Proceedings of the Fifth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2011)

Combating Information Security Apathy by Encouraging Prosocial Organisational Behaviour

K. Thomson and J. van Niekerk

Center for Information Security Studies
Nelson Mandela Metropolitan University, South Africa
e-mail: {kerry-lynn.thomson|johan.vanniekerk}@nmmu.ac.za

Abstract

The protection of organisational information assets is a human problem. It is widely acknowledged that an organisation’s employees are the weakest link in the protection of the organisation’s information assets. Most current approaches towards addressing this human problem focus on awareness and educational activities and do not necessarily view the problem from a holistic viewpoint. Combating employee apathy and motivating employees to see information security as their problem is often not adequately addressed by “isolated” awareness activities. This paper examines the motivation of employees to actively contribute towards information security from an organisational science perspective through prosocial organisational behaviour.

Keywords

Information security, prosocial organisational behaviour, goal-setting theory, information security corporate culture

1. Introduction

It is commonly acknowledged that employees are often the weakest link when it comes to protecting information assets. Very often this is due to the apathetic behaviour of employees which leads to a diffusion of responsibility on the part of employees. In other words, each employee believes that information security is not their responsibility (Kabay, 2002). It is, therefore, important that a corporate culture of information security be cultivated to ensure that employees’ behaviour reflects the information security goals of management, and that miscommunication of goals is avoided.

Miscommunication is a common factor in everyday life and becomes even more complex in organisations.
Miscommunication could occur between employees, but more importantly, between management and its employees. Even though establishing a corporate culture will not eliminate miscommunication completely, it does reduce the possibility that the members of an organisation will misunderstand one another. Corporate culture enables this in two ways. Firstly, there is no need to communicate things about which shared beliefs and values exist. Secondly, shared beliefs and