{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T03:57:14Z","timestamp":1772078234544,"version":"3.50.1"},"reference-count":72,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2020,12,4]],"date-time":"2020-12-04T00:00:00Z","timestamp":1607040000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2021,5,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-12-2019-0140","type":"journal-article","created":{"date-parts":[[2020,12,17]],"date-time":"2020-12-17T23:16:09Z","timestamp":1608246969000},"page":"133-158","source":"Crossref","is-referenced-by-count":27,"title":["A systematic review of scales for measuring information security culture"],"prefix":"10.1108","volume":"29","author":[{"given":"\u0160pela","family":"Orehek","sequence":"first","affiliation":[]},{"given":"Gregor","family":"Petri\u010d","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2020,12,4]]},"reference":[{"issue":"7","key":"key2021050810165996900_ref001","doi-asserted-by":"crossref","first-page":"163","DOI":"10.14257\/ijsia.2015.9.7.15","article-title":"Cultivating and assessing an organizational information security culture; an empirical study","volume":"9","year":"2015","journal-title":"International Journal of Security and Its Applications"},{"key":"key2021050810165996900_ref002","unstructured":"Al Hogail, A. and Mirza, M. (2015), \u201cOrganizational information security culture assessment\u201d, paper presented at The 2015 International Conference on Security and Management (SAM\u201915), 27-30 July, Las Vegas, available at: http:\/\/worldcomp-proceedings.com\/proc\/p2015\/SAM_contents.html (accessed 15 June 2019)."},{"issue":"6","key":"key2021050810165996900_ref003","doi-asserted-by":"crossref","first-page":"620","DOI":"10.1080\/0144929X.2016.1269198","article-title":"The impact of security and its antecedents in behaviour intention of using e-government services","volume":"36","year":"2017","journal-title":"Behaviour and Information Technology"},{"key":"key2021050810165996900_ref004","unstructured":"AlKalbani, A., Deng, H. and Kam, B. (2015), \u201cOrganisational security culture and information security compliance for E-Government development: the moderating effect of social pressure\u201d, paper presented at The Pacific Asia Conference on Information Systems (PACIS), 5-9 July, Singapore, available at: https:\/\/pdfs.semanticscholar.org\/2892\/fe0931830eb5665e5b1614440d965978926f.pdf?_ga=2.6402546.1915429506.1576068243-1272771706.1576068243 (accessed 7 July 2019)."},{"key":"key2021050810165996900_ref005","unstructured":"Allen, M.J. and Yen, W.M. (2002), \u201cIntroduction to measurement theory\u201d, available at: http:\/\/books.google.si\/books?id=MNUpY_csc6cC (accessed 18 June 2019)."},{"key":"key2021050810165996900_ref006","unstructured":"Alnatheer, M., Chan, T. and Nelson, K. (2012), \u201cUnderstanding and measuring information security culture\u201d, paper presented at The Pacific Asia Conference on Information Systems (PACIS), 11-15 July, Ho Chi Minh City, Vietnam, available at: www.pacis-net.org\/file\/2012\/PACIS2012-005.pdf (accessed 29 June 2019)."},{"key":"key2021050810165996900_ref069","volume-title":"Standards for Educational and Psychological Testing","author":"American Educational Research Association \u2013 AERA, American Psychological Association \u2013 APA, National Council on Measurement in Education \u2013 NCME","year":"1992"},{"key":"key2021050810165996900_ref007","volume-title":"Publication Manual of the American Psychological Association","author":"American Psychological Association (APA)","year":"2020"},{"issue":"3","key":"key2021050810165996900_ref008","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1177\/0049124189017003004","article-title":"A new incremental fit index for general structural equation models","volume":"17","year":"1989","journal-title":"Sociological Methods and Research"},{"key":"key2021050810165996900_ref009","first-page":"1","article-title":"Securing health care: assessing factors that affect HIPAA security compliance in academic medical centers","volume-title":"Proceedings of the 2011 44th HI International Conference on System Sciences","year":"2011"},{"key":"key2021050810165996900_ref010","volume-title":"Instill a Security Culture by Elevating Communication","year":"2018"},{"key":"key2021050810165996900_ref011","volume-title":"Web Survey Methodology","year":"2015"},{"key":"key2021050810165996900_ref012","volume-title":"Reliability and Validity Assessment","year":"1979"},{"issue":"3","key":"key2021050810165996900_ref013","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1080\/08874417.2015.11645767","article-title":"Impacts of comprehensive information security programs on information security culture","volume":"55","year":"2015","journal-title":"Journal of Computer Information Systems"},{"key":"key2021050810165996900_ref014","volume-title":"The Essentials of Factor