Computers & Security (2004) 23, 275e279

www.elsevier.com/locate/cose

From policies to culture

Rossouw von Solmsa,), Basie von Solmsb

a
Department of Information Technology, Port Elizabeth Technikon, Port Elizabeth 6000, South Africa
b
Rand Afrikaans University, Johannesburg 2000, South Africa

Received 31 October 2003; accepted 19 January 2004

KEYWORDS Abstract Management normally sets company vision, rules and regulations
Security policy; through policies. These policies should provide guidance to employees and partners
Organizational as to how they should act and behave to be in line with management’s wishes.
culture; These policies need to be structured and organized effectively to cater for business
Security culture; and technological dynamics and advances. Having defined a series of company pol-
Security education; icies does not ensure that all employees will necessarily obey these policies. Ideally
Security behaviour these policies must manifest in some company culture to ensure appropriate behav-
iour. This can only be achieved through a proper education process. This paper
addresses exactly the process of integrating policies, education and culture.
ª 2004 Elsevier Ltd. All rights reserved.

Introduction Management normally communicates formal

In small organizations, most communication be-
tween management and workers is direct and to
a large extent verbal. Further, in these small en-
terprises, management is in a better position to
ensure that their workers follow these orders and
obey their wishes. In larger organizations this sce-
nario is unfortunately not as easy, mainly for two
reasons. Firstly, due to the number of employees,
probably physically dispersed, it is impractical for
management to convey strategic company infor-
mation informally or verbally and secondly, in most
large organizations the number of management
levels results in little direct communication be-
tween senior management and the workers.
) Corresponding author.
E-mail addresses: rossouw@petech.ac.za (R. von Solms),
basie@rau.ac.za (B. von Solms).
company direction, rules and regulations using
policies. According to BS 7799 the objective of
an information security policy is ‘‘to provide
management direction and support for information
security’’ (BS 7799, 1999). A policy can thus be
classified as a communication document from
management, as management attempts to convey
a specific message to various parties. These parties
can include external parties, for example business
partners, and/or internal parties, for example
company employees. In the case of company
employees management might want ‘‘to direct
employee behaviour’’ (UTMB, 2002) or ‘‘describe
the ethical conduct expected.’’ (NCMS, 2002).
Thus, one of the objectives of an organizational
policy is for management to dictate appropriate
behaviour of its employees.
In the rest of this paper the authors will attempt
to propose a hierarchical structure, based on

