{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,20]],"date-time":"2026-02-20T18:26:37Z","timestamp":1771611997386,"version":"3.50.1"},"reference-count":94,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,5,12]],"date-time":"2025-05-12T00:00:00Z","timestamp":1747008000000},"content-version":"vor","delay-in-days":131,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004329","name":"Slovenian Research and Innovation Agency","doi-asserted-by":"crossref","award":["L5-50163"],"award-info":[{"award-number":["L5-50163"]}],"id":[{"id":"10.13039\/501100004329","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100004329","name":"Slovenian Research and Innovation Agency","doi-asserted-by":"crossref","award":["P5-0168"],"award-info":[{"award-number":["P5-0168"]}],"id":[{"id":"10.13039\/501100004329","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The reporting of phishing emails plays a critical role in enhancing organizational resilience to cyber threats. Timely reporting enables organizations to adapt dynamically to potential attacks, mitigating potential financial costs, and disruptions to business operations. While phishing susceptibility has been extensively examined in research, studies on the drivers and barriers to employees\u2019 reporting of suspicious emails remain limited. Even fewer studies have examined how organizational processes and characteristics, particularly information security culture (ISC), shape this proactive protective behaviour. This study aims to investigate (a) how ISC factors\u2014IS-supportive norms, the quality of IS-related communication, awareness and understanding of IS policies, IS knowledge, attitudes to IS, and sense of responsibility\u2014influence the reporting of phishing emails and (b) whether the proposed research model exhibits cross-cultural structural equivalence. Data were collected via an online survey panel, sampling employees from medium and large organizations in Germany (n\u00a0=\u00a0306), the UK (n\u00a0=\u00a0205), and the USA (n\u00a0=\u00a0506). A multigroup structural equation-modelling approach was employed to analyse the data. The findings highlight the pivotal role of IS-supportive norms, policy awareness, and knowledge in shaping employees\u2019 attitudes and sense of responsibility, which, in turn, positively influence phishing email reporting. The quality of IS-related communication processes emerged as a complex and double-edged factor: while accessible and effective two-way communication fostered phishing email reporting, it simultaneously reduced employees\u2019 sense of responsibility and led to less favourable attitudes towards IS. Overall, the ISC and phishing-reporting model demonstrated good cross-cultural stability. IS-supportive norms, communication quality, awareness of policies, and knowledge influence employees\u2019 attitudes, sense of responsibility, and phishing reporting (directly or indirectly) consistently across countries. However, notable differences were also observed. For example, in Germany, attitudes towards IS were a stronger predictor of phishing reporting, whereas in the UK and USA, a sense of responsibility was more influential. The study advances the understanding of ISC as a determinant of phishing email reporting and offers practical recommendations for strengthening organizational strategies that promote reporting behaviour and improve resilience against cyber threats.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf011","type":"journal-article","created":{"date-parts":[[2025,5,12]],"date-time":"2025-05-12T14:16:20Z","timestamp":1747059380000},"source":"Crossref","is-referenced-by-count":3,"title":["Information security culture and phishing-reporting model: structural equivalence across Germany, UK, and USA"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5975-5318","authenticated-orcid":false,"given":"Gregor","family":"Petri\u010d","sequence":"first","affiliation":[{"name":"Full Professor, Faculty of Social Sciences, Centre for Methodology and Informatics, University of Ljubljana , Kardeljeva ploscad 5, SI-1000 Ljubljana ,","place":["Slovenia"]}]},{"given":"John N","family":"Just","sequence":"additional","affiliation":[{"name":"Chief Learning Officer, KnowBe4, Inc. , 33 N Garden Ave, Ste 1200, Clearwater, FL 33755 ,","place":["United States"]}]}],"member":"286","published-online":{"date-parts":[[2025,5,12]]},"reference":[{"key":"2025051210161181500_bib1","first-page":"1","article-title":"The influence of human factors on the intention to report phishing emails","volume-title":"Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, Hamburg, Germany, 2023","author":"Marin"},{"key":"2025051210161181500_bib2","first-page":"5","article-title":"Enhancing cybersecurity awareness training: a comprehensive phishing exercise approach","volume":"14","author":"Miranda","year":"2018","journal-title":"Int Manag Rev"},{"key":"2025051210161181500_bib3","article-title":"Phishing activity trends Report\u20143rd quarter 2024","author":"Anti-Phishing Working Group, Inc."