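The impact of professionals' individual beliefs on information security culture in organizations: a study in the water/sanitation sector in Portugal
(O impacto das crenças individuais dos profissionais na cultura de segurança da informação nas organizações: estudo no sector da água/saneamento em Portugal)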

  • Maria Helena Ferreira da Cruz e Silva (Student)

Student thesis: Master's Thesis


This work, carried out to complete the MA in Security in Information Systems at the Faculty of Engineering, Catholic University, addresses organizational culture in information security, focusing on one of the pillars considered extremely relevant in organizations, the “human factor”, in the Water and Sanitation business sector in Portugal. It starts from two guiding questions: “Q1 - What are the beliefs of individual professionals in the culture of information security?” and “Q2 - What is the impact of individual beliefs in the culture of Information Security?” This study, exploratory and descriptive in nature, aims to:
1. Investigate which Motivating Factors (FM), Inhibiting Factors (FI), Critical Success Factors (FCS) and Good Practice Factors (FBP) support the adoption / implementation of an Information Security Management System (ISMS) in organizations of the Water and Sanitation sector in Portugal, from both their own perspective (PP) and the perspective of their own organization (PPO).
2. Compare the two perspectives by calculating the average level of importance for each element of the above factors.
3. Analyze the results obtained by crossing the average level of importance of the elements of the various factors (FM, FI, FCS, FBP) with a mapping that follows the ISACA guidance [3], which states that «from a governance perspective there are six major outcomes that security programme should work to achieve, namely: 1) strategic alignment; 2) risk management; 3) value deliver; 4) resource management; 5) performance management and 6) assurance process integration».
There is an obvious need to use “information” as a strategic resource in organizations in general and in this sector in particular. It is also indispensable to address the “effective and efficient management of water resources” holistically, based on “safety management” through a risk assessment approach in which the resource “information” is considered in parallel with the resource “water” as a factor of alignment with the organization's strategy, so as to contribute to solving problems, creating value and ensuring the continuity of services in a contingency situation. This makes the “human factor” undoubtedly a key point: “creating a safety culture” becomes a challenge for organizations, and should be a focus of attention for corporate governance as well as a priority objective of information security governance in organizations. Thus, in this study we first identified the Major Key Concepts that made it possible to carry out the literature review on the state of the art of this problem, in which we sought answers on the methodological approach to assessing organizational culture in information security in organizations, as well as contributions that would help in carrying out this work. Next, we describe the work done, setting out the rationale, detailing the objectives and presenting the approach taken, which was based on the preparation and dissemination of a questionnaire used to support the “Diagnosis of Culture in Information Security - Sector: Water and Sanitation in Portugal”. Its audience was top managers, middle-level managers, IT staff, IT consultants, security managers / officials and employees of organizations in this sector, such as operators, regulators, etc.
… Then the processing and analysis of the data is detailed, including sample characterization and the four factors (FM, FI, FCS, FBP) according to PP and PPO, as well as the comparative analysis between the two perspectives and, furthermore, the analysis of the mapping of the factor elements according to the ISACA guidance [4], presenting the results. Finally, the findings and final notes are presented.
Date of Award: 2014
Original language: Portuguese
Awarding Institution:
  • Universidade Católica Portuguesa
Supervisor: Tito Santos Silva (Supervisor)


  • Information
  • Information security
  • Corporate governance
  • IT governance
  • governance Information security culture


  • Master's in Security in Information Systems (Mestrado em Segurança em Sistemas de Informação)
