Abstract | Već duži niz godina istraživanja iz domene informacijske sigurnosti ističu kako su upravo informacije ključni resurs svake organizacije koje je, sukladno tome, potrebno primjereno štititi. Međutim, ono što se promijenilo u odnosu na prije dvadesetak godina je činjenica da zaštita informacija temeljena na samo tehničkim mjerama zaštite više nije dovoljna, a informacijska sigurnost više ne predstavlja tehnički nego upravljački problem. Novija istraživanja pokazuju kako je za primjereno upravljanje informacijskom sigurnošću potrebno, uz davno prepoznate tehničke mjere, uzeti u obzir i ne-tehničke mjere s posebnim naglaskom na ljudski čimbenik. Međutim, iako su ljudi u literaturi prepoznati kao kritične prijetnje u zaštiti informacijske imovine, oni ujedno mogu postati i rješenje problema. Mjerama kao što su, između ostalog, definiranje sigurnosnih politika i procedura ili održavanje radionica podizanja svijesti o informacijskoj sigurnosti uspostavlja se dobra kultura informacijske sigurnosti koja može značajno doprinijeti zaštiti informacijske imovine na način da ljude, kao prepoznati problem informacijske sigurnosti, pretvori u rješenje tog problema. Način za postizanje toga je uspostava primjerene kulture informacijske sigurnosti kao načina zaštite informacija što dovodi do potrebe identifikacije elemenata koji doprinose uspostavi kulture informacijske sigurnosti. Glavni doprinosi istraživanja opisanog u ovoj disertaciji su sistematizacija znanja iz područja kulture informacijske sigurnosti, identifikacija ključnih čimbenika koji čine kulturu informacijske sigurnosti, razvijen i validiran mjerni instrument za procjenu kulture informacijske sigurnosti temeljen na dosadašnjim istraživanjima i provedenom empirijskom istraživanju te u konačnici, razvijen i validiran okvir za procjenu i unapređenje kulture informacijske sigurnosti koji kulturu informacijske sigurnosti ne promatra u samo jednom aspektu (primjerice ponašanje zaposlenika) već u obzir uzima njenu organizacijsku, sociološku i tehničku komponentu. Validacija mjernog instrumenta i radnog okvira za procjenu i unapređenje kulture informacijske sigurnosti provedena je putem provjere pouzdanosti te sadržajne i konstruktne valjanosti teorijskih koncepata pomoću znanstvenih metoda (evaluacija eksperata, metoda sortiranja karata, faktorska analiza) i pokazatelja (Fleiss Kappa, omjer pogodaka, omjer sadržajne valjanosti, Cronbachov alfa i dr.). |
Abstract (english) | For many years, information security researchers have identified information as the key resource of any organization that needs to be adequately protected. However, what has changed in the past twenty years is the fact that information protection based on purely technical measures is no longer sufficient, since information security is no longer technical but managerial problem. Recent research shows that, with well-known technical measures, for an appropriate information security management it is necessary to take into account non-technical measures also, with a special emphasis on the human factor. However, although literature recognize people as the weakest link in the security chain, they can also become a solution of the problem. A good way to achieve this is to establish an appropriate information security culture as a way of protecting information, which leads to the need of identifying elements that contribute to the establishment of an information security culture in organization. The research described in this thesis contained several phases based on the use of qualitative and quantitative scientific methods. The first phase referred to the identification of key factors of information security culture in the organizational context, the second phase consisted of activities for conceptual framework development, the third phase was about the development and testing of a measuring instrument, and the final, fourth phase referred to the analysis of empirical research data as well as correlation analysis of information security culture and information security measures implementation in the organization. During the first phase, key factors of information security culture in the organizational context were identified by using scientific methods of review, analysis and synthesis of available relevant research in the field of information security culture. During the second phase, an information security culture evaluation and improvement conceptual framework, in form of defined categories and components of each category based on the results of the first phase of research, was developed. The most extensive, third phase, consisted of the development and testing of a measuring instrument which was in the form of a survey questionnaire. The creation of the questionnaire particles was based on a literature search in the information security culture field, after which the particles used so far were used to describe and measure the identified factors influencing the information security culture. In other words, particle creation was based on the results obtained in the first phase of the research. In this section, a convenient (available) sample of 12 experts was contacted to participate in the validation of the content and construct validity of extracted particles. In the context of this research, the term “experts” means certified professionals in the field of information security or information systems auditing. Content validation included the calculation of the Content Validity Ratio (CVR) and the Averaged value of relative importance. The next steps included the measurement scale development and measurement instrument testing. In this part of the research, the Q-sort (card sorting) method was used and it was based on the experts’ involvement in particle assessment, where experts were to classify particles into separate categories with respect to similarities and differences among particles. If the experts consistently classified the particles into appropriate constructs, it was considered that the convergent validity of a certain construct was achieved, as well as the discriminant validity in relation to other constructs. For those particles for which experts did not reach consensus, they were excluded from further analysis. Two measurement methods were used to assess the reliability of the sorting procedure: the Fleiss Kappa coefficient, as a measure of agreement between more than two experts, and the Hit Ratio, as an indicator of how many variables were placed in the target group by experts. Scales that have a high percentage of “correct” classifications can be said to have a high degree of construct validity and a high potential for good reliability. All the measuring instrument particles were measured using a five-degree Likert-type semantic ordinal scale. In order to determine the relevance of the measuring instrument, it contained several questions about objective indicators of the implemented information security measures in the organization (for example, occurrences of incidents or awareness campaigns via e-mails alerting employees to various security threats). For the purpose of measuring instrument validation in terms of internal consistency and conceptual framework validation, it was planned to form a sample of organizations that make operators of essential services in the context of critical national infrastructure in the Republic of Croatia. Then, after the sample would be formed, the survey questionnaire would be sent to employees of these organizations, who are users of the information system. However, due to the impossibility of determining the entire population of the operators of essential services, from which a random sample was to be formed, due to the sensitivity of information about which organizations they are, the author of this study was forced to use the non-probabilistic Snowball method to determine participants in the empirical part of this study. For this reason, as a basis for determining the required minimum sample size or number of subjects, a literaturesupported measure of at least three times more subjects than there are particles in the measuring instrument, was taken. The empirical research was conducted on the basis of voluntary and anonymous participation without collecting any personal data. The final, fourth phase included the analysis of the collected data after the conducted empirical research as well as the analysis of the correlation between information security culture and implemented information security measures in the organization. At the very beginning, a descriptive statistical analysis was used, which goal was to examine summary descriptions of the distributions of quantitative variables and to validate the instrument in terms of reliability of the obtained data. To assess the reliability of the measuring instrument, the Cronbach's α (alpha) coefficient was used, as a measure of internal consistency, which determines the extent to which research results can be repeated over time or through different groups of subjects. In order to further verify the validity and reliability of the measuring instrument, an exploratory factor analysis was performed on the data obtained by empirical research, which reduced the total number of factors to 8 factors distributed within 3 higher-level categories. It is important to emphasize that the information security culture evaluation and improvement framework is based on a validated measuring instrument and shares its structure. This means that the measuring instrument consists of manifest variables (particles) that describe the first-level latent variables (factors) and the second-level latent variables (categories) that are described by these factors. The mentioned factors and categories from the measuring instrument are integral parts of the information security culture evaluation and improvement framework, which in its initial structure consisted of 13 factors divided into 3 higher-level categories (organizational measures, sociological factors and technical measures). Based on the question of objective indicators of implemented information security measures in the organization, which were the part of the measuring instrument, correlation analysis was used to verify and prove the positive relatively weak correlation between information security culture and implemented information security measures. Thus, in addition to the validation of the measuring instrument as the basis for the framework development, the information security culture evaluation and improvement framework was successfully validated. Finally, after theoretical and empirical validation of the measuring instrument and framework, first through the expert opinion method, and then by factor analysis, the final structure of the measuring instrument and the information security culture evaluation and improvement framework was obtained. It consisted of 3 second-level latent variables (categories), 8 first-level latent variables (factors) and 46 manifest variables (particles) that directly measure first-level latent variables. One of the main identified research limitations is the inability to create a representative sample of organizations that are the operators of essential services as well as employees or participants in the research due to the inability to determine the size of the entire population. The organizations that are operators of essential services have been selected for the proposed framework and measurement instrument validation because they are increasingly the targets of various forms of information security incidents and are an important element in terms of national critical infrastructure. Additional recognized limitations are the limited ability to generalize results due to the use of non-probabilistic sampling method, relatively small number of experts who participated in the content and construct validation of the measuring instrument, poor motivation of potential participants and inevitable possible subjectivity during the relevant literature review. This thesis is divided into 7 chapters, where the first chapter, which is the introductory part, briefly elaborates the importance of the research topic from which the 3 research goals to be achieved by this research arose, as well as the formulation of 2 hypotheses that this research seeks to confirm or discard. The second chapter provides a general view of information security, its evolution through history and the basic components that make information security. The third chapter deals with an extensive topic of information security management in which the emphasis is on information security as corporate governance part as well as managementlevel, and no longer only the technical-level problem. Also, this chapter emphasizes the need for a holistic approach to information security management. This chapter also addresses the challenges of information security as well as the elements of information security management and provides a brief overview of relevant laws and norms in the field of information security with emphasis on the importance of the so-called critical national infrastructure. The fourth chapter provides a detailed overview of information security culture, from the definition of the term, through its importance and relationship with organizational culture to documenting the acquired knowledge about key factors and existing models and frameworks of information security culture from relevant literature. The fifth chapter is reserved for the research methodology, which describes step by step the scientific methods and indicators that will be used in meeting the set research goals. The sixth chapter extensively presents the results of the research obtained through the methodology described in the previous chapter, while the seventh, last chapter, summarizes the research results in the context of research goals and hypotheses, underlining the contributions and limitations of this research. |