{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T05:46:20Z","timestamp":1780724780815,"version":"3.54.1"},"reference-count":60,"publisher":"Emerald","issue":"8","license":[{"start":{"date-parts":[[2023,7,27]],"date-time":"2023-07-27T00:00:00Z","timestamp":1690416000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ITP"],"published-print":{"date-parts":[[2023,12,18]]},"abstract":"Purpose<\/jats:title>This paper aims to provide a maturity model for information security awareness (MMISA), based on the literature, expert interviews and feedback. In addition to developing the MMISA, the authors investigate the role of the three decisive factors that affect ISA maturity level: risk management mechanism, organizational structure and ISA.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The research methodology is a combined one; qualitative and quantitative methods were applied, including surveying the literature, interviews and developing a survey to collect quantitative data about decisive factors that affect ISA maturity level. The authors perform a variance-based partial least squares-structural equation modeling (PLS-SEM) investigation of the relationships between these factors.<\/jats:p><\/jats:sec>Findings<\/jats:title>The investigation of decisive factors of ISA maturity levels revealed that if the authors identify a strong risk assessment mechanism (through a documented methodology and reliable results), the authors can expect a high level of ISA. If there is a well-defined organizational structure with clear responsibilities, this supports the linking of a risk management mechanism with the level of ISA. The connection between organizational structure and ISA maturity level is supported by ISA activities: an increased level of awareness actions strengthens an organizational structure via the best practices learned by the staff.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The main contribution of the proposed MMISA model is that the model offers controls and audit evidence for maturity levels. Beyond that, the authors distinguish in the MMISA model controls supporting knowledge and controls supporting attitude, emphasizing that this is not enough to know what to do, but the proper attitude is required too. The authors didn't find any other ISA maturity model which has a similar feature. The contribution of the authors' work is that the authors provide a method for solving this complex measurement problem via the MMISA, which also offers direct guidance for the daily practices of organizations.<\/jats:p><\/jats:sec>","DOI":"10.1108\/itp-11-2021-0849","type":"journal-article","created":{"date-parts":[[2023,7,27]],"date-time":"2023-07-27T00:13:38Z","timestamp":1690416818000},"page":"174-195","source":"Crossref","is-referenced-by-count":9,"title":["Information security awareness maturity: conceptual and practical aspects in Hungarian organizations"],"prefix":"10.1108","volume":"36","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0023-1143","authenticated-orcid":false,"given":"Andrea","family":"K\u0151","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5133-6557","authenticated-orcid":false,"given":"G\u00e1bor","family":"Tarj\u00e1n","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ariel","family":"Mitev","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","published-online":{"date-parts":[[2023,7,27]]},"reference":[{"key":"key2023120706323782000_ref001","article-title":"Information security governance challenges and critical success factors: systematic review","volume":"99","year":"2020","journal-title":"Computers and Security"},{"issue":"2","key":"key2023120706323782000_ref002","doi-asserted-by":"crossref","first-page":"770","DOI":"10.1108\/ITP-06-2019-0269","article-title":"Information security awareness in a developing country context: insights from the government sector in Saudi Arabia","volume":"34","year":"2020","journal-title":"Information Technology and People"},{"key":"key2023120706323782000_ref060","doi-asserted-by":"crossref","first-page":"1173","DOI":"10.1037\/0022-3514.51.6.1173","article-title":"The Moderator-Mediator variable distinction in social psychological research: conceptual, strategic, and statistical considerations","volume":"51","year":"1986","journal-title":"Journal of Personality and Social Psychology"},{"issue":"3","key":"key2023120706323782000_ref003","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2023120706323782000_ref004","first-page":"1155","article-title":"Quantitative methods in psychology: a power primer","volume":"112","year":"1992","journal-title":"Psychological Bulletin"},{"key":"key2023120706323782000_ref005","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","year":"2015","journal-title":"Computers