0167-4048/$ - see front matter ª 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2004.01.013
276
various levels of abstraction, on how policies can
be implemented to effectively influence the be-
haviour of employees. The paper will address the
topic from an information security point of view,
but the results should be applicable to most disci-
plines. The paper will firstly analyse precisely what
is meant by the word policy and how it relates to
the discipline of information security. This will be
followed by an analysis of a possible relationship
between policies and creating a culture. An exam-
ple, from Christianity and Judaism, indicating how
laws and directives cultivated a culture will be dis-
cussed and this will be mapped onto the discipline
of information security. Finally, a graphical model
will be devised and put into general context.
What is a policy?
A policy can be defined as (1) ‘‘a course of action,
guiding principle, or procedure considered expedi-
ent’’ or (2) ‘‘a certificate of insurance’’ (The
American Heritage
Dictionary, 2000). From this
definition it can be deduced that a policy refers
to, firstly, action that needs to be taken or a proce-
dure that needs to be followed and, secondly,
a statement or declaration that can be made.
Thus, if the procedure is followed correctly, then
the ‘certificate of insurance’ should be intact.
A procedure can be defined as ‘‘a series of steps
taken to accomplish an end’’ (The American
Heritage
Dictionary, 2000). If this series of steps
is followed meticulously, it should result in the
wish of management (as spelt out in the policy)
being met and thus in that the original intent of
the policy is ‘insured’.
Senior management is responsible for the well-
being of the organization. Therefore they need to
clearly spell out their direction for the company
to be successful. This direction is spelt out by means
of a series of policies. These policies will communi-
cate certain aspects to external parties, and also to
fellow employees. The objective of the policies, to
internal parties, is to influence and determine their
course of action. Thus, management indirectly de-
termines the actions of the employees to serve
the interests of the organization.
In an information security program, people are
often referred to as the weakest link. Russell
(2002) and Voss (2001) reiterate this statement
by highlighting that human error is often the root
cause of problems in some of the most technolog-
ical implementations. Information security policies
create a solid platform to implement secure prac-
tices in an organization. ‘‘Knowing the policies is
R. von Solms, B. von Solms
only half of the equationdstaff need to know
how they should comply, from a procedural per-
spective’’ (RUsecure, 2002, online).
Therefore, the intent of senior management
might be pure, the policies defined crystal clear
and detailed procedures provided, but the result
not as desired. Especially not in the world of infor-
mation security, as seen from the previous para-
graph. The question that arises is how the intent
of top management can manifest in the actions
of the employees?
Policies and culture
To ensure that the actions, creations and artefacts
of employees satisfy the sentiment of manage-
ment, as spelt out in their company policies, it is
important that an appropriate group culture is
cultivated. If such a group culture manifests, and
this culture is in synchronization with the underly-
ing policies, then it would ensure acceptable ac-
tions and behavioural patterns of the individual
group members. The objective is thus to develop
a group culture, where all actions and creations
of group members (employees) are in line with
the vision of management.
How can such a culture be developed and pre-
cisely what does it entail? To answer these ques-
tions, it is important that one first defines what
a culture is and then how a culture is cultivated.
Schein (1992) defines the culture of a group as
follows: ‘‘A pattern of shared basic assumptions
that the group learned as it solved its problems
of external adaptation and internal integration,
that has worked well enough to be considered val-
id and, therefore, to be taught to new members as
the correct way to perceive, think, and feel in re-
lation to those problems.’’ This definition basically
addresses two issues, firstly, the shared basic
assumptions of the group need to be defined and
secondly, these assumptions need to be taught to
everybody who forms part of the group.
To define and develop the shared assumptions
that are acceptable to both management and the
group members is a major task. Management,
through drafting a series of policies, would define
what they expect from the group members. These
policies must be acceptable to the group mem-
bers, especially as far as basic assumptions and be-
liefs are concerned. Everybody must agree that
these are for the benefit of the organization, as
well as that it is not infringing on any of the indi-
vidual’s personal assumptions and beliefs. Schein
(1992) defined an organizational culture model,
as depicted in Fig. 1.
From policies to culture 277

