A significant impact is made by the employee’s behavior to information security in organizations. The culture concept can help different parts of the organization that concerns about information security within the organization. “Exploring the Relationship between Organizational Culture and Information Security Culture” gives the accompanying meaning of data security society: “ISC is the totality of examples of conduct in an association that add to the assurance of data of all kinds.”
The continuous improvement is necessary to information security culture. In “Information Security Culture from Analysis to Change,” writers remarked, “It’s a ceaseless procedure, a cycle of assessment and change or maintenance.” The following five steps are needed to manage the information security culture: Pre-evaluation, strategic planning, effective planning, implementation, and post-evaluation.
Pre-Evaluation:
It identifies the awareness of information security within employees and analyses the current security policy.
Strategic Planning:
To come up with a better awareness-program, it is necessary to set clear targets. Clustering people is helpful to achieve it.
Operative Planning:
Good security could be achieved by a culture based on management-buy-in, internal communication, training, and security awareness program.
Implementation:
The four stages must be applied to implement the information security culture: commitment of the management, courses for all organizational members, communication with corporate members and determination of the employees.