{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,2]],"date-time":"2026-05-02T16:16:09Z","timestamp":1777738569794,"version":"3.51.4"},"reference-count":70,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2021,3,8]],"date-time":"2021-03-08T00:00:00Z","timestamp":1615161600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2021,10,26]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper outlines the development of a validated questionnaire for assessing information security behaviour. The purpose of this paper is to present data from the questionnaire validation process and the quantitative study results.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Data obtained through a quantitative survey (N = 263) at a South African university were used to validate the questionnaire.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Exploratory factor analysis produced 11 factors. Cronbach\u2019s alpha for the 11 factors were all above 0.7, suggesting that the questionnaire is valid and reliable. The responses show that autonomy questions received positive perception, followed by competence questions and lastly relatedness questions. The correlation analysis results show that there was a statistically significant relationship between competence factors and autonomy factors. There was a partial significant relationship between autonomy and relatedness factors, and between competence and relatedness factors. The study results suggest that competence and autonomy could be more important than relatedness in fostering information security behaviour among employees.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>This study used a convenience sampling, a cross-sectional design, and was carried out in a single organisation. This could pose limitations when generalising the study results. Future studies could use random sampling and consider other universities for further validation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper provides a research instrument for assessing information security behaviour from the perspective of the self-determination theory.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-11-2020-0179","type":"journal-article","created":{"date-parts":[[2021,3,7]],"date-time":"2021-03-07T23:55:15Z","timestamp":1615161315000},"page":"625-646","source":"Crossref","is-referenced-by-count":19,"title":["Assessing information security behaviour: a self-determination theory perspective"],"prefix":"10.1108","volume":"29","author":[{"given":"Yotamu","family":"Gangire","sequence":"first","affiliation":[]},{"given":"Ad\u00e9le","family":"Da Veiga","sequence":"additional","affiliation":[]},{"given":"Marlien","family":"Herselman","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2021,3,8]]},"reference":[{"key":"key2021102306413037100_ref001","first-page":"3","article-title":"A typology of employees\u2019 information security behaviour","volume-title":"4th International Conference on Information and Communication Technology (ICoICT)","year":"2016"},{"key":"key2021102306413037100_ref002","first-page":"47","article-title":"Information security culture: a behaviour compliance conceptual framework","volume-title":"8th Australasian Information Security Conference (AISC 2010). Conferences in Research and Practice in Information Technology (CRPIT)","year":"2010"},{"key":"key2021102306413037100_ref003","first-page":"844","article-title":"Information security behavior: recognizing the influencers","volume-title":"Computing Conference","year":"2017"},{"issue":"4","key":"key2021102306413037100_ref004","doi-asserted-by":"crossref","first-page":"421","DOI":"10.1108\/ICS-11-2016-0089","article-title":"Deterrence and punishment experience impacts on ISP compliance attitudes","volume":"25","year":"2017","journal-title":"Information and Computer Security"},{"key":"key2021102306413037100_ref005","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1016\/j.cose.2017.04.009","article-title":"Prevention is better than cure! designing information security awareness programs to overcome users\u2019 non-compliance with information security policies in banks","volume":"68","year":"2017","journal-title":"Computers and Security"},{"issue":"7","key":"key2021102306413037100_ref006","doi-asserted-by":"crossref","first-page":"887","DOI":"10.1016\/j.im.2017.01.003","article-title":"Determinants of early conformance with information security policies","volume":"54","year":"2017","journal-title":"Information and Management"},{"key":"key2021102306413037100_ref007","article-title":"Issues and trends in information security policy compliance","volume-title":"6th International Conference on Research and Innovation in Information Systems (ICRIIS)","year":"2019"},{"key":"key2021102306413037100_ref008","first-page":"103","article-title":"Unpacking security policy compliance: the motivators and barriers of employees\u2019 security behaviors","volume-title":"Symposium on Usable Privacy and Security (SOUPS)","year":"2015"},{"issue":"3","key":"key2021102306413037100_ref009","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2021102306413037100_ref010","article-title":"When believing in technology leads to poor cyber security: development