{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T19:34:53Z","timestamp":1772134493176,"version":"3.50.1"},"reference-count":51,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2021,8,17]],"date-time":"2021-08-17T00:00:00Z","timestamp":1629158400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["AJIM"],"published-print":{"date-parts":[[2021,9,6]]},"abstract":"Purpose<\/jats:title>The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.<\/jats:p><\/jats:sec>Findings<\/jats:title>The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>This paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ajim-02-2021-0037","type":"journal-article","created":{"date-parts":[[2021,8,16]],"date-time":"2021-08-16T00:16:05Z","timestamp":1629072965000},"page":"699-719","source":"Crossref","is-referenced-by-count":5,"title":["Holistic framework for evaluating and improving information security culture"],"prefix":"10.1108","volume":"73","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8973-5932","authenticated-orcid":false,"given":"Krunoslav","family":"Arbanas","sequence":"first","affiliation":[]},{"given":"Mario","family":"Spremic","sequence":"additional","affiliation":[]},{"given":"Nikolina","family":"Zajdela Hrustek","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2021,8,17]]},"reference":[{"key":"key2021090208114640500_ref001","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/WCCAIS.2014.6916579","article-title":"Information security culture: a definition and a literature review","year":"2014"},{"key":"key2021090208114640500_ref002","first-page":"286","article-title":"Organizational information security culture assessment","year":"2015"},{"key":"key2021090208114640500_ref003","doi-asserted-by":"publisher","first-page":"567","DOI":"10.1016\/j.chb.2015.03.054","article-title":"Design and validation of information security culture framework","volume":"49","year":"2015","journal-title":"Computers in Human Behavior"},{"issue":"2","key":"key2021090208114640500_ref004","doi-asserted-by":"publisher","first-page":"104","DOI":"10.7763\/IJSSH.2014.V4.327","article-title":"A conceptual model to understand information security culture","volume":"4","year":"2014","journal-title":"International Journal of Social Science and Humanity"},{"key":"key2021090208114640500_ref005","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1109\/ICITST.2014.7038814","article-title":"A conceptual analysis of information security education, information security training and information security awareness definitions","year":"2014"},{"issue":"2","key":"key2021090208114640500_ref006","doi-asserted-by":"publisher","first-page":"131","DOI":"10.31341\/jios.43.2.1","article-title":"Key success factors of information systems security","volume":"43","year":"2019","journal-title":"Journal of Information and Organizational Sciences"},{"issue":"4","key":"key2021090208114640500_ref007","first-page":"376","article-title":"Key factors of information security culture","volume":"29","year":"2020","journal-title":"Policija i sigurnost"},{"key":"key2021090208114640500_ref008","volume-title":"The Practice of Social Research","year":"2014","edition":"14th ed."},{"key":"key2021090208114640500_ref009","doi-asserted-by":"publisher","DOI":"10.1108\/OIR-06-2020-0218","article-title":"Willingness to information security as a function of personality characteristics and threat assessment among adolescents","year":"2021","journal-title":"Online Information Review"},{"key":"key2021090208114640500_ref010","volume-title":"Organizational Research Methods","year":"2001"},{"issue":"3","key":"key2021090208114640500_ref011","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2021090208114640500_ref012","doi-asserted-by":"publisher","first-page":"109","DOI":"10.28945\/4596","article-title":"The effect of rational based beliefs and awareness on employee compliance with information security procedures: a case study of a financial corporation in Israel","volume":"15","year":"2020","journal-title":"Interdisciplinary Journal of Information, Knowledge, and Management"},{"issue":"3","key":"key2021090208114640500_ref013","doi-asserted-by":"publisher","first-page":"438","DOI":"10.1108\/02635570710734316","article-title":"Exploring organizational culture for information security management","volume":"107","year":"2007","journal-title":"Industrial Management and Data Systems"},{"key":"key2021090208114640500_ref014","doi-asserted-by":"publisher","first-page":"101713","DOI":"10.1016\/j.cose.2020.101713","article-title":"Defining organisational information security culture\u2014perspectives from academia and industry","volume":"92","year":"2020","journal-title":"Computers and Security"},{"key":"key2021090208114640500_ref015","unstructured":"European Union (2016), \u201cDIRECTIVE (EU) 2016\/1148 (NIS directive)\u201d, available at: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016L1148&qid=1613308044181&from=EN (accessed 21 January 2021)."},{"key":"key2021090208114640500_ref016","volume-title":"Discovering Statistics Using IBM SPSS Statistics","year":"2013","edition":"14th ed."