Exploring the organisational, social and cultural factors influencing those employee attitudes and behaviours that impact the implementation of an information security culture within Omani organisations

Student thesis: Doctoral Thesis

Abstract

Research has strongly established that the success of an information security program is heavily dependent upon the actions of the members of organisations that interact with the information security program. An appropriate information security culture is required to effectively influence and control the actions of the members within an organisation because of this interaction between people and the information security program.This thesis seeks to explore and study the current state of information security behaviour and discipline in public and private organisations in the context of Oman and investigates the challenges in developing an information security culture within these organisations. The key focus of the study is on an investigation and identification of the critical socio-cultural and organisational factors that affect the successful development and maintenance of a culture of information security within public organisations in the context of Oman. The study also aims to examine the difference between public andprivate organisations in Oman regarding information security practices.Although many organisations in Oman have implemented technical solutions to protect information resources from adverse events, internal security breaches continue to occur.For this reason an emphasis on a culture of information security within organisations is required in order to make security an integral part of employees' daily work routines.Although, it is important in practice to address both technical and non-technical aspects when dealing with information security, the research described in this thesis concentrates upon non-technical approaches, and excludes consideration of the technological aspects.To achieve the study aim, the research reviewed and compared the roles of national culture; information security culture; organisational culture and employee behaviour within organisations, in order to determine the socio-cultural and organisational factors that potentially hinder an organisation in implementing, integrating, and maintaining a successful organisational information security culture. A review of related academic work was undertaken. In addition, the research used both quantitative and qualitative research methods to collect, analyse and integrate data from a survey questionnaire of 155 respondents semi-randomly selected from different Omani public and private organisations. The survey results formed the basis of hypotheses about the critical factors in developing effective information security practices in these organisations.The IBM Statistical Package for the Social Sciences (SPSS version 22) with multiple regression was used to analyse the relationship between a dependent variable and several independent variables. To validate the identified critical factors further, thematic analysis was carried out using semi-structured open-ended interviews with specialist Information Technology (IT) and Information Security (IS) senior managers in fifteen selected public and private organisations.The data analysis indicates that security of information in Omani public organisations is not optimal. The findings show in general that these organisations have inadequate information security cultures. These organisations are facing several challenges. These include the remoteness of those in power from the issue and therefore a lack of senior management support and involvement. There is a lack of training and awareness. There is an absence of policies to develop a respect for collectivism, avoiding uncertainty and building a high level of trust, which would all help to support security of information.The current study contributes in a number of ways to discussions and actions around these issues. Firstly, the findings can serve as a basis for Omani public organisations to reform their information security programs. The study identifies an
Date of Award19 Jun 2019
Original languageEnglish
Awarding Institution
  • University Of Strathclyde
SupervisorGeorge Weir (Supervisor) & John N. Wilson (Supervisor)

Cite this