Volume 15, Number 2

Security Culture, Top Management, and Training on Security Effectiveness: A Correlational Study Without CISSP Participants


Joshua Porche¹ and Shawon Rahman², ¹Information Security System Engineer, USA, ²University of Hawaii-Hilo, Hilo, USA


The purpose of this study was to analyze the relationships between four variables (predictive constructs of top management, awareness and training, security culture, and task interdependence) and an information program's security effectiveness. The difference between this study and previous research is the exclusion of information technology (IT) security professionals with Certified Information Systems Security Professional (CISSP) certifications. In contrast, participants in previous research were IT professionals with CISSP certifications. The research question asked to what extent there is a statistically significant correlation between each of the four predictive constructs and security effectiveness. This study made the same correlational determination between the independent variables and the dependent variable construct using a study population of 155 Information Systems Audit and Control Association (ISACA) members. This study used structural equation modeling (SEM) techniques to analyze relationships. The same previously used instruments were reused to reassess these particular participants. The results of SEM revealed that there was a significant relationship between security culture and security effectiveness. Similarly, significant relationships were found between top management, awareness and training, security culture, and security effectiveness, which repeated similar findings from previous research. A post hoc test was conducted using path analysis to reaffirm the direct causal relationship between security culture and security effectiveness that was also previously researched with similar results. The results demonstrated that security culture is a significant influence regardless of the participants' perception of a security professional with or without CISSP certification.
The implications of this can greatly affect reorganizational structure changes that focus on developing security culture as an investment, and can make security culture a much-targeted construct for future researchers. This could result in human resources departments or functional managers realigning staff positions to concentrate on spreading security culture among fellow employees who affect cybersecurity either directly or indirectly in the workplace.


Security Effectiveness, Security Culture, Security Awareness, Security Training, Security Management, Task Interdependence.