Identification of Key Human Factors affecting adoption of Information Security Culture - A Study on Small & Medium Scale Organisations in Sri Lanka

Abstract

"In today's fast-paced and technology-driven world, organizations heavily rely on Information Technology (IT) to meet their business needs. However, this increased dependence on IT and the exposure to the internet also create opportunities for malicious attackers to exploit vulnerabilities. While advancements in security technology, particularly those incorporating AI and ML, have helped organizations strengthen their defences, many experts argue that this approach alone is insufficient as security solely is not a technical problem but also a people problem. Although this threat is brought forward in multiple risk and intelligence indexes highlighting that 95% of all successful cyber-attacks are caused by human error and this weakest link is yet often neglected. On the other hand, having only 14% of SMEs remain prepared to defend themselves against cyber threats is also very much alarming.

This study focuses on deciphering the ‘human’ element by identifying the key human factors, characteristics and challenges affecting the adoption of a security-first culture. With SMEs forced to rethink the fundamental investment in security and control by instating cyber security on their priority index, this study aims at helping readers realize the importance of the human element in information security and thereby help address this problem by development of a conceptual framework through in-depth review of literature, analysis of existing models and evaluation of results gathered thorough synthesis of data. The researcher intends to identify the human factors affecting the adoption of information security culture and thereby provides proper direction to strengthen the security posture of the organisation by investing proportionately in security by challenging the common conception of solely implementing technological controls to address security concerns."