
June 23, 2007
Introduction
Research Question
Existing Research
• Jerome Want
  – Want, J. (2006). Corporate Culture: Illuminating the Black Hole. New York, NY: St. Martin’s Press.
  – Analyzes how different cultures respond to change
• Michael Caloyannides
  – Caloyannides, M. (2004). Enhancing Security: Not for the Conformist. IEEE Security and Privacy, 2(6), 86-88.
  – Essential characteristics for security personnel
  – Cites lack of these characteristics in current generation
• Edgar Schein
• Chia, Ruighaver, & Maynard
Edgar H. Schein
Three levels for understanding and identifying corporate culture
Schein, E.H. (1999). The Corporate Culture Survival Guide: Sense and Nonsense About Cultural Change. San Francisco, CA: Jossey-Bass Publishers.
Eight cultural dimensions
Chia, P. A., Ruighaver, A.B., Maynard, S.B. (2002), Understanding Organisational Security Culture. Proceedings from PACIS2002: The 6th Pacific Asia Conference on Information Systems, Tokyo, Japan.
Value (Rationale for Research)
• Infinity multiplied by 0 is 0
  – The best security plans, most talented associates, and brilliant leadership combined with an incompatible security culture result in bad security.
• Security is clearly lacking
  – Below: percentage of US firms not in compliance
Regulation                                    2005   2006
California database breach notification act   15%    15%
Sarbanes-Oxley                                38%    28%
HIPAA                                         38%    40%
GLBA                                          17%    14%
Other state/local privacy regulations         10%    32%

Source: The State of Information Security 2006 worldwide study by CIO Magazine and PricewaterhouseCoopers