Implementing a hybrid compliance–AI cybersecurity model for unified protection of banking and DeFi systems in Brazil

Abstract

This study develops and evaluates a hybrid Compliance–AI cybersecurity model for unified protection of traditional banking and decentralized finance (DeFi) systems in Brazil. Using publicly available data from the NIST Cybersecurity Framework, DeFi exploit repositories (REKT and DeFiLlama), Elliptic crypto-transaction graphs, IEEE-CIS fraud data, DARPA Transparent Computing datasets, and Monte Carlo–simulated cross-domain attack scenarios, the research applies hierarchical clustering, supervised learning, Markov chain modeling, and stochastic simulation. Results show that 45% of banking controls are transferable or hybridizable to DeFi, that embedding machine-readable compliance features improves ROC–AUC from 0.842 to 0.914 and reduces false positives by nearly 47%, and that bidirectional orchestration lowers escalation probability by over 54%. Monte Carlo analysis further indicates a 62% reduction in tail financial risk under the hybrid architecture. The study recommends machine-readable regulation, compliance-aware AI deployment, orchestrated enforcement layers, and expanded RegTech and SupTech adoption to strengthen systemic financial cybersecurity.

Keywords: Compliance–AI Integration, Financial Cybersecurity, Decentralized Finance, Machine-Readable Regulation, Systemic Cyber Risk.

Similar Papers
  • Book Chapter
  • Cite count: 48
  • 10.1007/978-3-031-26845-8_5
NIST Cybersecurity Framework and MITRE Cybersecurity Criteria
  • Jan 1, 2023
  • Dietmar P F Möller

Today cyberattacks continue to evolve and are highly complex. They are also very expensive by the average cost of a breach-in cyberattack. The top ten most common cyberattack intrusion incidents for industrial, public, and private organizations are phishing attacks, negligent and malicious insiders, advanced persistent threats, zero day attacks, denial of service attacks, software vulnerabilities, social engineering attacks, and brute force attacks. Therefore, cybersecurity becomes an essential issue that generally focuses on the measures to protect valuable data, information, and business assets from malicious threat events that affect confidentiality, integrity, and availability of information. In this regard, it is vitally important that computer systems, networks and network-connected devices, infrastructure resources, and others stay up-to-date with current software operating systems, patches, and releases. Therefore, organizations need to institute policies and procedures that enforce the way their users access information and interact with network or system resources. Here the NIST Cybersecurity Framework and the MITRE Cybersecurity Criteria come into play. The NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that support organizations to improve their cybersecurity measures. It focusses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s cybersecurity risk management. In this regard, the framework provides a common organizing structure for multiple cybersecurity approaches by assembling standards, guidelines, and practices that are working effectively today. The MITRE Cybersecurity Criteria enable a collective response against cybersecurity threat events, worked out in conjunction with industry and government authorities.
It describes the common tactics, techniques, and procedures of advanced persistent threats against organizations’ computer systems and networks and was later expanded to industrial control systems. In this regard, the MITRE Cybersecurity Criteria are fully committed to defending and securing cyber-ecosystems. NIST’s and MITRE’s goal is to develop cyber resiliency approaches and controls to mitigate malicious cyberattacks. Cyber resiliency enables anticipating, withstanding, recovering from and adapting to adverse conditions, stresses, cyberattacks, or compromises on computer systems, networks, infrastructure resources, and others. Against this background, this chapter introduces in Sect. 5.1 the NIST Cybersecurity Framework (NIST CSF) with their manifold possible uses and their great impact improving industrial, public, and private organizations’ cybersecurity needs. Therefore, Sect. 5.1 introduces the process of cybersecurity risk management. Since NIST CSF is one of the most relevant cybersecurity frameworks, Sect. 5.1 introduces the NIST Cybersecurity Framework. Section 5.1.1 introduces CIS Critical Security Controls, Sect. 5.1.2 ISA/IEC 62443 Cybersecurity Standard, Sect. 5.1.3 MITRE Adversarial Tactics, Techniques, and Common Knowledge, Sect. 5.1.4 NIST 800-653, and in Sect. 5.1.5, the NIST Cybersecurity Framework. Section 5.2 focuses on the NIST Cybersecurity Framework for Critical Infrastructure and focuses in Sect. 5.2.1 on a NIST CSF Critical Infrastructure best practice use case, making use of a model approach in cybersecurity maturity. Against this background, Sect. 5.3 focusses on the MITRE Cybersecurity Criteria that provides a common taxonomy of Tactics, Techniques, and Procedures, applicable to defend cyberattacks, to withstand cyberattackers activities like unauthorized interaction with organizations’ computer systems, networks, and infrastructure resources, to recover from potential malicious cyberattacks. 
Section 5.4 introduces the MITRE Cybersecurity Taxonomy, which refers to cyberattack possibilities and how to conquer them. Section 5.5 contains comprehensive questions on the topics of NIST Cybersecurity Framework and MITRE Cybersecurity Criteria. Finally, “References” refers to the used references for further reading.

