№1, 2026
The rapid expansion of the digital environment has led to an increase in information security risks, thereby necessitating the formation of an information security culture at both organizational and individual levels. In this article, existing approaches for assessing information security culture are systematically analyzed. The main objective of the research is to determine the adequacy of these approaches in terms of measuring not only the organizational level but also the knowledge, attitudes, and behaviors of individuals regarding information security. The article examines the main characteristics, application areas, and limitations of existing methods in a comparative manner. As a result of the analysis, it has been determined that most existing models are oriented toward assessing information security culture from the perspective of organizational structure and management. In these approaches, the human factor is mostly evaluated as the weak link in the security chain, and the measurement of values, motivations, and behaviors at the individual level is not sufficiently covered. To fill this gap, the article proposes a conceptual model for assessing personal information security culture. The model presents a multi-level approach that integrates an individual's knowledge, values, risk perception, sense of responsibility, and behavioral habits related to information security. The proposed conceptual model creates an opportunity to understand the individual's decision-making process and behavioral motivation regarding information security, as well as to assess more deeply the impact of personal culture on the organizational security environment (pp. 70-80).














