{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T05:24:07Z","timestamp":1775280247658,"version":"3.50.1"},"reference-count":39,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2016,6,13]],"date-time":"2016-06-13T00:00:00Z","timestamp":1465776000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2016,6,13]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-12-2015-0048","type":"journal-article","created":{"date-parts":[[2016,6,20]],"date-time":"2016-06-20T04:51:07Z","timestamp":1466398267000},"page":"139-151","source":"Crossref","is-referenced-by-count":52,"title":["Comparing the information security culture of employees who had read the information security policy and those who had not"],"prefix":"10.1108","volume":"24","author":[{"given":"Ad\u00e9le","family":"Da Veiga","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"issue":"2013","key":"key2020121521102395700_ref001","first-page":"1093","article-title":"Improving information security behaviour in the healthcare context","volume":"9","year":"2013","journal-title":"Procedia Technology"},{"key":"key2020121521102395700_ref002","volume-title":"Organizational Research Methods","year":"2002"},{"key":"key2020121521102395700_ref003","volume-title":"Social Research Methods","year":"2008","edition":"4th ed."},{"issue":"3","key":"key2020121521102395700_ref004","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Q"},{"key":"key2020121521102395700_ref005","first-page":"49","article-title":"Information security culture: a comparative analysis of four assessments","year":"2014"},{"issue":"2015","key":"key2020121521102395700_ref006","first-page":"162","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","year":"2015","journal-title":"Computers and Security"},{"key":"key2020121521102395700_ref007","article-title":"Models for interpretive information systems research, part 1: is research, action research, grounded theory \u2013 a meta \u2013 study and examples","volume-title":"Research Methodologies, Innovations and Philosophies in Software Systems Engineering and Information Systems","year":"2012"},{"key":"key2020121521102395700_ref008","volume-title":"Essentials of Marketing Research","year":"1993"},{"issue":"4","key":"key2020121521102395700_ref009","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1108\/09685221211267666","article-title":"Health service employees and information security policies: an uneasy partnership?","volume":"20","year":"2012","journal-title":"Information Management & Computer Security"},{"key":"key2020121521102395700_ref010","volume-title":"Organizational behavior","year":"1998","edition":"8th edn."},{"issue":"2009","key":"key2020121521102395700_ref011","first-page":"106","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"key":"key2020121521102395700_ref012","volume-title":"Culture\u2019s Consequences: International Differences in Work-related Values","year":"1980"},{"issue":"2011","key":"key2020121521102395700_ref013","first-page":"83","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behaviour and the protection motivation theory","volume":"31","year":"2014","journal-title":"Computers & Security"},{"key":"key2020121521102395700_ref014","unstructured":"Information Security Breaches Survey (ISBS) (2015), \u201cPricewaterhouseCoopers\u201d, available at: www.pwc.co.uk\/assets\/pdf\/2015-isbs-executive-summary-02.pdf (accessed 4 December 2015)."},{"key":"key2020121521102395700_ref015","volume-title":"Information Security Culture \u2013 A Preliminary Investigation","author":"Information Security Forum (ISF)","year":"2000"},{"key":"key2020121521102395700_ref016","volume-title":"Information Technology \u2013 Security Techniques \u2013 Code of Practice for Information Security Management","author":"ISO\/IEC 27002","year":"2013"},{"issue":"2000","key":"key2020121521102395700_ref017","first-page":"349","article-title":"Management ethics and corporate policy: a cross cultural comparison","volume":"37","year":"2000","journal-title":"Journal Management Studies"},{"key":"key2020121521102395700_ref018","unstructured":"King Code of Governance for South Africa (King III) (2009), \u201cInstitute of directors Southern Africa\u201d, available at: www.iodsa.co.za\/?kingIII (accessed 9 October 2014)."