Torah a series of commandments, laws and

directives are recorded. In the rest of this para-
graph, the origin and relationship amongst these
commandments, laws and directives will be dis-
cussed as well as the influential role they played
in cultivating a culture. A number of critical
aspects in this regard will be identified subse-
quently and extrapolated onto the information
security situation in a business environment.
 In the Bible (Ex 20:1), God announced the
commandments as to how He wants to be
served. God gave these commandments to
Moses to take to the Israelites. The command-
ments came directly from the highest author-
Figure 1 Schein’s organizational culture model.
ity. This was core to the credibility of the
The culture of the organization rests on basic commandments, the fact that it was written by
assumptions and beliefs that influence the nature God himself (Bible, Deut 5:22b).
of the group members, their inherent thoughts Thus, executive level policies should originate,
and feelings. The culture is subsequently ex- and be signed, by the most senior official in
pressed in collective values, norms and knowl- the company to ensure credibility.
edge. This is usually expressed in the form of The Executive Information Security policy
rules, regulations, procedures, etc. These even- should be signed by the CEO of the company
tually affect the behaviour of the employees and or somebody with similar seniority.
result in actions, artefacts and creations.
Secondly, education plays an important part in  Only 10 commandments were received by
cultivating a culture, as seen from the definition Moses (Bible, Ex 20). These commandments
above. are still in force today in the mentioned
Therefore, it can be concluded that, if manage- religions, thousands of years later.
ment wants their employees to act in a specific Thus, executive level policies should be fairly
way that is beneficial to the organization, they static over time, not to cumbersome and
need to dictate the behaviour of the employees. should address conceptual issues rather than
This can be done by expressing collective values, specifics.
norms and knowledge, through defining specific The Information Security policy should be short
policies and procedures. These policies and proce- and sweet, not including technical and
dures should reflect the underlying assumptions business details that change regularly and
and beliefs of management. should address security principles rather
This theory, whereby management’s vision and than detail.
wishes result in an organizational culture, sounds
ideal, but can it work in practice? The next para-  The Book of the Covenant (Bible, Ex 21e24)
graph will provide an example of a culture that was states many laws, 613 to be precise. Most of
cultivated, based on ‘policies’ and ‘procedures’. these laws interpret the commandments,
taking a period of time and specific situations
into account. These laws are a little more
The Moses model1
dynamic (specifically in the Christian religion)
and do dictate the lives of the followers of the
The culture of many groups and nations is founded religion to ensure it is directly in line with the
on one or other religion. Judaism and Christianity commandments (God’s will).
are two examples where religion played, and is
still playing, a definite role in cultivating a specific Thus, executive level policies should be aug-
culture amongst various groups of followers. Even mented by secondary policies. These sec-
after more than 20 centuries this is still the case. ondary policies can be more dynamic,
Core to both Christianity and Judaism is the specific and quite detailed, taking the
Torah, the first five books of the Old Testament, current economic, business, technological,
as recorded in the Holy Bible (Bible, 1994). In the etc. situations into consideration.
A series of secondary information security
1
With due respect to the Christian and Judaism religions. policies should support the executive level
278
policy. For example, an access control pol-
icy, an Internet policy, a network security
policy, etc.
 The laws are supported by a series of directives
(Bible, Ex 25e32). These directives state how,
where and when God must be served. These
directives are grouped for different situations
or groups of followers.
Thus, a series of procedures that is logically
ordered, prepared in a non-technical way and
specifically spelling out actions and behav-
iour, should interpret the executive and
secondary level policies for the employees.
A series of procedure documents addressing
the proposed actions of, amongst others,
computer end-users, the department of
human resources, third party consultants,
etc. needs to be compiled.
The suggested framework of how policies and
procedures should be arranged to ensure that con-
ceptual ideas of top management are effectively
interpreted and logically communicated to the
employees, is presented in Fig. 2.
The matter of the fact is that unless policies
and procedures are properly communicated and
educated to employees, the chances that they will
manifest in their behaviour and culture are minimal.
 The Bible (Deut 6:6e9) states:
B ‘‘never forget these commands’’,
Executive
Information
Security
Policy
Figure 2 Hierarchical ordering of (a) commandments, laws and directives and (b) executive and secondary level
policies and procedures.
R. von Solms, B. von Solms
B ‘‘teach them to your children’’,
B ‘‘repeat them when you are at home, when
you are away, when you are resting, when
you are working’’,
B ‘‘tie them to your arms’’,
B ‘‘wear them on your foreheads’’ and
B ‘‘write them on the door posts of your
houses and on your gates’’.
Thus, the policies and procedures should be
