Evaluation of Information Security Culture of Key Service Operators

Relevant literature has been pointing out for many years that information security has ceased to be exclusively technical and has become primarily a business issue with a particular emphasis on the human factor. With this shift in thinking, the focus changes from exclusively technical security measures to organizational and sociological protection elements, bringing information security culture into focus. A well-established information security culture, which, in addition to established technical measures, considers sociological factors and organizational measures, can not only contribute to the protection of information but also change the way employees think so that they stop viewing information security as an obstacle in their daily work. This paper presents the results of empirical research of information security culture based on established security practices conducted on 239 employees of organizations from 8 sectors representing key service operators in the Republic of Croatia.