Analysis","year":"2006"},{"issue":"1","key":"key2021050810165996900_ref015","doi-asserted-by":"crossref","first-page":"26","DOI":"10.4018\/IJABIM.2019010102","article-title":"Workplace violence and social engineering among Korean employees","volume":"10","year":"2019","journal-title":"International Journal of Asian Business and Information Management"},{"key":"key2021050810165996900_ref016","first-page":"1006","article-title":"A cybersecurity culture research philosophy and approach to develop a valid and reliable measuring instrument","volume-title":"In Science and Information (SAI) Computer Conference","year":"2016"},{"issue":"5","key":"key2021050810165996900_ref070","doi-asserted-by":"crossref","first-page":"584","DOI":"10.1108\/ICS-08-2017-0056","article-title":"An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture","volume":"26","year":"2018","journal-title":"Information and Computer Security"},{"issue":"2","key":"key2021050810165996900_ref017","doi-asserted-by":"crossref","first-page":"196","DOI":"10.1016\/j.cose.2009.09.002","article-title":"A framework and assessment instrument for information security culture","volume":"29","year":"2010","journal-title":"Computers and Security"},{"key":"key2021050810165996900_ref018","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","year":"2015","journal-title":"Computers and Security"},{"issue":"2","key":"key2021050810165996900_ref019","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1016\/j.clsr.2015.01.005","article-title":"Information security culture and information protection culture: a validated assessment instrument","volume":"31","year":"2015","journal-title":"Computer Law and Security Review"},{"key":"key2021050810165996900_ref020","doi-asserted-by":"crossref","first-page":"72","DOI":"10.1016\/j.cose.2017.05.002","article-title":"Defining and identifying dominant information security cultures and subcultures","volume":"70","year":"2017","journal-title":"Computers and Security"},{"issue":"5","key":"key2021050810165996900_ref021","doi-asserted-by":"crossref","first-page":"474","DOI":"10.1108\/IMCS-08-2013-0057","article-title":"Security culture and the employment relationship as drivers of employees\u2019 security compliance","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"key":"key2021050810165996900_ref022","volume-title":"Scale Development: Theory and Applications","year":"2016"},{"key":"key2021050810165996900_ref023","volume-title":"Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method","year":"2014"},{"issue":"20","key":"key2021050810165996900_ref024","first-page":"1","article-title":"Understanding and using factor scores: considerations for the applied researcher, practical assessment","volume":"14","year":"2009","journal-title":"Research and Evaluation"},{"key":"key2021050810165996900_ref025","volume-title":"Culture, Technology, Communication: Towards an Intercultural Global Village","year":"2001"},{"key":"key2021050810165996900_ref026","unstructured":"European Union Agency for Network and Information Security (ENISA) (2017), \u201cCyber security culture in organisations\u201d, available at: www.enisa.europa.eu\/publications\/cyber-security-culture-in-organisations (accessed 15 July 2019)."},{"key":"key2021050810165996900_ref027","volume-title":"Zanesljivost in Veljavnost Merjenja","year":"1995"},{"issue":"1","key":"key2021050810165996900_ref028","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1177\/002224378101800104","article-title":"Evaluating structural equation models with unobservable variables and measurement error","volume":"18","year":"1981","journal-title":"Journal of Marketing Research"},{"issue":"2","key":"key2021050810165996900_ref029","first-page":"5","article-title":"From culture to disobedience: recognising the varying user acceptance of IT security","year":"2009","journal-title":"Computer Fraud and Security"},{"key":"key2021050810165996900_ref030","volume-title":"Managing Cybersecurity Resources: A Cost-Benefit Analysis","year":"2005"},{"key":"key2021050810165996900_ref031","volume-title":"Multivariate Data Analysis","year":"2014","edition":"7th ed."},{"issue":"3","key":"key2021050810165996900_ref032","doi-asserted-by":"crossref","first-page":"629","DOI":"10.1177\/001316448904900315","article-title":"A five-item measure of socially desirable response set","volume":"49","year":"1989","journal-title":"Educational and Psychological Measurement"},{"issue":"1","key":"key2021050810165996900_ref033","doi-asserted-by":"crossref","first-page":"104","DOI":"10.1177\/109442819800100106","article-title":"A brief tutorial on the development of measures for use in survey questionnaires","volume":"1","year":"1998","journal-title":"Organizational Research Methods"},{"issue":"1","key":"key2021050810165996900_ref034","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1037\/a0014694","article-title":"Reporting practices in confirmatory factor analysis: an overview and some