properly communicated to ALL parties,
regularly refreshed, posted on prominent
places to be seen, become part of every
individual, etc. Only then has it got a proper
chance to influence the behaviour of the
employees to such an extent that it might
manifest in a company culture.
A continuous information security awareness
program should be in place to ensure initial
education, and also regular updates and
reminders.
The 10 commandments, written by God on two
stone tables, eventually played a central role in
the religious beliefs of many people and influenced
the culture and therefore behaviour of many
nations over thousands of years. Similarly, the
wishes, dreams and vision of top management, as
spelt out in an executive level policy, should strive
to eventually influence the behaviour of employ-
ees by creating a company culture, acceptable to
all parties involved. To achieve this, two aspects
Procedures for
3rd Parties
HR
Procedures
End- user
Procedures
From policies to culture
are of critical importance. Firstly, the policies and
procedures should be defined in a proper framework
to ensure that management’s conceptual ideas are
entrenched in a series of logically structured docu-
ments. These documents should cater for dynamic
business and technological fluidity, and also hide
technical detail when not required. Secondly, these
policies and procedures should be communicated to
all employees through a well defined process of
education, reminders, refresher courses, etc. If this
is not done properly and continuously, the effect of
the executive level information security policy
might never manifest in some organizational cul-
ture. This will mean that most company rules and
regulations will have to be enforced and continu-
ously policed. It will not become embedded in the
everyday behaviour of the employees, and thus
a company culture, which is obviously the ideal.
If information is important to an organization,
top management should clearly spell out their sen-
timent in this regard in an executive information
security policy. Ultimately, top management
would like all employees and partners to share this
sentiment with them and ensure that proper infor-
mation security controls are introduced and ad-
hered to. For this reason, a series of supporting
policies needs to be defined, implemented and ed-
ucated to the parties concerned. Hopefully, this
education will become entrenched in employee
behaviour to such an extent that an information
security culture is cultivated. At this point, man-
agement can feel satisfied that their sentiment
about the importance of information security,
has actually been manifested in the everyday lives
and actions of employees, providing proper pro-
tection to information resources.
Conclusion
Top management is ultimately responsible for the
well-being of an organization. They normally use
policies to spell out their management support
and direction. These policies need to be communi-
cated and interpreted to all submissive parties.
One of the important objectives of these policies
is to prescribe the actions and behaviour of these
parties. The fact that these policies, and associated
procedures, are communicated and educated
to employees and partners does not ensure that
279
subsequent actions and behaviour from these par-
ties will necessarily be according to these policies.
One way to ensure that employee actions, behav-
iour, artefacts and creations are according to com-
pany policies is to align these with company culture.
This paper highlighted the importance of ensur-
ing that company policies are effectively struc-
tured and organized, and also, that unless these
policies and procedures are effectively communi-
cated and educated to employees, the chances
that they will manifest in company culture are
minimal. Thus, for policies to dictate company cul-
ture, proper education and communication on
a continuous basis are imperative. A lot of re-
search still needs to be done to effectively imple-
ment this principle.
References
Bible. Good News Bible. Bible Society of South Africa, SA;
1994.
BS 7799. Code of practice for information security manage-
ment. UK: British Standards Institute; 1999.
National Centre for Manufacturing Sciences (NCMS); 2002.
Available from: http://www.ncms.org/2201/membership/
policies.htm. [Accessed 21 November 2002].
RUsecure information security policies; 2002. Available from:
http://www.information-security-policies.com/policies.htm.
[Accessed 21 November 2002].
Russell C. Security awarenessdimplementing an effective
strategy; 2002. Available from: http://rr.sans.org/aware/
sec_aware.php. [Accessed 21 November 2002].
Schein E. Organizational culture and leadership. 2nd ed. Jossey-
Bass; 1992.
The American Heritage
Dictionary. 4th ed. Houghton Mifflin
Publishing Company; 2000.
University of Texas Medical Branch (UTMB); 2002. Available
from: http://www.utmb.edu/policy/rehab/search2/01-00-
01.pdf. [Accessed 21 November 2002].
Voss BD. The ultimate defence of depth: security awareness in
your company; 2001. Available from: http://rr.sans.org/
aware/ultimate.php. [Accessed 21 November 2002].
Rossouw von Solms is a professor in Information Technology at
the Port Elizabeth Technikon in South Africa. He has published
and presented numerous papers in the field of information secu-
rity. He has been a member of IFIP TC11 since 1995.
Basie von Solms is a professor in Computer Science at the RAU-
Standard Bank Academy for Information Technology at the Rand
Afrikaans University in South Africa. He has authored more than
70 papers in the field of information security. He is currently
a vice-president of IFIP and the immediate past-chairperson
of IFIP TC11.