International Journal of Computer Networks & Communications (IJCNC)

AIRCC PUBLISHING CORPORATION

IJCNC 05

SECURITY CULTURE, TOP MANAGEMENT, AND TRAINING ON SECURITY EFFECTIVENESS: A CORRELATIONAL STUDY WITHOUT CISSP PARTICIPANTS

Joshua Porche¹ and Shawon Rahman²
¹Information Security System Engineer, Melbourne, Florida, 32940, USA
²Professor, Department of Computer Science and Engineering, University of Hawaii-Hilo, Hilo, Hawaii 96720, USA

ABSTRACT

The purpose of this study was to analyze the relationships between four variables (predictive constructs of top management, awareness and training, security culture, and task interdependence) and an information program’s security effectiveness. The difference between this study and previous research is the exclusion of information technology (IT) security professionals with Certified Information Systems Security Professional (CISSP) certifications. In contrast, participants in previous research were IT professionals with CISSP certifications. The research question asked to what extent there is a statistically significant correlation between each of the four predictive constructs and security effectiveness. This study made the same correlational determination between the independent variables and the dependent variable construct using a study population of 155 Information Systems Audit and Control Association (ISACA) members. This study used structural equation modeling (SEM) techniques to analyze relationships. The same previously used instruments were reused to reassess these particular participants. The results of SEM revealed that there was a significant relationship between security culture and security effectiveness. Similarly, significant relationships were found between top management, awareness and training, security culture, and security effectiveness, which repeated similar findings from previous research. A post hoc test was conducted using path analysis to reaffirm the direct causal relationship between security culture and security effectiveness that was also previously researched with similar results. The results demonstrated that security culture is a significant influence regardless of the participants’ perception of a security professional with or without CISSP certification.
The implications of this can greatly affect reorganizational structure changes focused on developing security culture as an investment and a much-targeted construct focused on by future researchers. This could result in human departments or functional managers realigning staff positions to concentrate on spreading security culture among fellow employees who affect cybersecurity either directly or indirectly in the workplace.

KEYWORDS

Security Effectiveness, Security Culture, Security Awareness, Security Training, Security Management, Task Interdependence

1. INTRODUCTION

The present work investigates the key principles needed to address security management’s inability to thwart costly security breaches in organizations. This study examines the extent to which task interdependence (TI), top management support (TM), awareness and training support (AW), and security culture (SC) are positively associated with information security program effectiveness (EF) without participants with Certified Information Systems Security Professional

Table 1. Descriptive Statistics for Mean and Standard Deviation for the 26 Survey Questions

This entry was posted on April 11, 2023.