An analysis on the dimensions of information security culture concept: A review

Abstract The cultivation of positive Information Security Culture (ISC) is an effective way to promote security behavior and practices among employees in the organization. However, there is yet a consensus on a standard set of dimensions for the ISC concept. ISC has been associated with many facets, with some overlapping dimensions found in the literature. There is little explanation, if any, as to why this happens or to what extent do variances of dimensions affects ISC concept and findings. This paper presents an analysis of the different dimensions in conceptualizing the ISC. Eight major databases including Web of Science, Scopus and Google Scholar were systematically exhausted using PRISMA and a total of 79 studies from 2000 to 2017 was selected for analysis. While different approaches such as adopted theories affect the dimensions of ISC, our analysis also covered other contributing factors such as the objective of the study, type of organization under study and the information security maturity level. In addition, we found no evidence of a set of widely accepted concepts and dimensions for ISC. This review provides substantial evidence on the numerous dimensions used in ISC and could be utilized by academicians as a reference in ISC-related studies.

• Publication year

  2019

• Venue

  Journal of Information Security and Applications

• Publication date

  2019-02-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1016/J.JISA.2018.11.003
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Organisational culture, procedural countermeasures, and employee security behaviour: A qualitative study

  2017cited by this paper
• Human Factors in Information Security Culture: A Literature Review

  2017cited by this paper
• Information Security Policy Compliance Behavior Based on Comprehensive Dimensions of Information Security Culture: A Conceptual Framework

  2017cited by this paper
• INFORMATION SECURITY CULTURE FOR MALAYSIAN PUBLIC ORGANIZATION: A CONCEPTUAL FRAMEWORK

  2017cited by this paper
• Defining and identifying dominant information security cultures and subcultures

  2017cited by this paper
• Assessing information security culture: The case of Malaysia public organization

  2017cited by this paper
• A systematic literature review: Information security culture

  2017cited by this paper
• European Conference on Information Systems ( ECIS ) 2007 Fostering Information Security Culture in Small and Medium Size Enterprises : An Interpretive Study in Australia

  2017cited by this paper
• Information Security Culture in Public Hospitals: The Case of Hawassa Referral Hospital

  2016cited by this paper
• Information security culture in healthcare informatics: A preliminary investigation

  2016cited by this paper
• Security by Compliance? A Study of Insider Threat Implications for Nigerian Banks

  2016cited by this paper
• Gestión de seguridad de la información: revisión bibliográfica

  2016cited by this paper
• Interpreting information security culture: An organizational transformation case study

  2016cited by this paper
• Impacts of Comprehensive Information Security Programs on Information Security Culture

  2015cited by this paper
• Information Security Culture Critical Success Factors

  2015cited by this paper
• Improving the information security culture through monitoring and implementation actions illustrated through a case study

  2015cited by this paper
• Organisational Security Culture and Information Security Compliance for E-Government Development: The Moderating Effect of Social Pressure

  2015cited by this paper
• Design and validation of information security culture framework

  2015cited by this paper
• Information security culture - state-of-the-art review between 2000 and 2013

  2015cited by this paper
• An Identification of Variables Influencing the Establishment of Information Security Culture

  2015cited by this paper
• An Information Security Training and Awareness Approach (ISTAAP) to Instil an Information Security-Positive Culture

  2015cited by this paper
• Factors affecting recruitment into depression trials: Systematic review, meta-synthesis and conceptual framework.

  2015cited by this paper
• Information Security Culture: Definition, Frameworks and Assessment : A Systematic Literature Review

  2015cited by this paper
• The Influence of Organizational Information Security Culture on Information Security Decision Making

  2015cited by this paper
• Cultivating and Assessing an Organizational Information Security Culture; an Empirical Study

  2015cited by this paper
• Information security culture and information protection culture: A validated assessment instrument

  2015cited by this paper
• Beyond the Black Box: A Systematic Review of Breast, Prostate, Colorectal, and Cervical Screening Among Native and Immigrant African-Descent Caribbean Populations

  2015cited by this paper
• FACTORIAL INVARIANCE OF AN INFORMATION SECURITY CULTURE ASSESSMENT INSTRUMENT FOR MULTINATIONAL ORGANISATIONS WITH OPERATIONS ACROSS DATA PROTECTION JURISDICTIONS