and Security"},{"key":"key2023120706323782000_ref006","article-title":"A comprehensive model of information security factors for decision-makers","volume":"92","year":"2020","journal-title":"Computers and Security"},{"issue":"2","key":"key2023120706323782000_ref007","doi-asserted-by":"crossref","first-page":"297","DOI":"10.25300\/MISQ\/2015\/39.2.02","article-title":"Consistent partial least squares path modeling","volume":"39","year":"2015","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2023120706323782000_ref008","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1108\/13287261211221128","article-title":"Assessment of information security maturity: an exploration study of Malaysian public service organizations","volume":"14","year":"2012","journal-title":"Journal of Systems and Information Technology"},{"key":"key2023120706323782000_ref009","doi-asserted-by":"crossref","unstructured":"Fertig, T., Sch\u00fctz, A.E., Weber, K. and M\u00fcller, N.H. (2020), \u201cTowards an information security awareness maturity model\u201d, in Zaphiris, P. and Ioannou, A. (Eds.), Learning and Collaboration Technologies. Human and Technology Ecosystems. HCII 2020. Lecture Notes in Computer Science, Springer, Cham, pp.\u00a0587-599.","DOI":"10.1007\/978-3-030-50506-6_40"},{"key":"key2023120706323782000_ref010","first-page":"66","article-title":"Developing a maturity model for information security awareness using a polytomous extension of the Rasch model","year":"2023"},{"key":"key2023120706323782000_ref011","first-page":"6830","article-title":"Software system risk management and assurance","year":"1995"},{"issue":"1","key":"key2023120706323782000_ref012","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1177\/002224378101800104","article-title":"Evaluating structural equation models with unobservable variables and measurement error","volume":"18","year":"1981","journal-title":"Journal of Marketing Research"},{"key":"key2023120706323782000_ref013","article-title":"Financial services modernization act of 1999","author":"GLBA, The Gramm\u2013Leach\u2013Bliley Act","year":"1999"},{"issue":"1","key":"key2023120706323782000_ref014","doi-asserted-by":"crossref","first-page":"111","DOI":"10.2308\/ISYS-2020-072","article-title":"Assessing effects of media affordances and information security awareness on knowledge-sharing in global software development","volume":"36","year":"2022","journal-title":"Journal of Information Systems"},{"issue":"3","key":"key2023120706323782000_ref015","doi-asserted-by":"crossref","first-page":"414","DOI":"10.1007\/s11747-011-0261-6","article-title":"An assessment of the use of partial least squares structural equation modeling in marketing research","volume":"40","year":"2012","journal-title":"Journal of the Academy of Marketing Science"},{"key":"key2023120706323782000_ref016","volume-title":"A Primer on Partial Least Squares Structural Equation\u00a0Modeling (PLS-SEM)","year":"2017","edition":"2nd ed."},{"key":"key2023120706323782000_ref017","volume-title":"Advanced Issues in Partial Least Squares Structural Equation\u00a0Modeling","year":"2017"},{"key":"key2023120706323782000_ref018","article-title":"The health insurance portability and accountability act of 1996","author":"HIPAA","year":"1996"},{"issue":"5","key":"key2023120706323782000_ref019","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1108\/09685220310500153","article-title":"An integrated system theory of information security management","volume":"11","year":"2003","journal-title":"Information Management and Computer Security"},{"issue":"1","key":"key2023120706323782000_ref057","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1080\/10705519909540118","article-title":"Cutoff criteria for fit indexes in covariance structure analysis: conventional criteria versus new alternatives","volume":"6","year":"1999","journal-title":"Structural Equation Modeling: A Multidisciplinary Journal"},{"key":"key2023120706323782000_ref059","volume-title":"Mediation analysis (No. 156)","year":"2008"},{"key":"key2023120706323782000_ref020","volume-title":"CISA Review Manual","author":"ISACA","year":"2017"},{"key":"key2023120706323782000_ref021","unstructured":"ISACA (2020), \u201cGlossary\u201d, available at: https:\/\/www.isaca.org\/resources\/glossary (accessed 20 August 2020)."