Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

The employee cybersecurity awareness framework

Bishop, Laura M., Asquith, Phoebe M. and Morgan, Phillip L. ORCID: https://orcid.org/0000-0002-5672-0758 2025. The employee cybersecurity awareness framework. Human Behavior and Emerging Technologies 10.1155/hbe2/1025045

PDF - Published Version
Available under License Creative Commons Attribution.


Abstract

With cyberattack methods becoming increasingly sophisticated and end-users of targeted technology continuing to be the weakest link, it is crucial to develop more optimal ways to measure and better understand human cybersecurity behaviour risk. Across three studies, a tool consisting of a battery of established questionnaires and other measures to investigate employee cybersecurity vulnerability factors was tested and developed. Study 1 determined key correlating factors including security–self-efficacy, experience and involvement, awareness and organisational policy, with large effect sizes. A refined tool was deployed in Study 2 amongst a larger sample of employees within a multinational organisation. Exploratory factor analysis determined two latent factors—cybersecurity awareness and psychological ownership. However, 55% of variance within a regression model was explained by cybersecurity awareness alone. Study 3 included an even larger sample employed by multiple organisations—with cybersecurity awareness accounting for 60% of variance. We propose the employee cybersecurity awareness framework (ECAF) with cybersecurity awareness at its core and containing six underlying factors: threat appraisal, information security self-efficacy, information security awareness, information security attitude, information security operation policy and cybersecurity experience and involvement. The ECAF can be deployed by organisations to optimally measure employee cybersecurity risk factors and determine optimal interventions tailored to risk profiles.

Item Type: Article
Date Type: Published Online
Status: In Press
Schools: Schools > Psychology
Publisher: Wiley
ISSN: 2578-1863
Date of First Compliant Deposit: 20 May 2025
Date of Acceptance: 9 April 2025
Last Modified: 21 Jul 2025 10:15
URI: https://orca.cardiff.ac.uk/id/eprint/177742