  • Research Article
  • Cite count: 40
  • 10.1186/s12912-024-02231-1
Balancing confidentiality and care coordination: challenges in patient privacy.
  • Aug 15, 2024
  • BMC nursing
  • Ateya Megahed Ibrahim + 9 more

In the digital age, maintaining patient confidentiality while ensuring effective care coordination poses significant challenges for healthcare providers, particularly nurses. To investigate the challenges and strategies associated with balancing patient confidentiality and effective care coordination in the digital age. A cross-sectional study was conducted in a general hospital in Egypt to collect data from 150 nurses across various departments with at least six months of experience in patient care. Data were collected using six tools: Demographic Form, HIPAA Compliance Checklist, Privacy Impact Assessment (PIA) Tool, Data Sharing Agreement (DSA) Framework, EHR Privacy and Security Assessment Tool, and NIST Cybersecurity Framework. Validity and Reliability were ensured through pilot testing and factor analysis. Participants were primarily aged 31-40 years (45%), with 75% female and 60% staff nurses. High compliance was observed in the HIPAA Compliance Checklist, especially in Administrative Safeguards (3.8 ± 0.5), indicating strong management and training processes, with an overall score of 85 ± 10. The PIA Tool showed robust privacy management, with Project Descriptions scoring 4.5 ± 0.3 and a total score of 30 ± 3. The DSA Framework had a mean total score of 20 ± 2, with Data Protection Measures scoring highest at 4.0 ± 0.4. The EHR assessments revealed high scores in Access Controls (4.4 ± 0.3) and Data Integrity Measures (4.3 ± 0.3), with an overall score of 22 ± 1.5. The NIST Cybersecurity Framework had a total score of 18 ± 2, with the highest scores in Protect (3.8) and lower in Detect (3.6). Strong positive correlations were found between HIPAA Compliance and EHR Privacy (r = 0.70, p < 0.05) and NIST Cybersecurity (r = 0.55, p < 0.05), reflecting effective data protection practices. 
The study suggests that continuous improvement in privacy practices among healthcare providers, through ongoing training and comprehensive privacy frameworks, is vital for enhancing patient confidentiality and supporting effective care coordination.

  • Research Article
  • Cite count: 5
  • 10.16538/j.cnki.jfe.2019.02.008
Systemic Risks of Financial Institutions: Importance and Vulnerability
  • May 10, 2019
  • Journal of finance and economics
  • Li Zheng + 2 more

