Abstract
The subject of the study is behavioral models for regulating information security and cybersecurity in public authorities under conditions of digital transformation. The article aims to conduct a comparative analysis of the leading behavioral models of information and cybersecurity and, on that basis, to develop recommendations for public authorities on improving behavioral information security. The methodological foundation of the study comprises systemic and interdisciplinary approaches, structural and comparative analysis, synthesis, and modelling. The source base consists of scientific publications on the topic indexed in Scopus, selected and verified using Scopus AI tools. The conceptual basis of the study is the taxonomy of unintentional, intentional, and malicious behavior in the system of information and cybersecurity, which makes it possible to treat the information and cyber space of public authorities as a complex systemic phenomenon encompassing the interaction of people, software, and networks. As a result of the study, three groups of behavioral models of information and cybersecurity are systematized: 1) traditional cognitive models; 2) multidimensional operational models; 3) risk management models. It is established that the quality of the regulatory documents and policies of public authorities is a particularly important tool for ensuring compliance with information security requirements. The study substantiates the advisability of applying a comprehensive value-oriented and multidimensional process-oriented model for managing behavioral information security in public authorities under conditions of digital transformation.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Copyright (c) 2026 Ivan Petroie