},{"key":"key2023120706323782000_ref022","article-title":"Information technology \u2013 security techniques \u2013 information security management systems \u2013 requirements","author":"ISO\/IEC 27001:2013","year":"2013"},{"key":"key2023120706323782000_ref023","article-title":"Information security awareness: literature review and integrative framework","year":"2018"},{"issue":"6","key":"key2023120706323782000_ref024","doi-asserted-by":"crossref","first-page":"584","DOI":"10.1080\/0144929X.2011.632650","article-title":"Phishing for phishing awareness","volume":"32","year":"2013","journal-title":"Behaviour and Information Technology"},{"issue":"1","key":"key2023120706323782000_ref025","doi-asserted-by":"crossref","first-page":"227","DOI":"10.1111\/isj.12131","article-title":"Minimum sample size estimation in PLS\u2010SEM: the inverse square root and gamma\u2010exponential methods","volume":"28","year":"2018","journal-title":"Information Systems Journal"},{"issue":"3","key":"key2023120706323782000_ref026","doi-asserted-by":"crossref","first-page":"453","DOI":"10.1108\/JQME-07-2020-0059","article-title":"Cybersecurity workforce in railway: its maturity and awareness","volume":"27","year":"2021","journal-title":"Journal of Quality in Maintenance Engineering"},{"key":"key2023120706323782000_ref027","unstructured":"Kruse, S. and Pankey, B. (2010), \u201cAssessing the effectiveness of security awareness training. RSA and tunitas group\u201d, available at: http:\/\/www.securitymetrics.org\/attachments\/Metricon-6.5-Kruse.pdf (accessed 05 March 2019)."},{"issue":"12","key":"key2023120706323782000_ref028","doi-asserted-by":"crossref","first-page":"1049","DOI":"10.1108\/MRR-04-2013-0085","article-title":"Information security awareness and behavior: a theory-based literature review","volume":"37","year":"2014","journal-title":"Management Research Review"},{"key":"key2023120706323782000_ref029","first-page":"147","article-title":"Customized diagnostic tool for the security maturity level of the enterprise information based on ISO\/IEC 27001","year":"2020"},{"issue":"2","key":"key2023120706323782000_ref030","doi-asserted-by":"crossref","first-page":"63","DOI":"10.5121\/ijcsit.2013.5206","article-title":"An effective method for information security awareness raising initiatives","volume":"5","year":"2013","journal-title":"International Journal of Computer Science and Information Technology"},{"key":"key2023120706323782000_ref031","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1016\/j.techfore.2018.03.009","article-title":"Evolutionary paths and influencing factors towards digital maturity: an analysis of the status quo in Swiss hospitals","volume":"133","year":"2018","journal-title":"Technological Forecasting and Social Change"},{"key":"key2023120706323782000_ref032","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/j.jisa.2018.11.003","article-title":"An analysis on the dimensions of information security culture concept: a review","volume":"44","year":"2019","journal-title":"Journal of Information Security and Applications"},{"key":"key2023120706323782000_ref033","unstructured":"Nemeslaki, A. and Sasvari, P. (2015), \u201cEmpirical analysis of information security awareness in the business and public sectors of Hungary\u201d, Central and Eastern European eDem and eGov Days 2015. Time for a European Internet?, \u00d6sterreichische Computer-Gesellschaft, Wien, pp.\u00a0405-418."},{"key":"key2023120706323782000_ref034","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers and Security"},{"key":"key2023120706323782000_ref035","unstructured":"PCI (2016), \u201cPCI DSS - payment card industry data security standard \u2013 requirements and security assessment procedures\u201d, Version 3.2, available at: https:\/\/www.pcisecuritystandards.org\/document_library (accessed 20 May 2020)."},{"key":"key2023120706323782000_ref036","volume-title":"Information Security Risk Analysis","year":"2001"},{"key":"key2023120706323782000_ref037","unstructured":"Poepjes, R. and Lane, M. (2012), \u201cAn information security awareness capability model (ISACM)\u201d, available at: https:\/\/ro.ecu.edu.au\/cgi\/viewcontent.cgi?article=1136&context=ism (accessed 30 June 2021)."},{"key":"key2023120706323782000_ref038","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1016\/j.cose.2015.05.012","article-title":"Information security conscious care behaviour formation in organizations","volume":"53","year":"2015","journal-title":"Computers and Security"},{"key":"key2023120706323782000_ref039","unstructured":"SANS (2019), \u201cSANS the rising era of awareness training \u2013 SANS security awareness report\u201d, available at: https:\/\/www.sans.org\/security-awareness-training\/resources\/reports\/(accessed 20 July 2018)."