},{"issue":"5","key":"key2021090208114640500_ref017","doi-asserted-by":"publisher","first-page":"378","DOI":"10.1128\/JCM.41.11.5325-5326.2003","article-title":"Measuring nominal scale agreement among many raters","volume":"76","year":"1971","journal-title":"Psychological Bulletin"},{"key":"key2021090208114640500_ref018","doi-asserted-by":"publisher","DOI":"10.1080\/08874417.2020.1845583","article-title":"A cyber-security culture framework for assessing organization readiness","year":"2020","journal-title":"Journal of Computer Information Systems"},{"key":"key2021090208114640500_ref019","doi-asserted-by":"publisher","DOI":"10.1057\/s41284-021-00286-2","article-title":"Working from home during COVID-19 crisis: a cyber security culture assessment survey","year":"2021","journal-title":"Security Journal"},{"key":"key2021090208114640500_ref020","volume-title":"Multivariate Data Analysis","year":"2019","edition":"8ht ed."},{"key":"key2021090208114640500_ref021","doi-asserted-by":"publisher","first-page":"456","DOI":"10.4018\/IJCWT.2015040103","article-title":"Information security culture: a systematic literature review","year":"2015"},{"issue":"3","key":"key2021090208114640500_ref022","doi-asserted-by":"publisher","DOI":"10.1016\/j.heliyon.2021.e06522","article-title":"Human factor, a critical weak point in the information security of an organization's Internet of things","volume":"7","year":"2021","journal-title":"Heliyon"},{"issue":"3","key":"key2021090208114640500_ref023","doi-asserted-by":"publisher","first-page":"246","DOI":"10.1108\/ICS-05-2014-0033","article-title":"Information security culture state-of-the-art review between 2000 and 2013","volume":"23","year":"2015","journal-title":"Information and Computer Security"},{"key":"key2021090208114640500_ref024","doi-asserted-by":"publisher","first-page":"102267","DOI":"10.1016\/j.cose.2021.102267","article-title":"Enhancing employees information security awareness in private and public organisations: a systematic literature review","volume":"106","year":"2021","journal-title":"Computers and Security"},{"issue":"1","key":"key2021090208114640500_ref025","doi-asserted-by":"publisher","first-page":"159","DOI":"10.2307\/2529310","article-title":"The measurement of observer agreement for categorical data","volume":"33","year":"1977","journal-title":"Biometrics"},{"issue":"4","key":"key2021090208114640500_ref026","doi-asserted-by":"publisher","first-page":"563","DOI":"10.1111\/j.1744-6570.1975.tb01393.x","article-title":"A quantitative approach to content validity","volume":"28","year":"1975","journal-title":"Personnel Psychology"},{"issue":"1","key":"key2021090208114640500_ref027","doi-asserted-by":"publisher","first-page":"199","DOI":"10.1080\/07421222.1995.11518075","article-title":"An empirical assessment of the information resource management construct","volume":"12","year":"1995","journal-title":"Journal of Management Information Systems"},{"issue":"1","key":"key2021090208114640500_ref028","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1037\/1082-989X.4.1.84","article-title":"Sample size in factor analysis","volume":"4","year":"1999","journal-title":"Psychological Methods"},{"issue":"5","key":"key2021090208114640500_ref029","doi-asserted-by":"publisher","first-page":"15","DOI":"10.14257\/ijsia.2017.11.5.02","article-title":"A conceptual model for exploring the factors influencing information security culture","volume":"11","year":"2017","journal-title":"International Journal of Security and Its Applications"},{"key":"key2021090208114640500_ref030","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/ICRIIS.2017.8002442","article-title":"A systematic literature review: information security culture","year":"2017"},{"issue":"3","key":"key2021090208114640500_ref031","doi-asserted-by":"crossref","first-page":"192","DOI":"10.1287\/isre.2.3.192","article-title":"Development of an instrument to measure the perceptions of adopting an information technology innovation stable","volume":"2","year":"1991","journal-title":"Information Systems Research"},{"issue":"1","key":"key2021090208114640500_ref032","doi-asserted-by":"publisher","first-page":"114","DOI":"10.22237\/jmasm\/1020255360","article-title":"The Q-sort method: assessing reliability and construct validity of questionnaire items at A pre-testing stage","volume":"1","year":"2002","journal-title":"Journal of Modern Applied Statistical Methods"},{"key":"key2021090208114640500_ref033","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1016\/j.jisa.2018.11.003","article-title":"An analysis on the dimensions of information security culture concept: a review","volume":"44","year":"2019","journal-title":"Journal of Information Security and Applications"},{"issue":"2","key":"key2021090208114640500_ref034","doi-asserted-by":"publisher","first-page":"146","DOI":"10.1108\/ICS-12-2016-0095","article-title":"Key elements of an information security culture in organisations","volume":"27","year":"2019","journal-title":"Information and Computer Security"},{"key":"key2021090208114640500_ref035","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/ISSA.2012.6320442","article-title":"Assessing