| Summary: | The present study’s goal was to build a measurement scale of the level of information security in an institution’s organizational culture. Therefore, based on a broad bibliographical review, the study conceptualized the organizational culture of information security, which was our object of evaluation. Then, the study defined the latent trait – Organizational Culture of Information Security, establishing that the attributes that characterize the latent trait are: the nine principles of the Organization for Economic Cooperation and Development – OECD; and the information security controls of the ABNT NBR ISO / IEC 27002’s standard. In order to build the scale, we developed an evaluation instrument, a questionnaire, and applied it to federal public organizations. After the analysis and validation of the instrument, based on Item Response Theory -IRT, we obtained a set of 55 items that structure the scale. The study yielded the following results: a proposal of a concept of organizational culture applied to information security; and the development of a standardized and interpreted scale of evaluation of the organizational culture level of information security, defined in five levels: 0 - Chaos, 1 - Elementary, 2 - In Progress 3 - Advanced and 4 - Optimized. The scale developed based on IRT allows us to evaluate all types of organizations, enables comparing organizations in a supply chain, and provides the necessary information for self-knowledge of the organization, helping managers to optimize investments in information security and in managerial decision-making.
|
|---|