Since the outbreak of the global financial crisis, forestalling and defusing systemic financial risks has been a hot topic of social concerns. In China, with constant development and innovation of the financial system, higher level financial deepening and openness, and economic downside pressure under “new normal” economy, risk-prevention becomes much more complicated. In this case, the financial system should better serve the real economy, reduce financial risks and deepen financial reforms—three tasks of China’s financial work. The report of the 19th National Congress of the Communist Party of China further emphasized that the government should improve the financial regulatory system to forestall systemic financial risks. Therefore, ensuring China’s financial stability and preventing systemic risks have become the priority and major challenges for China’s financial regulatory authorities. Accurate measurement of systemic risks is the basis for risk prevention, the improvement of financial regulations, and any effective regulatory actions. However, existing domestic studies measure financial institutions’ systemic risks from only one aspect—systemic risk contribution or systemic risk exposure, and lack a clear distinction between the two measures in theoretical and policy implications. Some scholars even use systemic risk exposure metrics to measure the systemic risk contribution of financial institutions and assess its systemic importance. Actually, the aggregate risks of financial institutions include both risk contribution and risk exposure—the former focuses on systemic importance while the latter underlines systemic vulnerability, so we should take both sides into risk measurement. This paper uses ΔCoVaR and Exposure-ΔCoVaR to comprehensively measure the systemic risks of financial institutions from both sides—systemic importance and systemic vulnerability.
This paper finds no significant correlation between the systemic importance and vulnerability of financial institutions in the cross-sectional dimension, but significant correlation in the time-series dimension, which means the systemic importance and vulnerability of financial institutions change simultaneously and periodically. The results imply that, in China, the systemic importance of bank and insurance industry exceed that of securities industry, while the latter’s systemic vulnerability exceeds that of the former. These differences exist persistently in the time-series dimension. The “big four” banks have high systemic importance but low systemic vulnerability, while a handful of financial institutions have both significantly high systemic importance and vulnerability. Furthermore, the size of financial institutions’ asset is an important influencing factor of systemic importance, and the leverage is an important influencing factor of systemic vulnerability, while the margin trading of securities has a significant positive effect on systemic vulnerability but no significant effect on systemic importance. This paper accurately measures the systemic risks of 33 listed financial institutions in China from two aspects—risk contribution and risk exposure, and makes a precise assessment on their systemic importance and vulnerability. We also investigate the influencing factors of financial institutions’ systemic importance and vulnerability. These findings help to understand the systemic risks of China’s financial institutions in cross-sectional and time-series dimensions and correct some wrong perceptions in existing academic studies, and further provide useful empirical references and policy suggestions to China’s financial regulatory authorities to forestall systemic risks and improve macro-regulation. The policy implications of the results are mainly reflected in the following three aspects.
First, regulators need to select targeted regulatory objectives and policy tools to make differential regulations based on the features of institutions in systemic importance and vulnerability. Second, different institutions are different in systemic importance and vulnerability, so regulatory authorities should pick out key financial institutions through their performance in systemic importance and vulnerability, and enhance the supervision of key institutions. Third, financial regulators are able to choose proper and effective regulatory tools according to the main drivers of systemic importance and vulnerability.

  • Research Article
  • Cite count: 13
  • 10.1145/3503920
Emerging Cybersecurity Capability Gaps in the Industrial Internet of Things: Overview and Research Agenda
  • Dec 5, 2022
  • Digital Threats: Research and Practice
  • Louise Axon + 7 more

Internet of Things (IoT)-enabled devices are becoming integrated into a significant and increasing proportion of critical infrastructures, changing the cybersecurity-risk landscape. Risk is being introduced to industry sectors such as transport, energy, and manufacturing, with new attack surfaces exposed and potential for increased harm. Furthermore, risk and harm arising in the Industrial IoT (IIoT) could propagate across interconnected organisations and sectors, resulting in systemic risk. Aspects of this changing risk landscape are not addressed by current cybersecurity approaches, leaving cybersecurity-capability gaps. In this article, we show how current and emerging cybersecurity needs in the IIoT align with a key industry cybersecurity standard, the NIST Cyber Security Framework. The key capability gaps emerging in the IIoT are identified based on our findings from a series of workshops with over 100 expert participants. We present a comprehensive research agenda to enable researchers to prioritise research focus to address these gaps; this research agenda covers the full lifecycle of IIoT development (design, implementation, use and decommission). Furthermore, we conclude that there is a significant gap in understanding of the nature of systemic risk, which should be a key priority if we are to develop effective solutions for cybersecurity and safety in IIoT environments.

  • Research Article
  • 10.30574/gscarr.2024.21.1.0400
Enhancing cyber risk decision-making with a quantified risk management model for U.S. and Canadian organizations
  • Oct 30, 2024
  • GSC Advanced Research and Reviews
  • Gideon Opeyemi Babatunde + 3 more

