{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,27]],"date-time":"2026-01-27T15:51:33Z","timestamp":1769529093701,"version":"3.49.0"},"reference-count":49,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2015,6,8]],"date-time":"2015-06-08T00:00:00Z","timestamp":1433721600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,6,8]]},"abstract":"\n Purpose<\/jats:title>\n \u2013 The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate if national culture moderates the strength of these correlations. <\/jats:p>\n <\/jats:sec>\n \n Design\/methodology\/approach<\/jats:title>\n \u2013 To measure potential determinants, a survey was distributed to 2,099 employees of nine organizations in Sweden, USA and India. Then, the authors conducted unannounced phishing exercises, in which a phishing attack targeted the same sample. <\/jats:p>\n <\/jats:sec>\n \n Findings<\/jats:title>\n \u2013 Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified to have a positive significant correlation to phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees\u2019 observed that phishing behavior differs between Swedish, US and Indian employees in 6 out of 15 cases. <\/jats:p>\n <\/jats:sec>\n \n Research limitations\/implications<\/jats:title>\n \u2013 The identified determinants had, even though not strong, a significant positive correlation. This suggests that more work needs to be done to more fully understand determinants of phishing. The study assumes that culture effects apply to all individuals in a nation. However, differences based on cultures might exist based on firm characteristics within a country. The Swedish sample is dominating, while only 40 responses from Indian employees were collected. This unequal size of samples suggests that conclusions based on the results from the cultural analysis should be drawn cautiously. A natural continuation of the research is therefore to further explore the generalizability of the findings by collecting data from other nations with similar cultures as Sweden, USA and India. <\/jats:p>\n <\/jats:sec>\n \n Originality\/value<\/jats:title>\n \u2013 Using direct observations of employees\u2019 security behaviors has rarely been used in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both these issues.<\/jats:p>\n <\/jats:sec>","DOI":"10.1108\/ics-05-2014-0029","type":"journal-article","created":{"date-parts":[[2015,5,22]],"date-time":"2015-05-22T08:10:47Z","timestamp":1432282247000},"page":"178-199","source":"Crossref","is-referenced-by-count":53,"title":["Investigating personal determinants of phishing and the effect of national culture"],"prefix":"10.1108","volume":"23","author":[{"given":"Waldo","family":"Rocha Flores","sequence":"first","affiliation":[]},{"given":"Hannes","family":"Holm","sequence":"additional","affiliation":[]},{"given":"Marcus","family":"Nohlberg","sequence":"additional","affiliation":[]},{"given":"Mathias","family":"Ekstedt","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020122322312730000_b1","doi-asserted-by":"crossref","unstructured":"Ajzen, I.\n (1991), \u201cThe theory of planned behavior\u201d, \n Organizational Behavior and Human Decision Processes\n , Vol. 50 No. 2, pp. 179-211.","DOI":"10.1016\/0749-5978(91)90020-T"},{"key":"key2020122322312730000_b2","doi-asserted-by":"crossref","unstructured":"Anderson, J.C.\n and \n Gerbing, D.W.\n (1991), \u201cPredicting the performance of measures in a confirmatory factor analysis with a pretest assessment of their substantive validities\u201d, \n Journal of Applied Psychology\n , Vol. 76 No. 5, pp. 732-740.","DOI":"10.1037\/0021-9010.76.5.732"},{"key":"key2020122322312730000_b3","doi-asserted-by":"crossref","unstructured":"Applegate, S.D.