Information security culture

Employee behavior can have a big impact on information security in organizations. Cultural concepts can help different segments of an organization work effectively towards information security, or work against it. "Exploring the Relationship between Organizational Culture and Information Security Culture" provides the following definition of information security culture: "ISC is the totality of patterns of behavior in an organization that contribute to the protection of information of all kinds."

Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore the organization's information security best interests. Research shows that information security culture needs to be improved continuously. In "Information Security Culture from Analysis to Change", the authors commented, "It's a never ending process, a cycle of evaluation and change or maintenance." To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.

Pre-evaluation: to identify employees' awareness of information security and to analyze the current security policy.

Strategic planning: to come up with a better awareness program, clear targets need to be set. Grouping employees into clusters helps achieve this.

Operative planning: a good security culture can be established based on internal communication, management buy-in, security awareness, and a training program.

Implementation: four stages should be used to implement the information security culture. They are:

- Commitment of the management
- Communication with organizational members
- Courses for all organizational members
- Commitment of the employees
