Organizational information security culture in critical infrastructure: Developing and testing a scale and its relationships to other measures of information security

Abstract

The aims of the present study are to 1) develop and test a scale measuring organizational information security culture, and 2) examine its relationships to other aspects of information security. The study focuses on an organization providing critical infrastructure. We developed the scale by conducting qualitative interviews (N = 22) and three focus groups (N = 15) in an organization providing critical infrastructure, and by reviewing previous research on culture in organisations. Based on our literature review and the interviews, we chose to measure organizational information security culture by reformulating one of the few existing general organizational safety culture questionnaires. We first tested the questionnaire in a small pilot survey, and then conducted a questionnaire survey (N = 323) including all departments in the organization. Our examination of the factor structure of the scale indicated two factors. Regression analyses indicate that our adapted GAIN-scale, measuring organizational information security culture is the most important variable influencing information security behavior in the model.