INFORMATION SECURITY CULTURE FOR MALAYSIAN PUBLIC ORGANIZATION: A CONCEPTUAL FRAMEWORK

Mohamad Noorman Masrek1*, Qamarul Nazrin Harun2 and Muhammad Khairulnizan Zaini3

1Assoc. Prof. Dr., Faculty of Information Management, Universiti Teknologi MARA, Shah Alam Selangor, MALAYSIA, mnoormanm@gmail.com
2Faculty of Information Management, Universiti Teknologi MARA, Shah Alam Selangor, MALAYSIA, qamarulnaz@gmail.com
3Faculty of Information Management, Universiti Teknologi MARA, Shah Alam Selangor, MALAYSIA, nizam0374@salam.uitm.edu.my
*Corresponding Author

Abstract
Information security has traditionally been technology oriented. A survey of the literature shows that research on the technical aspects and formal control of information security is abundant, but the social aspects, including employee information security culture, have rarely been emphasized. Standards such as GAISP, ISO27002 (previously known as ISO/BS 17799), SSECMM and Standard of Good Practices have mainly emphasized technical aspects, with little attention given to the culture and management of employee information security practices. Given that employees, as IT users, might be a considerable threat to the security level as well as an essential resource for preventing incidents, non-technological aspects of information security should be considered in addition to technological aspects. To this effect, developing an information security culture (ISC) is crucial to protect the organization from possible information security threats and breaches. ISC can be defined as “information security perceptions, attitudes and assumptions those are accepted and encouraged in an organization – thus the way in which things are done in an organization to protect information assets”. Studies have shown that, when ISC is not in place, employees of the organization will engage in activities that endanger the wellbeing of the organization, such as accessing and disclosing confidential information, exploiting information resources for personal gain, etc. Against this background, an ISC framework for Malaysian Public Sector organizations is proposed. The framework consists of six dimensions, namely management support, policy and procedures, compliance, awareness, budget and technology. Each of these dimensions is further divided into sub-dimensions.
The developed framework will be empirically validated and tested using a qualitative and qualitative approach, with focus group interview and questionnaire as the data collection techniques.

Keywords: information security culture, information security breaches, conceptual framework


CITATION: Abstracts & Proceedings of INTCESS 2017 - 4th International Conference on Education and Social Sciences, 6-8 February 2017 - Istanbul, Turkey

ISBN: 978-605-64453-9-2