An investigation of the factors that influence information security culture in government organisations in Bhutan

Sonam Tenzin

Adoption of information technology in organisations has increased the amount of data and information being generated and stored. This information is essential for individuals and organisations. Therefore, safeguarding information assets from external and internal threats is of vital importance. Information security threats can be categorised as technical and human- based threats, and human-based threats are major sources of information security breaches in organisations (Glaspie & Karwowski, 2018). Large investments have been made by organisations to secure data and security networks, but despite this, information security breaches as a result of human-based action are on the rise (Ponemon, 2019). Information security threats can be reduced by improving the information security behaviour of employees. In addition, having an effective information security culture is believed to contribute to improving information security behaviour. Information security culture includes information security attitudes, assumptions, beliefs, values, and knowledge that employees use when interacting with organisational information assets and systems. To establish an effective information security culture, it is important to identify and understand the key factors that influence information security culture. This study therefore investigated the key factors that contribute to the establishment of an effective information security culture and explored how information security culture influences the information security behaviour of employees. A research model was developed for the study based on an analysis of the information security literature. The target population for this research study is employees of government organisations in Bhutan. Data was collected using an online questionnaire. Using responses collected from 181 participants, the research model was tested using Partial Least Squares Structural Equation Modelling (PLS- SEM). The research model explained a relatively high proportion of the variability in information security culture (53.1%) but only 14.9% of the variability in information security behaviour. Six out of the nine hypotheses were supported. Senior management support, information security policy, training and awareness campaigns, interpersonal trust, and job- versus employee-oriented organisational culture were shown to be factors influencing information security culture. This study also found that establishing an effective information security culture contributes to good information security behaviour. Identifying the role of interpersonal trust is particularly valuable as it extends the work of Dang-Pham, Pittayachawan, and Bruno (2017) and clarifies the importance of interpersonal trust in establishing an effective information security culture, and through that good information security behaviour. These findings will help government policy makers and information security practitioners when designing and developing information security strategies and programs. This will establish effective information security culture in organisations to nurture good information security behaviour.

An investigation of the factors that influence information security culture in government organisations in Bhutan

Files and links (1)

Abstract

Details

Metrics