As cyber threats continue to evolve in complexity and frequency, organizations in the U.S. and Canada face significant challenges in making informed decisions to manage and mitigate risks effectively. This paper proposes a Quantified Cyber Risk Management Model (QCRMM) to enhance decision-making processes in the face of these dynamic threats. The model integrates quantitative risk assessment methodologies, advanced data analytics, and threat modeling techniques to enable organizations to identify, evaluate, and prioritize cyber risks in a structured manner. The QCRMM emphasizes a data-driven approach to risk management, utilizing key performance indicators (KPIs) and risk metrics to quantify potential impacts and the likelihood of cyber incidents. It incorporates tools such as Monte Carlo simulations and Bayesian networks for predicting and assessing the probability of various cyberattack scenarios, thus allowing organizations to make more accurate and informed decisions regarding risk mitigation strategies. Additionally, the model provides decision-makers with actionable insights that support cost-effective allocation of resources to safeguard critical assets. The model is designed to be flexible, adaptable, and scalable for organizations across diverse sectors, including finance, healthcare, energy, and critical infrastructure. By aligning with regional regulatory frameworks, such as the NIST Cybersecurity Framework in the U.S. and Canada’s Cyber Security Strategy, the QCRMM ensures compliance with best practices and legal requirements while fostering a robust cybersecurity posture. Case studies demonstrate the application of the QCRMM in improving risk prioritization and resource allocation in organizations, resulting in a reduction of potential financial losses, minimized operational disruptions, and improved organizational resilience to cyber threats. 
In conclusion, the QCRMM provides a comprehensive, quantifiable approach to enhancing cyber risk decision-making, helping organizations in the U.S. and Canada make informed, proactive decisions to defend against the evolving cyber threat landscape. This model empowers organizations to strategically address cyber risks with a focus on minimizing impacts while optimizing resources.

  • Research Article
  • Cite count: 85
  • 10.1061/(asce)is.1943-555x.0000112
Comparison of Markov Chain and Semi-Markov Models for Crack Deterioration on Flexible Pavements
  • May 19, 2012
  • Journal of Infrastructure Systems
  • Omar Thomas + 1 more

There is a growing demand to preserve transportation infrastructure utilizing limited funds, and the modeling of flexible pavement deterioration has become an integral component of any pavement preservation model. Markov chains have been used to model the performance of pavements in various pavement management systems (PMSs). The Markov property may be considered restrictive when modeling the deterioration of transportation assets, primarily because of the “memoryless” property and assumption of exponential distribution for sojourn times in the condition states. This paper outlines a semi-Markov model for modeling pavement deterioration in which the sojourn time in each condition state is assumed to follow a Weibull distribution and, thus, is more flexible than the traditional Markov chain model. The semi-Markov model does not possess the memoryless property if the sojourn time distribution is not exponential. Monte Carlo simulations are generated for the deterioration of flexible pavements over time based on both the traditional Markov chain model and the proposed semi-Markov model. The results of the work show that in some cases the semi-Markov model appears to be superior to the Markov chain model in modeling the actual deterioration patterns of the flexible pavements.

  • Supplementary Content
  • 10.17185/duepublico/70203
Stochastic methods in risk management
  • Jun 24, 2019
  • DuEPublico (University of Duisburg-Essen)
  • Jinsong Zheng