},{"key":"2025051210161181500_bib4","article-title":"2024 Data breach investigations report","author":"Verizon"},{"key":"2025051210161181500_bib5","article-title":"Business email compromise: the $55 billion scam","author":"Federal Bureau of Investigation"},{"key":"2025051210161181500_bib6","doi-asserted-by":"publisher","first-page":"103387","DOI":"10.1016\/j.cose.2023.103387","article-title":"Mitigation strategies against phishing attacks: a systematic literature review","volume":"132","author":"Naqvi","year":"2023","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib7","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1108\/ICS-02-2021-0021","article-title":"Response to a phishing attack: persuasion and protection motivation in an organizational context","volume":"30","author":"Bayl-Smith","year":"2021","journal-title":"ICS"},{"key":"2025051210161181500_bib8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1177\/2158244021990656","article-title":"Phishing for long tails: examining organizational repeat clickers and protective stewards","volume":"11","author":"Canham","year":"2021","journal-title":"SAGE Open"},{"key":"2025051210161181500_bib9","article-title":"Phishing attacks: defending your organization","author":"National Cyber Security Centre"},{"key":"2025051210161181500_bib10","first-page":"1","article-title":"The effects of group discussion and role-playing training on self-efficacy, support-seeking, and reporting phishing emails: evidence from a mixed-design experiment","volume-title":"Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, Honolulu, HI","author":"Chen","year":"2024"},{"key":"2025051210161181500_bib11","first-page":"117","article-title":"Investigating the effect of phishing believability on phishing reporting","author":"Kersten"},{"key":"2025051210161181500_bib12","doi-asserted-by":"publisher","first-page":"101343","DOI":"10.1016\/j.tele.2020.101343","article-title":"Why do users not report spear phishing emails?","volume":"48","author":"Kwak","year":"2020","journal-title":"Telem Inform"},{"key":"2025051210161181500_bib13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3469886","article-title":"Human factors in phishing attacks: a systematic literature review","volume":"54","author":"Desolda","year":"2022","journal-title":"ACM Comput Surv"},{"key":"2025051210161181500_bib14","doi-asserted-by":"publisher","first-page":"102996","DOI":"10.1016\/j.ijhcs.2023.102996","article-title":"Indicators of employee phishing email behaviours: intuition, elaboration, attention, and email typology","volume":"172","author":"Buckley","year":"2023","journal-title":"Int J Hum Comput Stud"},{"key":"2025051210161181500_bib15","article-title":"Communication is crucial in the fight against phishing scams [opinion]","author":"Carpenter","year":"2021","journal-title":"Inform Secur Mag"},{"key":"2025051210161181500_bib16","doi-asserted-by":"publisher","first-page":"793","DOI":"10.1080\/07421222.2022.2096551","article-title":"Improving phishing reporting using security gamification","volume":"39","author":"Jensen","year":"2022","journal-title":"J Manag Inf Syst"},{"key":"2025051210161181500_bib17","article-title":"Proofpoint: 2024 State of the phish\u2014Today's cyber threats and phishing protection"},{"key":"2025051210161181500_bib18","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1186\/s13673-020-00237-7","article-title":"Don't click: towards an effective anti-phishing training. A comparative literature review","volume":"10","author":"Jampen","year":"2020","journal-title":"Hum Cent Comput Inf Sci"},{"key":"2025051210161181500_bib19","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.ijhcs.2018.06.004","article-title":"Exploring susceptibility to phishing in the workplace","volume":"120","author":"Williams","year":"2018","journal-title":"Int J Hum Comput Stud"},{"key":"2025051210161181500_bib20","first-page":"842","article-title":"Phishing in organizations: findings from a large-scale and long-term study","author":"Lain"},{"key":"2025051210161181500_bib21","doi-asserted-by":"publisher","first-page":"1146","DOI":"10.1177\/0093650215627483","article-title":"Suspicion, cognition, and automaticity model of phishing susceptibility","volume":"45","author":"Vishwanath","year":"2018","journal-title":"Commun Res"},{"key":"2025051210161181500_bib22","doi-asserted-by":"publisher","first-page":"242","DOI":"10.1016\/j.cose.2012.10.003","article-title":"Security-related behavior in using information systems in the workplace: a review and synthesis","volume":"32","author":"Guo","year":"2013","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib23","doi-asserted-by":"publisher","first-page":"104110","DOI":"10.1016\/j.cose.2024.104110","article-title":"Towards