The Influence of Organizational Culture on Information Security Policy Success

Abstract: It is generally accepted that the protection of the organization’s information assets begins with the creation of information security policies and it is these that serve as a blueprint against which the success of all information security efforts are hinged (Whitman and Mattord, 2009). Key to the success and effectiveness of these policies is human behaviour better still known as the human factor, which is described as the weakest link in information security (Mitnick et al. 2002). This assertion is also confirmed by Schneier (2000) who mentions that information security is only as good as its weakest link, and people are the weakest link in the chain. Every cultural setting (be it in an organization or other societal grouping) has particular values, beliefs and practices that it shares as part of its identity and it is these characteristics that largely influence the behaviours of the members. This assertion is confirmed by Triandis et al. (2002) who state that personality is shaped by both genetic and environmental influences but that the most important of the latter are cultural influences. Maccoby (2000) also tells us that personality emerges under the influence of both genes and environment but Loughling & Barling (2001) argue more emphatically that values, beliefs and attitudes significantly influence our behavior. Schein (2004) in his definition reveal that the collection of values, beliefs, practices and assumptions held by people in an organization, which are usually taken for granted, is what defines the organization’s culture. The objective of this research is to investigate the role that this culture (within organizations i.e. organizational culture) may have on the successful implementation of information security policies. The idea is to explore how organizational cultural characteristics can positively influence human behaviour which will then positively impact on information security policy success. If these particular organizational cultural traits are found to positively influence normative human behaviour and hence the successful implementation of information security policies, they can be adapted and/ or adopted by other organizations as part of their organization’s culture to increase their rate of success with security policy implementation. It is our belief that an approach to security policy implementation that is attended to from the organizational culture perspective (other than just security awareness or the use of security technology ) has a higher rate of success because the culture of the organization, like the information security policy is founded on the mission/vision of organization. We will carry out this research by exploring the organizational culture of UNICEF Ghana against the backdrop that they have been successful with the implementation information security policies.