  2015cited by this paper
• A Conceptual Model for Cultivating an Information Security Culture

  2015cited by this paper
• From information security to cyber security cultures

  2014cited by this paper
• A Conceptual Model to Understand Information Security Culture

  2014cited by this paper
• Information security culture: A general living systems theory perspective

  2014cited by this paper
• Information security culture: A definition and a literature review

  2014cited by this paper
• Understanding Information Security Culture: A Survey in Small and Medium Sized Enterprises

  2014cited by this paper
• A proposal of an organizational information security culture framework

  2014cited by this paper
• Security culture and the employment relationship as drivers of employees' security compliance

  2014cited by this paper
• Information Security Culture: A Comparative Analysis of Four Assessments

  2014cited by this paper
• The Value of Using a Validated Information Security Culture

  2014cited by this paper
• Variations in Information Security Cultures across Professions: A Qualitative Study

  2013cited by this paper
• Parliamentary control of security information agency in terms of security culture: State and problems

  2013cited by this paper
• Information security culture assessment: Case study

  2013cited by this paper
• Understanding and measuring information security culture in developing countries : case of Saudi Arabia

  2012cited by this paper
• Understanding And Measuring Information Security Culture

  2012cited by this paper
• A Conceptual Model for Investigating Factors Influencing Information Security Culture in Healthcare Environment

  2012cited by this paper
• Information security management : a case study of an information security culture

  2011cited by this paper
• Creating a Culture of Security

  2011cited by this paper
• An Ethnographic Investigation of the Assimilation of New Organizational Members into an Information Security Culture

  2011cited by this paper
• Embedding Information Security Culture Emerging Concerns and Challenges

  2010cited by this paper
• Information security culture: A management perspective

  2010cited by this paper
• A framework and assessment instrument for information security culture

  2010cited by this paper
• Information Security Culture: A Survey

  2010cited by this paper
• Information security culture: A Behaviour Compliance Conceptual Framework

  2010cited by this paper
• Enabling Information Security Culture: Influences and Challenges for Australian SMEs

  2010cited by this paper
• Preferred reporting items for systematic reviews and meta-analyses: the PRISMA Statement

  2009cited by this paper
• An integrated view of human, organizational, and technological challenges of IT security management

  2009cited by this paper
• Cultivating and assessing information security culture

  2009cited by this paper
• Capturing Culture in Medical Information Security Research

  2009cited by this paper
• Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context

  2009cited by this paper
• Exploring the relationship between organizational culture and information security culture

  2009cited by this paper
• The PRISMA Statement for Reporting Systematic Reviews and Meta-Analyses of Studies That Evaluate Health Care Interventions: Explanation and Elaboration

  2009cited by this paper
• Information Security Cultures of Four Professions: A Comparative Study

  2008cited by this paper
• Organisational security culture: Extending the end-user perspective

  2007cited by this paper
• An Information Security Governance Framework

  2007cited by this paper
• Developing information security culture in small and medium size enterprises: Australian case studies

  2007cited by this paper
• Performing systematic literature reviews in software engineering

  2006cited by this paper
• Challenges in fostering an information security culture in Australian small and medium sized enterprises

  2006cited by this paper
• Information Security - The Fourth Wave

  2006cited by this paper
• Information security: management's effect on culture and policy

  2006cited by this paper
• Understanding Information Security Culture: A Conceptual Framework

  2006cited by this paper
• Computer and Information Security Culture: Findings from two Studies

  2005cited by this paper
• Establishing an information security culture in organizations : an outcomes based education approach

  2005cited by this paper
• Security Governance: Its Impact on Security Culture

  2005cited by this paper
• Tool Supported Management of Information Security Culture

  2005cited by this paper
• Information security culture in small and medium sized enterprises: a socio-cultural framework

  2005cited by this paper
• Unite security culture: May a unified security culture be plausible?