of a trust in technical controls scale","volume":"98","year":"2020","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref011","first-page":"12","article-title":"Na\u00efve and accidental behaviours that compromise information security: what the experts think","volume-title":"10th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2016)","year":"2016"},{"key":"key2021102306413037100_ref012","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1016\/j.cobeha.2017.12.009","article-title":"Habit formation and change","volume":"20","year":"2018","journal-title":"Current Opinion in Behavioral Sciences"},{"key":"key2021102306413037100_ref013","first-page":"33","article-title":"The effect of organisational culture on employee security behaviour: a qualitative study","volume-title":"10th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2016)","year":"2016"},{"key":"key2021102306413037100_ref014","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2012.09.010","article-title":"Future directions for behavioral information security research","volume":"32","year":"2013","journal-title":"Computers and Security"},{"issue":"SI","key":"key2021102306413037100_ref015","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1145\/3210530.3210535","article-title":"InfoSec process action model (IPAM): systematically addressing individual security behavior","volume":"49","year":"2018","journal-title":"Acm Sigmis Database: The Database for Advances in Information Systems"},{"key":"key2021102306413037100_ref016","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","year":"2015","journal-title":"Computers and Security"},{"issue":"3","key":"key2021102306413037100_ref017","doi-asserted-by":"crossref","first-page":"323","DOI":"10.1080\/17437199.2014.941722","article-title":"Theories of behaviour and behaviour change across the social and behavioural sciences: a scoping review","volume":"9","year":"2015","journal-title":"Health Psychology Review"},{"key":"key2021102306413037100_ref018","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1007\/978-1-4302-6356-2_3","article-title":"Data and privacy governance concepts","volume-title":"The Privacy Engineer\u2019s Manifesto","year":"2014"},{"key":"key2021102306413037100_ref019","volume-title":"Discovering Statistics Using SPSS","year":"2009","edition":"4th ed.,"},{"key":"key2021102306413037100_ref020","article-title":"A conceptual model of information security compliant behaviour based on the self-determination theory","volume-title":"Conference on Information Communications Technology and Society (ICTAS 2019)","year":"2019"},{"key":"key2021102306413037100_ref021","first-page":"144","article-title":"Information security behavior: development of a measurement instrument based on the self-determination theory","volume-title":"14th IFIP WG 11.12 International Symposium (HAISA 2020)","year":"2020"},{"key":"key2021102306413037100_ref022","first-page":"1","article-title":"Quantitative research design","volume-title":"Data Acquisition \u2013 1 Day","year":"2017"},{"issue":"1","key":"key2021102306413037100_ref023","first-page":"242","article-title":"Security-related behavior in using information systems in the workplace: a review and synthesis","volume":"32","year":"2013","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref024","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1016\/j.cose.2016.12.016","article-title":"An integrative model of information security policy compliance with psychological contract: examining a bilateral perspective","volume":"66","year":"2017","journal-title":"Computers and Security"},{"issue":"2","key":"key2021102306413037100_ref025","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support Systems"},{"key":"key2021102306413037100_ref026","article-title":"Willingness and ability to perform information security compliance behavior: psychological ownership and self-efficacy perspective","volume-title":"Pacific Asia Conference on Information Systems (PACIS 2016)","year":"2016"},{"issue":"1","key":"key2021102306413037100_ref027","first-page":"17","article-title":"Indirect effect of management support on users\u2019 compliance behaviour towards information security policies","volume":"47","year":"2017","journal-title":"Health Information Management Journal"},{"key":"key2021102306413037100_ref028","first-page":"1","article-title":"Security awareness: the first step in information security compliance behavior","year":"2019","journal-title":"Journal of Computer Information Systems"},{"issue":"1","key":"key2021102306413037100_ref029","first-page":"69","article-title":"Information systems security policy compliance: an empirical study of the effects of socialization, influence, and cognition","volume":"51","year":"2013","journal-title":"Information and Management"},{"issue":"3","key":"key2021102306413037100_ref030","first-page":"479","article-title":"What influences information security behavior? A study with Brazilian users","volume":"13","year":"2016","journal-title":"Journal of Information Systems and Technology Management"},{"key":"key2021102306413037100_ref031","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1016\/j.cose.2015.07.002","article-title":"Privacy