Year
2023
Degree Name
Doctor of Philosophy
Department
School of Computing and Information Technology
Abstract
In organisations, the use of technology and its advancing solutions has become more necessary than before to manage operations and services efficiently and competitively. Such advances have exposed organisations to several external and internal risks to their information security. Many organisations have experienced cyber-attacks due to a lack of compliance with information security controls, information security awareness, management support and commitment, and employees’ mistakes. The biggest threats that an organisation could face are employees’ negligence and intentional or unintentional internal violations, which ultimately put the organisation’s information and assets at risk. Indeed, ensuring employees’ compliance with information security controls is a major challenge experienced by the management of information security in organisations. In the last 20 years, most of the literature on information security has been about solutions, and scholars have paid less attention to a few important employee-related factors. In Saudi Arabia, several studies have been conducted in the information security domain; however, none of these studies has endeavoured to investigate employees’ compliance and their differences in terms of information security culture and perceptions of information security controls from different job positions, departments, and regions across the country. In addition, the literature shows a significant gap in prior research, as its findings do not reflect the nature of public organisations and their culture in Saudi Arabia. Public organisations in Saudi Arabia have different administration styles where values, beliefs, and tribal customs play a significant role within those organisations.
Therefore, this research proposes a model to study differences in employees’ perceptions and to identify factors that influence those perceptions and can positively alter their intentions toward complying with information security controls. The model was empirically validated in a large Saudi Arabian government organisation that has over 200 branches in all regions of the country. The results confirm differences in employees’ perceptions toward complying with information security controls across Saudi Arabia’s regions. The results also reveal the significant factors, such as employees’ awareness, skills, knowledge, social power and pressure, and organisational culture, that positively influence employees’ perceptions and intentions toward compliance. In addition, the results confirm the significant effect of monitoring and measurement in enhancing employees’ detection certainty and punishment severity within an organisation. The research identifies employees’ perceptions from all regions of Saudi Arabia, demonstrating the degree of variation between employees’ understanding and culture concerning information security. The research contributes to increasing the body of knowledge related to information security culture by identifying deficiencies and challenges, particularly in developing countries. It provides significant insight into differences in employees’ perceptions and their beliefs toward complying with information security controls in public organisations from different regions of Saudi Arabia. It assists in understanding the prominent factors and challenges experienced in managing information security in the public sector, especially in Saudi Arabia. Moreover, the research contributes toward improving information security compliance within organisations by highlighting several policies that must be considered by organisations’ management and policymakers when developing an information security plan.
Recommended Citation
Al Ghamdi, Sultan Safar, Culture impact on information security controls in Saudi Arabia’s public organisations, Doctor of Philosophy thesis, School of Computing and Information Technology, University of Wollongong, 2023. https://ro.uow.edu.au/theses1/1518
FoR codes (2008)
0806 INFORMATION SYSTEMS, 0899 OTHER INFORMATION AND COMPUTING SCIENCES
Unless otherwise indicated, the views expressed in this thesis are those of the author and do not necessarily represent the views of the University of Wollongong.