  2004cited by this paper
• Analyzing information security culture: increased trust by an appropriate information security culture

  2003cited by this paper
• Information security culture in a value net

  2003cited by this paper
• Development of security policies for private networks

  2003cited by this paper
• Information security culture - from analysis to change

  2003cited by this paper
• Categories and Concepts

  2003cited by this paper
• Assessing Information Security Culture

  2002cited by this paper
• Understanding organisational security culture

  2002cited by this paper
• Information Security Culture

  2002cited by this paper
• Information Security Culture: The Socio-Cultural Dimension in Information Security Management

  2002cited by this paper
• Exploring Organisational Security Culture : Developing a comprehensive research model

  2002cited by this paper
• Book Review

  2001cited by this paper
• Culture′s Consequences: Comparing Values, Behaviors, Institutions and Organizations Across Nations

  2001cited by this paper
• A Framework for Linking Culture and Improvement Initiatives in Organizations

  2000cited by this paper
• A conceptual foundation for organizational information security awareness

  2000cited by this paper
• The nature of safety culture: a review of theory and research

  2000cited by this paper
• The Corporate Culture Survival Guide

  1999cited by this paper
• An Information Model Based on Classification Theory

  1996cited by this paper
• Organizational Culture and Leadership

  1991cited by this paper
• Measuring organizational cultures: A qualitative and quantitative study across twenty cases.

  1990cited by this paper
• Organizational Culture and Leadership: A Dynamic View

  1985cited by this paper
• The Theory of Communicative Action: Reason and the Rationalization of Society

  1984cited by this paper
• Beyond Culture

  1977cited by this paper
• The Silent Language

  1964cited by this paper

• Assessing the Determinants of Behavioural Cybersecurity in Healthcare: A Study of Patient Health Application Users in Saudi Arabia

  2026cites this paper
• Modern Web Application Security in Practice: National-Scale Measurement and Managerial Insights from Türkiye

  2026cites this paper
• Information security culture and phishing-reporting model: structural equivalence across Germany, UK, and USA

  2025cites this paper
• Using Anonymous Discussion Platforms to Support Open Conversations about Cybersecurity in Organisations

  2025influential citation
• Integrating Information Security Culture and Protection Motivation to Enhance Compliance with Information Security Policies in Banking: Evidence from PLS-SEM and fsQCA

  2025influential citation
• The Effect of Organizational Factors on the Mitigation of Information Security Insider Threats

  2025cites this paper
• Enhancing cybersecurity awareness strategies in organization using Delphi technique

  2025cites this paper
• Promoting employees’ information security vigilance by enhancing awareness: the roles of organizational climate and deterrence measures

  2025cites this paper
• Taxonomy-based approach for understanding and enhancing security culture in universities

  2025cites this paper
• An Appraisal in Internal Control Frameworks Implementation of COSO, ISO 27001 and NIST for Opportunities in Industry 5.0

  2025influential citation
• Developing and testing a framework for matching distinct personality types with information security awareness methods

  2025cites this paper
• An Investigation of the Factors That Influence Information Security Culture in Government Organizations in Bhutan

  2024cites this paper
• Factors Influencing Information Security Culture in Organizations Dealing With Economic Crime in Kenya

  2024cites this paper
• Addressing Cybersecurity Challenges in Times of Crisis: Extending the Sociotechnical Systems Perspective

  2024cites this paper
• Influence of Information Culture on Records Management: A Review of Contemporary Literature

  2024cites this paper
• Research on Data Security and Privacy Protection Strategies in Hospital Information Management

  2024cites this paper
• The Role of Information Security Culture in Zero Trust Adoption: Insights From UAE Organizations

  2024influential citation
• Managing Security Evidence in Safety-Critical Organizations

  2024cites this paper
• Physical security culture: The neglected foundation for effective security

  2024cites this paper
• Information Security Management System Assessment Model by Integrating ISO 27002 and 27004

  2024cites this paper
• Information security awareness maturity: conceptual and practical aspects in Hungarian organizations

  2023cites this paper
• Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals

  2023cites this paper
• Defending Taiwan's Democracy in the Internet Commons

  2023cites this paper
• The New Frontier of Cybersecurity: Emerging Threats and Innovations

  2023cites this paper
• Examining the effect of regulatory factors on avoiding online blackmail threats on social media: A structural equation modeling approach

  2023cites this paper
• Analyzing web descriptions of cybersecurity breaches in the healthcare provider sector: A content analytics research method

  2023cites this paper
• The ISO/IEC 27001 Information Security Management Standard: How to Extract Value from Data in the IT Sector