Stochastic methods, such as stochastic modeling and simulation, risk neutral valuation, derivative pricing, etc., are widely used in the finance industry. Under Solvency II framework, in order to protect the benefit of shareholder and policyholder, the insurance company should be adequately capitalized to fulfill the capital requirement for solvency. Therefore, two main quantities are taken into account, i.e. the available capital (or basic own funds) and the required capital. In general, these two quantities are calculated by means of stochastic simulation and hence an Economic Scenario Generator (ESG) is used to simulate the potential evolution of risk factors of the economies and financial markets over time. For the calculation of available capital (defined as the difference between the market value of assets and liabilities), the stochastic cash flow projection model is used to perform the market consistent valuation of assets and liabilities given the risk neutral scenarios. For the calculation of required capital, the probability distribution of available capital over a one-year time horizon and a risk measure based on such distribution is taken into account. For instance, the Solvency Capital Requirement (SCR) is measured by the Value-at-Risk at confidence level of 99.5%. We began by reviewing the existing literature and found that most authors used stochastic methods in risk management under Solvency II framework on one of the three components of the partial internal model, i.e. the input model, the valuation model or the risk capital model. In this thesis, we aimed to build a partial internal model including all components and show how we can use stochastic methods to do market consistent valuation and calculate the required capital. For the input model, instead of using academic preferred simple ESG models, e.g. 
one factor short rate interest rate model along with geometric Brownian motion equity model, we developed advanced models that are more suitable in practice. For the modeling of interest rate, we used the extended three-factor Cox-Ingersoll-Ross model, which is able to capture the three main principle components of yield curve. We derived the pricing of zero coupon options by Fourier transformation of the characteristic function of the linear combination of state variables and subsequently the pricing of swaption using stochastic duration approximation. For the modeling of equity, we used the stochastic volatility model (Heston model) along with above-mentioned stochastic interest rate. Similarly, we first showed the closed-form of discounted characteristic function of log equity price by solving a system of Ordinary Differential Equations (ODEs) resulting from an affine Partial Differential Equation (PDE). We then derived the price of European options by Fourier techniques as well. In addition, we formulated the method of generating economic scenarios by using Monte Carlo simulation with Euler discretization scheme and variance reduction technique of antithetic variates. For the valuation model, we built a stochastic cash flow projection model to capture the development of balance sheet as well as the asset portfolio consisting of coupon bonds and stocks and the liability portfolio consisting of German traditional participating life insurance contracts. We then derived market consistent valuation of assets and liabilities based on the cash flows projected by the stochastic model along with the input of risk neutral economic scenarios. Furthermore, we modeled the management rules. For instance, we developed a constant asset allocation strategy to rebalance the asset portfolio. We considered the unrealized gain and loss by modeling the book value and market value of assets. 
Additionally, we modeled the MUST-case for the investment surplus distribution between shareholders and policyholders. For the risk capital model, we first implemented the nested stochastic simulation to determine the required risk capital. Since nested simulation requires high computational time, we also investigated the proxy methods of least squared Monte Carlo, replicating portfolio and curve fitting. In particular, we developed a general strategy to construct a good replicating portfolio. First, we described the construction of asset pool. Second, we illustrated the construction of sensitivity sets through recalibration or reweighting techniques. Third, we proposed a calibration procedure, by using the least square optimization and subset selection with certain criteria, to select the optimal replicating portfolio and calculate the required capital. Finally, we performed an empirical application to illustrate the full process, including the calibration of ESG models to real market data, economic scenario generation and validation, market consistent valuation and determination of SCR by nested simulation and replicating portfolio.

  • Research Article
  • 10.3390/pr13030614
Markov-Chain-Based Statistic Model for Predicting Particle Movement in Circulating Fluidized Bed Risers
  • Feb 21, 2025
  • Processes
  • Yaming Zhuang

To increase the calculation speed of the computational fluid dynamics (CFD)-based simulation for the gas–solid flow in fluidized beds, a Markov chain model (MCM) was developed to simulate the particle movement in a two-dimensional (2D) circulating fluidized bed (CFB) riser. As a statistic model, the MCM takes the results obtained from a CFD–discrete element method (DEM) as samples for calculating transition probability matrixes of particle movement. The transition probability matrixes can be directly used to describe the macroscopic regularities of particle movement and further used to simulate the particle motion combined with the Monte Carlo method. Particle distribution snapshots, residence time distribution (RTD), and mixing obtained from both MCM and CFD-DEM are compared. The results indicate that the MCM offers a computational speed that is approximately 100 times faster than that of the CFD-DEM. The discrepancy in the mean particle residence time, as computed by the two models, is under 2%. Furthermore, the MCM provides an accurate depiction of time-averaged particle motion. In sum, the MCM can well describe the time-averaged particle mixing compared to the CFD-DEM.

  • Single Report
  • Cite count: 126
  • 10.6028/nist.cswp.29
The NIST Cybersecurity Framework (CSF) 2.0
  • Feb 26, 2024
  • National Institute Of Standards And Technology

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document explains CSF 2.0 and its components and describes some of the many ways that it can be used.

  • Single Report
  • Cite count: 35
  • 10.6028/nist.cswp.29.ipd
The NIST Cybersecurity Framework 2.0
  • Aug 8, 2023
  • National Institute Of Standards And Technology

The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The Framework does not prescribe how outcomes should be achieved. Rather, it maps to resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document explains Cybersecurity Framework 2.0 and its components and describes some of the many ways that it can be used.

  • Single Report
  • 10.6028/nist.cswp.21
Benefits of an Updated Mapping between the NIST Cybersecurity Framework and the NERC Critical Infrastructure Protection Standards
  • Sep 29, 2021
  • Jeffrey Marron + 2 more

This white paper highlights a recent mapping effort between the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards and the NIST Cybersecurity Framework. Mappings of these two frameworks have been performed in the past; this effort updated the mapping to reflect the currently enforceable NERC CIP Standards and the NIST Cybersecurity Framework v1.1. This white paper helps organizations understand how they can use the mapping to achieve a more mature CIP requirement compliance program while improving their security posture and potentially reducing the organization's security and business risk.

