Framework for Assessing Secure Information Behavior in Organizational Context
Summary
In the context of increasing cyberthreats and the widespread use of shadow IT, organisations increasingly recognise the need to address the human dimension of cybersecurity. Despite the growing investment in Security Education, Training and Awareness (SETA) programmes, many initiatives do not achieve meaningful behavioural change among employees. This study investigates how organisations can assess and categorise prevalent employee Mental Models (MMs) toward shadow IT usage, to enhance cybersecurity culture and tailor awareness efforts more effectively.
Drawing on the concept of MMs, the internal representations that shape an individual's reasoning and decisions, this research develops a novel framework that combines theoretical taxonomies with practical assessment strategies. A narrative literature review and semi-structured interviews with cybersecurity experts and researchers informed the framework. The study focuses mainly on extending traditional security taxonomies by obtaining metrics for the employee Knowledge, Attitudes, and Behaviour (KAB) dimensions through various elicitation approaches.
The findings highlight that inaccurate or incomplete MMs can lead to risky behaviour, such as the unintentional use of unauthorised technologies. However, when identified and categorised, these models offer valuable insight into how and why individuals perceive security threats. The proposed framework enables organisations to systematically measure subjective and objective proxy indicators, providing a more holistic and data-informed approach to cybersecurity awareness.