\n (2009), \u201cSocial engineering: hacking the wetware!\u201d, \n Information Security Journal: A Global Perspective\n , Vol. 18 No. 1, pp. 40-46.","DOI":"10.1080\/19393550802623214"},{"key":"key2020122322312730000_b4","doi-asserted-by":"crossref","unstructured":"Bakhshi, T.\n , \n Papadaki, M.\n and \n Furnell, S.\n (2009), \u201cSocial engineering: assessing vulnerabilities in practice\u201d, \n Information Management & Computer Security\n , Vol. 17 No. 1, pp. 53-63.","DOI":"10.1108\/09685220910944768"},{"key":"key2020122322312730000_b5","doi-asserted-by":"crossref","unstructured":"Bulgurcu, B.\n , \n Cavusoglu, H.\n and \n Benbasat, I.\n (2010), \u201cInformation security policy compliance: an empirical study of rationality-based beliefs and information security awareness\u201d, \n MIS Quarterly\n , Vol. 34 No. 3, pp. 523-548.","DOI":"10.2307\/25750690"},{"key":"key2020122322312730000_b6","unstructured":"Cohen, J.\n and \n Cohen, P.\n (1983), \n Applied Multiple Regression\/Correlation Analysis for the Behavioral Sciences\n , Erlbaum, Hillsdale, NJ."},{"key":"key2020122322312730000_b7","doi-asserted-by":"crossref","unstructured":"Crossler, R.E.\n , \n Johnston, A.C.\n , \n Lowry, P.B.\n , \n Hu, Q.\n , \n Warkentin, M.\n and \n Baskerville, R.\n (2013), \u201cFuture directions for behavioral information security research\u201d, \n Computers & Security\n , Vol. 32, pp. 90-101.","DOI":"10.1016\/j.cose.2012.09.010"},{"key":"key2020122322312730000_b8","doi-asserted-by":"crossref","unstructured":"D\u2019Arcy, J.\n and \n Herath, T.\n (2011), \u201cA review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings\u201d, \n European Journal of Information Systems\n , Nature Publishing Group, Vol. 20 No. 6, pp. 643-658.","DOI":"10.1057\/ejis.2011.23"},{"key":"key2020122322312730000_b9","unstructured":"DeVellis, R.F.\n (1991), \n Scale Development: Theory and Applications\n , Sage, Newbury Park, CA."},{"key":"key2020122322312730000_b10","doi-asserted-by":"crossref","unstructured":"Dhamija, R.\n , \n Tygar, J.D.\n and \n Hearst, M.\n (2006), \u201cWhy phishing works\u201d, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Montreal, pp. 581-590.","DOI":"10.1145\/1124772.1124861"},{"key":"key2020122322312730000_b11","doi-asserted-by":"crossref","unstructured":"Dinev, T.\n , \n Goo, J.\n , \n Hu, Q.\n and \n Nam, K.\n (2009), \u201cUser behaviour towards protective information technologies: the role of national cultural differences\u201d, \n Information Systems Journal\n , Vol. 19 No. 4, pp. 391-412.","DOI":"10.1111\/j.1365-2575.2007.00289.x"},{"key":"key2020122322312730000_b12","doi-asserted-by":"crossref","unstructured":"Dodge, R.\n , \n Carver, C.\n and \n Ferguson, A.\n (2007), \u201cPhishing for user security awareness\u201d, \n Computers & Security\n , Vol. 26 No. 1, pp. 73-80.","DOI":"10.1016\/j.cose.2006.10.009"},{"key":"key2020122322312730000_b13","doi-asserted-by":"crossref","unstructured":"Gerbing, D.W.\n and \n Anderson, J.\n (1988), \u201cAn updated paradigm for scale development incorporating unidimensionality and its assessment\u201d, \n Journal of Marketing Research\n , Vol. 25 No. 2, pp. 186-192.","DOI":"10.1177\/002224378802500207"},{"key":"key2020122322312730000_b14","unstructured":"Glass, G.V.\n and \n Hopkins, K.D.\n (1995), \n Statistical Methods in Education and Psychology\n , 3rd ed., Allyn & Bacon."},{"key":"key2020122322312730000_b15","doi-asserted-by":"crossref","unstructured":"Halevi, T.\n , \n Lewis, J.\n and \n Memon, N.\n (2013), \u201cA pilot study of cyber security and privacy related behavior and personality traits\u201d, Proceedings of the 22nd International Conference on World Wide Web Companion, Rio de Janeiro, International World Wide Web Conferences Steering Committee, pp. 737-744.","DOI":"10.1145\/2487788.2488034"},{"key":"key2020122322312730000_b16","doi-asserted-by":"crossref","unstructured":"Hofstede, G.