Next Article in Journal
Evaluation of ESG Implementation Performance in the Textile Industry from a Transparency and Accountability Perspective Based on MCDM and Cluster Analysis
Previous Article in Journal
An Operation Mode Analysis Method for Power Systems with High-Proportion Renewable Energy Integration Based on Autoencoder Clustering
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Sustainability
Volume 18
Issue 3
10.3390/su18031699
sustainability-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Perceived Data and Privacy Security Threats for Stakeholders in the Context of Industry 5.0: Evidence from Poland

by
Dominika Kansy
* and
Dagmara Modrzejewska
Department of Business Informatics, University of Economics in Katowice, 40-287 Katowice, Poland
*
Author to whom correspondence should be addressed.
Sustainability 2026, 18(3), 1699; https://doi.org/10.3390/su18031699
Submission received: 29 December 2025 / Revised: 31 January 2026 / Accepted: 3 February 2026 / Published: 6 February 2026
Browse Figures
Versions Notes

Abstract

This article scientifically addresses the challenges related to data security and stakeholder privacy faced by companies operating in the European Union. These challenges stem largely from the global digital transformation, within which the European Union imposes regulations governing data protection and stakeholder privacy. The digital transformation in the European Union focuses on the integration of people and technology, sustainable development, and the resilience of management systems, which are the pillars of Industry 5.0. From a practical perspective, the paper examines the current level of awareness among employees of the enterprise in Poland regarding data and privacy risk management in today’s economic environment. The paper presents both a theoretical review and, in the empirical section, the results of primary research. The study was conducted in Poland on a sample of 556 enterprises from various economic sectors. The paper begins with Introduction. Background presents a literature review conducted on the conditions for enterprise functioning in the evolving paradigm of Industry 5.0, as well as the fundamental legal requirements regarding data security and stakeholder privacy across business activities. Materials and Methods presents the research methods employed to assess how respondents perceive threats to data security and stakeholder privacy. Results summarizes the research findings. In Discussion, both practical business implications are addressed, and the role of technology and organizational procedures in responsible data and privacy management is highlighted. Furthermore, the importance of creating ethical cyber–physical environments as an element of sustainable enterprise transformation is emphasized. Finally, Conclusions presents the results and key findings regarding the level of awareness among employees of Polish enterprises about data security and stakeholder privacy in the context of digital transformation.

1. Introduction

The European Union (EU) strives for sustainable social and economic development, taking into account care for the natural environment. Appropriate regulations are being created in line with this trend. Since 2021, sustainable development has become one of the main pillars of the EU, alongside human-centricity and resilience, as part of a broader concept called Industry 5.0, which is closely linked to digital transformation [1]. This means that all regulations introduced to achieve sustainable development, taking into account care for the well-being of people, use digitalization and are treated as part of the implementation of the I5.0 process. Under the digital transformation and sending data over the Internet, various types of threats associated with user activity are emerging. Therefore, information security, data security, and privacy security have important roles in sustainable development too [2].
Data security and privacy are increasingly embedded within consumer experience design. Any breach of cybersecurity may lead to a loss of stakeholder trust, including consumer confidence, and adversely affect the enterprise’s image. Therefore, data security constitutes an integral element in the design of phygital experiences.
In the digital world, every user should protect their identity and data, apply the principle of limited trust at all times, and, in this context, verify the information they receive in all kinds of forms (text messages, photos, videos). It is important to think critically and always check the sources of information rather than accepting the information as truth.
Therefore, it is very important for users in the digital space to have knowledge, awareness, and responsible attitudes and behaviors to avoid being vulnerable to hacking attacks. The human factor remains the weakest link in information security [3,4], including cybersecurity. Nowadays, digital transformation is forcing users to be lifelong learners, to have up-to-date knowledge of risks in cyber, and to be extra cautious and appropriately vigilant during user cyber activity.

