Paper Number
ECIS2026-2104
Paper Type
SP
Abstract
Despite substantial investment in cybersecurity awareness training, the security awareness–behavior gap remains unresolved. This gap is often misdiagnosed and is more accurately understood as a failure of internalization. Internalization refers to the internally regulated processes through which training experiences are converted into enduring cognitive, affective, social, and behavioral structures that support behavioral change in practice. This process is operationalized through four core mechanisms: cognitive schema, affective valence, social anchoring, and behavioral enactment. Using fsQCA, this study identifies the configurational pathways through which these mechanisms combine to produce high and low levels of cybersecurity readiness. The findings reveal two equifinal pathways to high readiness and two to low readiness, challenging dominant assumptions about linear causality, singular drivers, and symmetric effects. The study advances Information Systems research by introducing internalization as a configurational lens for explaining how cybersecurity training and other sociotechnical interventions become embedded in sustained organizational behavior.
Recommended Citation
Safaei Pour, Morteza; Fathi, Farzad; Abhari, Kaveh; and Tavallaei, Stella, "Cybersecurity Readiness: Configurational Pathways To Internalizing Cybersecurity Training" (2026). ECIS 2026 Proceedings. 14.
https://aisel.aisnet.org/ecis2026/security/security/14
Cybersecurity Readiness: Configurational Pathways To Internalizing Cybersecurity Training
Despite substantial investment in cybersecurity awareness training, the security awareness–behavior gap remains unresolved. This gap is often misdiagnosed and is more accurately understood as a failure of internalization. Internalization refers to the internally regulated processes through which training experiences are converted into enduring cognitive, affective, social, and behavioral structures that support behavioral change in practice. This process is operationalized through four core mechanisms: cognitive schema, affective valence, social anchoring, and behavioral enactment. Using fsQCA, this study identifies the configurational pathways through which these mechanisms combine to produce high and low levels of cybersecurity readiness. The findings reveal two equifinal pathways to high readiness and two to low readiness, challenging dominant assumptions about linear causality, singular drivers, and symmetric effects. The study advances Information Systems research by introducing internalization as a configurational lens for explaining how cybersecurity training and other sociotechnical interventions become embedded in sustained organizational behavior.