Measurement items
| Construct (source) | Code | Measurement items | Modifications |
|---|---|---|---|
| Organizational policy compliance (Hina et al., 2019) | OPC1 | My organization has established rules of behavior for computer use to comply with governmental regulations | Major modification |
| | OPC2 | My organization has specific guidelines for computer use to comply with governmental regulations | Major modification |
| | OPC3 | My organization has a policy that forbids employees from accessing certain online websites when their computers contain confidential documents to comply with governmental regulations | Major modification |
| | OPC4 | My organization has defined code(s) of conduct explaining the do’s and don’ts of information security to comply with governmental regulations | Major modification |
| Perceived severity (Hina et al., 2019) | PS1 | Protecting my organization’s information is important | Minor modification |
| | PS2 | At work, having my confidential information accessed without my consent or knowledge can be a serious problem for me | No change |
| | PS3 | I understand that having someone successfully breach or damage my information resources at work is very dangerous | No change |
| | PS4 | Loss of data because of hackers is a serious problem for me | Major modification |
| | PS5 | Organizing staff training will be a critical first step to ensure information security | Major modification |
| | PS6 | Risks can be reduced as employees become more aware of the threats and consequences stemming from their negligence | Major modification |
| | PS7 | Through education, the provision of sufficient data and supporting information helps increase employees’ cybersecurity awareness | Major modification |
| Perceived vulnerability (Hina et al., 2019; Li et al., 2019; Wong et al., 2022) | PV1 | I know that my organization could be vulnerable to security breaches if I do not adhere to its Information Security Policies | No change |
| | PV2 | I may fall victim to a malicious attack if I fail to comply with my organization’s Information Security Policies | No change |
| | PV3 | In terms of information security risks at work, my computing resources can be vulnerable | No change |
| | PV4 | I believe that every individual who is conscious and makes efforts to protect the organization's information will reduce the risk of illegal access | Major modification |
| | PV5 | Organizations should invest in using modern cybersecurity technologies | Major modification |
| | PV6 | Organizations need to inform employees about potential cybersecurity threats regularly | Major modification |
| | PV7 | It is likely that a potential information security violation will occur to my organization’s information systems | Major modification |
| Self-efficacy (Hina et al., 2019; Li et al., 2022) | SE1 | I believe that I have the necessary skills to protect myself from information security violations | No change |
| | SE2 | I believe that I have developed the capability to prevent people from getting my confidential information | No change |
| | SE3 | I enable security measures (firewall, antivirus, etc.) on my work computing resources | No change |
| | SE4 | I believe that protecting myself from information security violations is within my control | Major modification |
| | SE5 | I feel confident in setting the Web browser to different security levels | No change |
| | SE6 | I feel confident in handling virus-infected files | No change |
| | SE7 | I feel confident in getting rid of spyware and malware from my computer | No change |
| Response efficacy (Hina et al., 2019; Li et al., 2019; Wong et al., 2022) | RE1 | In my organization, efforts to ensure the safety of my confidential information are effective | No change |
| | RE2 | In my organization, the available security measures to protect my work information from security violations are effective | No change |
| | RE3 | The preventive measures available to me at my organization to deal with malicious content are effective | No change |
| | RE4 | Security measures at my organization prevent hackers from gaining access to sensitive personal or educational information | No change |
| | RE5 | Complying with the information security policies in my organization will keep security breaches down | No change |
| | RE6 | If I comply with information security policies, then the chance of information security breaches occurring will be reduced | No change |
| | RE7 | Careful compliance with information security policies helps to avoid security problems | No change |
| | RE8 | Organizations can improve information security by showing their employees how security negligence can impact the security posture of an organization | Major modification |
| | RE9 | Organizations should have a General Data Protection Regulation | Minor modification |
| | RE10 | Organizations should upgrade antivirus and firewall software | Minor modification |
| Government social media (Tang et al., 2021) | GSM1 | I always read and listen to cybersecurity recommendations posted by the GSM | Major modification |
| | GSM2 | I always share cybersecurity recommendations posted by the GSM | Major modification |
| | GSM3 | I always communicate cybersecurity recommendations posted by the GSM | Major modification |
| Information protection motivation (Ma, 2022; Posey et al., 2015) | IPM1 | I intend to protect my organization from its information security threats | No change |
| | IPM2 | My organization’s success level in preventing information security threats is very high | Major modification |
| | IPM3 | I am always willing to engage in activities that protect my organization’s information systems from security threats | Major modification |
| | IPM4 | I always expend effort to protect my organization from its information security threats | Major modification |
| | IPM5 | I intend to try my best to prevent information security threats from happening in my organization | No change |
| Employee protective behavior (Li et al., 2019) | EPB1 | I keep the anti-virus software on my computer up-to-date | No change |
| | EPB2 | I watch for unusual computer behaviors/responses (e.g. computer slowing down or freezing up, pop-up windows, etc.) | No change |
| | EPB3 | I am always concerned about any malware that is reported through media channels | Major modification |