
Towards a Cybersecurity Culture-Behaviour Framework: A Rapid Evidence Review

Anna Sutton1 and Lisa Tompson2


University of Waikato

Author Note
1 Corresponding author. Address: School of Psychology, University of Waikato,
Private Bag 3105, Hamilton 3240, New Zealand. Email: anna.sutton@waikato.ac.nz. Orcid
ID: 0000-0001-8997-2460
2 Orcid ID: 0000-0003-3274-8585
Declaration of Interests
Financial support for data collection was provided by New Zealand Defence Force
Defence Technology Agency. The funders had no role in the study design, analysis, or
preparation of the manuscript.
Author Statement
Conceptualization: A.S. and L.T.; Data curation: L.T.; Formal analysis: A.S.; Funding
acquisition: A.S. and L.T.; Investigation: L.T.; Methodology: L.T.; Supervision: A.S. and
L.T.; Writing – original draft: A.S.; Writing - review & editing: A.S. and L.T.
Acknowledgements
The authors would like to thank Zane Sheeran and Taryn Farr for their assistance in
data collection and DTA personnel, especially Austin Chamberlain and Branislav Jovic, for
insightful discussions.

Abstract
A strong organisational cybersecurity culture (CSC) is critical to the success of any
cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To
facilitate the framing and measurement of CSC we conducted a rapid evidence assessment
(REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records,
of which 52 studies were eligible for the final synthesis.
Content analysis of the CSC definitions in the eligible studies highlighted that CSC
should not be viewed solely as a technical problem but as a management issue too; CSC
requires top management involvement and role modelling, with full organisational support
for the desired employee behaviours. We identify both theoretically and empirically derived
models of CSC in the REA, along with a range of methods to develop and test these models.
Integrative analysis of these models provides detailed information about CSC dimensions,
including employee attitudes towards CS; compliance with policies; the role of security
education, training and awareness; monitoring of behaviour and top management
commitment. The evidence indicates that CSC should be understood both in the context of
the wider organisational culture as well as in the shared employee understanding of CS that
leads to behaviour.
Based on the findings of this review, we propose a novel integrated framework of
CSC, consisting of cultural values; the culture-to-behaviour link and behaviour itself. We also
make measurement recommendations based on this CSC framework, ranging from simple,
broad-brush tools through to suggestions for multi-dimensional measures, which can be
applied in a variety of sectors and organisations.
Keywords: cybersecurity culture; rapid evidence assessment; cultural values;
cybersecurity behaviour

Towards a Cybersecurity Culture-Behaviour Framework: A Rapid Evidence Review

1. Introduction
Cybercrime is a rising concern worldwide, with recent figures indicating that it caused
a loss of USD 10.3 billion in the USA alone in 2022 (FBI, 2023). Cyber threats are becoming
increasingly sophisticated, and humans are often considered the weakest link in cybersecurity
(ENISA, 2017), whether that is through responding to phishing emails or falling for spoofed
tech-support or customer-support scams. Merely raising awareness or providing training around cybersecurity is
insufficient to adequately protect organisations from cyber-attacks, much as health and safety
training is insufficient to ensure protection from all risks in the workplace (Cooper, 2000).
Instead, people’s behaviour at work is grounded in the shared norms and values of the
organisation, that is, the prevailing organisational culture (Schein, 2004). Just as health and
safety policies are of no use if they are not integrated and enacted in a supportive safety culture
(Cooper, 2000), cybersecurity measures must integrate with other organisational practices if
they are to be effective (ENISA, 2017). Developing a cybersecurity culture (CSC), or an
environment where it becomes the norm for each member of the organisation to recognise and
respond robustly to cyber-attacks, is considered the best way for an organisation to protect
itself (ENISA, 2017).
The heightened threat landscape has engendered a mounting interest in organisations
ensuring that staff are compliant with cybersecurity procedures and practices (X. Chen &
Tyran, 2023). But to make improvements in CSC, professionals need an evidence-based
framework that enables the evaluation of their current CSC. The results of this evaluation can
then be used as a benchmark to measure progress. This study aims to work towards building
such a framework by reviewing the evidence base from multiple sectors where tools to measure
cybersecurity have been developed.
Our overarching objective is to determine, from existing evidence, how organisational
CSC is defined and how it can be assessed. We therefore conducted a rapid evidence
assessment (REA). An REA is a truncated version of a systematic review, to swiftly synthesise
knowledge (Khangura et al., 2012). While being less resource and time intensive, REAs often
have similar findings to commensurate systematic reviews (Tricco et al. 2015). REAs are
particularly valuable for applied settings such as cybersecurity because they provide timely,
user-friendly, and trustworthy evidence summaries that can inform evidence-based decision
making (Khangura et al., 2012).

1.1. Organisational culture
A positive organisational culture has many benefits for personnel and organisational
success (Liu et al., 2021). However, organisational culture can also be implicated in negative
outcomes. For example, a cultural failure to prioritise safety or safety-related skills such as
communication and collaboration was blamed for many aviation fatalities in the Australian
Defence Force (Falconer, 2006). This recognition of the central role that organisational
culture plays in safety (Rachman et al., 2016) has catalysed contemporary research into CSC.
CSC is commonly understood to mean the norms and values affecting how the
organisation deals with cybersecurity (Sharma & Aparicio, 2022). It is usefully conceived of
as a sub-component of organisational culture more broadly. Hence, it is instructive to
situate our discussion of CSC here in the wider context of organisational culture.
Organisational culture can be thought of as the shared perceptions that members of the
organisation have of their work practices (van den Berg & Wilderom, 2004), or more simply
as “the way we do things around here” (attributed to Bower, 1966). This shared
understanding helps to guide individual work behaviour and gives meaning to members of
the group (Schein, 2004). Developing an appropriate organisational culture is important
because it acts to control employees and promote performance (Sutton, 2018).
Two widely used models of organisational culture are the three-level model (Schein,
2004) and the competing values framework (Quinn & Rohrbaugh, 1983). Schein’s model
provides a way to analyse and understand organisational culture at three levels, from most to
least discernible. At the first level, artefacts are the physical products or phenomena we
encounter in the workplace. In the context of cybersecurity, this could include the software
and technology the organisation uses, or ways the organisation deals with security, for
example public key encryption or password protection of email files (Da Veiga & Eloff,
2010). The second level consists of espoused beliefs and values, that is, the beliefs that
underpin discussions of what is important and the right way to do things. For example,
employees may believe that they have a right to privacy even when using work-provided
mobile devices. And third, the level of underlying assumptions consists of taken-for-granted
beliefs about the way things work, such as who has responsibility for the cybersecurity of the
organisation.
Schein’s model is often used as the basis for understanding the unique culture of an
organisation, with an emphasis on measuring the espoused beliefs and values when
representing the organisation’s culture. The underlying basic assumptions are notoriously
difficult to evaluate, and yet are critical to understanding how people work and make
decisions in the organisation. Schein’s model has been widely used for theoretical grounding
of CSC studies (e.g. Da Veiga & Eloff, 2010; Knapp & Ferrante, 2014) but, due to the
abstract nature of the dimensions, is difficult to apply to specific organisations.
The competing values framework (CVF), conversely, enables straightforward
comparisons between organisations on two main value dimensions and has guided
meta-analysis of culture effects on organisational outcomes (Hartnell et al., 2019). The first of the
CVF dimensions is focus—the extent to which the organisation focuses on internal or
external concerns. That is, the relative value it places on the wellbeing and development of
the people within the organisation (internal) or the wellbeing and development of the
organisation overall (external). The second dimension is structure—the extent to which the
organisation values control (using a more rigid structure) or flexibility (with a more adaptable
structure). Using these two dimensions, four main cultural orientations can be identified
(Chang & Lin, 2007; Solomon & Brown, 2021): rule orientation (internal focus, emphasising
control), goal orientation (external focus, emphasising control), support
orientation (internal focus, emphasising flexibility) and innovation orientation (external
focus, emphasising flexibility). Various authors have suggested that cultures that value
control (i.e. a rule or goal orientation) are most conducive to security management (Hu et al.,
2012; Solomon & Brown, 2021). Yet cybersecurity is increasingly essential to all
organisations, so an effective CSC must be able to integrate effectively into any of these
organisational orientations. By reviewing the CSC literature, we aim to build a framework
that researchers and practitioners can use to build and support a more effective CSC.

1.2. Scoping the cybersecurity culture literature


The REA began with a scoping phase to 1) identify whether previous systematic
reviews had been conducted on measuring CSC and 2) develop an operational definition of
CSC. We found only a single published systematic review of factors influencing
cybersecurity culture (Mwim & Mtsweni, 2022). However, this review used a limited set of
keywords, insufficient for a comprehensive search, and its coverage of the global
evidence base was skewed (which may relate to ease of access to studies).
The scoping phase revealed a range of definitions of CSC. We adopted the ENISA
(European Union Agency for Network and Information Security) definition of CSC, which
incorporates the ISO standards on information security management systems. Cybersecurity
is defined by these ISO standards as the preservation of the confidentiality, integrity, and
availability (commonly known as CIA) of information in cyberspace. CSC therefore refers to
the:
“knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of
people regarding cybersecurity and how they manifest themselves in people’s
behaviour with information technologies. CSC encompasses familiar topics including
cybersecurity awareness and information security frameworks but is broader in both
scope and application, being concerned with making information security
considerations an integral part of an employee’s job, habits and conduct, embedding
them in their day-to-day actions” (ENISA, 2017, p. 5).

This definition consists of two main elements. First, the norms and values of those
employed within the organisation, where norms are people’s beliefs, knowledge and attitudes
about behaviour and values are their internal drivers of behaviour. Second, the resultant
behaviour of those individuals. We therefore developed a working definition of CSC as the
norms and values of people in the organisation regarding cybersecurity and how that
manifests in behaviour. This definition was used to develop search terms to be used in the
systematic search.

2. Methods

2.1. Search strategy


The purpose of this REA was to configure existing knowledge, rather than to
aggregate knowledge. For this reason, it was not necessary to perform an exhaustive search
for studies (Gough et al., 2012). To that end, we opted to use a combination of key word
searches in electronic databases, hand searches of grey literature and citation analysis of
eligible studies.

2.1.1. Electronic database


We tested search syntax in several electronic bibliographic databases against a
reference set of studies (harvested from Mwim & Mtsweni, 2022, see Supplementary
Information) that could be considered eligible for the REA. Standard evaluation methods for
information retrieval were used to assess the suitability of several databases. For example,
sensitivity (recall) metrics were used to determine the proportion of eligible records retrieved,
balanced by specificity metrics, which measure the proportion of non-relevant records
correctly not retrieved.
Based on the results of the above analysis, SCOPUS was selected as the electronic
bibliographic database to be used in this REA. SCOPUS is a large, interdisciplinary database,
that includes conference proceedings, and was searched on 16 March 2023 with the following
search syntax:
TITLE-ABS-KEY ( ( cybersecurity OR "cyber security" OR cyber-security OR
"computer crime" OR "network security" OR "cyber threats" OR "cyber security"
OR "security assessment" OR "information security policies" ) AND ( culture OR
"security awareness" OR "employee behavior" OR "information security
awareness" OR "intention behaviour gap" ) ) AND PUBYEAR > 1997 AND
PUBYEAR < 2024 AND ( LIMIT-TO ( DOCTYPE , "cp" ) OR LIMIT-TO (
DOCTYPE , "ar" ) OR LIMIT-TO ( DOCTYPE , "ch" ) OR LIMIT-TO (
DOCTYPE , "cr" ) OR LIMIT-TO ( DOCTYPE , "re" ) OR LIMIT-TO (
DOCTYPE , "bk" ) ) AND ( LIMIT-TO ( LANGUAGE , "English" ) )

2.1.2. Citation analysis


Citation analysis discovers studies that are linked by common methods or substantive
content, independent of vocabulary, and therefore complements keyword searches of
electronic databases (Tompson & Belur, 2016). We undertook backwards and forwards
citation analysis on all eligible studies.

2.2. Screening process


Screening followed a conventional two-stage process. Systematic search results from
SCOPUS were uploaded to the EPPI Reviewer Web software (Thomas et al., 2022) to
manage the workflow process and data.
In the pilot screening stage, records were double screened on title and abstract and
inter-rater reliability exercises were undertaken until there was a sufficient level of agreement
between screeners (e.g., >90%). Disagreements pertaining to screening decisions formed the
basis of discussion to develop the codebook of decision rules. Thereafter, records were single
screened on title and abstract.
In the second stage of screening, candidate records that were not excluded in the first
stage were screened on full text, where those full texts could be retrieved. Inter-rater
reliability exercises were again used initially to ensure consistency in screening decisions
across researchers.
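As an added example that is not part of the review, the following Python computes the pilot-screening agreement statistics a reviewer would look at before moving to single screening. The 100 screening decisions are constructed for illustration, not the authors' data. It shows the caveat that matters for a funnel in which most records are excluded: raw percent agreement can clear the >90% threshold while a chance-corrected statistic (Cohen's kappa) is markedly lower, because two screeners who both exclude almost everything agree on most records by chance alone.

```python
"""Inter-rater agreement for double screening on title and abstract.

Added example, not part of the original review. The 100 screening
decisions built below are constructed for illustration, not the authors'
data. Percent agreement is the quantity the >90% pilot threshold refers to;
Cohen's kappa corrects it for the agreement two screeners would reach by
chance, which is high whenever most records are excluded.
"""
from collections import Counter
from typing import List, Sequence, Tuple

INCLUDE = "include"
EXCLUDE = "exclude"


def percent_agreement(a: Sequence[str], b: Sequence[str]) -> float:
    """Proportion of records on which both screeners made the same decision."""
    if not a or len(a) != len(b):
        raise ValueError("decision lists must be non-empty and of equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cohens_kappa(a: Sequence[str], b: Sequence[str]) -> float:
    """Cohen's kappa: (p_o - p_e) / (1 - p_e), where p_e is the agreement
    expected if each screener's include/exclude rate were applied at random."""
    n = len(a)
    p_o = percent_agreement(a, b)
    rate_a, rate_b = Counter(a), Counter(b)
    p_e = sum((rate_a[c] / n) * (rate_b[c] / n) for c in set(rate_a) | set(rate_b))
    if p_e == 1.0:  # both screeners used one category throughout: nothing left to correct
        return 1.0
    return (p_o - p_e) / (1.0 - p_e)


def disagreements(records: Sequence[str], a: Sequence[str], b: Sequence[str]) -> List[str]:
    """Record ids the screeners split on: the input to the codebook discussion."""
    return [r for r, x, y in zip(records, a, b) if x != y]


def build_pilot_sample() -> Tuple[List[str], List[str], List[str]]:
    """Constructed pilot: 100 records, screener A includes R001-R008,
    screener B includes R001-R006 and R009-R012. Everything else is excluded."""
    records = [f"R{i:03d}" for i in range(1, 101)]
    a = [INCLUDE if i <= 8 else EXCLUDE for i in range(1, 101)]
    b = [INCLUDE if i <= 6 or 9 <= i <= 12 else EXCLUDE for i in range(1, 101)]
    return records, a, b


if __name__ == "__main__":
    records, a, b = build_pilot_sample()
    print(f"percent agreement: {percent_agreement(a, b):.2f}")  # clears the 0.90 threshold
    print(f"Cohen's kappa:     {cohens_kappa(a, b):.2f}")      # chance-corrected, much lower
    print("discuss for codebook:", disagreements(records, a, b))
```

In the constructed sample the screeners agree on 94 of 100 records, yet kappa is only about 0.63, because 92 and 90 of those records respectively were excluded by each screener and most of the agreement is on exclusions. The disagreement list is the material that feeds the codebook of decision rules.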

2.2.1. Inclusion criteria


Studies to be synthesised in this REA needed to satisfy the following criteria. The
study must:
1. be published in English. Available resources limited our ability to search for and translate
non-English studies.
2. be published in 1998 or later (PUBYEAR > 1997 in the search syntax). Dhawan et al. (2021) found only one paper
published on “cybersecurity” in 1998, and >2,000% growth in the intervening years.
3. contain enough information to make a screening decision. Missing or incomprehensible
title and abstracts were discounted.
4. include substantive information about CSC.
5. use an organisational unit of analysis.
6. propose or include a way of measuring organisational CSC.

2.2.2. Data extraction


Studies judged eligible after the screening process were coded to extract relevant
information (data) using the following instrument:
1. Study details (title, year, author(s), publication status, study location(s))
2. Context
2.1. Industry (using the International Standard Industrial Classification of All Economic
Activities)
2.2. Role specialism (e.g., IT professionals, Chief Executive Officers, trainers)
3. Research design
3.1. Theoretical/conceptual only
3.2. Qualitative (e.g., interviews, case study, document analysis)
3.3. Quantitative (e.g., survey instruments, meta-analysis)
4. Models of CSC
4.1. Definition of CSC used in study
4.2. Models of CSC (e.g., dimensions or categories)
4.3. Antecedents and outcomes of CSC
5. Metrics used to measure cybersecurity culture: has the paper used a specific questionnaire
or other measure of CSC? If so:
5.1. Name and authors of measure
5.2. Information on validation of measure, e.g., developed in this paper or reused from
elsewhere?
5.3. What are the dimensions or subscales of the measure?
6. Authors’ conclusions

2.3. Evidence synthesis


Using content analysis of the extracted definitions, which counts the number of times
a word appears, we identified the most common words used in defining CSC and used this to
add detail to our working definition. Subsequently, we conducted thematic analysis of the
data, following Braun and Clarke’s (2006) guidelines, to identify important key themes of
CSC.
This REA adopted a configurative approach to the evidence synthesis. That is, the
synthesis interprets and arranges information extracted out of the eligible studies to produce
new ways of understanding the focal concepts. We started with analysis of the CSC models
used in the studies, examining their source and evaluating their evidence. We then considered
the outcomes of CSC, that is, how culture influences behaviour, and how the studies have
conceptualised and tested this. Finally, we evaluated the measures identified in this review, in
terms of their psychometric quality, dimensions and overall utility.

3. Results
In this section, we summarise the results of our data extraction and analysis. First, we
provide a general description of the included studies. Second, we report on the content and
thematic analysis of CSC definitions extracted from the data. Third, we present the detailed
analysis of CSC data in two parts: models of CSC and how CSC affects behaviour. Finally,
we provide a summary of the CSC measurement tools identified in this review.

3.1. Included studies


The PRISMA diagram (Figure 1) summarises the identification, inclusion, and
exclusion of studies in this search. Fifty-two studies were included in the final assessment, 40
from the SCOPUS database and another 12 from the citation analysis of those studies.

Identification
  Records identified in systematic search of SCOPUS up to 16 March 2023: n = 1,768
  Duplicates removed: n = 4

Title and abstract screening
  Records screened: n = 1,764
  Records excluded: n = 1,613
    Not in English: n = 1
    Too little information: n = 30
    Not substantively on CSC: n = 1,344
    Not at organisational level: n = 94
    Does not include ways of measuring CSC: n = 146

Full-text screening
  Records screened: n = 151
  Records excluded: n = 111
    Could not retrieve study: n = 6
    Not substantively on CSC: n = 37
    Not at organisational level: n = 3
    Does not include ways of measuring CSC: n = 65
  Studies included from SCOPUS: n = 40

Citation analysis
  Records identified: n = 24
  Records excluded: n = 12
  Studies included from citation analysis: n = 12

Studies included in review: k = 52

Figure 1. PRISMA diagram
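The arithmetic in a flow diagram is easy to check and worth checking. The following Python is an added example, not part of the original review; the `Stage` and `check_funnel` helpers are written here, and the counts encoded in `FIGURE_1` are those reported in Figure 1. The checker verifies the two identities a reader relies on: each stage starts with exactly the records the previous stage retained, and the per-reason exclusion counts sum to the stage's excluded total. Run against these counts, the funnel reconciles to the final k = 52, but one stage does not balance internally: the five title-and-abstract exclusion reasons sum to 1,615, whereas the excluded total for that stage is given as 1,613.

```python
"""Consistency check for a PRISMA-style screening funnel.

Added example, not part of the original review. The stage counts in
FIGURE_1 are those reported in Figure 1; the checker is a generic helper
written for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Stage:
    """One screening stage: records entering, records excluded, and
    (optionally) the breakdown of exclusions by reason."""
    name: str
    records_in: int
    excluded: int
    reasons: Dict[str, int] = field(default_factory=dict)

    @property
    def retained(self) -> int:
        return self.records_in - self.excluded

    def problems(self) -> List[str]:
        out: List[str] = []
        if self.retained < 0:
            out.append(f"{self.name}: excluded ({self.excluded}) exceeds records in ({self.records_in})")
        if self.reasons:
            total = sum(self.reasons.values())
            if total != self.excluded:
                out.append(f"{self.name}: exclusion reasons sum to {total} but excluded = {self.excluded}")
        return out


def check_funnel(stages: List[Stage], extra_included: int = 0,
                 reported_total: Optional[int] = None) -> Tuple[int, List[str]]:
    """Return (studies included, list of inconsistencies).

    Each stage must start with exactly the records the previous stage retained;
    `extra_included` covers studies added outside the main funnel (here, the
    studies found by citation analysis of the included studies)."""
    problems: List[str] = []
    for prev, cur in zip(stages, stages[1:]):
        if cur.records_in != prev.retained:
            problems.append(f"{cur.name}: starts with {cur.records_in} records but "
                            f"{prev.name} retained {prev.retained}")
    for stage in stages:
        problems.extend(stage.problems())
    total = stages[-1].retained + extra_included
    if reported_total is not None and total != reported_total:
        problems.append(f"computed total {total} differs from reported {reported_total}")
    return total, problems


# Counts as reported in Figure 1.
FIGURE_1 = [
    Stage("deduplication", records_in=1768, excluded=4),
    Stage("title/abstract screening", records_in=1764, excluded=1613, reasons={
        "Not in English": 1,
        "Too little information": 30,
        "Not substantively on CSC": 1344,
        "Not at organisational level": 94,
        "Does not include ways of measuring CSC": 146,
    }),
    Stage("full-text screening", records_in=151, excluded=111, reasons={
        "Could not retrieve study": 6,
        "Not substantively on CSC": 37,
        "Not at organisational level": 3,
        "Does not include ways of measuring CSC": 65,
    }),
]
CITATION_ANALYSIS = Stage("citation analysis", records_in=24, excluded=12)


if __name__ == "__main__":
    k, issues = check_funnel(FIGURE_1, extra_included=CITATION_ANALYSIS.retained,
                             reported_total=52)
    print(f"studies included: k = {k}")
    for issue in issues:
        print("inconsistency:", issue)
```

The same helper applies to any multi-stage screening record; a mismatch at the stage-to-stage boundary usually means a count was transcribed from a different version of the search, while a reasons-versus-total mismatch within a stage means one reason count or the stage total needs rechecking against the screening software's export.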

CSC is a recent and increasingly researched topic, as evidenced by the year in which
these studies were published. While only nine studies were found prior to 2015, 29 were
published between 2015 and 2020 and 21 were published between 2021 and March 2023.
Twenty-one studies did not specify the industry of their sample and many recruited
participants from several industries. The most common industrial sectors were Financial /
insurance (19 studies) and Education (14 studies), closely followed by Information /
communication (9) and Human health and social work activities (9) and then Electricity, gas,
steam, air conditioning supply (6) and Professional, scientific, technical activities (6). Other
industry sectors were represented in three or fewer studies.
Most studies took place in Europe (13), Africa (11) or North America (10), with Asia
(7) and Oceania (5) also represented. Five studies were pan-continental and two unspecified.
Table 1 shows the distribution of methods and publication source.

Table 1. Summary of methods and publication sources

Publication source        Conceptual / Review   Qualitative   Quantitative   Mixed-methods
Journal article                    3                 3             19              9
Conference proceedings             3                 4              8              4
Thesis / white paper               1                 -              1              1

3.2. Cybersecurity culture definitions


We used a combination of content and thematic analysis to examine the CSC
definitions extracted from the data. Most studies defined CSC based on Schein’s general
model of organisational culture (2004). In line with our working definition of CSC, these
studies included the main points captured by ENISA, that is, that CSC consists of the norms
and values of people in the organisation regarding cybersecurity and how those manifest in
behaviour. Content analysis revealed common words that appeared in the extracted
definitions (see Table 2), which we used to augment our working definition of CSC.

Table 2. CSC definitions content analysis


Word Count
organisation 89
information 86
values 42
policies and procedures 40
assumptions 31
beliefs 28
attitudes 27
behaviour 26
employees / people 26
knowledge 21
shared 17
systems 15
assets 10
comply 9

Table 3. Themes emerging from the thematic analysis of CSC definitions

Higher-level theme                      Sub-themes
General definitions                     • Organisational-level phenomenon
                                        • Shared values, assumptions, beliefs, and attitudes
Focus                                   • Security / protection of organisation
                                        • Employee behaviour, esp. knowledge of / compliance with policies
Achievability                           • Role conflict / compromise
                                        • Organisational support
                                        • Management not technical
Understanding CSC effect on behaviour   • Tacit assumptions
                                        • Knowledge-sharing
Information SC vs cyber SC              • Protecting information vs response to cyberattacks
                                        • Interchangeable terms
                                        • Individual responsibility

Thematic analysis of the definitions revealed five main themes in the data,
summarised in Table 3. First, CSC can be defined as an organisational-level phenomenon,
referring to the shared values, assumptions, beliefs, and attitudes of employees about the
security of information within the organisation.
Second, there is a distinct focus in the literature on resultant employee behaviour as
the essential outcome, especially how that behaviour may be changed and become a new or
stronger CSC (e.g., da Veiga et al., 2020). CSC shows some distinction from general
organisational culture definitions in that it emphasises knowledge of and compliance with
policies and procedures, as well as highlighting the importance of protecting organisational
systems and assets.

Third, while authors note that cybersecurity should be prioritised to build a strong
CSC, they caution that this requires not just that required behaviours are accepted and
understood by employees, but also that they are achievable within the organisation (Branley-
Bell et al., 2021). That is, the organisation should ensure that employees do not experience
role conflict. For example, normal work duties or culture might encourage speed of task
completion, but cybersecurity procedures might require a slower, more cautious approach.
This conflict can lead to the development of compromises between security and productivity
by utilising security behaviours that enable employees to achieve their work goals but may be
non-compliant. Similarly, organisational support also demonstrates how much the
organisation prioritises cybersecurity (X. Chen & Tyran, 2023). Thus, CSC should not be
viewed solely as a technical problem but as a management issue: it requires top management
involvement and role modelling (Butler & Brown, 2023).
Fourth, the importance of evaluating and understanding an organisation’s CSC is also
highlighted (Nicholson et al., 2019): employees gain much of their understanding of
appropriate work behaviour from their work peers rather than official company policies. It is
therefore these tacit assumptions and values that guide workplace behaviour rather than
written policy. The role of knowledge-sharing is also underscored, emphasising how
employees often seek answers to their queries from peers rather than consulting official
guidelines (Nasir et al., 2019).
Fifth, some authors drew a distinction between information security (IS) and
cybersecurity, with the former involving the protection of organisational information from
unauthorised access or misuse that could disrupt the confidentiality, integrity and availability
of the information, and the latter including the addition of the ability to protect or defend
against cyber-attacks (Huang & Pearlson, 2019). These authors suggest that while both
require compliance with policy, cybersecurity also requires personal involvement in CS.
However, in most of the literature, and indeed the ISO standards, the terms information
security culture (ISC) and cybersecurity culture are used interchangeably, and individual
involvement of employees is assumed to be essential to both. For example, in a detailed study
to develop an understanding of ISC from both an academic and industry perspective, da
Veiga et al. (2020) created a two-paragraph definition that included protection factors and
emphasised personal involvement. Indeed, one of the key shared assumptions in an effective
CSC must be that employees adopt individual responsibility for improving the security of the
organisation’s information systems (Georgiadou et al., 2022). As Alshare et al. (2018, p. 13)
note, “Employees should have a strong sense of treating company data as they would want
their own data to be treated.”

3.3. Models of CSC


In this section, we present the results of our analysis of CSC models as a synthesis of
key findings under two main headings: models of CSC and findings around the relationship
between culture and behaviour. In constructing this synthesis, we evaluated the quality of
models according to their theoretical and empirical support. Theoretically-derived models
identify potential cultural dimensions from theories on how organisational culture is
structured or how it influences behaviour. In contrast, empirically-derived models develop a
set of dimensions from interviews or surveys with subject-matter experts and employees. The
ideal is a model derived from theory and validated empirically.

3.3.1. Theoretically derived CSC models


Schein’s model of organisational culture was used to provide context and theoretical
background for 14 included studies but was rarely used as the basis of a specific measure. As
a framework for CSC, Schein’s model draws attention to the fact that observable behaviours
or policies (aka “artefacts”) are the result of values and underlying assumptions in the culture.
However, as noted in the introduction, while Schein’s model is an important
conceptualisation of culture, it is difficult to measure all aspects of it.
The competing values framework (CVF) of organisational culture was applied to the
study of CSC in four studies, either on its own or integrated with other theoretical models. To
its advantage, this approach inherently acknowledges CSC as a sub-component of
organisational culture and identifies how organisational values will specifically influence
cybersecurity values (see Table 4). Further, it has been used in a meta-analysis of
organisational culture and outcomes, and thus demonstrably provides an effective framework
for synthesis of information (Hartnell et al., 2019).

Table 4. Cultural orientations and CSC (Butler & Brown, 2023)

Cultural orientation   CSC
Rule                   Focus on order, rules and regulations, and uniformity with regards to information security
Goal                   Focus on goal achievement, effectiveness, and benefit-oriented measures with regards to information security
Support                Focus on cooperation, information sharing, trust, and support with regards to information security
Innovation             Focus on creativity, adaptability, and resourcefulness with regards to information security

Findings on CSC using the CVF provide insight into how CSC affects specific
outcomes. A rule-oriented culture positively influences employees’ attitudes towards
compliance as well as increasing the extent to which they feel they have control over their
compliance behaviours (Hu et al., 2012). Perhaps counterintuitively though, compliance with
cybersecurity policies goes beyond just a rule-oriented culture (Butler & Brown, 2023).
Indeed, a goal-oriented culture in the wider organisation also positively influences top
management’s commitment to security, the extent and quality of communication about
security, and the level of monitoring (Solomon & Brown, 2021) as well as employees’
attitudes towards compliance (Hu et al., 2012). We also note that there are complexities in the
relationship between wider culture and CSC that may be contextually-sensitive. For example,
while organisational culture measured on the CVF was found to influence individual
compliance in South Korean banking organisations, the same was not true of US banking
organisations (Kam et al., 2015).

3.3.2. Empirically derived CSC models


Because empirically derived models are developed within unique samples and using
different methods, they rarely show exact overlap. However, when different methods and
approaches result in similar findings, it increases confidence in their generalisability. Here we
summarise the dimensions of CSC models that emerged across several studies, taking into
account judgements of the quality of the evidence, such as appropriate sample size for the
analysis or generalisability of the results. We provide example citations for each summary
dimension and refer the reader to the Supplementary Information (Table 2) for further details.
First, positive attitudes towards CS and towards the organisation itself (for example,
feeling committed to the organisation and wanting to protect it) are important elements of a
CSC (Bounas et al., 2020; Petrič & Roer, 2018). Second, a culture of compliance with
policies and practices makes individual compliance with CS measures more likely (Sharma &
Aparicio, 2022; Tolah et al., 2019). Third, knowledge or awareness of policies is critical: an
employee cannot act in accordance with policies if they do not know them (Da Veiga, 2016;
Nasir et al., 2019). Fourth, security education, training, and awareness (SETA) is highlighted
in most studies as both an element of CSC and an important step in promoting effective CSC
(Ismail et al., 2022; Nasir et al., 2019). Fifth, organisations with better or more extensive
monitoring and security measures signal to employees that CS is important and encourage
compliance (Da Veiga, 2016; Nasir et al., 2019). Finally, several studies identify the
cruciality of top management commitment to CS (Sharma & Aparicio, 2022; Solomon &
Brown, 2021). Without this demonstrated commitment at the highest levels, employees are
less likely to follow CS policies.

3.4. Culture to behaviour


Once a model of CSC has been developed, the next issue to address is how CSC
influences behaviour and, for this, the included papers either adopted one of two main theories to
explain the pathway from culture to behaviour or suggested a variety of unique pathways.
The first theory adopted by authors is the theory of planned behaviour (TPB) (Ajzen, 1991),
which explains how cultural elements such as attitudes and behavioural norms lead to
behaviour, and the second is the competitive organisational dynamics AMC (awareness,
motivation, capability) framework (M.-J. Chen & Miller, 2012). In this section, we present
the results of our analysis, demonstrating how these two theories are applied to CSC and then
turn to the unique pathways suggested in other studies.
The theory of planned behaviour (TPB) posits that an intention to behave in a certain way, for example, to comply with CS policy, is determined by three cultural variables. These are: a person's attitudes towards CS, how people around them seem to behave with regard to CS (norms), and how much control they believe they have over their CS behaviour. When their attitudes and norms are positive and they believe they have significant control over their behaviour, people are more likely to comply with CS expectations. Some authors
incorporated measures of these attitudes, norms and behavioural control into their measures
of CSC (Y. Chen et al., 2015; Hassandoust et al., 2020; Hu et al., 2012), on the basis that a
shared understanding of these elements forms part of the overall CSC. Other authors have
seen these elements instead as outcomes of CSC, arguing that the shared culture influences
individual attitudes and norms (Nasir et al., 2019; 2020) and thus behavioural intentions, such
as resistance to social engineering (Rocha Flores & Ekstedt, 2016). Behaviour and culture
are, of course, interactive. Culture both shapes and is shaped by employee behaviour over
time. Rather than making a false distinction and given that behavioural norms and attitudes
are directly included in many definitions of culture, we recommend including both norms and
attitudes in an overall CSC framework.
The alternative theory adopted by authors to explain the culture-behaviour link is the AMC framework. This framework began as a way of analysing competitive behaviour amongst organisations but has since been applied to CSC to understand how individuals and organisations might react to a cybersecurity threat. To act, the actor must be aware of the threat [1], motivated to respond to it, and have the capability to do so (M.-J. Chen & Miller, 2012). This means that organisations whose members share a high awareness of CS, are strongly motivated to act to protect security, and have the skills, technology, and ability to do so, will have effective CSCs. The benefit of this framework is that, with its origins in competitive organisational dynamics, it is well suited for strategy formulation and implementation.
Several other specific pathways from culture to behaviour were identified in the
literature. Whether these are causal pathways as such or act to moderate the effect of CSC on
behaviour is yet to be determined, but they provide important contextual information for
evaluating CSC effectiveness. Briefly, they are:
Accountability (Amankwa et al., 2021, 2022). Having a supportive organisational
culture increased employees’ feelings of accountability for complying with security policies,
which in turn influenced a culture of compliance with CS policy. Employees felt more
accountable if they expected to be evaluated and were aware of being monitored. There was
also a greater sense of accountability if employees were involved in the development of the
policies and were familiar with them.
Organisational justice (Alshare et al., 2018). CS violations tend to increase when
employees perceive a low level of justice in the organisation, and reduced severity or speed
of sanctions for CS violations.
Organisational learning, or more specifically, sharing knowledge about information
security amongst employees increases the organisation’s overall security culture
(Hassandoust et al., 2020).
Threat and coping appraisal (Sharma & Aparicio, 2022). The greater the perception
of a CS threat and the greater the individual’s belief that they can respond effectively, the
more likely that individual is to act to protect the information.

3.5. CSC-related behaviour


The final element that emerged from our review of the CSC literature was the focus on CSC outcomes. While some studies measured attitudes, motivations or intentions to comply with IS policy as outcomes of CSC (e.g., Hu et al., 2012; Nasir et al., 2019), here we focus on specific behaviours. These included violations of security measures (Alshare et al., 2018), compliance with IS policies (Bauer & Bernroider, 2017; Butler & Brown, 2023; X. Chen & Tyran, 2023; Solomon & Brown, 2021), and security decision making (Parsons et al., 2015). Other studies measured the effect of CSC on organisational-level outcomes, such as the effectiveness of an information security programme (Knapp & Ferrante, 2014) or the overall success of information security (Tejay & Mohammed, 2023).

[1] Despite awareness being a key element of the AMC framework, a substantial number of studies were excluded from this review because they considered only awareness of and training in cybersecurity, rather than CSC more widely. Petrič & Roer (2018) make it clear that awareness is not enough and organisations need to build security cultures in order to change behaviour.
Having reviewed models of CSC and pathways to behaviour, we now turn to review
the tools available for measuring CSC.

3.6. Tools for measuring CSC


Thirty-three of the included studies reported using 21 different measures of CSC, ranging from a comprehensive 85-item / 11-dimension questionnaire to brief 2-item scales (Table 3 in the Supplementary Information). We evaluated measures in terms of basic psychometric criteria, namely internal reliability and factor analysis. Internal reliability (reported as Cronbach's alpha or composite reliability) is the extent to which respondents answer the items on a scale consistently, that is, the items hang together as a single scale; factor analysis shows whether the items load on the same underlying construct. Both reliability and factor analysis information were provided for only eleven measures. Internal reliability was generally good to excellent for these scales (Cronbach alpha > .70 or composite reliability > .80) and factor analyses demonstrated that the items loaded as expected. These measures can therefore be said to meet minimum standards for psychometric evaluation; we appraised them further in terms of their dimensions, items, and overall utility and report the findings below.
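As an added worked example (not code from this review or from any of the measures it cites), the following Python computes Cronbach's alpha for a scale from a response matrix and reports the alpha obtained when each item is dropped in turn, which is the check a practitioner would run on their own survey data before trusting a scale score against the .70 threshold above. The six respondents and five Likert items are constructed here purely for illustration; composite reliability requires factor loadings from a factor analysis and is not computed.

```python
"""Internal-reliability check for a CSC survey scale (Cronbach's alpha).

Added worked example; not code from the review or from any measure it cites.
The response matrix below is constructed: six hypothetical respondents
answering a hypothetical five-item Likert (1-5) scale.
"""
from statistics import variance


def cronbach_alpha(responses):
    """Cronbach's alpha for rows = respondents, columns = items.

    alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))
    Sample variances are used throughout; the ratio is unaffected by ddof.
    """
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least two items and two respondents")
    if any(len(row) != k for row in responses):
        raise ValueError("ragged response matrix (missing answers?)")
    item_vars = [variance(col) for col in zip(*responses)]
    totals = [sum(row) for row in responses]
    total_var = variance(totals)
    if total_var == 0:
        raise ValueError("no variance in total scores; alpha undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def alpha_if_item_deleted(responses):
    """Alpha of the scale with each item removed in turn.

    An item whose removal *raises* alpha is pulling against the rest of the
    scale (mis-keyed, ambiguous, or measuring something else). Needs at least
    three items, otherwise the reduced scale has a single item.
    """
    k = len(responses[0])
    if k < 3:
        return []
    out = []
    for drop in range(k):
        reduced = [[v for i, v in enumerate(row) if i != drop] for row in responses]
        out.append(cronbach_alpha(reduced))
    return out


def evaluate_scale(responses, threshold=0.70):
    """Summarise reliability against the conventional acceptability threshold."""
    a = cronbach_alpha(responses)
    deleted = alpha_if_item_deleted(responses)
    return {
        "alpha": a,
        "meets_threshold": a >= threshold,
        "alpha_if_deleted": deleted,
        # items whose removal would improve alpha; candidates for review
        "weak_items": [i for i, d in enumerate(deleted) if d > a],
    }


# Constructed sample (not real survey data): rows = respondents,
# columns = items 1..5 of a hypothetical five-item scale, values 1..5.
SAMPLE = [
    [5, 5, 4, 5, 4],
    [4, 4, 4, 3, 4],
    [2, 3, 2, 2, 3],
    [3, 3, 3, 4, 3],
    [5, 4, 5, 5, 5],
    [1, 2, 2, 1, 2],
]

if __name__ == "__main__":
    result = evaluate_scale(SAMPLE)
    print(f"alpha = {result['alpha']:.3f}  (meets .70: {result['meets_threshold']})")
    for i, d in enumerate(result["alpha_if_deleted"], start=1):
        print(f"  alpha without item {i}: {d:.3f}")
    print("items to review:", [i + 1 for i in result["weak_items"]] or "none")
```

Alpha is sensitive to the number of items, so a long scale can reach .70 even when individual items are weak; the alpha-if-deleted column is the more useful diagnostic when adapting a published measure to a new organisation.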

3.6.1. Measure details


The original ISCA (Information Security Culture Assessment) is a comprehensive
measure consisting of 11 dimensions (85 items), covering policies, management and change
as well as perceptions of trust and privacy (Da Veiga & Eloff, 2010). The dimensions are 1)
information asset management, 2) IS policies, 3) change, 4) user management, 5) IS program,
6) IS leadership, 7) IS management, 8) trust, 9) training & awareness, 10) privacy perception,
and 11) CS in practice. The ISCA measure is empirically derived, rather than based on a
theoretical model, and has been refined over time, with little detail given on the different
versions or adaptations in the seven studies that used it. We therefore cannot recommend its
use.

A similar multi-factor measure developed through a comprehensive mixed methods
approach identified three main factors (organisational measures, sociological factors and
technical measures) (Arbanas et al., 2021). This measure is not recommended due to the lack
of evidence of its use in another sample and the inclusion of a technical dimension in the
culture measure.
Measures based on the competing values framework of culture were used in three
studies, either alone or in combination with other measures. For example, Solomon and
Brown (2021) used the CVF combined with scales assessing communication, monitoring and
top management commitment to measure a more comprehensive model of CSC. Hu et al. (2012) combined CVF with the TPB model to assess CSC in terms of goal and rule orientation combined with attitudes, subjective norms and perceived behavioural control.
Nasir et al. (2019) combined the TPB with an empirically derived model of security
culture and developed a validated questionnaire that measures culture on seven dimensions
(procedure countermeasures, risk management, security education training and awareness,
top management commitment, monitoring, IS knowledge, and IS knowledge sharing) along
with scales for attitudes, norms, and behavioural control from TPB.
A measure of CSC based on the AMC culture-to-behaviour pathway was used in five
studies. While the exact items and subscales varied among the studies, overall, this measure
assesses employee awareness of CS as well as motivation and capability for action. The most
comprehensive version of this measure (X. Chen & Tyran, 2023) measures awareness,
motivation and capability as well as behavioural norms and organisational support.
Motivation is further assessed in terms of three subscales: perceived rewards and penalties as
well as perceived vulnerability to threat. Where employees are rewarded for compliance,
penalised for non-compliance and perceive the organisation is more vulnerable to the threat,
they are more motivated to act. With a total of 25 items, this is a comprehensive yet concise
measurement tool for a well-validated and theoretically underpinned model of CSC and its
effects on behaviour.
The remaining studies used unique measures of CSC, with item numbers ranging
from two to six. Because their use is mostly limited to single studies, their functionality in
other samples has not yet been demonstrated. However, if a brief measure of CSC is needed,
the best would appear to be one based on the AMC model with only 5 items, which has an
alpha reliability >.90, clear factor loading and has been tested in two distinct samples (Knapp
et al., 2006; Knapp & Ferrante, 2014).

3.6.2. Comprehensiveness of this review
Two systematic reviews of CSC measures identified in this REA provided no new
measures. The first systematic review (Sas et al., 2021) identified 4 measures, all of which
were already included in this REA. The second review identified 19 measures (Orehek &
Petrič, 2021), all of which were either a) already included in this REA, b) rated by the authors
of the systematic review as lacking in empirical evidence or c) did not conform to our
definition of CSC (for example, including measures of budget or technology). Overall, this
indicates that the primary studies we synthesise here comprehensively cover the current state
of the art in this field.

4. Discussion
CSC is increasingly recognised as essential to understanding human cybersecurity
behaviour. An organisation may have excellent regulations or guidelines to safeguard
information but if the organisational CSC is weak and employees do not value cybersecurity,
the security of that organisation is threatened. With a positive, strong CSC, employees
believe that CS is a shared responsibility and an integral part of their role (Orehek & Petrič,
2021).
The aim of this REA was to synthesise knowledge about cybersecurity culture to
develop a framework of CSC and recommend measurement tools. To achieve this objective,
we systematically searched a multidisciplinary database (SCOPUS) and performed citation
analysis. Following screening, 52 studies were identified as fulfilling the inclusion criteria;
that is, containing substantive content relevant to CSC frameworks and measurements. Of
these, 33 also developed or used measures of CSC in their research. Based on our analysis,
here we propose an evidence-based framework for CSC that can be utilised across various
sectors and tailored to specific organisations, and then recommend potential tools to use when
measuring it.
Some authors have already begun the work of combining CSC models with
behaviours. For example, CSC was conceptualised as shared assumptions based on Schein’s
model of culture, combined with elements of the theory of planned behaviour in two studies
(Y. Chen et al., 2015; Hassandoust et al., 2020), allowing the authors to identify antecedents
and outcomes of CSC. Similarly, a study using the CVF culture model combined with the
theory of planned behaviour showed how organisational cultural values interacted with
attitudes, norms and perceived behavioural control to predict employees' intention to comply with CS expectations (Hu et al., 2012). In the remainder of this paper, we introduce a complete, integrated Cybersecurity Culture-Behaviour (CSCB) framework.

4.1. The Cybersecurity Culture-Behaviour framework


Organisational culture is widely recognised as exerting considerable influence on
employees’ behaviour and organisational success or failure (Schein, 2004). Combined with
the recognition that CSC is a sub-component of, embedded within, and heavily influenced by,
overall organisational culture, it is essential to include some measure of CSC that is drawn
from established models of organisational culture. We incorporated the competing values
framework (CVF), based on the value dimensions of flexibility-control and internal-external
focus (Quinn & Rohrbaugh, 1983), in the final framework of CSC we present here. Our
justification is three-fold. First, the CVF was the most widely used for the development of
measures of CSC in this review and is applicable across a variety of organisations. Second, as
noted in the introduction, the CVF is particularly well suited to understanding CSC as a sub-
component of organisational culture in specific organisational applications. And third, the
CVF has shown the most promise in terms of identifying how and when CSC influences
behaviour.
The effect of culture on behaviour is of paramount importance when considering CSC
measurement, as managing and improving cybersecurity behaviour is the ultimate goal of
developing an effective CSC. We therefore propose key variables from well-supported
theories of the culture-behaviour link to include in the overall CSC framework. Both the
theory of planned behaviour (TPB) (Ajzen, 1991) and the awareness-motivation-capability
(AMC) framework (M.-J. Chen & Miller, 2012) have proven valuable and productive in CSC
research. Although representing opposite ends of the spectrum in understanding behaviour at
work, namely individual behaviour (TPB) and organisational behaviour (AMC), these two
theories show significant similarities in their components, and we propose a model that
combines the key factors of each.
The awareness factor of AMC is a critical component of CSC in empirical studies as
well as the theoretically derived models. Awareness of CS represents the necessity of
behaviour to protect information: with no awareness of potential threats or how to combat
them, individuals will not act.
The motivation factor of AMC represents how likely an individual is to act, given
they are aware of the need. This shows conceptual overlap with the attitudes and behavioural
norms elements from TPB. The more positive an individual's attitude towards the organisation, the more likely they are to be motivated to act in a way that protects the
organisation. Similarly, if the individual perceives that those around them are behaving
proactively to protect the organisation and complying with CS requirements, they will be
more motivated to behave in this way too.
The capability factor of AMC is an individual’s ability to respond to threats or behave
in a way that protects the organisation and is determined by that person’s perception of the
extent to which they can control their own behaviour (the third element of TPB). This in turn
is based on their understanding of and ability to behave in the way the organisation expects.
These elements, when viewed as shared assumptions about ‘the way cybersecurity is done
around here’ contribute to a holistic view of cybersecurity culture.
Finally, because culture and behaviour mutually influence each other, we include key
behaviours related to CSC. These can be classified as in-role and extra-role behaviours to
support CS in the organisation (Huang & Pearlson, 2019). In-role behaviours are CS
behaviours that are part of the official job role, such as complying with formal security
policies, while extra-role behaviours are actions that the employee takes that are not part of
their official role. These extra-role behaviours include helping (cooperative behaviour,
providing answers to others who may have CS questions) and voicing (offering knowledge
and suggestions to improve CS).
Combining these elements results in a cybersecurity culture-behaviour framework
(Figure 2) that is theoretically grounded, with good empirical support for its constituent
elements, can be tailored for internal organisational evaluation, and is generalisable enough
that it can be used for external benchmarking.

[Figure 2, flattened in extraction; recoverable content only. The framework has three columns:
Cultural dimensions (CVF): Flexibility vs Control; Internal focus vs External focus.
Culture-Behaviour link: Awareness; Motivation (attitudes, behavioural norms); Capability (perceived behavioural control).
Behaviours: In-role behaviours (compliance with policies); Extra-role behaviours (helping and voicing).]

Figure 2. The cybersecurity culture-behaviour (CSCB) framework

4.2. Recommended tools for assessing the CSCB framework


Based on the analysis of eligible studies in this REA, we can make three main
recommendations for measurement tools, depending on the required depth of analysis vs
resources and time available. For situations when there is limited time available for
respondents to complete the measure and / or a quick overview of current CSC is needed, we
recommend a short, 5 item measure of CSC based on the AMC model of cybersecurity
culture (Knapp & Ferrante, 2014). This has been used in several studies with a range of
respondents and has shown excellent reliability in different contexts.
For situations where there is greater time available and / or a more detailed evaluation
of CSC is needed but there is not the resource available to develop a unique, context-
validated measure, we recommend a measure incorporating the AMC and two scales for the
wider organisational cybersecurity context (X. Chen & Tyran, 2023). With a total of 25
items, this questionnaire should take only 5-10 minutes to complete but gives a more
comprehensive measure of CSC on the following subscales: awareness, motivation (assessed
as perceived penalties, rewards and vulnerability), compliance and organisational CS context
(assessed as norms and organisational support).
Finally, if a measure specific to the organisation is required, we recommend the
development of one based on the CSCB framework outlined above and utilising the following questionnaires. For CSC cultural values, the 12-item measure as used by Butler and
Brown (2023) allows for the scoring of cultural values in terms of rule, goal, support, or
innovation orientation. For the culture-behaviour link, we recommend the awareness,
motivation and capability subscales (X. Chen & Tyran, 2023), plus attitude, subjective norms
and perceived behavioural control subscales (Hu et al., 2012; Nasir et al., 2019). In terms of
measuring the behaviours element of the framework, while generic measures could be used
(e.g., Solomon & Brown, 2021), ideally this measure will be tailored to the specific
organisation. Tailoring would allow more accurate identification of the behaviours of concern
in the precise cybersecurity context, as well as enabling the distinction between in-role and
extra-role behaviours that are of value in that workplace.

4.3. Theoretical implications


This REA and resulting CSCB framework have substantial implications for theory.
First, by demonstrating that CSC can be defined and measured in terms of established
organisational culture models, we allow researchers and practitioners to make use of the
significant organisational culture literature. There is no need to reinvent the wheel when
considering key questions about the extent to which culture can be changed. Instead, we can
refer to published studies on these topics and use the CSCB framework to consider how the
findings may be applied to the specific context of CSC. For example, a recent study identified
several pathways to successful culture change (Tasoulis et al., 2023). The conditions for
success (such as empowerment and training) and their combinations highlighted in that study
can be integrated into the CSCB framework. For example, empowering workers helps to
build capability, a part of the culture-behaviour link in the CSCB framework, and we could
therefore expect that an intervention to improve employees’ sense of empowerment in CS
could help to translate a good CS culture to desired behaviour.
Second, by drawing out the similarities between TPB and AMC in terms of their
contribution to the culture-behaviour link, the CSCB framework allows for the integration of
theory and empirical findings from these two major strands into the nascent field of CSC
research. A recent experimental study demonstrated the utility of the TPB in explaining
susceptibility to spear phishing attacks (Aleroud et al., 2020) and made recommendations for
improving security that may be generalised to other areas utilising the same underlying
theory. Similarly, recent work utilising the AMC theory of the culture-behaviour link showed
that social media norms had a greater influence on people’s attitudes than physical-world
norms, but that both are effective in changing attitudes over time (Gao et al., 2022). The CSCB framework provides a straightforward means for integrating findings based on these
broader theories into the CSC-specific research literature.
Third, the CSCB framework emphasises the key role of workplace behaviours in the
study of CSC. Behaviour when dealing with potential cyber threats can be understood as an
interaction between the individual’s attitudes, motivation, and capability, and the
organisational or group-level cultural norms. Indeed, these behavioural outcomes
demonstrate that CSC is not simply a concept of theoretical interest but has significant effects
on outcomes of substantial economic and personal importance.

4.4. Practical implications


In this REA we have outlined an integrative CSCB framework and provided
recommendations for specific measures that can be used for each element, tailored to time
and resource availability. Practitioners can use these measures to make an instant snapshot
evaluation of their current CSC as well as to build a picture of change as data is gathered over
time. These data can be used to formulate, direct, and adapt CS strategies to ensure their
success in strengthening CSCB.
Because the framework directly reflects generalised models of organisational culture,
it can also be used to identify areas where the CSC contrasts with wider organisational
culture, or even where the current organisational culture might come into conflict with the
desired CSC and therefore need greater effort and resource for change. For example, if the
organisational culture is highly oriented towards innovation but the approach to CSC requires
a strong rule orientation, the norms of the wider organisation will act to undermine attempts
to improve CS behaviours. Orienting CS strategy to wider organisational norms is key to
success. Developing a preventative and policing CS strategy (Choo, 2011), for example,
could not only flourish within an organisational culture that values security but also help to
build it.
Culture change is a slow and difficult process, and the failure of culture change
interventions is often due to a lack of feedback about how change is proceeding and
embedding (Churruca et al., 2023). The CSCB framework developed here elucidates the link
between culture and behaviour, thereby giving managers and practitioners guidance on how
they can measure the effectiveness of attempted culture change in terms of desired
behaviours or performance benchmarks. Significantly, the ability to tailor the measured
behaviours enables organisations to focus on the key behaviours they require while also benefitting from the substantive research that has been conducted on general organisational
culture-behaviour effects.
Distinguishing between the elements that make up the link between culture and
behaviour also allows managers and trainers to determine where barriers to effective
cybersecurity behaviour may lie in their own team or organisation. For example, if evaluation
identifies that employees’ motivation to behave in a secure manner is high but their capability
is low, focus groups or interviews with the employees could identify the factors that are
disempowering them. If attitudes towards CSC are poor, training strategies can be developed
to ensure that the importance of CSC and personal responsibility are communicated and
understood by employees, and role-modelled by top management.

4.5. Limitations
The CSC literature is relatively new and much of the research has been carried out
with IT professionals or management in private organisations. A significant gap in the
literature exists around theory-led, empirically substantiated studies on CSC within specific
settings. While we have drawn on literature about organisational culture in general to make
recommendations here, there may well be CSC factors unique to specific industries or
organisations that have not yet been identified in published research and therefore not present
in this review.
Similarly, while we have recommended a framework with good evidence to support
the component elements, and it has the advantage of drawing on both theoretical and
empirical support, it should be noted that none of the research summarised and evaluated here
has subjected this overall framework to validation. While there is good evidence from several
studies that CSC is best conceptualised in terms of an evaluation of organisational culture
applied to the cybersecurity context plus an evaluation of employee perceptions and norms
for behaviour, it remains for future research to assess the utility of this CSCB framework
overall.
Finally, as a REA, this review does not provide the same level of comprehensiveness
that would be expected from a full systematic review. It is possible that there are studies that
have been missed, though we have taken several steps to combat this. First, the search string
was piloted with eligible studies from an identified systematic review (Mwim & Mtsweni,
2022) acting as the gold standard data set. Second, we conducted citation analysis for all
included studies and identified further papers from this. Third, we compared our review of
measures to two systematic reviews of similar measures (Orehek & Petrič, 2021; Sas et al., 2021) and found no substantial gaps in our approach. Indeed, we were able to identify and
review more measures than either of these systematic reviews.

5. Conclusion
A strong CSC is critical to the success of any cybersecurity effort and understanding
and measuring CSC is essential if it is to succeed. This review has systematically assessed the
evidence for CSC in the academic literature, developed an integrative framework for
understanding and measuring CSC that can be applied to specific industries or organisations,
and recommended specific measures for different applications.

6. References

Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. https://doi.org/10.1016/0749-5978(91)90020-T
Aleroud, A., Abu-Shanab, E., Al-Aiad, A., & Alshboul, Y. (2020). An examination of
susceptibility to spear phishing cyber attacks in non-English speaking communities.
Journal of Information Security and Applications, 55.
https://doi.org/10.1016/j.jisa.2020.102614
Alshare, K. A., Lane, P. L., & Lane, M. R. (2018). Information security policy compliance: a
higher education case study. Information & Computer Security, 26(1), 91–108.
https://doi.org/10.1108/ICS-09-2016-0073
Amankwa, E., Loock, M., & Kritzinger, E. (2021). Information Security Policy Compliance
Culture. International Journal of Technology and Human Interaction, 17(4), 75–91.
https://doi.org/10.4018/IJTHI.2021100105
Amankwa, E., Loock, M., & Kritzinger, E. (2022). The determinants of an information
security policy compliance culture in organisations: the combined effects of
organisational and behavioural factors. Information & Computer Security, 30(4), 583–
614. https://doi.org/10.1108/ICS-10-2021-0169
Arbanas, K., Spremic, M., & Zajdela Hrustek, N. (2021). Holistic framework for evaluating
and improving information security culture. Aslib Journal of Information Management,
73(5), 699–719. https://doi.org/10.1108/AJIM-02-2021-0037

Bauer, S., & Bernroider, E. W. N. (2017). From Information Security Awareness to Reasoned
Compliant Action. ACM SIGMIS Database: The DATABASE for Advances in
Information Systems, 48(3), 44–68. https://doi.org/10.1145/3130515.3130519
Bounas, K., Georgiadou, A., Kontoulis, M., Mouzakitis, S., & Askounis, D. (2020). Towards
a Cybersecurity Culture Tool through a Holistic, Multi-dimensional Assessment
Framework. Proceedings of the 13th IADIS International Conference Information
Systems 2020, 135–139. https://doi.org/10.33965/is2020_202006C016
Bower, M. (1966). The will to manage: corporate success through programmed
management. McGraw-Hill. https://books.google.co.uk/books?id=_5xEAAAAIAAJ
Branley-Bell, D., Coventry, L., & Sillence, E. (2021). Promoting Cybersecurity Culture
Change in Healthcare. 14th ACM International Conference on PErvasive Technologies
Related to Assistive Environments, PETRA 2021, 544–549.
https://doi.org/10.1145/3453892.3461622
Braun, V., & Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77–101. https://doi.org/10.1191/1478088706qp063oa
Butler, K. J., & Brown, I. (2023). COVID-19 pandemic-induced organisational cultural shifts
and employee information security compliance behaviour: a South African case study.
Information & Computer Security, 31(2), 221–243. https://doi.org/10.1108/ICS-09-
2022-0152
Chang, S. E., & Lin, C. S. (2007). Exploring organizational culture for information security
management. Industrial Management and Data Systems, 107(3), 438–458.
https://doi.org/10.1108/02635570710734316
Chen, M.-J., & Miller, D. (2012). Competitive Dynamics: Themes, Trends, and a Prospective
Research Platform. Academy of Management Annals, 6(1), 135–210.
https://doi.org/10.5465/19416520.2012.660762
Chen, X., & Tyran, C. K. (2023). A Framework for Analyzing and Improving ISP
Compliance. Journal of Computer Information Systems, 1–16.
https://doi.org/10.1080/08874417.2022.2161024
Chen, Y., Ramamurthy, K., & Wen, K. W. (2015). Impacts of comprehensive information
security programs on information security culture. Journal of Computer Information
Systems, 55(3), 11–19. https://doi.org/10.1080/08874417.2015.11645767
Choo, K. K. R. (2011). The cyber threat landscape: Challenges and future research directions.
Computers and Security, 30(8), 719–731. https://doi.org/10.1016/j.cose.2011.08.004

Churruca, K., Westbrook, J., Bagot, K. L., Mcmullan, R. D., Urwin, R., Cunningham, N., Mitchell, R., Hibbert, P., Sunderland, N., Loh, E., & Taylor, N. (2023). Retrospective analysis of factors influencing the implementation of a program to address unprofessional behaviour and improve culture in Australian hospitals. BMC Health Services Research, 23, 584. https://doi.org/10.1186/s12913-023-09614-1
Cooper, M. D. (2000). Towards a model of safety culture. Safety Science, 36(2), 111–136. https://doi.org/10.1016/S0925-7535(00)00035-7
Da Veiga, A. (2016). A cybersecurity culture research philosophy and approach to develop a valid and reliable measuring instrument. 2016 SAI Computing Conference (SAI), 1006–1015. https://doi.org/10.1109/SAI.2016.7556102
da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. (2020). Defining organisational information security culture—Perspectives from academia and industry. Computers & Security, 92, 101713. https://doi.org/10.1016/j.cose.2020.101713
Da Veiga, A., & Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196–207. https://doi.org/10.1016/j.cose.2009.09.002
Dhawan, S. M., Gupta, B. M., & Elango, B. (2021). Global Cyber Security Research Output (1998–2019): A Scientometric Analysis. Science & Technology Libraries, 40(2), 172–189. https://doi.org/10.1080/0194262X.2020.1840487
ENISA. (2017). Cyber Security Culture in organisations. https://doi.org/10.2824/10543
Falconer, B. T. (2006). Attitudes to safety and organisational culture in Australian military aviation. University of New South Wales.
FBI. (2023). FBI Internet Crime Report 2022. www.ic3.gov
Gao, S., Wang, Y., & Webster, G. D. (2022). Causal Modeling of Descriptive Social Norms from Twitter and the Physical World on Expressed Attitudes Change: A Case Study of COVID-19 Vaccination. Cyberpsychology, Behavior and Social Networking, 25(12), 769–775. https://doi.org/10.1089/cyber.2022.0153
Georgiadou, A., Mouzakitis, S., Bounas, K., & Askounis, D. (2022). A Cyber-Security Culture Framework for Assessing Organization Readiness. Journal of Computer Information Systems, 62(3), 452–462. https://doi.org/10.1080/08874417.2020.1845583
Gough, D., Thomas, J., & Oliver, S. (2012). Clarifying differences between review designs and methods. Systematic Reviews, 1(1). https://doi.org/10.1186/2046-4053-1-28
Hartnell, C. A., Ou, A. Y., Kinicki, A. J., Choi, D., & Karam, E. P. (2019). A Meta-Analytic Test of Organizational Culture’s Association With Elements of an Organization’s System and Its Relative Predictive Validity on Organizational Outcomes. Journal of Applied Psychology. https://doi.org/10.1037/apl0000380
Hassandoust, F., Maduka, S., Allen, N., & Johnston, C. (2020). The Establishment of Information Security Knowledge Sharing in Organizations: Antecedents and Consequences. Pacific Asia Conference on Information Systems, 1–14. https://aisel.aisnet.org/pacis2020
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture. Decision Sciences, 43(4), 615–660. https://doi.org/10.1111/j.1540-5915.2012.00361.x
Huang, K., & Pearlson, K. (2019). For What Technology Can’t Fix: Building a Model of Organizational Cybersecurity Culture. 52nd Hawaii International Conference on System Sciences, 6398–6407. https://hdl.handle.net/10125/60074
Ismail, S., Ismail, M. N., Ahmad, A., & Khairuddin, M. A. (2022). Exploring the information security culture within industrial control systems organisations: Expert reviews. AIP Conference Proceedings, 2617, 050005. https://doi.org/10.1063/5.0120877
Kam, H.-J., Katerattanakul, P., & Hong, S.-G. (2015). A Tale of Two Cities: Information Security Policy Compliance of the Banking Industry in the United States and South Korea. 23rd European Conference on Information Systems, 1–16. http://aisel.aisnet.org/ecis2015_cr/90
Khangura, S., Konnyu, K., Cushman, R., Grimshaw, J., & Moher, D. (2012). Evidence summaries: The evolution of a rapid review approach. Systematic Reviews, 1(1). https://doi.org/10.1186/2046-4053-1-10
Knapp, K. J., & Ferrante, C. J. (2014). Information Security Program Effectiveness in Organizations. Journal of Organizational and End User Computing, 26(1), 27–46. https://doi.org/10.4018/joeuc.2014010102
Knapp, K. J., Marshall, T. E., Kelly Rainer, R., & Nelson Ford, F. (2006). Information security: management’s effect on culture and policy. Information Management & Computer Security, 14(1), 24–36. https://doi.org/10.1108/09685220610648355
Liu, G., Tsui, E., & Kianto, A. (2021). Knowledge-friendly organisational culture and performance: A meta-analysis. Journal of Business Research, 134, 738–753. https://doi.org/10.1016/j.jbusres.2021.05.048
Mwim, E. N., & Mtsweni, J. (2022). Systematic Review of Factors that Influence the Cybersecurity Culture. IFIP Advances in Information and Communication Technology, 658 IFIP, 147–172. https://doi.org/10.1007/978-3-031-12172-2_12
Nasir, A., Abdullah Arshah, R., & Ab Hamid, M. R. (2019). A dimension-based information security culture model and its relationship with employees’ security behavior: A case study in Malaysian higher educational institutions. Information Security Journal: A Global Perspective, 28(3), 55–80. https://doi.org/10.1080/19393555.2019.1643956
Nasir, A., Arshah, R. A., & Hamid, M. R. A. (2020). Information Security Culture for Guiding Employee’s Security Behaviour: A Pilot Study. 2020 6th International Conference on Information Management (ICIM), 205–209. https://doi.org/10.1109/ICIM49319.2020.244699
Nicholson, J., Coventry, L., & Briggs, P. (2019). Introducing the cybersurvival task: Assessing and addressing staff beliefs about effective cyber protection. 14th Symposium on Usable Privacy and Security, SOUPS 2018, 443–457. https://www.scopus.com/inward/record.uri?eid=2-s2.0-85067287106&partnerID=40&md5=1162f2bfd32e705d9489156b7cdc78d6
Orehek, Š., & Petrič, G. (2021). A systematic review of scales for measuring information security culture. Information & Computer Security, 29(1), 133–158. https://doi.org/10.1108/ICS-12-2019-0140
Parsons, K. M., Young, E., Butavicius, M. A., McCormac, A., Pattinson, M. R., & Jerram, C. (2015). The Influence of Organizational Information Security Culture on Information Security Decision Making. Journal of Cognitive Engineering and Decision Making, 9(2), 117–129. https://doi.org/10.1177/1555343415575152
Petrič, G., & Roer, K. (2018). To measure security culture: A scientific approach.
Quinn, R. E., & Rohrbaugh, J. (1983). A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis. Management Science, 29(3), 363–377. https://doi.org/10.1287/mnsc.29.3.363
Rachman, M., Mees, B., & Fry, S. (2016). The Influence of Indonesian National and Military Organisational Culture on Safety Management Systems. Journal of Safety Studies, 2(2), 116. https://doi.org/10.5296/jss.v2i2.10445
Rocha Flores, W., & Ekstedt, M. (2016). Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers & Security, 59, 26–44. https://doi.org/10.1016/j.cose.2016.01.004
Sas, M., Hardyns, W., van Nunen, K., Reniers, G., & Ponnet, K. (2021). Measuring the security culture in organizations: a systematic overview of existing tools. Security Journal, 34(2), 340–357. https://doi.org/10.1057/s41284-020-00228-4
Schein, E. H. (2004). Organizational Culture and Leadership (3rd ed.). Jossey-Bass. https://doi.org/10.1080/09595230802089917
Sharma, S., & Aparicio, E. (2022). Organizational and team culture as antecedents of protection motivation among IT employees. Computers & Security, 120, 102774. https://doi.org/10.1016/j.cose.2022.102774
Solomon, G., & Brown, I. (2021). The influence of organisational culture and information security culture on employee compliance behaviour. Journal of Enterprise Information Management, 34(4), 1203–1228. https://doi.org/10.1108/JEIM-08-2019-0217
Sutton, A. (2018). People, Management and Organizations. Palgrave Macmillan.
Tasoulis, K., Pappas, I. O., Vlachos, P., & Oruh, E. S. (2023). Employee reactions to planned organizational culture change: A configurational perspective. Human Relations. https://doi.org/10.1177/00187267231183305
Tejay, G. P. S., & Mohammed, Z. A. (2023). Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective. Information & Management, 60(3), 103751. https://doi.org/10.1016/j.im.2022.103751
Tolah, A., Furnell, S. M., & Papadaki, M. (2019). A Comprehensive Framework for Understanding Security Culture in Organizations. In IFIP Advances in Information and Communication Technology (Vol. 557, pp. 143–156). Springer New York LLC. https://doi.org/10.1007/978-3-030-23451-5_11
Tompson, L., & Belur, J. (2016). Information retrieval in systematic reviews: a case study of the crime prevention literature. Journal of Experimental Criminology, 12(2), 187–207. https://doi.org/10.1007/s11292-015-9243-x
van den Berg, P. T., & Wilderom, C. P. M. (2004). Defining, Measuring, and Comparing Organisational Cultures. Applied Psychology, 53(4), 570–582. https://doi.org/10.1111/j.1464-0597.2004.00189.x