Abstract
The reliance on information systems within business in all societies brings about the need for trust and security in their use. Technology is considered to be the foundation for securing such systems. However, technology alone is not enough, since users make mistakes, both unwittingly and intentionally, which is why there is a need for well-defined information security awareness policies and practices that reduce the risk of incidents through continual assurance. Culture has been found to play a significant role when implementing awareness strategies, since the impact of information security awareness programmes has varied and is influenced by national culture. This paper defines the essential factors that have to be maintained in Middle Eastern organisations in order to implement effective awareness strategies. In considering culture, we present a synthesis of features and components highlighted in the literature. This was supplemented by interviews with experts in information security about attitudes and behaviours among employees in their institutions. Current information security management systems standards were checked for security awareness in their policies. A framework of factors was created by applying thematic analysis to characterise information security awareness. The significant components of the framework were the factors that frame awareness in the light of cultural and environmental perspectives: Knowledge, Attitude, and Behaviour.