attitudes and privacy behaviour: a review of current research on the privacy paradox phenomenon","volume":"64","year":"2017","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref032","first-page":"1","article-title":"Why deterrence is not enough: the role of endogenous motivations on employees\u2019 information security behavior","volume-title":"35th International Conference on Information Systems","year":"2014"},{"issue":"1","key":"key2021102306413037100_ref033","article-title":"Systematic literature review of information security compliance behaviour theories","volume":"1551","year":"2020","journal-title":"Journal of Physics: Conference Series"},{"issue":"3","key":"key2021102306413037100_ref034","doi-asserted-by":"crossref","first-page":"277","DOI":"10.1080\/17437199.2016.1151372","article-title":"Theoretical explanations for maintenance of behaviour change: a systematic review of behaviour theories","volume":"10","year":"2016","journal-title":"Health Psychology Review"},{"key":"key2021102306413037100_ref035","first-page":"65","article-title":"On defining behavior: some notes","volume":"42","year":"2014","journal-title":"Behavior and Philosophy"},{"key":"key2021102306413037100_ref036","first-page":"1","article-title":"Self-determination theory","volume-title":"Encyclopedia of Personality and Individual Differences","year":"2017"},{"issue":"1","key":"key2021102306413037100_ref037","doi-asserted-by":"crossref","first-page":"103","DOI":"10.1016\/j.anbehav.2009.03.018","article-title":"Behavioural biologists do not agree on what constitutes behaviour","volume":"78","year":"2009","journal-title":"Animal Behaviour"},{"key":"key2021102306413037100_ref038","first-page":"1","article-title":"Beyond compliance: empowering employees\u2019 extra-role security behaviors in dynamic environments","volume-title":"23rd Americas Conference on Information Systems (AMCIS 2017): A Tradition of Innovation","year":"2017"},{"key":"key2021102306413037100_ref039","volume-title":"Essentials of Research Design and Methodology","year":"2005"},{"key":"key2021102306413037100_ref040","volume-title":"The Cambridge Dictionary of Psychology","year":"2012"},{"key":"key2021102306413037100_ref041","first-page":"1","article-title":"Reliable behavioural factors in the information security context","volume-title":"12th International Conference on Availability, Reliability and Security (ARES \u201817)","year":"2017"},{"key":"key2021102306413037100_ref042","first-page":"56","article-title":"Information security policy compliance behavior based on comprehensive dimensions of information security culture: a conceptual framework","volume-title":"2017 International Conference on Information System and Data Mining","year":"2017"},{"key":"key2021102306413037100_ref043","unstructured":"NIST (2017), \u201cSecurity and privacy controls for federal information systems and organizations\u201d, available at: https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-4\/final"},{"key":"key2021102306413037100_ref044","volume-title":"A Step-by-Step Approach to Using SAS for Factor Analysis and Structural Equation Modelling","year":"2013"},{"key":"key2021102306413037100_ref045","volume-title":"Researching Information Systems and Computing","year":"2006"},{"key":"key2021102306413037100_ref046","doi-asserted-by":"crossref","first-page":"152","DOI":"10.4018\/978-1-7998-3149-5.ch010","article-title":"Factors influencing information security policy compliance behavior","volume-title":"Modern Theories and Practices for Cyber Ethics and Security Compliance","year":"2020"},{"key":"key2021102306413037100_ref047","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/j.cose.2015.10.002","article-title":"Analysis of personal information security behavior and awareness","volume":"56","year":"2016","journal-title":"Computers and Security"},{"issue":"5","key":"key2021102306413037100_ref048","doi-asserted-by":"crossref","first-page":"673","DOI":"10.1016\/j.cose.2012.04.004","article-title":"Taxonomy of compliant information security behavior","volume":"31","year":"2012","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref049","article-title":"Information security behavior: towards multi-stage models","volume-title":"Pacific Asia Conference on Information Systems 2013 (PACIS 2013)","year":"2013"},{"key":"key2021102306413037100_ref050","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1016\/j.cose.2017.01.004","article-title":"The human aspects of information security questionnaire (HAIS-Q): two further validation studies","volume":"66","year":"2017","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref051","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref052","first-page":"57","article-title":"Examining attitudes towards information security behaviour using mixed methods","volume-title":"9th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2015)","year":"2015"},{"issue":"4","key":"key2021102306413037100_ref053","doi-asserted-by":"crossref","first-page":"489","DOI":"10.1515\/jhsem-2014-0035","article-title":"From weakest link to security hero: transforming staff security behavior","volume":"11","year":"2014","journal-title":"Journal of Homeland Security and Emergency