Security Seminar 19 November 2002: Rossouw von Solms
Computer Laboratory, Security Group

SECURITY SEMINAR SERIES
Abstract: Information has grown to become the most important asset to most organizations today. To effectively secure these assets, a set of security controls is normally introduced. These controls can be physical, technical or operational in nature. Operational controls are those controls that are executed by employees or users of information, like locking your office door or not writing your password down. Thus, the behaviour of the employees or users is influenced by the operational controls defined. These operational controls are normally dictated through company policies and procedures, which are derived from and based on various standards and frameworks. The major problem experienced in many organizations today is that the users are not aware of or do not adhere to these policies and procedures. Therefore, educating the users to behave according to the company's information security policies and procedures will ensure that an information security culture will be created in the organization. This security culture will give rise to what can be called the human firewall. This human firewall should ensure that all users of information are fully educated as far as information security is concerned and that their everyday behaviour, when working with company information, is in line with the prescribed policies and procedures. This talk describes the role of policies, procedures, standards, frameworks, etc. in creating an information security culture in an organization where the behaviour of the users creates a human firewall against information security threats.