},{"issue":"1","key":"key2023120706323782000_ref040","first-page":"63","article-title":"Old monarchy in the new cyberspace: empirical examination of information security awareness among Austrian and Hungarian enterprises","volume":"15","year":"2015","journal-title":"Academic and Applied Research in Military and Public Management Science"},{"key":"key2023120706323782000_ref041","article-title":"Maturity level assessments of information security controls: an empirical analysis of practitioners assessment capabilities","volume":"108","year":"2021","journal-title":"Computers and Security"},{"issue":"1","key":"key2023120706323782000_ref042","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1108\/09685220010371394","article-title":"A conceptual foundation for organizational information security awareness","volume":"8","year":"2000","journal-title":"Information Management and Computer Security"},{"issue":"2","key":"key2023120706323782000_ref043","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1016\/j.ijinfomgt.2015.11.009","article-title":"Information security management needs more holistic approach: a literature review","volume":"36","year":"2016","journal-title":"International Journal of Information Management"},{"key":"key2023120706323782000_ref044","unstructured":"Spitzner, L. (2012), \u201cSecurity awareness maturity model\u201d, available at: https:\/\/securingthehuman.sans.org\/blog\/2012\/05\/22\/security-awareness-maturity-model (accessed 22 December 2017)."},{"issue":"3","key":"key2023120706323782000_ref045","doi-asserted-by":"crossref","first-page":"1832","DOI":"10.9770\/jesi.2020.7.3(26)","article-title":"Training in shaping employee information security awareness","volume":"7","year":"2020","journal-title":"Entrepreneurship and Sustainability"},{"key":"key2023120706323782000_ref046","article-title":"What influences employees to follow security policies?","volume":"147","year":"2022","journal-title":"Safety Science"},{"key":"key2023120706323782000_ref047","article-title":"Mediating effects of information security awareness","volume":"106","year":"2021","journal-title":"Computers and Security"},{"key":"key2023120706323782000_ref058","first-page":"52","article-title":"Information security risk assessment: a method comparison","volume-title":"Computer","year":"2017"},{"issue":"2","key":"key2023120706323782000_ref048","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1086\/651257","article-title":"Reconsidering Baron and Kenny: myths and truths about mediation analysis","volume":"37","year":"2010","journal-title":"Journal of Consumer Research"},{"issue":"1","key":"key2023120706323782000_ref049","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1108\/IMDS-09-2015-0382","article-title":"Using PLS path modeling in new technology research: updated guidelines","volume":"116","year":"2016","journal-title":"Industrial Management and Data Systems"},{"key":"key2023120706323782000_ref050","article-title":"COBIT five: a business framework for the governance and management of enterprise IT","author":"ISACA","year":"2012"},{"key":"key2023120706323782000_ref051","volume-title":"COBIT2019 Framework: Introduction and Methodology","author":"ISACA","year":"2018"},{"key":"key2023120706323782000_ref052","article-title":"ISO 27032 \u2013 international standard ISO\/IEC 27032:2012. Information technology -- security techniques -- guidelines for cybersecurity","author":"ISO\/IEC 27032:2012","year":"2012"},{"key":"key2023120706323782000_ref053","volume-title":"COBIT 4.1 Control Objectives for Information Technology","author":"ITGI","year":"2007"},{"key":"key2023120706323782000_ref054","unstructured":"Kruse, S. and Pankey, B. (2018), \u201cUser awareness maturity model (UAMM)\u201d, available at: http:\/\/securitymetrics.org\/attachments\/Metricon-6.5-Kruse.pdf (accessed 05 March 2022)."},{"key":"key2023120706323782000_ref055","volume-title":"NIST Special Publication 800-53. Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations","author":"NIST","year":"2013"},{"key":"key2023120706323782000_ref056","unstructured":"Sarbanes, S.P. and Oxley, M.G. (2002), \u201cSarbanes-Oxley act of 2002\u201d, The Public Company Accounting Reform and Investor Protection Act, p. 55, Washington DC, US Congress."}],"container-title":["Information Technology & People"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ITP-11-2021-0849\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ITP-11-2021-0849\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:55:59Z","timestamp":1753394159000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/itp\/article\/36\/8\/174-195\/179901"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,27]]},"references-count":60,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2023,7,27]]},"published-print":{"date-parts":[[2023,12,18]]}},"alternative-id":["10.1108\/ITP-11-2021-0849"],"URL":"https:\/\/doi.org\/10.1108\/itp-11-2021-0849","relation":{},"ISSN":["0959-3845"],"issn-type":[{"value":"0959-3845","type":"print"}],"subject":[],"published":{"date-parts":[[2023,7,27]]}}}