a cybersecurity culture-behaviour framework: a rapid evidence review","volume-title":"Comput Secur","author":"Sutton","year":"2024"},{"key":"2025051210161181500_bib24","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1016\/j.cose.2009.09.002","article-title":"A framework and assessment instrument for information security culture","volume":"29","author":"Da\u00a0Veiga","year":"2010","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib25","first-page":"49","article-title":"Information security culture: a comparative analysis of four assessments","volume-title":"Proceedings of the 8th European Conference on IS Management and Evaluation","author":"Da\u00a0Veiga"},{"key":"2025051210161181500_bib26","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1080\/19393555.2019.1643956","article-title":"A dimension-based information security culture model and its relationship with employees\u2019 security behavior: a case study in Malaysian higher educational institutions","volume":"28","author":"Nasir","year":"2019","journal-title":"Inform Secur J: A Global Perspect"},{"key":"2025051210161181500_bib27","first-page":"436","article-title":"An identification of variables influencing the establishment of information security culture","author":"Sherif"},{"key":"2025051210161181500_bib28","article-title":"Forrester: the Forrester Wave\u2122: security awareness and training solutions, Q1 2022"},{"key":"2025051210161181500_bib29","article-title":"KnowBe4: security culture report"},{"key":"2025051210161181500_bib30","volume-title":"The Seven Dimensions of Security Culture","author":"Laycock","year":"2019"},{"key":"2025051210161181500_bib31","article-title":"Information security culture: a look ahead at measurement methods","author":"Phillips"},{"key":"2025051210161181500_bib32","doi-asserted-by":"publisher","first-page":"184","DOI":"10.1111\/j.1468-2885.2003.tb00288.x","article-title":"Understanding the influence of perceived norms on behaviors","volume":"13","author":"Rimal","year":"2003","journal-title":"Commun Theory"},{"key":"2025051210161181500_bib33","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1016\/j.dss.2016.09.009","article-title":"Employees\u2019 information security policy compliance: a norm activation perspective","volume":"92","author":"Yazdanmehr","year":"2016","journal-title":"Decis Support Syst"},{"key":"2025051210161181500_bib34","doi-asserted-by":"publisher","first-page":"289","DOI":"10.1016\/j.cose.2006.02.008","article-title":"A prototype for assessing information security awareness","volume":"25","author":"Kruger","year":"2006","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib35","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","author":"Parsons","year":"2014","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib36","doi-asserted-by":"publisher","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","author":"Bulgurcu","year":"2010","journal-title":"MIS Quarterly"},{"key":"2025051210161181500_bib37","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","author":"Herath","year":"2009","journal-title":"Eur J Inform Syst"},{"key":"2025051210161181500_bib38","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1016\/j.cose.2011.10.007","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory","volume":"31","author":"Ifinedo","year":"2012","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib39","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1146\/annurev.so.14.080188.000405","article-title":"New directions in the study of culture","volume":"14","author":"Wuthnow","year":"1988","journal-title":"Annu Rev Sociol"},{"key":"2025051210161181500_bib40","doi-asserted-by":"publisher","first-page":"743","DOI":"10.1108\/ICS-08-2019-0095","article-title":"The role of norms in information security policy compliance","volume":"28","author":"Wiafe","year":"2020","journal-title":"ICS"},{"key":"2025051210161181500_bib41","doi-asserted-by":"publisher","first-page":"101766","DOI":"10.1016\/j.tele.2021.101766","article-title":"The impact of formal and informal organizational norms on susceptibility to phishing: combining survey and field experiment data","volume":"67","author":"Petri\u010d","year":"2022","journal-title":"Telemat Inform"},{"key":"2025051210161181500_bib42","doi-asserted-by":"publisher","first-page":"1203","DOI":"10.1108\/JEIM-08-2019-0217","article-title":"The influence of organisational culture and information security culture on employee compliance behaviour","volume":"34","author":"Solomon","year":"2021","journal-title":"JEIM"},{"key":"2025051210161181500_bib43","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1016\/j.jisa.2018.11.003","article-title":"An analysis on the dimensions of information security culture concept: a review","volume":"44","author":"Nasir","year":"2019","journal-title":"J