Cultivating a strong information security culture.
By Samantha Phillips, Cyber Studies PhD student at the University of Tulsa and TU-Team8 Cyber Fellow
Dec 12, 2023

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

Cultivating a strong information security culture (ISC) is a widely professed goal of many organizations; however, evaluating the type of ISC present in an organization, and whether employee actions reflect secure or insecure behaviors, can be challenging. When presented with the opportunity to pursue my PhD in Cyber Studies with a research focus on ISC, I couldn't pass up the opportunity to continue my education and hopefully create a positive impact in organizational security. I believe my research will be of interest to those wishing to evaluate an organization's ISC with the goal of improving the organization's overall security posture.

Executive summary.

The primary focus of my research is to establish a measurement tool for information security culture (ISC) within organizations. My first research paper on the topic, “Information Security Culture: A Look Ahead at Measurement Methods”, was published in May 2023 at the Annual Security Conference. The paper addresses the current state of ISC research, defines ISC, outlines the levels of culture, and provides an overview of research plans for creating the measurement tool. Current information security culture measurement approaches focus on measuring a maturity level, while my research aims to measure the type of ISC present in an organization and whether it consists of secure or nonsecure behaviors. My research is grounded in theory from the field of Industrial-Organizational Psychology, particularly the works of Edgar Schein and Geert Hofstede, and aims to apply such concepts in the context of information security. 

My first paper concludes by outlining my future research plans to establish a multi-method approach to measuring information security culture. The approach will aim to measure the three levels of ISC: artifacts, espoused beliefs & values, and underlying assumptions. Artifacts are things that can be observed (seen, heard, felt, etc.) and that represent a group; espoused beliefs & values are conscious and explicitly articulated normative or moral functions that guide a group; and underlying assumptions are the unconscious beliefs & values, perceptions, thoughts, and feelings of individuals within an organization. For the first part of my research, I am primarily focused on measuring the underlying assumptions individuals have about an organization, because they form the foundation of a culture and are the most complex level to evaluate.

My research proposes the use of a situational judgment test (SJT) to measure the underlying assumptions of individuals within an organization regarding information security. SJTs are commonly used when making employment decisions such as hiring and promotions. They present the participant with various work-related situations and potential response options. My second paper, "Leveraging Situational Judgment Tests to Measure Behavioral Information Security", which will be included in the proceedings of the 57th Hawaii International Conference on System Science in January 2024, discusses the various ways in which SJTs can be customized to measure different concepts and how behavioral information security research may benefit from their use in general.

The purpose of using a situational judgment test instead of the Likert scales commonly used in prior ISC research is to increase participant engagement, improve enjoyment of completing the survey, gather more in-depth information about individual behavioral tendencies, and measure multiple dimensions/types of ISC within each question.

The data collection portion of my research on situational judgment tests and information security culture is in its beginning phase, with the goal of conducting a pilot study in the spring of 2024. The initial data collection will aim to gather qualitative data on the engagement and enjoyment of the SJT format and on the validity of the SJT items for measuring underlying assumptions in relation to information security culture within organizations. I have also begun considering how artificial intelligence, such as OpenAI's ChatGPT, could be used to further enhance the measurement approach and its wide-scale adoption.

Link to published work.