recommendations","volume":"14","year":"2009","journal-title":"Psychological Methods"},{"issue":"1","key":"key2021050810165996900_ref035","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1080\/10919392.2019.1552743","article-title":"Violators versus non-violators of information security measures in organizationsa study of distinguishing factors","volume":"29","year":"2019","journal-title":"Journal of Organizational Computing and Electronic Commerce"},{"issue":"4","key":"key2021050810165996900_ref036","doi-asserted-by":"crossref","first-page":"205","DOI":"10.1080\/01972240701441556","article-title":"What is social informatics and why does it matter?","volume":"23","year":"2007","journal-title":"The Information Society"},{"issue":"2","key":"key2021050810165996900_ref037","doi-asserted-by":"crossref","first-page":"37","DOI":"10.4018\/jisp.2007040103","article-title":"Information security effectiveness: conceptualization and validation of a theory","volume":"1","year":"2007","journal-title":"International Journal of Information Security and Privacy"},{"issue":"12","key":"key2021050810165996900_ref038","doi-asserted-by":"crossref","first-page":"1049","DOI":"10.1108\/MRR-04-2013-0085","article-title":"Information security awareness and behavior: a theory-based literature review","volume":"37","year":"2014","journal-title":"Management Research Review"},{"issue":"7","key":"key2021050810165996900_ref039","doi-asserted-by":"crossref","first-page":"e1000100","DOI":"10.1371\/journal.pmed.1000100","article-title":"The PRISMA statement for reporting systematic reviews and meta-analyses of studies that evaluate health care interventions: explanation and elaboration","volume":"6","year":"2009","journal-title":"PLoS Medicine"},{"issue":"3\/4","key":"key2021050810165996900_ref040","first-page":"107","article-title":"A holistic approach to collection security implementation in university libraries","volume":"36","year":"2012","journal-title":"Library Collections, Acquisitions, and Technical Services"},{"key":"key2021050810165996900_ref071","first-page":"11","article-title":"An information security culture model validated with structural equation modelling","volume-title":"In Proceedings of the Ninth International Symposium on Human Aspects of Information Security and Assurance (HAISA)","year":"2015"},{"key":"key2021050810165996900_ref041","first-page":"203","article-title":"Information security culture","volume-title":"Security in the Information Society","year":"2002"},{"issue":"8","key":"key2021050810165996900_ref042","first-page":"96","article-title":"Assessing the information security culture in a government context: the case of a developing country","volume":"9","year":"2018","journal-title":"International Journal of Civil Engineering and Technology"},{"issue":"7","key":"key2021050810165996900_ref043","first-page":"1255","article-title":"The development of an information security culture scale for the Malaysian public organization","volume":"9","year":"2018","journal-title":"International Journal of Mechanical Engineering and Technology"},{"key":"key2021050810165996900_ref044","doi-asserted-by":"crossref","first-page":"424","DOI":"10.1016\/j.sbspro.2014.07.133","article-title":"The human factor of information security: unintentional damage perspective","volume":"147","year":"2014","journal-title":"Procedia - Social and Behavioral Sciences"},{"issue":"3","key":"key2021050810165996900_ref045","first-page":"255","article-title":"Coefficient alpha: a basic introduction from the perspectives of classical test theory and structural equation modelling","volume":"2","year":"2009","journal-title":"Structural Equation Modeling: A Multidisciplinary Journal"},{"issue":"4","key":"key2021050810165996900_ref046","doi-asserted-by":"crossref","first-page":"264","DOI":"10.7326\/0003-4819-151-4-200908180-00135","article-title":"Preferred reporting items for systematic reviews and meta-analyses: the PRISMA statement","volume":"151","year":"2009","journal-title":"Annals of Internal Medicine"},{"key":"key2021050810165996900_ref047","first-page":"1","article-title":"Adoption of the ICT security culture in SMME\u2019s in the Gauteng province, South Africa","volume-title":"2018 International Conference on Advances in Big Data, Computing and Data Communication Systems (icABCD)","year":"2018"},{"issue":"1","key":"key2021050810165996900_ref048","doi-asserted-by":"crossref","first-page":"285","DOI":"10.25300\/MISQ\/2018\/13853","article-title":"Toward a unified model of information security policy compliance","volume":"42","year":"2018","journal-title":"MIS Quarterly"},{"key":"key2021050810165996900_ref049","first-page":"3021","article-title":"Organizational information security culture in critical infrastructure: developing and testing a scale and its relationships to other measures of information security","volume-title":"Safety and Reliability\u2013Safe Societies in a Changing World","year":"2018"},{"key":"key2021050810165996900_ref050","volume-title":"Social