Information Security Culture: A General Living Systems Theory Perspective

Rayne Reid, School of ICT, Nelson Mandela Metropolitan University, Port Elizabeth, South Africa, s208045820@live.nmmu.ac.za
Johan Van Niekerk, School of ICT, Nelson Mandela Metropolitan University, Port Elizabeth, South Africa, Johan.VanNiekerk@nmmu.ac.za
Karen Renaud, Computing Science, University of Glasgow, Glasgow, Scotland, Karen.Renaud@glasgow.ac.uk

Abstract—Information security culture (ISC) is often acknowledged as being a vital subculture within an organizational culture. As a subculture, its purpose is to fulfil its security purpose, while integrating into, and supporting, the broader organizational culture. However, in contrast, few discussions of ISCs acknowledge that the ISC itself is comprised of subcultures. The research literature's lack of exploration of this nested nature of ISC may be hindering in-depth understanding of the ISC as a system within itself, as well as within the broader organizational culture. This paper will therefore address this by straying from traditional views of ISCs. We will examine an ISC as a self-managing, self-repairing collective of multiple ISCs which meet the organizational culture's security needs. The paper's objective is to show that an ISC can be viewed and understood as a living system.

Keywords-information security culture; general living systems theory; conceptual

I. INTRODUCTION

Many organisations acknowledge that the creation of an acceptably effective information security solution is of vital importance [1]. Information security aims at securing the processes, technology and people involved with the information used in the activities that fulfil the business's corporate objectives. These processes, technology and people form the components of such an information security solution and accordingly have to be managed [2].
Employee actions and behavior are particularly important in an information security solution, as almost all information security solutions rely, to a certain extent, on the humans involved in the security process making the right decisions and acting securely [3]. While technology and processes can be formulated so as to be theoretically secure, the true level of security of such technology and processes relies on the people involved in their use and implementation [4]. The extent to which people use technology securely and comply with the mandated secure processes can drastically affect how truly secure these components are. People can both consciously and unconsciously become a threat to any information security solution [5]. When they become a conscious threat it may be with a specific intent or because of negligence. Alternatively, when they become an unconscious threat it may be for a range of reasons, including a lack of knowledge of security practices, an inability to properly apply their knowledge to their own work role or environmental context, because they have been conned, or due to common negligence. Regrettably, as a result of this it is more likely that a breach that occurs in an information security solution is the fault of humans, and not technology [3]. This threat has become known as the "human factor" in information security.

The establishment of an organizational information security culture (ISC) has been widely accepted as the appropriate counter to this "human factor" threat [4]. The theory supporting this solution is that the creation of a security-conscious corporate culture could potentially lead to employees adopting secure, work-related behavior as a behavioral default [1], [5]. An ISC is often acknowledged as being a subculture of the larger organizational culture [1]. However, it is rarely acknowledged that it can have subcultures of its own.
ISCs are typically presented in the literature as single-level conceptual constructs which are uniformly applicable to all aspects of an organization. However, this representation may be too simplistic to explain the interactions between the interconnected secure business activities and the components of a comprehensive organizational ISC. Therefore it may be advantageous to examine an alternative view of ISC. An ISC could be viewed as a collection of nested systems that display emergent properties and are also self-maintaining and self-repairing. These properties match the primary characteristics of general living systems. This paper will thus examine an ISC to determine whether it may be viewed as a living system. Living systems are open, complex, adaptive, self-organizing living entities that interact with their environment or other systems [6].

A living systems perspective will not simplify how we view ISCs. In fact, it will likely complicate it. However, it is our belief that this alternative view of an ISC will reveal considerations of the culture that previous models have failed to identify. This new perspective may therefore assist in developing a further understanding of the underlying components, operations and impact of an ISC. It may enable us to better understand and predict the overall culture and how the organizational and security cultures interact. This, in turn, may affect our understanding of how good ISCs ought to be nurtured and encouraged.

The paper will begin by briefly discussing the concept of ISC; then it will provide a brief overview of general living systems theory and, finally, it will present the way in which an

The financial assistance of the Vodacom/NMMU and National Research Foundation (NRF) scholarships in this research is hereby acknowledged. Opinions expressed and conclusions arrived at are those of the authors and are not necessarily to be attributed to the sponsors.

978-1-4799-3383-9/14/$31.00 ©2014 IEEE