Inform Secur Appl"},{"key":"2025051210161181500_bib44","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/s10111-021-00683-y","article-title":"Leveraging human factors in cybersecurity: an integrated methodological approach","volume":"24","author":"Pollini","year":"2022","journal-title":"Cogn Tech Work"},{"key":"2025051210161181500_bib45","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1515\/dim-2017-0006","article-title":"Information security compliance in organizations: an institutional perspective","volume":"1","author":"AlKalbani","year":"2017","journal-title":"Data Inform Manag"},{"key":"2025051210161181500_bib46","doi-asserted-by":"publisher","first-page":"1483","DOI":"10.1177\/154193120504901605","article-title":"Computer and information security culture: findings from two studies","volume-title":"In:","author":"Kraemer"},{"key":"2025051210161181500_bib47","first-page":"243","article-title":"A proposal of an organizational information security culture framework","volume-title":"Proceedings of International Conference on Information, Communication Technology and System (ICTS)","author":"AlHogail","year":"2014."},{"key":"2025051210161181500_bib48","doi-asserted-by":"publisher","first-page":"31","DOI":"10.4018\/IJCWT.2015040103","article-title":"Information security culture","volume":"5","author":"Lim","year":"2015","journal-title":"Int J Cyber Warf Terror"},{"key":"2025051210161181500_bib49","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","author":"Da\u00a0Veiga","year":"2015","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib50","doi-asserted-by":"publisher","first-page":"tyae011","DOI":"10.1093\/cybsec\/tyae011","article-title":"It is not only about having good attitudes: factor exploration of the attitudes toward security recommendations","volume":"10","author":"Toro-Jarrin","year":"2024","journal-title":"J Cybersecur"},{"key":"2025051210161181500_bib51","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1108\/ICS-12-2015-0048","article-title":"Comparing the information security culture of employees who had read the information security policy and those who had not: illustrated through an empirical study","volume":"24","author":"Da\u00a0Veiga","year":"2016","journal-title":"ICS"},{"key":"2025051210161181500_bib52","volume-title":"Social Foundations of Thought and Action","author":"Bandura","year":"1986"},{"key":"2025051210161181500_bib53","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1177\/002200275800200106","article-title":"Compliance, identification, and internalization: three processes of attitude change","volume":"2","author":"Kelman","year":"1958","journal-title":"J Confl Resol"},{"key":"2025051210161181500_bib54","first-page":"679","article-title":"Organizational entry, assimilation, and exit","volume-title":"Handbook of Organizational Communication: An Interdisciplinary Perspective","author":"Jablin","year":"1987"},{"key":"2025051210161181500_bib55","doi-asserted-by":"publisher","first-page":"456","DOI":"10.1108\/ICS-04-2024-0083","article-title":"Expressing opinions about information security in an organization: the spiral of silence theory perspective","volume":"32","author":"Petri\u010d","year":"2024","journal-title":"ICS"},{"key":"2025051210161181500_bib56","doi-asserted-by":"publisher","first-page":"1359","DOI":"10.1111\/1467-6486.00384","article-title":"Conceptualizing employee silence and employee voice as multidimensional constructs","volume":"40","author":"Dyne","year":"2003","journal-title":"J Manag Stud"},{"key":"2025051210161181500_bib57","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1016\/j.cose.2015.05.012","article-title":"Information security Conscious care behaviour formation in organizations","volume":"53","author":"Safa","year":"2015","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib58","doi-asserted-by":"publisher","first-page":"1049","DOI":"10.1108\/MRR-04-2013-0085","article-title":"Information security awareness and behavior: a theory-based literature review","volume":"37","author":"Lebek","year":"2014","journal-title":"Manage Res Rev"},{"key":"2025051210161181500_bib59","article-title":"Phishing training: a preliminary look at the effects of different types of training","volume-title":"Proceedings of the Workshop on Information Security and Privacy (WISP 2016)","author":"Karumbaiah","year":"2016"},{"key":"2025051210161181500_bib60","doi-asserted-by":"publisher","first-page":"386","DOI":"10.17705\/1jais.00133","article-title":"The centrality of awareness in the formation of user behavioural intention toward protective information