  • Research Article
  • Cite count: 38
  • 10.17993/3ctic.2021.102.123-141
Methodology based on the NIST cybersecurity framework as a proposal for cybersecurity management in government organizations
  • Jun 29, 2021
  • 3C TIC: Cuadernos de desarrollo aplicados a las TIC
  • Maurice Frayssinet Delgado + 3 more

This research aims to propose the use of the methodology based on the NIST Framework for adequate management of cybersecurity in government organizations within the framework of the delivery of digital services. Many government organizations have been managing cybersecurity without a defined process; this generates that the management is deficient and without indicators. “Concerning whether they are implementing the methodology based on the NIST cybersecurity framework”, shows that 36.8% of respondents present a level in disagreement, 31.6% (6) an undecided level, 15.8% (3) a level of agreement, 10.5% (2) a level totally in disagreement and 5.3% (1) a level totally in agreement. Meanwhile, the variable “The management of cybersecurity” shows that 36.8% (7) of the Ministries surveyed present a level in disagreement; 36.8% (7) an undecided level, 15.8% (3) a level of agreement, and 10.5% (2) a level totally in disagreement. In conclusion: It has been shown that the use of the methodology based on the NIST cybersecurity framework influences cybersecurity management in government organizations and it is clear that they are currently not using it which causes a relatively poor level of leadership in the implementation of security measures concerning cybersecurity management.

  • Conference Article
  • Cite count: 14
  • 10.1109/delcon54057.2022.9753250
Assessment of Cybersecurity Framework in Critical Infrastructures
  • Feb 11, 2022
  • Ugur Saritac + 2 more

The Framework is the guideline for the organizations. There are different specialized frameworks for the use of organizations. Organizations implementing them in their environment to become more secure, easy to handle workloads, minimize the cyber-space risks. NIST Cybersecurity Framework and Secure Control Framework cover five functions, which are Identify, Protect, Detect, Respond, and Recover Functions. Secure Control Framework has more subdomains than the NIST Cybersecurity Framework. Before the implementation, each function needs well-organized plans and continuous actions. CSF has a wide scope of Information Technology, Cyber-Physical Systems, Industrial Control Systems, and the Internet of Things. Protection of Critical Infrastructure is more important for governments, they develop National Cyber Governance Bureau, and try to keep them safer from cyber-attacks.

  • Research Article
  • Cite count: 2
  • 10.17721/2519-481x/2022/75-07
Assessment of cybersecurity risks and confidentiality control in public administration information systems
  • Jan 1, 2022
  • Collection of scientific works of the Military Institute of Kyiv National Taras Shevchenko University
  • E.O Zhyvylo + 1 more

The relevance of this work is due to the approval by the Administration of the State Service for Special Communications and Information Protection of Ukraine “Methodological recommendations for increasing the level of cyber protection of critical information infrastructure” in October 2021. The recommendations were developed based on the world's best approaches - the NIST CyberSecurity Framework. At the moment, the developed Recommendations of the State Special Communications Service have partially lost their relevance and require adjustment with the release of NIST Special Publication 800-53A Revision 5 “Assessing Security and Privacy Controls in Information Systems and Organizations” Governance Oversight”, publication date: January 2022. These documents complete the cycle of integrating cybersecurity risk management (CSRM) and enterprise risk management (ERM). These projects describe methods for combining risk information of all system assets, an organization (enterprise) network, including conditional examples for aggregating and normalizing results from cybersecurity risk registers (CSRR) taking into account risk parameters, criteria and impact on the continuous functioning of communication systems. As a result, the integration and normalization of risk information enables decision-making and monitoring of risks at all levels of the system, which allows you to create a comprehensive picture of the overall cyber risk. These documents describe the creation of an Organizational Risk Profile (ERP) that supports the comparison and management of cyber risks along with other risk types in general. Quite interesting are the views of the authors of the developed documents regarding the control of confidentiality associated with systems and their distribution environment, their functioning.
It is substantiated that a qualitative system assessment helps to determine the existing controls contained in the organization in accordance with the security and confidentiality plan, which are subsequently used in organizational systems and the operating environment. In this environment, the assessment control is an indication of the implementation of specific steps in the risk management structure, which contributes around the clock to an effective approach to sustainable risk management processes by identifying weaknesses or deficiencies in systems, which allows the organization to determine how to respond to certain cyber threats. Therefore, in order to solve the problems of settling and implementing the norms and rules of international organizations in the field of cybersecurity and cyberdefence, it is proposed to analyze the above documents and put forward appropriate proposals for correcting and supplementing the previously approved State Communications “Methodological recommendations ...”. In turn, this will allow not only to ensure the protection of the state's critical information infrastructure from cyber attacks, but also to conduct preventive offensive operations in cyberspace, which includes disabling critical enemy infrastructure facilities by destroying communication systems that control such facilities.

