1.
Organizational Security Culture
Eric Vanderburg
June 23, 2007

2.
Introduction

3.
Research Question

4.
Existing Research
• Jerome Want
– Want, J. (2006). Corporate Culture: Illuminating the Black Hole.
New York, NY: St. Martin’s Press.
– Analyzes how different cultures respond to change
• Michael Caloyannides
– Caloyannides, M. (2004). Enhancing Security: Not for the
Conformist. IEEE Security and Privacy, 2(6), 86-88.
– Essential characteristics for security personnel
– Cites lack of these characteristics in current generation
• Edgar Schein
• Chia, Ruighaver, & Maynard

5.
Edgar H. Schein
Three levels for understanding and identifying
corporate culture
Schein, E.H. (1999). The Corporate Culture Survival Guide:
Sense and Nonsense About Cultural Change. San Francisco, CA:
Jossey-Bass Publishers.

6.
Eight cultural dimensions
Chia, P. A., Ruighaver, A.B., Maynard, S.B. (2002), Understanding
Organisational Security Culture. Proceedings from PACIS2002:
The 6th Pacific Asia Conference on Information Systems, Tokyo,
Japan.

7.
Value (Rationale for Research)
• Infinity multiplied by 0 is 0
The best security plans, most talented associates, and brilliant
leadership combined with an incompatible security culture results in
bad security.
• Security is clearly lacking – Below: percentage of US firms not in
compliance
Regulation 2005 2006
California database breach notification act 15% 15%
Sarbanes-Oxley 38% 28%
HIPPA 38% 40%
GLBA 17% 14%
Other state/local privacy regulations 10% 32%
Source: The State of Information Security 2006 worldwide study by CIO
Magazine and PricewaterhouseCoopers