technologies","volume":"8","author":"Dinev","year":"2007","journal-title":"JAIS"},{"key":"2025051210161181500_bib61","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1016\/j.cose.2018.09.016","article-title":"Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education","volume":"80","author":"Rajab","year":"2019","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib62","doi-asserted-by":"publisher","first-page":"344","DOI":"10.1080\/08874417.2017.1368421","article-title":"The theory of planned behavior and information security policy compliance","volume":"59","author":"Sommestad","year":"2019","journal-title":"J Comput Infor Syst"},{"key":"2025051210161181500_bib63","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1080\/14792779943000116","article-title":"Attitudes and the attitude-behavior relation: reasoned and automatic processes","volume":"11","author":"Ajzen","year":"2000","journal-title":"Europ Rev Soc Psychol"},{"key":"2025051210161181500_bib64","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1080\/1097198X.2019.1701355","article-title":"Universal and culture-dependent employee compliance of information systems security procedures","volume":"23","author":"Karjalainen","year":"2019","journal-title":"J Global Inform Technol Manag"},{"key":"2025051210161181500_bib65","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1016\/j.cose.2014.03.004","article-title":"Information security knowledge sharing in organizations: investigating the effect of behavioural information security governance and national culture","volume":"43","author":"Flores","year":"2014","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib66","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1108\/ICS-05-2014-0029","article-title":"Investigating personal determinants of phishing and the effect of national culture","volume":"23","author":"Rocha\u00a0Flores","year":"2015","journal-title":"ICS"},{"key":"2025051210161181500_bib67","volume-title":"Scale Development: Theory and Applications","author":"De\u00a0Vellis","year":"2003"},{"key":"2025051210161181500_bib68","doi-asserted-by":"publisher","first-page":"489","DOI":"10.1002\/nur.20147","article-title":"The content validity index: are you sure you know what's being reported? Critique and recommendations","volume":"29","author":"Polit","year":"2006","journal-title":"Res Nurs Health"},{"key":"2025051210161181500_bib69","volume-title":"Multivariate Data Analysis","author":"Hair","year":"2019"},{"key":"2025051210161181500_bib70","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1016\/j.dr.2016.06.004","article-title":"Measurement invariance conventions and reporting: the state of the art and future directions for psychological research","volume":"41","author":"Putnick","year":"2016","journal-title":"Dev Rev"},{"key":"2025051210161181500_bib71","doi-asserted-by":"publisher","first-page":"763","DOI":"10.1002\/csr.2086","article-title":"Personal social responsibility: scale development and validation","volume":"28","author":"Davis","year":"2021","journal-title":"Corp Soc Responsibility Env"},{"key":"2025051210161181500_bib72","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1080\/10967494.2019.1690606","article-title":"Employee accountability: development of a multidimensional scale","volume":"23","author":"Han","year":"2020","journal-title":"Int Public Manag J"},{"key":"2025051210161181500_bib73","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1016\/j.cose.2015.05.012","article-title":"Information security conscious care behaviour formation in organizations","volume":"53","author":"Safa","year":"2015","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib74","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1016\/j.cose.2016.02.004","article-title":"Understanding information security stress: focusing on the type of information security compliance activity","volume":"59","author":"Lee","year":"2016","journal-title":"Comput Secur"},{"key":"2025051210161181500_bib75","doi-asserted-by":"publisher","first-page":"589","DOI":"10.1108\/ccij-01-2021-0006","article-title":"Measuring internal communication satisfaction: validating the internal communication satisfaction questionnaire","volume":"26","author":"Tkalac","year":"2021","journal-title":"CCIJ"},{"key":"2025051210161181500_bib76","article-title":"Understanding and measuring information security culture","volume-title":"Presented at The Pacific Asia Conference on Information Systems (PACIS)","author":"Alnatheer","year":"2012"},{"key":"2025051210161181500_bib77","doi-asserted-by":"publisher","first-page":"474","DOI":"10.1108\/imcs-08-2013-0057","article-title":"Security culture and the employment relationship as drivers of employees\u2019 security compliance","volume":"22","author":"D'Arcy","year":"2014","journal-title":"Inf Manag Comput Secur"},{"key":"2025051210161181500_bib78","doi-asserted-by":"publisher","first-page":"121092","DOI":"10.1016\/j.techfore.2021.121092","article-title":"CB-SEM vs PLS-SEM methods for research in social sciences and technology forecasting","volume":"173","author":"Dash","year":"2021","journal-title":"Technol