Designing Information Security Culture Artifacts to Improve Security Behavior: An Evaluation in SMEs

Abstract

This article examines the relationship between the information system security culture and the security behaviors of users of the information system (IS). This research follows the design science in information systems research guidelines proposed by [43] to conceptualize the IS security culture in its context, where we propose a model based on Schein’s three-level culture model (1985) [15], and evaluated at the level of our research context, which is SMEs, through a qualitative study conducted with twenty-two users belonging to eight French small and medium-sized enterprises (SMEs). The results of this study show that there is a strong relationship between IS security culture and user behaviors related to IS security, in the sense that a positive security culture is conducive to the creation of security behaviors.