Toward a Unified Information Security Culture Framework for Small and Medium Enterprises, a Design Science Approach

Jun 8, 2025 | By: Victor Ishola | Pages: 14 - 23 | Open

Abstract

Information Security Culture (ISC) research has yielded many competing models and frameworks, each with distinct but related sets of dimensions, elements, and components. This research examines the present state of theoretical frameworks for information security culture, reviews and compares the literature on ISC frameworks, and identifies frequently recurring themes, similarities, and gaps specific to small and medium enterprises (SMEs). These gaps are defined by three dynamic capabilities of SME organizational resilience, namely dynamic absorptive capability (the ability to identify and assimilate external information), dynamic integration capability (the ability to integrate new knowledge with existing functional skills), and dynamic coordination capability (the ability to coordinate individual efforts), and by three related themes: adaptability and responsiveness of ISC frameworks, integration into daily SME operations, and practicality and ease of implementation. Using design science research methodology (DSRM), a unified but simplified ISC framework aligned with SMEs' three dynamic capabilities was developed as a solution blueprint. The developed artifact is demonstrated by adapting the stages of the generic design process model with elements from the Technology-Organization-Environment (TOE) framework to create a method for adopting and implementing the ISC framework. We assess the unified ISC framework for SMEs based on two key objectives: its alignment with established ISC framework theory and practice as documented in existing literature, and its provision of a clear process for implementation. The paper concludes with a discussion and recommendations for future research.