You are here: Home Contents V6 N4 V6N4_Thomson.html
Personal tools

Information Security Conscience: a precondition to an Information Security Culture?



Full text

Journal of Information Systems Security
Volume 6, Number 4 (2010)
Pages 319
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Kerry-Lynn Thomson — Nelson Mandela Metropolitan University, South Africa
Information Institute Publishing, Washington DC, USA




One of the major difficulties in implementing and ensuring good information security practices in an organisation is, very often, the indifferent or ignorant attitude and behaviour of employees. Employees often do not understand the importance of, and the role they should play in, the protection of information assets in an organisation. This is as a result of the fact that the goals of employees in an organisation are often not aligned with the goals of management. Ideally, the alignment of management and employee goals should occur through the creation of an Information Security Obedient Culture. This paper will explore the flow of knowledge creation, both at an organisational and individual level, which is necessary in the shaping of an Information Security Obedient Culture.




Information Security, Corporate Culture, Knowledge Creation, Information Security Obedience, Information Security Conscience




Berti, J. and Rogers, M. (2004). Social engineering: the forgotten risk. Information security management handbook – fifth edition. Boca Raton, London, New York, Washington D.C. : Auerbach Publishers.

Deloitte & Touche. (May 2002). Management briefing – information security. [online]. [cited 13 January 2003] Available from Internet: URL

Drennan, D. (1992). Transforming company culture. Berkshire, England : MacGraw-Hill.

Freeman, E.H. (2004). Information security and personnel practices. Information security management handbook – fifth edition. Boca Raton, London, New York, Washington D.C. : Auerbach Publishers.

Hagberg Consulting Group (2002). Corporate culture/organisational culture: understanding and assessment [online]. [cited 25 January 2003] Available from Internet: URL

Handy, C. (1978). Gods of management – changing the work of organizations. New York: Oxford University Press.

Hellriegel, D., Jackson, S.E., Slocum, J., Staude, G., Amos, T., Klopper, H.B., Louw, L. and Oosthuizen, T. (2004). Management – second South African edition. Cape Town, South Africa : Oxford University Press Southern Africa.

Henry, K. (2004). The human side of information security. Information security management handbook – fifth edition. Boca Raton, London, New York, Washington D.C.: Auerbach Publishers.

Klein, D.A. (2007). The strategic management of intellectual capital. Butterworth-Heinemann.

von Krogh, G. (1998). Care in knowledge creation. California Management Review, Vol 40 No. 3, pp. 133-153.

Martins, A. & Eloff, J. (2002). Information security culture. IFIP TC11, 17th International Conference on Information Security (SEC2002), Ain Shams University, Cairo, Egypt, Kluwer Academic Publishers Group, Netherlands.: pp.203-214.

Martin, J. & Siehl, C. (1983). Organisational culture and counterculture: an uneasy symbiosis. Organisational Dynamics, Vol 12, No. 2, pp. 52-64.

Meek, V.L. (1988). Organisational culture: origins and weaknesses. Organization Studies, Vol. 9, No. 4, pp. 453-473.

Mitnick, K.D. & Simon, W.L. (2002). The art of deception – controlling the human element of security. Indianapolis, Indiana : Wiley Publishing, Inc.

Nonaka, I. (1994). A dynamic theory of organisational knowledge creation. Organization Science, Vol. 5, No. 1, pp. 14-37.

Oxford Dictionary of Current English (1993). New York City: Oxford University Press.

Sathe, V. (1983). Implications of Corporate culture: A manager’s guide to action. Organisational Dynamics, pp. 5-25.

Schein, E.H. (1999). The Corporate culture survival guide. San Francisco, California, United States of America : Jossey-Bass Publishers.

Shorten, B. (2004). Information security policies from the ground up. Information security management handbook – fifth edition. Boca Raton, London, New York, Washington D.C. : Auerbach Publishers.

Thomson, K.L. & von Solms, R. (2005). Information security obedience: a definition. Computers & Security, Vol. 24, pp 69-75.