\n (1993), \u201cCultural constraints in management theories\u201d, \n Academy of Management Perspectives, Academy of Management\n , Vol. 7 No. 1, pp. 81-94.","DOI":"10.5465\/ame.1993.9409142061"},{"key":"key2020122322312730000_b17","unstructured":"Hofstede, G.\n (2014), \u201cNational cultural dimensions\u201d, National Cultural Dimensions, available at: http:\/\/geert-hofstede.com\/dimensions.html (accessed 17 March 2014)."},{"key":"key2020122322312730000_b18","doi-asserted-by":"crossref","unstructured":"Holm, H.\n , \n Rocha Flores, W.\n and \n Ericsson, G.\n (2013), \u201cCyber security for a smart grid \u2013 what about phishing?\u201d, Proceedings of the 4th European Innovative Smart Grid Technologies (ISGT) Conference, Lyngby.","DOI":"10.1109\/ISGTEurope.2013.6695407"},{"key":"key2020122322312730000_b19","doi-asserted-by":"crossref","unstructured":"Jackson, T.\n (2000), \u201cManagement ethics and corporate policy: a cross-cultural comparison\u201d, \n Journal of Management Studies\n , Vol. 37 No. 3, pp. 349-369.","DOI":"10.1111\/1467-6486.00184"},{"key":"key2020122322312730000_b20","doi-asserted-by":"crossref","unstructured":"Jagatic, T.N.\n , \n Johnson, N.A.\n , \n Jakobsson, M.\n and \n Menczer, F.\n (2007), \u201cSocial phishing\u201d, \n Communications of the ACM\n , Vol. 50 No. 10, pp. 94-100.","DOI":"10.1145\/1290958.1290968"},{"key":"key2020122322312730000_b21","unstructured":"Jakobsson, M.\n and \n Ratkiewicz, J.\n (2006), \u201cDesigning ethical phishing experiments\u201d, Proceedings of the 15th International Conference on World Wide Web \u2013 WWW \u201906, ACM Press, New York, NY, p. 513."},{"key":"key2020122322312730000_b22","unstructured":"Karjalainen, M.\n , \n Siponen, M.\n , \n Petri, P.\n and \n Suprateek, S.\n (2013), \u201cOne size does not fit all: different cultures require different information systems security interventions\u201d, PACIS 2013 Proceedings, Jeju Island, Paper 98."},{"key":"key2020122322312730000_b23","unstructured":"Kolodziej-Smith, R.\n , \n Friesen, D.\n and \n Yaprak, A.\n (2013), \u201cDoes culture affect how people receive and resist persuasive messages? Research proposals about resistance to persuasion in cultural groups\u201d, \n Global Advances in Business Communication\n , Vol. 2."},{"key":"key2020122322312730000_b24","unstructured":"Lynn, M.R.\n (2006), \u201cDetermination and quantification of content validity\u201d, \n Nursing Research\n , Vol. 35 No. 6, pp. 382-386."},{"key":"key2020122322312730000_b25","doi-asserted-by":"crossref","unstructured":"MacKenzie, S.B.\n , \n Podsakoff, P.M.\n and \n Podsakoff, N.P.\n (2011), \u201cConstruct measurement and validation procedures in MIS and behavioral research: integrating new and existing techniques\u201d, \n MIS Quarterly\n , Vol. 35 No. 2, pp. 293-334.","DOI":"10.2307\/23044045"},{"key":"key2020122322312730000_b26","doi-asserted-by":"crossref","unstructured":"Markus, H.R.\n and \n Kitayama, S.\n (1991), \u201cCulture and the self: implications for cognition, emotion, and motivation\u201d, \n Psychological Review\n , Vol. 98 No. 2, pp. 224-253.","DOI":"10.1037\/0033-295X.98.2.224"},{"key":"key2020122322312730000_b27","unstructured":"Mitnick, K.\n and \n Simon, W.\n (2002), \n The Art of Deception: Controlling the Human Element of Security, Controlling the Human Element of Security\n , Wiley Publishing, Indianapolis, IN."},{"key":"key2020122322312730000_b28","doi-asserted-by":"crossref","unstructured":"Mohebzada, J.G.\n , \n Zarka, A.\n , \n El, Bhojani, A.H.\n and \n Darwish, A.