Research Methods","year":"2014"},{"key":"key2021050810165996900_ref051","volume-title":"Psychometric Theory","year":"1994","edition":"3rd ed"},{"key":"key2021050810165996900_ref052","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers and Security"},{"issue":"2","key":"key2021050810165996900_ref072","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1177\/1555343415575152","article-title":"The influence of organizational information security culture on information security decision making","volume":"9","year":"2015","journal-title":"Journal of Cognitive Engineering and Decision Making"},{"issue":"3","key":"key2021050810165996900_ref053","first-page":"35","article-title":"Beyond awareness: using business intelligence to create a culture of information security","volume":"11","year":"2011","journal-title":"Communications of the IIMA"},{"key":"key2021050810165996900_ref054","doi-asserted-by":"crossref","unstructured":"Ramlall, I. (2016), \u201cApplied structural equation modelling for researchers and practitioners: using R and stata for behavioural research\u201d, available at: https:\/\/books.google.si\/books?id=YzGwDQAAQBAJ (accessed 19 June 2019).","DOI":"10.1108\/9781786358820"},{"key":"key2021050810165996900_ref055","first-page":"1","article-title":"Vedenjski vidiki zagotavljanja informacijske varnosti: pomen upravljanja informacijske varnostne culture","volume-title":"Konferenca Informacijska Varnost: odgovori na Sodobne Izzive","year":"2012"},{"key":"key2021050810165996900_ref056","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1016\/j.cose.2016.01.004","article-title":"Shaping intention to resist social engineering through transformational leadership, information security culture and awareness","volume":"59","year":"2016","journal-title":"Computers and Security"},{"key":"key2021050810165996900_ref057","volume-title":"Build a Security Culture","year":"2015"},{"key":"key2021050810165996900_ref058","volume-title":"Multiple Imputation for Nonresponse in Surveys","year":"2004"},{"key":"key2021050810165996900_ref059","volume-title":"The Multitratit-Multimethod Approach to Evaluate Measurement Instruments","year":"1995"},{"issue":"31","key":"key2021050810165996900_ref060","first-page":"46","article-title":"Information security culture - from analysis to change","year":"2003","journal-title":"South African Computer Journal"},{"key":"key2021050810165996900_ref061","volume-title":"Psychometric Properties of Organizational Research Instruments. Method and Analysis in Organizational Research","year":"1984"},{"issue":"5","key":"key2021050810165996900_ref062","doi-asserted-by":"crossref","first-page":"644","DOI":"10.1108\/JEIM-07-2013-0052","article-title":"Identifying factors of \u2018organizational information security management","volume":"27","year":"2014","journal-title":"Journal of Enterprise Information Management"},{"key":"key2021050810165996900_ref063","volume-title":"Using Multivariate Statistics","year":"2014","edition":"6th ed"},{"key":"key2021050810165996900_ref064","volume-title":"Exploratory and Confirmatory Factor Analysis: Understanding Concepts and Applications","year":"2004"},{"issue":"4","key":"key2021050810165996900_ref065","doi-asserted-by":"crossref","first-page":"414","DOI":"10.1037\/0022-0167.34.4.414","article-title":"Uses of factor analysis in counseling psychology research","volume":"34","year":"1987","journal-title":"Journal of Counseling Psychology"},{"key":"key2021050810165996900_ref066","unstructured":"Trochim, W.M. (2006), \u201cResearch methods knowledge base\u201d, available at: https:\/\/socialresearchmethods.net\/kb\/constval.php (accessed 19 June 2019)."},{"key":"key2021050810165996900_ref067","doi-asserted-by":"crossref","first-page":"128","DOI":"10.1016\/j.cose.2015.04.006","article-title":"Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs","volume":"52","year":"2015","journal-title":"Computers and Security"},{"issue":"2","key":"key2021050810165996900_ref068","doi-asserted-by":"crossref","first-page":"79","DOI":"10.20982\/tqmp.09.2.p079","article-title":"A beginner\u2019s guide to factor analysis: focusing on exploratory factor analysis","volume":"9","year":"2013","journal-title":"Tutorials in Quantitative Methods for Psychology"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2019-0140\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2019-0140\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:26Z","timestamp":1753406606000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/29\/1\/133-158\/103736"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,4]]},"references-count":72,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2020,12,4]]},"published-print":{"date-parts":[[2021,5,10]]}},"alternative-id":["10.1108\/ICS-12-2019-0140"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2019-0140","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,12,4]]}}}