Assessing information security culture: A mixed-methods approach to navigating challenges in international corporate IT departments

In the digital era, fostering a strong information security culture in organizations, especially multinational IT departments, is essential to combat cyber threats. This study examines the effectiveness of a mixed-methods approach that combines quantitative surveys with qualitative insights from semi-structured interviews to assess information security culture comprehensively. Through a systematic literature review, the research identifies gaps and opportunities within the academic exploration of information security culture. Using semi-structured interviews with IT professionals from a multinational software company, the study complements an existing quantitative survey to delve deeper into six predefined dimensions of security culture. The qualitative data obtained from the interviews were analyzed using Mayring's qualitative content analysis. The results provided nuanced insights into the organization's security culture, with particular emphasis on aspects such as the accessibility of policies, the commitment of management, and the adequacy of training programs. Confirming the validity of the integrated approach, a comparative analysis of the qualitative findings with the survey data revealed no significant statistical differences in most dimensions. However, differences in certain areas highlighted the need for more transparent communication and specialized training initiatives. The study underscores the complexities involved in cultivating a resilient information security culture. It also demonstrates the value of a mixed-methods approach for a rigorous assessment. This study contributes to the academic discussion of information security culture and provides practical insights for organizations seeking to strengthen their security posture. It advocates further research into different organizational contexts and the cost-effectiveness of qualitative assessments.