Information security culture – state-of-the-art review between 2000 and 2013

The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about.

Results are based on a literature review of information security culture research published between 2000 and 2013 (December).

This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature.

Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research.

Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated.

Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.