  • Dissertation
  • 10.32657/10356/180074
Human factor cybersecurity: cybersecurity self-efficacy
  • Jan 1, 2023
  • Ken Junxiong Yeo-Moriuchi

Cybersecurity threats and risks have increased, leading to substantial financial losses for organisations worldwide. The COVID-19 pandemic has further accelerated the digital transformation of businesses, adding complexity to an already challenging digital infrastructure for organisations. As a result, digital workers bore the brunt of preventing and responding to cyber incidents. Efforts to improve cybersecurity have focused on a technology-first approach, overlooking the human element of the people-process-technology triad. The only human-centred interventions thus far focus around awareness training to enhance cybersecurity literacy among digital workers. However, measuring resulting improvements in secure behaviours proved challenging. The thesis proposed to use self-efficacy as a measure of proxy for skills, given its established correlation with confidence and motivation, to adhere to cybersecurity best practices. However, the literature on self-efficacy presented a divide regarding the application of self-efficacy scales, distinguishing between specific and generalised self-efficacy. Additionally, in the digital realm, the lack of standardisation of cybersecurity-related terminology posed a challenge in identifying cybersecurity-related self-efficacy scales. Moreover, the question arose on whether a validated scale remained up to date considering rapid technological advancements and the evolving cyber threat landscape. The research aimed to address the two gaps identified in the existing literature. First, the lack of a specific self-efficacy assessment for cybersecurity self-efficacy. Second, the absence of a Cybersecurity Self-efficacy Scale rooted in an industry framework. These gaps led to the identification of four research questions: 1.) What are the existing measures of an individual’s self-efficacy related to cybersecurity self-efficacy? 2.) How can one be developed based on an industry framework like the NIST cybersecurity framework? 3.) How relevant is such a Cybersecurity Self-efficacy Scale from an industry perspective? 4.) How reliable is such a Cybersecurity Self-efficacy Scale from an academic perspective? To answer these research questions, the thesis had been structured into three studies. In Study 1, a mixed method approach was adopted. Through a systematic literature review (SLR), the study examines the existing scales that measured cybersecurity-related self-efficacy and its corresponding constructs. Study 2 focused on developing and validating a Cybersecurity Self-efficacy Scale based on Bandura’s self-efficacy theory and operationalised using the NIST cybersecurity framework (NIST CSF). A mixed method approach for Study 2 included a pre-interview of participants, followed by individual interviews with 10 cybersecurity professionals, focus group interviews with digital workers (PMETs) and statistical analysis (i.e. exploratory and confirmatory factor analysis). Study 3’s objective was to further validate the scale. This was done through statistical analysis (i.e. confirmatory factor analysis and structure equation modelling) by adopting an established research model to determine the criterion validity of the Cybersecurity Self-efficacy Scale as well as correlation with antecedent constructs of the adopted research model. Results of the three studies culminated in a 20-item scale comprising two factors that measures an individual’s self-belief in their ability to proactively address cybersecurity concerns and respond effectively to cybersecurity incidents. The results from this research could provide valuable insights for organisations to understand the cybersecurity posture of digital workers in their workforce. This understanding could enable organisations to plan suitable interventions such as cyber awareness training, to empower individuals as the crucial line of defence (human firewall) against cyber adversaries. By improving their self-efficacy in cybersecurity, individuals could effectively counter attempts from cyber adversaries to compromise organisational systems, potentially saving organisations from significant financial losses. Limitations of this research to be noted include the self-reporting nature of responses, the limited geographical coverage of participants in Study 2 and Study 3 to Singapore, the sourcing of survey participants from a research company, and the interchangeable use of terms across the literature.
