A Study of the Awareness of Security and Safety Culture Among Employees Across Organizations
Abstract:
The security and safety culture of an organization requires care and nurturing. When a culture of security and protection is sustainable, it transforms security from a one-off event into a life cycle that generates safety returns indefinitely. In any system, humans are always the weakest link. A culture of security is primarily for humans, not for computers: computers do exactly what we tell them to do. The challenge is with humans, who click on the things they receive by email and believe what someone tells them. Humans need a framework to understand what is right for security. This study investigated the awareness of a safety culture among workers in organizations, using data from secondary sources. The study was evaluated from two points of view. First, it assessed how awareness of a safety culture was established among employees of organizations. Second, it assessed the importance of creating a culture of safety and security among workers in organizations. The study concluded that organizations can create a culture of security and safety awareness through education, building a security community and policies, initiating security boot camps, motivation, and security and safety mindfulness. The study also concluded that security and safety awareness across organizations is important and a key determinant of ensuring the long-term commercial viability of organizations, impenetrable organizational processes, safe operation of organizations' application systems, data protection, protection of organizational functions from top to bottom, increased organizational effectiveness and performance, and building and maintaining a flexible network environment, and hence staying away from information risks.
Keywords: Awareness, Security and Safety, Culture, Organizations.