Examining the Readiness of the Organization's Security Success in Improving Security Performance

Nur Fatimatuz Zuhroh, Ahmad Baihaqy

Abstract


Information security has become an important issue in the digital era due to increased cyber threats and data leaks. This study analyzes the influence of Organizational Culture, Risk Propensity, and Security Readiness on Organizational Security Performance, with Top Management Support as the moderating variable. The study uses a quantitative method with a survey approach, and the data are analyzed using SPSS software for regression, mediation, and moderation tests. The results show that Organizational Culture, Risk Propensity, and Security Readiness have a significant influence on Organizational Security Performance. Security Readiness is proven to be a mediating variable that strengthens the relationship of Organizational Culture and Risk Propensity with Organizational Security Performance. In addition, Top Management Support acts as a moderator that strengthens the relationship between the independent variables and Organizational Security Performance. This research contributes by integrating Security Readiness as a mediator and Top Management Support as a moderator in the information security framework. These findings highlight the importance of a holistic approach that includes organizational culture, risk behavior, security readiness, and top management support to improve information security resilience amid the challenges of the digital age. The results can serve as a recommendation for the government and private sectors.

Keywords


organizational culture, risk propensity, security readiness, organization security performance



DOI: https://doi.org/10.32520/stmsi.v14i2.4857


Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.