\n (2012), \u201cPhishing in a university community: two large scale phishing experiments\u201d, 2012 International Conference on Innovations in Information Technology (IIT), Abu Dhabi, pp. 249-254.","DOI":"10.1109\/INNOVATIONS.2012.6207742"},{"key":"key2020122322312730000_b29","doi-asserted-by":"crossref","unstructured":"Moos, D.C.\n and \n Azevedo, R.\n (2009), \u201cLearning with computer-based learning environments: a literature review of computer self-efficacy\u201d, \n Review of Educational Research\n , Vol. 79 No. 2, pp. 576-600.","DOI":"10.3102\/0034654308326083"},{"key":"key2020122322312730000_b30","unstructured":"Moskal, E.\n (2006), \u201cBusiness continuity management post 9\/11 disaster report methodology\u201d, \n Disaster Recovery Journal\n , Vol. 19 No. 2."},{"key":"key2020122322312730000_b31","unstructured":"Nunnally, J.C.\n and \n Bernstein, I.\n (1994), \n Psychometric Theory\n , 3rd ed., McGraw Hill, New York, NY."},{"key":"key2020122322312730000_b32","doi-asserted-by":"crossref","unstructured":"Paternoster, R.\n and \n Simpson, S.\n (1996), \u201cSanction threats and appeals to morality: testing a rational choice model of corporate crime\u201d, \n Law & Society Review\n , Vol. 30 No. 3, pp. 549-584.","DOI":"10.2307\/3054128"},{"key":"key2020122322312730000_b33","unstructured":"Preacher, K.J.\n (2002), \u201cCalculation for the test of the difference between two independent correlation coefficients\u201d, available at: www.quantpsy.org"},{"key":"key2020122322312730000_b34","unstructured":"Provos, N.\n , \n Mavrommatis, P.\n , \n Rajab, M.A.\n and \n Monrose, F.\n (2008), \u201cAll your iFRAMEs point to us\u201d, Proceedings of the 17th Conference on Security Symposium, USENIX Association, San Jose, CA, pp. 1-15."},{"key":"key2020122322312730000_b35","unstructured":"PWC Advisory Services and Security\n (2013), \u201cThe global state of information security\u00ae survey 2013\u201d, available at: www.pwc.com\/gx\/en\/consulting-services\/information-security-survey\/index.jhtml"},{"key":"key2020122322312730000_b48","doi-asserted-by":"crossref","unstructured":"Rhee, H.-S.\n , \n Kim, C.\n and \n Ryu, Y.U.\n (2009), \u201cSelf-efficacy in information security: its influence on end users\u2019 information security practice behavior\u201d, \n Computers & Security\n , Vol. 28 No. 8, pp. 816-826.","DOI":"10.1016\/j.cose.2009.05.008"},{"key":"key2020122322312730000_b36","unstructured":"Rocha Flores, W.\n and \n Antonsen, E.\n (2013), \u201cThe development of an instrument for assessing information security in organizations: examining the content validity using quantitative methods\u201d, Proceedings of the 2013 International Conference on Information Resources Management, Natal, 22-24 May."},{"key":"key2020122322312730000_b37","unstructured":"Rocha Flores, W.\n and \n Ekstedt, M.\n (2012), \u201cA model for investigation organizational impact on information security behavior\u201d, Proceedings of the 7th Annual Workshop on Information Security and Privacy, Orlando, FL, 16 December."},{"key":"key2020122322312730000_b38","unstructured":"Rocha Flores, W.\n and \n Ekstedt, M.\n (2013), \u201cCountermeasures for social engineering-based malware installation attacks\u201d, Proceedings of the 2013 International Conference on Information Resources Management, Natal, 22-24 May."},{"key":"key2020122322312730000_b40","doi-asserted-by":"crossref","unstructured":"Rocha Flores, W.\n , \n Holm, H.\n , \n Svensson, G.\n and \n Ericsson, G.\n (2014), \u201cUsing Phishing Experiments and Scenario-based Surveys to Understand Security Behaviours in Practice\u201d, Information Management & Computer Security.","DOI":"10.1108\/IMCS-11-2013-0083"},{"key":"key2020122322312730000_b39","unstructured":"Rocha Flores, W.