Defining and identifying dominant information security cultures and subcultures

An empirical case study was conducted using a survey approach with a validated information security culture questionnaire to illustrate how to identify dominant information security cultures and subcultures. The survey was conducted at four intervals in the same organisation over a number of years to identify potential information security subcultures and to monitor the change, if targeted interventions for each are implemented. Using t-tests and ANOVA tests, a number of information security subcultures were identified, mostly evident across the organisation's office locations (which are separated geographically), as well as between employees that worked in the IT division compared to those who did not. The data indicate that the dominant information security culture and subcultures improved over time to a more positive information security culture after the implementation of targeted interventions. This illustrates how the identification and targeting of information security subcultures with customised interventions can influence the information security culture positively. By using information security interventions, organisations can target their high-risk subcultures and monitor the change over time through continuous assessment, thereby minimising the risk to information protection from a human perspective.