Organisational culture and deterrence in a university information security environment

Abstract

Information security has become a growing concern for many organisations as well as for individuals and societies. Universities create, process, handle and store large quantities of confidential information daily which should always be secured. There are laws that govern how institutions should treat and protect confidential information from unauthorized access. Information security experts indicate that the highest percentage of information security incidents and breaches are due to human behaviour and internal attacks. This has caused a growing concern that calls for organisations to direct more focus on information security human behaviour within their environments. There is inadequate literature addressing how deterrence and organisational culture influence information security behaviour. To this point, this research report is about the influence and the role of organisational culture and deterrence in a university information security environment. The study analysed the role that organisational culture and deterrence play in information security through the lenses of Deterrence theory and Organisational Culture theory. A case study research strategy following an interpretivism philosophy was used to gain knowledge and understanding on how aspects such as organisational norms and values as well as techniques used for consequence management affect the handling and securing of information in a university setting. Although the study context is a university environment, students were excluded from the study since the focus is on organisational culture and deterrence. A total of nine Information Technology (IT) personnel together with information security experts, functional managers and end-users who have a key role in information security in a university information security environment were interviewed using semi-structured interviews. The study found that organisational culture and deterrence may play a huge role in influencing behaviour in an information security environment. The significance of this study is in showing the value and importance of organisational culture and deterrence in university information security.