The Competing Security Cultures Framework
Every organization that is concerned about protecting its information assets and systems—basically all organizations in today’s networked and digital society—has an information security culture. The security culture is a facet of the overall organizational culture. Most organizations, in fact, have multiple information security cultures, reflections of local values and priorities, and not everyone inside the organization is going to share the same beliefs and assumptions about how security should and does work. What the information security team values and thinks is most important for protecting the organization will probably be different, at least in degree, from what HR (or Internal Audit, ...