Cybersecurity Education for Awareness and Compliance [book]

Ismini Vasileiou, Steven Furnell
2019 Advances in Information Security, Privacy, and Ethics   unpublished
A security culture can be a competitive advantage when employees uphold strong values for the protection of information and exhibit behavior that is in compliance with policies, thereby introducing minimal incidents and breaches. The security culture in an organization might, though, not be similar among departments, job levels or even generation groups. It can pose a risk when it is not conducive to the protection of information and when security incidents and breaches occur due to employee
... or or negligence. This chapter aims to give organizations an overview of the concept of security culture, the factors that could influence it, an approach to assess the security culture, and to prioritize and tailor interventions for high-risk areas. The outcome of the security culture assessment can be used as input to define security awareness, training and education programs aiding employees to exhibit behavior that is in compliance with security policies. the internal factors that could potentially influence the security culture. A security culture assessment approach is discussed with practical advice to roll out such an assessment in an organization. The emphasis is on understanding what the as-is security culture is in order to implement corrective actions to influence it positively. Examples are given of how to analyze the data, which management can use to define change management plans using methods such as awareness, training and education.
doi:10.4018/978-1-5225-7847-5 fatcat:v4x5w6zli5a7vlxxicekbhpnvu