ABSTRACT
Culture is an overused and oft-abused word, but it is an aspect of any organisation that has a significant bearing on the way that it operates. Information security is in many ways a young subject, and other disciplines have made greater progress in the study of the effects of culture on business or industrial operations. Nevertheless, since information security is primarily about the behaviour of employees, understanding and influencing the culture in which they operate is paramount. Large organisations contain many formal rules, regulations, policies, standards and working practices. Most organisations work on the basis of informal rules and loosely based social alliances. Conformity tends to be driven by forces internal to a person, such as wanting to be part of a group. The ultimate element of conformity is that the behaviours it engenders are almost subconscious.