\n and \n Korman, M.\n (2012), \u201cConceptualization of constructs for shaping information security behavior: towards a measurement instrument\u201d, Proceedings of the 7th Annual Workshop on Information Security and Privacy, Orlando, FL, 16 December."},{"key":"key2020122322312730000_b41","doi-asserted-by":"crossref","unstructured":"Siponen, M.\n and \n Vance, A.\n (2010), \u201cNeutralization: new insights into the problem of employee systems security policy violations\u201d, \n MIS Quarterly\n , Vol. 34 No. 3, pp. 487-502.","DOI":"10.2307\/25750688"},{"key":"key2020122322312730000_b49","unstructured":"Sheng, S.\n (2010), \u201cWho falls for phish?\u201d, in Proceedings of the 28th International Conference on Human Factors in Computing Systems \u2013 CHI \u201810, ACM Press, New York, NY, p. 373."},{"key":"key2020122322312730000_b42","doi-asserted-by":"crossref","unstructured":"Sommestad, T.\n and \n Hallberg, J.\n (2013), \u201cA review of the theory of planned behaviour in the context of information security policy compliance\u201d, in \n Janczewski, L.J.\n , \n Wolfe, H.B.\n and \n Shenoi, S.\n (Eds), \n Security and Privacy Protection in Information Processing Systems\n , IFIP Advances in Information and Communication Technology, Springer Berlin Heidelberg, Berlin, Vol. 405, pp. 257-271.","DOI":"10.1007\/978-3-642-39218-4_20"},{"key":"key2020122322312730000_b43","doi-asserted-by":"crossref","unstructured":"Srite, M.\n and \n Karahanna, E.\n (2006), \u201cThe role of espoused national cultural values in technology acceptance\u201d, \n MIS Quarterly, Society for Information Management and The Management Information Systems Research Center\n , Vol. 30 No. 3, pp. 679-704.","DOI":"10.2307\/25148745"},{"key":"key2020122322312730000_b44","doi-asserted-by":"crossref","unstructured":"Straub, D.\n , \n Boudreau, M.-C.\n and \n Gefen, D.\n (2004), \u201cValidation guidelines for is positivist research\u201d, \n Communications of the Association for Information Systems\n , Vol. 13 No. 1, pp. 380-427.","DOI":"10.17705\/1CAIS.01324"},{"key":"key2020122322312730000_b45","unstructured":"Urbach, N.\n and \n Ahlemann, F.\n (2010), \u201cStructural equation modeling in information systems research using partial least squares\u201d, \n Journal of Information Technology Theory and Application (JITTA\n ), Vol. 11 No. 2."},{"key":"key2020122322312730000_b46","doi-asserted-by":"crossref","unstructured":"Workman, M.\n (2007), \u201cGaining access with social engineering: an empirical study of the threat\u201d, \n Information Systems Security\n , Vol. 16 No. 6, pp. 315-331.","DOI":"10.1080\/10658980701788165"},{"key":"key2020122322312730000_b47","doi-asserted-by":"crossref","unstructured":"Workman, M.\n (2008), \u201cWisecrackers: a theory-grounded investigation of phishing and pretext social engineering threats to information security\u201d, \n Journal of the American Society for Information Science and Technology\n , Vol. 59 No. 4, pp. 662-674.","DOI":"10.1002\/asi.20779"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-05-2014-0029","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-05-2014-0029\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-05-2014-0029\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:54Z","timestamp":1753406574000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/2\/178-199\/119715"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,6,8]]},"references-count":49,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2015,6,8]]}},"alternative-id":["10.1108\/ICS-05-2014-0029"],"URL":"https:\/\/doi.org\/10.1108\/ics-05-2014-0029","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2015,6,8]]}}}