Organizational Security Culture Eric Vanderburg June 23, 2007


Page 1: Organizational security culture - Eric Vanderburg

Organizational Security Culture

Eric Vanderburg

June 23, 2007

Page 2

Introduction

Page 3

Research Question

Page 4

Existing Research

• Jerome Want
  – Want, J. (2006). Corporate Culture: Illuminating the Black Hole. New York, NY: St. Martin's Press.
  – Analyzes how different cultures respond to change

• Michael Caloyannides
  – Caloyannides, M. (2004). Enhancing Security: Not for the Conformist. IEEE Security and Privacy, 2(6), 86-88.
  – Essential characteristics for security personnel
  – Cites lack of these characteristics in current generation

• Edgar Schein

• Chia, Ruighaver, & Maynard

Page 5

Edgar H. Schein

Three levels for understanding and identifying corporate culture

Schein, E.H. (1999). The Corporate Culture Survival Guide: Sense and Nonsense About Cultural Change. San Francisco, CA: Jossey-Bass Publishers.

Page 6

Eight cultural dimensions

Chia, P. A., Ruighaver, A.B., Maynard, S.B. (2002), Understanding Organisational Security Culture. Proceedings from PACIS2002: The 6th Pacific Asia Conference on Information Systems, Tokyo, Japan.

Page 7

Value (Rationale for Research)

• Infinity multiplied by 0 is 0

The best security plans, most talented associates, and brilliant leadership combined with an incompatible security culture results in bad security.

• Security is clearly lacking – Below: percentage of US firms not in compliance

Regulation                                    2005    2006
California database breach notification act   15%     15%
Sarbanes-Oxley                                38%     28%
HIPAA                                         38%     40%
GLBA                                          17%     14%
Other state/local privacy regulations         10%     32%

Source: The State of Information Security 2006 worldwide study by CIO Magazine and PricewaterhouseCoopers