
Jonas hallberg. securit

New Trends in Societal Security research in the Nordic countries 26 - 27 November 2014 in Stockholm

Published in: Science

  1. Security culture and information technology, SECURIT. Teodor Sommestad, Jonas Hallberg. www.foi.se/securit
  2. Information security?
     • Secure information assets …
     • Administrative security, physical security, IT security [1]
     • The right information to the right entity on time
     [Diagram labels: Alice, Bob, MKG, PMKG, KPubl, Kpriv]
     [1] SIS. (2007). SIS HB 550: Terminologi för informationssäkerhet, utgåva 3. SIS Förlag.
  3. Organization, human, and technology
     [Diagram labels, in slide order: Organization with individuals; ISMS; Information security culture; Education, training, and exercises; Compliance; Access control; Technology; Protection against malware; Intrusion prevention; Intrusion detection; Logging]
  4. Motivation
     • The need for improved information security
     • Security culture is vital for information security
     • SECURIT studies:
       • security-relevant characteristics of humans and organizations
       • the effects of applied social measures
  5. What is culture?
     Hofstede: “culture is the collective programming of the mind that distinguishes the members of one group or category of people from another”.
     Edgar Schein:
  6. The SECURIT research consortium
  7. The SECURIT program, 2012-2017
     [Diagram labels: Psychology; Information security culture; Cognitive science; Philosophy; Informatics; Political science; Cyber security]
     Information security culture: Shared patterns of thought, behaviour, and values that arise and evolve within a social group, based on communicative processes influenced by internal and external requirements, are conveyed to new members and have implications on information security.
  8. The research projects in SECURIT
  9. Themes addressed in User acceptance of information security policies
     • Theme 1: Factors influencing the compliance with information security policies and similar security-related behavior within organizations
     • Theme 2: The risk perceptions of individuals and groups and the relationship between information security risk perceptions, policies, and compliance
     • Theme 3: Information security incident models and the effect on the information security of organizations
  10. Theme 1: Protection Motivation Theory
      [Diagram labels, in slide order: Rewards; Coping appraisal: Response efficacy, Self-efficacy, Response cost; Intention; R² = 0.37 to 0.42; Behavior; Threat appraisal: Severity, Vulnerability]
      [Values shown on the diagram, in slide order: 0.19 (only one study); 0.17 to 0.30; 0.34 to 0.40; 0.38 to 0.40; -0.40 to -0.28; 0.18 to 0.31]
      • It matters if it is:
        • Compliance or secure behavior
        • Threats to you or threats to others
        • Generic or specific behavior
      Sommestad, Teodor, Henrik Karlzén and Jonas Hallberg, “A Meta-Analysis of Studies on Protection Motivation Theory and Information Security Behavior”
  11. Theme 1: Theory of planned behavior
      [Diagram labels and their example questions:]
      • Attitude: E.g., I find it meaningful to follow the rules?
      • Subjective Norm: E.g., my friends think I should follow the rules?
      • Perceived Behaviour Control: E.g., I have the ability to do what the rules say?
      • Intention: E.g., I intend to follow the rules?
      • Behaviour: Were the rules actually followed?
      • Actual Behaviour Control: How difficult it actually is?
      [Values shown on the diagram, in slide order: R² = 0.42; R² = 0.25-31; 0.48; 0.52; 0.45; 0.83; 0.35]
      Sommestad, Teodor, and Jonas Hallberg. 2013. “A Review of the Theory of Planned Behaviour in the Context of Information Security Policy Compliance”
  12. Theme 2: How do people do their information security risk calculations?
      Weinstein, N D. 2000. “Perceived Probability, Perceived Severity, and Health-Protective Behavior.” Health Psychology: Official Journal of the Division of Health Psychology, American Psychological Association 19 (1) (January): 65–74.
  13. SECURIT project managers
      • Security culture: Sven Ove Hansson, KTH
      • User acceptance of information security policies: Teodor Sommestad, FOI
      • Attitude, culture, and information security: Anders Pousette, Göteborgs universitet
      • Discourse and security practice: Peter Johansson, Göteborgs universitet
      • Balanced IT-based Organizational development: Jonas Landgren, Göteborgs universitet/Chalmers
      • ATTITUDE: Joachim Åström, Örebro universitet
      • INTERORG: Frans Prenkert, Örebro universitet
      • CONGRUENCE: Karin Axelsson, Linköpings universitet