Management"},{"key":"key2021102306413037100_ref054","unstructured":"Ponemon Institute (2020), \u201cThe third annual study on the state of endpoint security risk\u201d, available at: www.morphisec.com\/hubfs\/2020StateofEndpointSecurityFinal.pdf"},{"key":"key2021102306413037100_ref055","unstructured":"PricewaterhouseCoopers (2018), \u201cThe global state of information security survey 2018\u201d, available at: www.pwc.com\/us\/en\/services\/consulting\/cybersecurity\/library\/information-security-survey.htm"},{"issue":"1","key":"key2021102306413037100_ref056","doi-asserted-by":"crossref","first-page":"68","DOI":"10.1037\/0003-066X.55.1.68","article-title":"Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being","volume":"55","year":"2000","journal-title":"American Psychologist"},{"key":"key2021102306413037100_ref057","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1016\/j.cose.2015.05.012","article-title":"Information security conscious care behaviour formation in organizations","volume":"53","year":"2015","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref058","volume-title":"Research Methods for Business Students","year":"2016","edition":"7th ed"},{"issue":"4","key":"key2021102306413037100_ref059","doi-asserted-by":"crossref","first-page":"401","DOI":"10.1177\/002188637100700401","article-title":"The individual, the organization, and the career \u2013 a conceptual scheme","volume":"7","year":"1971","journal-title":"The Journal of Applied Behavioral Science"},{"key":"key2021102306413037100_ref060","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1016\/j.cose.2015.01.002","article-title":"Personality, attitudes, and intentions: predicting initial adoption of information security behavior","volume":"49","year":"2015","journal-title":"Computers and Security"},{"key":"key2021102306413037100_ref061","article-title":"Information and cyber security","volume-title":"6th International Conference on Information Systems Security and Privacy (ICISSP 2020)","year":"2020"},{"issue":"1","key":"key2021102306413037100_ref062","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1108\/IMCS-08-2012-0045","article-title":"Variables influencing information security policy compliance: a systematic review of quantitative studies","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"issue":"7","key":"key2021102306413037100_ref063","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1016\/j.im.2011.07.002","article-title":"Out of fear or desire? Towards a better understanding of employees\u2019 motivation to follow is security policies","volume":"48","year":"2011","journal-title":"Information and Management"},{"key":"key2021102306413037100_ref064","volume-title":"Applied Multivariate Statistics for the Social Sciences","year":"2002","edition":"4th ed"},{"key":"key2021102306413037100_ref065","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ICTAS.2019.8703636","article-title":"A conceptual privacy governance framework","volume-title":"2019 Conference on Information Communications Technology and Society (ICTAS)","year":"2019"},{"issue":"1","key":"key2021102306413037100_ref066","doi-asserted-by":"crossref","first-page":"111","DOI":"10.26577\/JPSS-2017-1-557","article-title":"The problems of thinking about mind, body and experience","volume":"60","year":"2017","journal-title":"The Journal of Psychology and Sociology"},{"key":"key2021102306413037100_ref067","doi-asserted-by":"crossref","first-page":"128","DOI":"10.1016\/j.cose.2015.04.006","article-title":"Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs","volume":"52","year":"2015","journal-title":"Computers and Security"},{"issue":"4","key":"key2021102306413037100_ref068","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1080\/15536548.2013.10845690","article-title":"Control-related motivations and information security policy compliance: the role of autonomy and efficacy","volume":"9","year":"2013","journal-title":"Journal of Information Privacy and Security"},{"issue":"3","key":"key2021102306413037100_ref069","first-page":"1","article-title":"Exploratory factor analysis: a five-step guide for novices","volume":"8","year":"2010","journal-title":"Journal of Emergency Primary Health Care"},{"issue":"2","key":"key2021102306413037100_ref070","doi-asserted-by":"crossref","first-page":"79","DOI":"10.20982\/tqmp.09.2.p079","article-title":"A beginner\u2019 s guide to factor analysis: focussing on exploratory factor analysis","volume":"9","year":"2013","journal-title":"Tutorials in Quantitative Methods for Psychology"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2020-0179\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2020-0179\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:20Z","timestamp":1753406600000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/29\/4\/625-646\/105370"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,3,8]]},"references-count":70,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2021,3,8]]},"published-print":{"date-parts":[[2021,10,26]]}},"alternative-id":["10.1108\/ICS-11-2020-0179"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2020-0179","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2021,3,8]]}}}