The defining features of a robust information security climate

Data breaches have become a common occurrence with serious consequences, making organizational security management critically important. Nonetheless, the research community has not yet clearly defined the characteristics of a strong organizational security climate. This study conducts a comprehensive literature analysis to identify a collection of research-based and managerially relevant constructs that represent the essential components of a strong security climate. We operationalize the identified measures of the constructs and empirically validate them for reliability, construct validity, and nomological validity in terms of their relationships with employees' security awareness, neutralization, and intention to comply with organizational information security policies (ISPs). The results suggest that these integral elements, when embraced by organizations, discourage employees’ use of neutralization to justify violation of ISPs and improve employees’ security awareness and their ISP compliance intention. Organizations can use the identified subcomponents and their corresponding measures as a diagnostic decision support instrument to make a reliable and valid assessment of the strengths and weaknesses of their security climate, to continuously monitor their security climate, and to develop interventions that contribute to a strong security climate.