},{"issue":"2009","key":"key2020121521102395700_ref019","first-page":"493","article-title":"Information security policy: an organizational-level process model","volume":"28","year":"2009","journal-title":"Computers & Security"},{"key":"key2020121521102395700_ref020","volume-title":"Organizational Surveys","year":"1996"},{"issue":"1970","key":"key2020121521102395700_ref021","first-page":"607","article-title":"Determining sample size for research activities","volume":"30","year":"1970","journal-title":"Educational and Psychological Measurement"},{"issue":"8","key":"key2020121521102395700_ref022","doi-asserted-by":"crossref","first-page":"685","DOI":"10.1016\/S0167-4048(03)00007-5","article-title":"Improving user security behavior","volume":"22","year":"2003","journal-title":"Computers & Security"},{"key":"key2020121521102395700_ref023","first-page":"606","article-title":"Organisational culture","volume-title":"Organisational Behaviour","year":"2016","edition":"3rd ed."},{"key":"key2020121521102395700_ref024","unstructured":"National Institute of Standards and Technology (NIST) (2010), \u201cNIST special publication 800-37: guide for applying the risk management framework to federal information systems\u201d, available at: www.nist.gov\/manuscript-publication-search.cfm?pub_id=916094 (accessed 4 December 2015)."},{"issue":"2012","key":"key2020121521102395700_ref025","first-page":"673","article-title":"Taxonomy of compliant information security behavior","volume":"31","year":"2012","journal-title":"Computers & Security"},{"key":"key2020121521102395700_ref026","article-title":"Employees\u2019 behaviour towards IS security policy compliance","year":"2007"},{"issue":"2014","key":"key2020121521102395700_ref027","first-page":"165","article-title":"Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers & Security"},{"key":"key2020121521102395700_ref028","unstructured":"Ponemone Institute (2015), \u201cGlobal cyber impact report\u201d, available at: www.aon.com\/risk-services\/thought-leadership\/2015-global-cyber-impact-report.jsp (accessed 22 September 2015)."},{"key":"key2020121521102395700_ref029","unstructured":"PricewaterhouseCoopers (PwC) (2014), \u201cThe global state of information security survey\u201d, available at: www.pwc.com\/gx\/en\/consulting-services\/information-security-survey\/download.jhtml (accessed 10 December 2014)."},{"key":"key2020121521102395700_ref030","unstructured":"Protiviti (2014), \u201cIT security and privacy survey\u201d, available at: www.protiviti.com\/itsecuritysurvey, (accessed 11 December 2014)."},{"key":"key2020121521102395700_ref031","volume-title":"Research Methods for Business Students","year":"2009","edition":"5th ed."},{"key":"key2020121521102395700_ref032","first-page":"436","article-title":"An identification of variables influencing the establishment of information security culture","year":"2015"},{"issue":"201","key":"key2020121521102395700_ref033","first-page":"217","article-title":"Employees\u2019 adherence to information security policies: an exploratory field study","volume":"51","year":"2014","journal-title":"Information & Management"},{"key":"key2020121521102395700_ref034","volume-title":"IBM Software Group, ATTN: Licensing, 200 W","author":"SPSS version 22","year":"2013"},{"key":"key2020121521102395700_ref035","unstructured":"Survey Tracker (2014), Training Technologies Inc., available at: www.surveytracker.com\/ (accessed 7 June 2014)."},{"key":"key2020121521102395700_ref036","volume-title":"Information Security Forum","author":"The standard of good practice for information security (SOGP)","year":"2007"},{"issue":"10","key":"key2020121521102395700_ref037","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1016\/S1361-3723(06)70430-4","article-title":"Cultivating an organisational information security culture","volume":"2006","year":"2006","journal-title":"Computer Fraud and Security"},{"issue":"2004","key":"key2020121521102395700_ref038","first-page":"275","article-title":"From policies to culture","volume":"23","year":"2004","journal-title":"Computers & Security"},{"key":"key2020121521102395700_ref039","volume-title":"Management of Information Security","year":"2014","edition":"4th edn."}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-12-2015-0048","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2015-0048\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2015-0048\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:25Z","timestamp":1753406605000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/24\/2\/139-151\/112149"}},"subtitle":["Illustrated through an empirical study"],"short-title":[],"issued":{"date-parts":[[2016,6,13]]},"references-count":39,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2016,6,13]]}},"alternative-id":["10.1108\/ICS-12-2015-0048"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2015-0048","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2016,6,13]]}}}