Abstract
CONTEXT: Recent studies have highlighted a growing interest in security culture. Frameworks and standards currently exist, offering cybersecurity regulatory guidelines for organizations both locally and internationally, as evidenced in the literature. However, research on information security culture (ISC) within universities remains limited. Moreover, there is a notable absence of professional and academic investigations into ISC. OBJECTIVES: In this article we aim to thoroughly examine ISC in universities through four main objectives. First, we will identify essential knowledge areas (KAs) in this field. Second, we will analyze best practices (BPs) used to promote security culture in universities. Third, we will explore where these practices can be applied across different university areas. Finally, we will create a detailed taxonomy to organize the aspects of ISC in university settings. METHOD: We employed a multivocal literature review (MLR) approach to identify the primary KAs and BPs for understanding and enhancing security culture in universities. We scrutinized 81 primary studies from formal (FL; peer-reviewed) and grey literature (GL; blogs, web pages, white papers). These studies span the past 14 years, from 2010 to 2024. RESULTS: We identified 12 main KAs and 76 best practice areas from both FL and GL. Our findings have enabled us to establish a taxonomy of security culture in universities. This comprehensive categorization serves as a valuable resource for understanding aspects of security culture. CONCLUSION: This study will assist researchers and practitioners in finding relevant studies from the FL and GL to obtain evidence that will help develop an ISC model. Moreover, it has shed light on several areas that warrant further research and development to enhance security culture.