information security culture: a critical analysis of current approaches","year":"2012"},{"issue":"1","key":"key2021090208114640500_ref036","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1108\/ICS-12-2019-0140","article-title":"A systematic review of scales for measuring information security culture","volume":"29","year":"2021","journal-title":"Information and Computer Security"},{"key":"key2021090208114640500_ref037","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1007\/978-3-319-32824-9_7","article-title":"Creating a cyber security culture for your water\/waste water utility","volume":"3","year":"2017","journal-title":"Cyber-Physical Security. Protecting Critical Infrastructure"},{"key":"key2021090208114640500_ref038","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1108\/09685221311314383","article-title":"Critical analysis of information security culture definitions","year":"2020"},{"key":"key2021090208114640500_ref039","doi-asserted-by":"publisher","volume-title":"Advice on Exploratory Factor Analysis","year":"2017","DOI":"10.13140\/RG.2.1.5013.9766"},{"issue":"2","key":"key2021090208114640500_ref040","doi-asserted-by":"publisher","first-page":"340","DOI":"10.1057\/s41284-020-00228-4","article-title":"Measuring the security culture in organizations: a systematic overview of existing tools","volume":"34","year":"2020","journal-title":"Security Journal"},{"key":"key2021090208114640500_ref041","volume-title":"Organizational Culture and Leadership","year":"2010","edition":"4th ed."},{"issue":"2","key":"key2021090208114640500_ref042","doi-asserted-by":"publisher","first-page":"565","DOI":"10.20533\/ijisr.2042.4639.2015.0065","article-title":"A conceptual model for cultivating an information security culture","volume":"5","year":"2015","journal-title":"International Journal for Information Security Research"},{"key":"key2021090208114640500_ref043","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/978-3-030-25741-5_25","article-title":"The model of information security culture level estimation of organization","volume":"1019","year":"2020","journal-title":"Advances in Intelligent Systems and Computing"},{"issue":"4","key":"key2021090208114640500_ref044","doi-asserted-by":"publisher","first-page":"1203","DOI":"10.1108\/JEIM-08-2019-0217","article-title":"The influence of organisational culture and information security culture on employee compliance behavior","volume":"34","year":"2020","journal-title":"Journal of Enterprise Information Management"},{"issue":"2","key":"key2021090208114640500_ref045","doi-asserted-by":"publisher","first-page":"215","DOI":"10.1016\/j.ijinfomgt.2015.11.009","article-title":"Information security management needs more holistic approach: a literature review","volume":"36","year":"2016","journal-title":"International Journal of Information Management"},{"key":"key2021090208114640500_ref046","first-page":"1242","article-title":"Holistic approach for governing information system security","year":"2013"},{"key":"key2021090208114640500_ref047","doi-asserted-by":"publisher","first-page":"1","DOI":"10.17705\/1CAIS.01324","article-title":"Validation guidelines for IS positivist research","volume":"13","year":"2004","journal-title":"Communications of the Association for Information Systems"},{"issue":"2","key":"key2021090208114640500_ref048","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/s10799-015-0252-2","article-title":"The impacts of organizational culture on information security culture: a case study","volume":"17","year":"2016","journal-title":"Information Technology and Management"},{"key":"key2021090208114640500_ref049","first-page":"52","article-title":"A comprehensive framework for cultivating and assessing information security culture","year":"2017"},{"issue":"4","key":"key2021090208114640500_ref050","doi-asserted-by":"publisher","first-page":"476","DOI":"10.1016\/j.cose.2009.10.005","article-title":"Information security culture: a management perspective","volume":"29","year":"2010","journal-title":"Computers and Security"},{"key":"key2021090208114640500_ref051","first-page":"211","article-title":"The importance of information security awareness for the success of business enterprises","year":"2016"}],"container-title":["Aslib Journal of Information Management"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/AJIM-02-2021-0037\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/AJIM-02-2021-0037\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T23:00:23Z","timestamp":1753398023000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ajim\/article\/73\/5\/699-719\/60647"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,17]]},"references-count":51,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2021,8,17]]},"published-print":{"date-parts":[[2021,9,6]]}},"alternative-id":["10.1108\/AJIM-02-2021-0037"],"URL":"https:\/\/doi.org\/10.1108\/ajim-02-2021-0037","relation":{},"ISSN":["2050-3806"],"issn-type":[{"value":"2050-3806","type":"print"}],"subject":[],"published":{"date-parts":[[2021,8,17]]}}}