SECURITY KNOWLEDGE REQUIRED TO IMPROVE EMPLOYEE SECURITY BEHAVIOR IN INFORMATION SECURITY CULTURE
There are many security risks to organizations' information assets; nonetheless, among the major threats to achieving a secure information environment are the actions and behavior of employees when handling information. Insiders, intentionally or unintentionally, can cause serious risks, despite the investments usually made in security control measures and other security-related products. Insecure human behavior with respect to information security cannot be solved entirely by technical and procedural controls alone. Recently, the development of an effective information security culture in organizations has increasingly been considered a way to embed appropriate security practices and to address the human factor in information security. Past research in this area indicates that there is a positive relationship between levels of knowledge and how employees behave. The level of knowledge significantly affects information security behavior and should be considered a critical factor in the effectiveness of information security culture and in any further work that is carried out on information security culture. Therefore, in this paper we have identified the security knowledge required to improve employee behavior in information security culture, namely: knowledge of security threat, knowledge of organization information security strategy, knowledge of security technology, knowledge of legislation, regulation and national culture, knowledge of security responsibility, and knowledge of security risk. These areas of security knowledge need to be included as topics in the security training and awareness programs that organizations conduct for their employees, so that an effective information security culture within the organization can be achieved.

Keywords: Information Security, Information Security Culture, Human Behavior, Security Knowledge.