Organizational Security Culture
Eric Vanderburg
June 23, 2007
Introduction
Research Question
Existing Research
• Jerome Want
  – Want, J. (2006). Corporate Culture: Illuminating the Black Hole. New York, NY: St. Martin’s Press.
  – Analyzes how different cultures respond to change
• Michael Caloyannides
  – Caloyannides, M. (2004). Enhancing Security: Not for the Conformist. IEEE Security and Privacy, 2(6), 86-88.
  – Essential characteristics for security personnel
  – Cites lack of these characteristics in current generation
• Edgar Schein
• Chia, Ruighaver, & Maynard
Edgar H. Schein
Three levels for understanding and identifying corporate culture
Schein, E.H. (1999). The Corporate Culture Survival Guide: Sense and Nonsense About Cultural Change. San Francisco, CA: Jossey-Bass Publishers.
Eight cultural dimensions
Chia, P. A., Ruighaver, A.B., Maynard, S.B. (2002), Understanding Organisational Security Culture. Proceedings from PACIS2002: The 6th Pacific Asia Conference on Information Systems, Tokyo, Japan.
Value (Rationale for Research)
• Infinity multiplied by 0 is 0
The best security plans, most talented associates, and brilliant leadership combined with an incompatible security culture result in bad security.
• Security is clearly lacking
  – Below: percentage of US firms not in compliance

| Regulation | 2005 | 2006 |
|---|---|---|
| California database breach notification act | 15% | 15% |
| Sarbanes-Oxley | 38% | 28% |
| HIPAA | 38% | 40% |
| GLBA | 17% | 14% |
| Other state/local privacy regulations | 10% | 32% |

Source: The State of Information Security 2006 worldwide study by CIO Magazine and PricewaterhouseCoopers