A Framework of Factors Influencing the Compliance of Employee Behavior with Information Security Policies in the Banking System

Article type: Scientific research article

Authors

1 Ph.D. student in Information Technology Management, Faculty of Management and Accounting, Allameh Tabataba'i University

2 Professor, Department of Information Technology Management, Faculty of Management and Accounting, Allameh Tabataba'i University

3 Professor, Department of Public Administration, Faculty of Management and Accounting, Allameh Tabataba'i University

4 Professor, Department of Information Technology Management, College of Management, University of Tehran

Abstract

Given the vital role of the human factor as one of the vulnerable links in the information security chain, this study aims to identify, classify, and integrate the factors affecting the compliance of employee behavior with information security policies in the banking industry, and presents a comprehensive conceptual framework for this area. The study uses the qualitative meta-synthesis research method. Through a systematic search of scientific databases, 67 credible articles that directly addressed the research topic were selected and analyzed in depth using thematic analysis. The main theoretical framework for classifying and integrating the extracted factors was the Capability, Opportunity, Motivation, Behavior (COM-B) model, which was combined with key concepts from protection motivation theory, the theory of planned behavior, neutralization theory, and general deterrence theory. The findings showed that compliant behavior is the product of the interaction of three main dimensions. The motivation dimension, with 13 factors, was identified as the most central dimension, in which attitudes and beliefs and cost-benefit evaluation, with 39 and 24 occurrences respectively, had the highest frequency. In the opportunity dimension, with 11 factors, training and awareness and social norms, with 28 and 21 occurrences, were determined to be the most powerful environmental factors. In the capability dimension, which consists of 12 factors, self-efficacy, with 18 occurrences, is more important than the other factors in this category. This study presents an integrated, multidimensional framework showing that the compliance of banking-system employees' behavior with information security policies is, more than a technical requirement, a cognitive and social choice. The framework has important practical implications for bank managers, including the need to shift focus from tool-centric strategies to human-centric approaches that emphasize correcting attitudes, strengthening self-efficacy, and cultivating a positive security culture. In addition, as a comprehensive theoretical basis, the framework paves the way for future research to test the relationships among these factors.


Article title [English]

A Framework of Factors Influencing Employees’ Compliance Behavior with Information Security Policies in the Banking Sector

Authors [English]

  • Saeed Kazempourian 1
  • Mohammad Reza Taghva 2
  • Vajhollah Ghorbanizadeh 3
  • Amir Manian 4
1 Ph.D. Candidate in Information Technology Management, Faculty of Management and Accounting, Allameh Tabataba’i University
2 Professor, Department of Information Technology Management, Faculty of Management and Accounting, Allameh Tabataba’i University
3 Professor, Department of Public Administration, Faculty of Management and Accounting, Allameh Tabataba’i University
4 Professor, Department of Information Technology Management, College of Management, University of Tehran
Abstract [English]

Considering the critical role of the human factor as a vulnerable link in the information security chain, this study aims to identify, classify, and integrate the factors influencing employee compliance with Information Security Policies (ISPs) in the banking sector. The research culminates in the development of a comprehensive conceptual framework for this domain. The study employs a qualitative meta-synthesis methodology. Through a systematic search of academic databases, 67 pertinent articles directly addressing the research topic were selected and subjected to in-depth thematic analysis. The primary theoretical framework for classifying and integrating the extracted factors was the Capability, Opportunity, Motivation-Behavior (COM-B) model, which was synthesized with key concepts from Protection Motivation Theory (PMT), the Theory of Planned Behavior (TPB), Neutralization Theory, and General Deterrence Theory (GDT). The findings reveal that compliant behavior is the product of the interplay of three primary dimensions. The motivation dimension, comprising 13 factors, emerged as the most pivotal dimension, with attitudes and beliefs and cost–benefit evaluations occurring 39 and 24 times, respectively. Within the opportunity dimension, encompassing 11 factors, training and awareness and social norms, with 28 and 21 occurrences respectively, were identified as the most influential environmental factors. In the capability dimension, which consists of 12 factors, self-efficacy, with 18 occurrences, proved more significant than any other factor in that category. This research proposes an integrated, multidimensional framework demonstrating that employee compliance with ISPs in the banking system is not merely a technical requirement but a cognitive and social choice.
The framework holds significant practical implications for banking managers, highlighting the necessity of shifting focus from tool-centric strategies to human-centric approaches that emphasize attitude modification, self-efficacy enhancement, and the cultivation of a positive security culture. Furthermore, by providing a comprehensive theoretical foundation, the framework enables future empirical research to examine the relationships among these factors.

Keywords [English]

  • Information Security
  • Bank
  • Compliance
  • Protection Motivation Theory
  • General Deterrence Theory