Enablers of Information Security Culture

The aim of our article is to provide arguments for a poly-contextual and dynamic approach to information security risk culture. We consider the correlation of memes as DNA (DeoxyriboNucleic Acid) of the mind with knowledge and the organizational context. Our approach is interpretivist, reflective and dialectic (Cecez-Kecmanovic, 2011). It seeks to overcome the limits of knowledge induced by the highly mathematical models that are featured in specialized literature and often taken over in software applications.Yet we have to consider the subjectivism of the information that we process (Von Bayer, 2004, ). Depending on the country or the region, we can notice that there are discrepancies between our own perceptions and the perceptions of our fellows. Human behaviour adjusts depending on our own experiences that are also specific to the environment in which we live (Lorenz, 1969).Can actual information security risk assessment models provide objective, sci-entific information on a wide range of social and technological risks? Can indi-viduals develop unique and precise judgments that can be limited only to math-ematic forms and calculus? “Risk does not exist ‘out there’, independent of our minds and cultures, waiting to be measured” (Slovic,1992). As early as the 1950s opera-tional risk theoreticians stated that risk cannot be defined beyond human per-ceptions (Rappaport, 1953).