Forecast Soc Change"},{"key":"2025051210161181500_bib79","doi-asserted-by":"publisher","first-page":"411","DOI":"10.1037\/\/0033-2909.103.3.411","article-title":"Structural equation modeling in practice: a review and recommended two-step approach","volume":"103","author":"Anderson","year":"1988","journal-title":"Psychol Bull"},{"key":"2025051210161181500_bib80","doi-asserted-by":"publisher","first-page":"425","DOI":"10.1080\/10705511.2014.915373","article-title":"A comparison of diagonal weighted least squares robust estimation techniques for ordinal data","volume":"21","author":"DiStefano","year":"2014","journal-title":"Struct Equ Model: A Multidiscip J"},{"key":"2025051210161181500_bib81","doi-asserted-by":"publisher","first-page":"230","DOI":"10.1177\/0049124192021002005","article-title":"Alternative ways of assessing model fit","volume":"21","author":"Browne","year":"1992","journal-title":"Sociol Methods Res"},{"key":"2025051210161181500_bib82","doi-asserted-by":"publisher","DOI":"10.4324\/9780203807644","volume-title":"Structural Equation Modeling with Mplus: Basic Concepts, Applications, and Programming","author":"Byrne","year":"2013"},{"key":"2025051210161181500_bib83","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1086\/209528","article-title":"Assessing measurement invariance in cross-national consumer research","volume":"25","author":"Steenkamp","year":"1998","journal-title":"J Consum Res"},{"key":"2025051210161181500_bib84","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1016\/j.chb.2016.10.025","article-title":"Why employees share information security advice? Exploring the contributing factors and structural patterns of security advice sharing in the workplace","volume":"67","author":"Dang-Pham","year":"2017","journal-title":"Comput Hum Behav"},{"key":"2025051210161181500_bib85","doi-asserted-by":"publisher","first-page":"408","DOI":"10.2307\/2393374","article-title":"Tightening the iron cage: concertive control in self-managing teams","volume":"38","author":"Barker","year":"1993","journal-title":"Adm Sci Q"},{"key":"2025051210161181500_bib86","doi-asserted-by":"publisher","first-page":"477","DOI":"10.1177\/017084069801900305","article-title":"Attitudes, values and organizational culture: disentangling the concepts","volume":"19","author":"Hofstede","year":"1998","journal-title":"Organization Studies"},{"key":"2025051210161181500_bib87","volume-title":"Culture, Leadership, and Organizations: The GLOBE Study of 62 Societies","author":"House","year":"2004"},{"key":"2025051210161181500_bib88","volume-title":"Riding the Waves of Culture: Understanding Diversity in Global Business","author":"Trompenaars","year":"2011","edition":"3rd edition"},{"key":"2025051210161181500_bib89","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1057\/palgrave.jibs.8400202","article-title":"A quarter century of culture's consequences: a review of empirical research incorporating Hofstede's cultural values framework","volume":"37","author":"Kirkman","year":"2006","journal-title":"J Int Bus Stud"},{"key":"2025051210161181500_bib90","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1145\/572183.572189","article-title":"IT and organizational change in digital economies: a socio-technical approach","volume":"29","author":"Kling","year":"1999","journal-title":"SIGCAS Comput Soc"},{"key":"2025051210161181500_bib91","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1541948.1541999","article-title":"A behavior model for persuasive design","author":"Fogg","year":"2009"},{"key":"2025051210161181500_bib92","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1007\/978-1-349-11255-5_4","article-title":"Organizational culture: what it is and how to change it","author":"Schein","year":"1990","journal-title":"Human Resource Management in International Firms"},{"key":"2025051210161181500_bib93","article-title":"Why employees violate cybersecurity policies","author":"Posey","year":"2022","journal-title":"Harv Bus Rev"},{"key":"2025051210161181500_bib94","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1080\/07421222.2015.1138374","article-title":"The impact of organizational commitment on insiders\u2019 motivation to protect organizational information assets","volume":"32","author":"Posey","year":"2015","journal-title":"J ManagInform Syst"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf011\/63154537\/tyaf011.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf011\/63154537\/tyaf011.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,12]],"date-time":"2025-05-12T14:16:26Z","timestamp":1747059386000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf011\/8128837"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":94,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf011","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf011"}}