The information security culture field is a complex research area that does not currently have a standardized term, definition, and measurement process for organizations of various sizes, industries, and locations. While information security culture is still a relatively new field, the field of organizational culture research is more established and can continue to offer theory and methods to improve information security culture development and practice. Organizational culture research has established three levels of culture that will be used to propose an information security culture definition and guide future research plans for creating a multi-method information security culture measurement process. A multi-method approach will aim to overcome the limitations of using a single-method approach by capturing all aspects of an organization’s information security culture. The methods introduced in this paper for future research are a situational judgment test, analysis of beliefs and values through company statements, documents, and processes, and observations by a third party.
The Impact of Workload on Phishing Susceptibility: An Experiment
Phishing is when social engineering is used to deceive a person into sharing sensitive information or downloading...