How can we explain improvements in organizational information security culture in an organization providing critical infrastructure?

Abstract

The aims of the present study are to 1) Compare results from a study conducted before and a study conducted after efforts to improve organizational information security culture in an organization providing critical infrastructure, and 2) discuss the results of the comparison. In this study, we compare the results of two surveys done over a period of just over two years; the first early in 2014 (N = 323) and the second late in 2016 (N = 446). Organizational information security culture was measured with an index which was made by adding the scores of respondents’ answers to 24 items with answer alternatives ranging from 1 to 5. Thus, the minimum score of the information security index was 24 and the maximum score was 120. We found a statistically significant improvement in the index, comparing 2014 to 2016. Changes are discussed considering respondents’ experiences with the implemented measures, sample characteristics and other methodological factors. We conclude that it seems that management implementation of measures aimed at improving organizational security culture has led to improvements.