Biblio

Filters: Keyword is Information Security Culture
2020-11-20
Mousavi, M. Z., Kumar, S..  2019.  Analysis of key Factors for Organization Information Security. 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon). :514–518.
Protecting sensitive information from illegal access and misuse is crucial to all organizations. Inappropriate Information Security (IS) policy and procedures not only provide a suitable environment for an outsider attack but also a good chance for insiders' misuse. In this paper, we discuss the roles of an organization in information security and how human behavior affects the Information Security System (ISS), and how an organization can create and instill an effective information security culture to improve its information safeguards. The findings in this review can be used for further research and will be useful for organizations to improve their information security structure (ISC).
2020-10-12
Marchand-Niño, William-Rogelio, Fonseca, Bruno Paolo Guzman.  2019.  Social Engineering for Diagnostic the Information Security Culture. 2019 IEEE 39th Central America and Panama Convention (CONCAPAN XXXIX). :1–6.
In the process of diagnosing the culture of information security in an organization, two methods are considered: the first is the application of an ISCA (Information Security Culture Assessment) survey questionnaire, and the second is based on social engineering techniques such as phishing. They are used to answer the question "How can the level of information security culture within an organization be diagnosed effectively?", with the objective of determining which of the two methods is the most effective and realistic for the diagnosis of the information security culture. This helps to understand and have a real and complete perception of the behavior and reaction of the users against the attacks of threat actors who make use of persuasion and manipulation tactics in order to obtain confidential or sensitive information. The two methods are described and applied to a case study (a public university). The result is that it is not enough to perform a diagnosis based on questionnaires, because they can be relatively subjective in the way in which users respond to questions or statements. Evidence from controlled social engineering attacks, which demonstrates in more detail the real behavior of users, should also be considered. Based on this more complete knowledge, appropriate strategies can be formulated for the change or strengthening of the security culture, which ultimately contributes to the purpose of protecting information assets.
2018-04-30
Nasir, Akhyari, Arshah, Ruzaini Abdullah, Ab Hamid, Mohd Rashid.  2017.  Information Security Policy Compliance Behavior Based on Comprehensive Dimensions of Information Security Culture: A Conceptual Framework. Proceedings of the 2017 International Conference on Information System and Data Mining. :56–60.
The adherence of employees to the Information Security Policy (ISP) established in the organization is crucial in reducing information security risks. Some scholars have suggested that employees' compliance with ISP could be influenced by the Information Security Culture (ISC) cultivated in the organization. Several studies on the impact of ISC on ISP compliance have proposed different dimensions and factors associated with ISC, with substantial differences in each finding. This paper discusses an enhanced conceptual framework of ISP compliance behavior by addressing ISC as a multidimensional concept which consists of seven comprehensive dimensions. These newly proposed ISC dimensions were developed using all the key factors of ISC in the literature and were aligned with the widely accepted concept of organizational culture and ISC. The framework is also integrated with the most significant behavioral theory in this domain of study, the Theory of Planned Behavior, to provide a deeper understanding and richer findings of the compliance behavior. This framework is expected to give more accurate findings on the relationships between ISC and ISP compliance behavior.