A systematic literature review: Information security culture

Abstract

Human behavior inside organizations is considered the main threat to organizations. Moreover, in information security the human element consider the most of weakest link in general. Therefore it is crucial to create an information security culture to protect the organization's assets from inside and to influence employees' security behavior. This paper focuses on identifying the definitions and frameworks for establishing and maintaining information security culture inside organizations. It presents work have been done to conduct a systematic literature review of papers published on information security culture from 2003 to 2016. The review identified 68 papers that focus on this area, 18 of which propose an information security culture framework. An analysis of these papers indicate there is a positive relationship between levels of knowledge and how employees behave. The level of knowledge significantly affects information security behavior and should be considered as a critical factor in the effectiveness of information security culture and in any further work that is carried out on information security culture. Therefore, there is a need for more studies to identity the security knowledge that needs to be incorporated into organizations and to find instances of best practice for building an information security culture within organizations.