Influence of Information Security Culture on the Information Security Governance Capabilities (Case Study: PT XYZ)

Abstract

Objective – To analyze the relationship between a company’s information security approach/culture with its information security governance capabilities based on COBIT 5 framework and provide recommendations that can be used to improve the company's information security capabilities per COBIT 5 standard.

Methodology – The research uses qualitative and quantitative methods by conducting interviews and distributing questionnaires to 3 members of the IT Department at PT XYZ.

Findings – The research found that the measured COBIT 5 processes (APO13 and DSS05) failed to reach the expected target (level 4), with each DSS05 and APO13 can only reach level 1 and 2 respectively. In addition, several flaws were also found in the company’s information security culturethat may have contributed directly or indirectly to the current state of the company’s information security capabilities.

Novelty – In this study, the researchers expand the previous study on information security culture conducted in 2010 by performing a security audit on a company's IT department to analyze the connection between corporate culture, especially information security culture and the capability level of information security governance. The company thus can make improvements or corrections to its information security approach/culture based on the recommendations provided with COBIT 5 framework.

Keywords: Capability Level; COBIT; Governance; Information Security Culture.