Editing Computer security (section)

==Information security practices==
Employee behavior can have a big impact on [[information security]] in organizations. Cultural concepts can help different segments of the organization work effectively or work against effectiveness toward information security within an organization. Information security culture is the "...totality of patterns of behavior in an organization that contributes to the protection of information of all kinds."<ref>{{cite conference | last1=Lim | first1=Joo S. | last2=Chang | first2=Shanton | last3=Maynard | first3=Sean | last4=Ahmad | first4=Atif | title=Exploring the Relationship between Organizational Culture and Information Security Culture |book-title=Proceedings of the 7th Australian Information Security Management Conference | date=2009 | publisher=Security Research Institute (SRI), Edith Cowan University |doi=10.4225/75/57B4065130DEF |url=http://ro.ecu.edu.au/ism/12}}</ref>

Andersson and Reimers (2014) found that employees often do not see themselves as part of their organization's information security effort and often take actions that impede organizational changes.<ref>{{cite conference | last1=Reimers | first1=Karl | last2=Andersson | first2=David | conference=ICERI2017 Proceedings | title=Post-secondary Education Network Security: the End User Challenge and Evolving Threats | publisher=IATED | year=2017 | volume=1 | page= | issn=2340-1095 | doi=10.21125/iceri.2017.0554 | pages=1787–1796 | isbn=978-84-697-6957-7 |url=https://library.iated.org/view/REIMERS2017POS| url-access=subscription }}</ref> Indeed, the Verizon Data Breach Investigations Report 2020, which examined 3,950 security breaches, discovered 30% of cybersecurity incidents involved internal actors within a company.<ref>{{cite report|title=Verizon Data Breach Investigations Report 2020 |url=https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf |archive-url=https://web.archive.org/web/20200519161153/https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf |archive-date=2020-05-19 |url-status=live |access-date=2021-09-17 |website=verizon.com}}</ref> Research shows information security culture needs to be improved continuously. In "Information Security Culture from Analysis to Change", authors commented, "It's a never-ending process, a cycle of evaluation and change or maintenance." To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.<ref name="Schlienger, Thomas 2003">{{cite journal | last1 = Schlienger | first1 = Thomas | last2 = Teufel | first2 = Stephanie | year = 2003 | title = Information security culture-from analysis to change | journal = South African Computer Journal | volume = 31 | pages = 46–52 |hdl=10520/EJC27949}}</ref>
* Pre-evaluation: To identify the awareness of information security within employees and to analyze the current security policies.
* Strategic planning: To come up with a better awareness program, clear targets need to be set. Assembling a team of skilled professionals is helpful to achieve it.
* Operative planning: A good security culture can be established based on internal communication, management buy-in, security awareness and a training program.<ref name="Schlienger, Thomas 2003" />
* Implementation: Four stages should be used to implement the information security culture. They are:
:# Commitment of the management
:# Communication with organizational members
:# Courses for all organizational members
:# Commitment of the employees<ref name="Schlienger, Thomas 2003" />
* Post-evaluation: To assess the success of the planning and implementation, and to identify unresolved areas of concern.