  2023cites this paper
• Real-Time Deployment of MobileNetV3 Model in Edge Computing Devices Using RGB Color Images for Varietal Classification of Chickpea

  2023cites this paper
• Determining cybersecurity culture maturity and deriving verifiable improvement measures

  2023cites this paper
• Corporate Information Security Policies Targeting Ransomw are Attack

  2022cites this paper
• Developing a Risk Analysis Strategy Framework for Impact Assessment in Information Security Management Systems: A Case Study in IT Consulting Industry

  2022cites this paper
• Enterprise risk management and information technology security in the financial sector

  2022cites this paper
• The cybersecurity behavioral research: A tertiary study

  2022cites this paper
• Addressing Human Factors in Cybersecurity Leadership

  2022cites this paper
• SECURITY KNOWLEDGE REQUIRED TO IMPROVE EMPLOYEE SECURITY BEHAVIOR IN INFORMATION SECURITY CULTURE

  2022cites this paper
• Analysis of Insider Threats in the Healthcare Industry: A Text Mining Approach

  2022cites this paper
• Cyber–Information Security Compliance and Violation Behaviour in Organisations: A Systematic Review

  2022cites this paper
• Cyber4Dev Security Culture Model for African Countries

  2022cites this paper
• Information Security Behavior in Health Information Systems: A Review of Research Trends and Antecedent Factors

  2022cites this paper
• Antecedent factors of information security behavior in health care providers: a systematic review

  2022cites this paper
• The Effect of Organizational Information Security Climate on Information Security Policy Compliance: The Mediating Effect of Social Bonding towards Healthcare Nurses

  2021cites this paper
• Ensuring Information Security of The State and Society

  2021cites this paper
• Информационное средство повышения устойчивости сотрудников организации к социоинженерным атакам

  2021cites this paper
• The effect of perceived organizational culture on employees' information security compliance

  2021cites this paper
• A conceptual framework for information-leakage-resilience

  2021cites this paper
• The impact of general data protection regulation on software engineering practices

  2021cites this paper
• Cyber-Security Culture: Psychological and Legal Aspects

  2021cites this paper
• Holistic framework for evaluating and improving information security culture

  2021cites this paper
• Developing a cyber security culture: Current practices and future needs

  2021influential citation
• Information security cultural differences among health care facilities in Indonesia

  2021influential citation
• An Information Tool for Increasing the Resistance of Employees of an Organization to Social Engineering Attacks

  2021cites this paper
• Human factors affecting information security in libraries

  2021cites this paper
• More than the individual: Examining the relationship between culture and Information Security Awareness

  2020cites this paper
• Issues of the Culture of Information Security under the Conditions of the Digital Economy

  2020cites this paper
• Information Security Culture for Guiding Employee’s Security Behaviour: A Pilot Study

  2020cites this paper
• Can humans be patched? A short current state review.

  2020influential citation
• Defining organisational information security culture - Perspectives from academia and industry

  2020cites this paper
• Technical Strategies Database Managers use to Protect Systems from Security Breaches

  2020cites this paper
• The Assessment of Trust in Information Security Using Kansei

  2020cites this paper
• Information Security Culture Model for Malaysian Organizations: A Review

  2020influential citation
• Factors Shaping Information Security Culture in an Internal IT Department

  2020cites this paper
• Scanning the Resilience of an Organization Employees to Social Engineering Attacks Using Machine Learning Technologies

  2020cites this paper
• Development of Self-Regulation Skills in the Study of a New Discipline “ICT and Media Literacy”

  2020cites this paper
• Проблемы культуры информационной безопасности в условиях цифровой экономики

  2020cites this paper
• Factors Affecting Security Behavior of Kenyan Students: An Integration of Protection Motivation Theory and Theory of Planned Behavior

  2019cites this paper
• Resiliency under Strategic Foresight: The effects of Cybersecurity Management and Enterprise Risk Management Alignment

  2019cites this paper
• Conceptualizing and Learning to Foster Cybersecurity Culture: A Conceptualizing and Learning to Foster Cybersecurity Culture: A Literature Review Literature Review

  year unknowncites this paper
• Poster: Experts’ Perceptions on Factors Impacting Cybersecurity Culture in Organizations

  year unknowncites this paper
• Information Security Culture: A Look Ahead at Measurement Methods

  year unknowninfluential citation