Motivation and Research Problem

All participants in the socioeconomic reality use digital resources (such as photos, videos, and user data shared on social media platforms, websites, and blogs), digital tools and applications, and ICT systems. At the same time, these digital facilities are a source of danger, because they can enable unauthorized individuals to impersonate others rapidly. This can occur through textual manipulation (e.g., deface attacks involving website content alteration, as well as scam, spoofing, and phishing attacks) and through visual and auditory means, such as deepfakes, which modify a person’s appearance in images and videos, or voice cloning, which replicates speech patterns and vocal identity, and through other hacking attacks and data leaks [5]. Therefore, it is crucial to maintain up-to-date knowledge and awareness of potential threats, because today’s hackers operate like professionally organized enterprises. They function with a clear strategy, a sales plan, Critical Success Factors (CSFs), Key Performance Indicators (KPIs), and predetermined numerical targets for each month, specifying how many individuals should be defrauded. Hacking organizations operate creatively, developing new forms and methods of fraud and theft, while skilfully using social engineering to achieve their goals.
In response to the aforementioned threats in cyberspace, the European Union has introduced regulations governing data security and the protection of stakeholders’ privacy, which are binding on all entities conducting economic activity within the EU.
The development of the analytical framework for this study is based on institutional theory and the TOE (Technology–Organization–Environment) framework. These concepts were selected because they account for the broad context of organizational activity—both in organizational and environmental terms. The analytical framework of the study was divided into two components: a theoretical component, encompassing the institutional functioning of enterprises regarding data security and stakeholder privacy protection, and an empirical component, focusing on the conceptualization of the organizational context in this area.
The theoretical aim of this article is to describe the environment in which every enterprise in the European Union, including Poland as a member state, currently operates and will need to operate in the future, regarding data security and stakeholder privacy protection, and to identify the regulations to which enterprises must adhere. The considerations presented in the article are summarized as a theoretical framework for sustainable reporting, incorporating data security and stakeholder privacy, as illustrated in Figure 1.
The empirical objective is to diagnose the current approach to data protection and the privacy of stakeholders, based on the example of enterprises operating in Poland in the era of digital transformation. This era is now, in the EU, part of the I5.0 paradigm.
To date, no empirical studies have examined the issues and approaches of Polish employees of enterprises related to data security in the EU economic environment in digital transformation. In Poland, research on cybersecurity has been conducted; however, it has been carried out exclusively from a microeconomic perspective [6,7].
This is the reason why our research team wants to start a discussion on this matter—to show the broader context on a macro scale. In this approach, the research includes both perspectives:
  • Risks related to: inadequate protection of users’ personal data and privacy; threats to the security of networks and information systems; the threat of cybercrime and hacking;
  • Preventive measures such as: strengthening the control and supervision of companies operating in the technology sector; educating the public about the risks of security and privacy in the online environment; introducing stricter penalties for data security and privacy breaches.
A theoretical framework was developed linking data security and stakeholder privacy with sustainable development goals (ESG) and legal requirements (GDPR, AI Act), in the context of enterprises undergoing transformation towards Industry 5.0.
Both the perspectives related to Industry 5.0 and other regulations primarily reflect coercive isomorphism, as derived from institutional theory. Legal requirements and social expectations, presented in Figure 1, are already, or will soon be, determinants of changes in all enterprises operating in the EU with respect to information security. The research questions and hypotheses formulated in this article continue the theoretical considerations, where top-down imposed requirements influence respondents’ differing perceptions of security-related issues.
Against the backdrop of existing research on the transformation of enterprises towards Industry 5.0, a research gap emerges in the form of a lack of assessment of enterprises’ awareness and perception of data security and stakeholder privacy risks from their own perspective.
Taking this context into account, the research problem was formulated as follows:
What are the determinants of perceived data security and stakeholder privacy threats in Polish enterprises digitally transforming towards Industry 5.0?
Given the complexity of the research problem, four specific research questions (RQ1–RQ4) were formulated. In addition, hypotheses (H1–H4) were developed in relation to the research questions. The research questions and hypotheses are presented in Section 3.
With the ongoing technological revolution, an ever-increasing volume of data is transmitted online. Enterprises maintain records of suppliers, collect customer data, and gather information about products, services, and various specifications. More highly automated enterprises also record signals from devices used in their operations. Such a vast amount of data requires not only adequate storage and proper procedures but also efficient management. Furthermore, enterprises operating within the European Union (EU) must comply with relevant EU standards imposed by state authorities and EU institutions, including legislation increasingly focused on data security and the protection of stakeholder privacy.
Strong emphasis is placed on the obligation to protect consumer data collected and stored by enterprises for marketing purposes. Companies are required to obtain informed and voluntary consent for marketing activities. Moreover, regulations such as the GDPR (General Data Protection Regulation) mandate proper processing of such data and protection against unauthorized access. In the event of a data breach or improper use, enterprises are exposed not only to substantial fines but also to the loss of customer trust.

2. Background of Analysis

2.1. Enterprises in the Transition Towards Industry 5.0

The concept of Industry 5.0 (I5.0) builds upon the foundations of Industry 4.0 (I4.0) and represents the next phase of the industrial revolution [8]. Industry 4.0 primarily focused on the optimal utilization of information and communication technologies (ICTs), such as Cloud Computing, Internet of Things (IoT), Industrial Internet of Things (IIoT), Big Data, artificial intelligence (AI), robotics, and augmented reality [9], to advance automation, develop cyber–physical systems, and implement Smart Factories. These implementations aimed to increase productivity and efficiency by enabling rapid responses to stimuli from the operational and economic environment and facilitating real-time decision-making [10,11]. However, Industry 4.0 primarily emphasized optimization through adaptation to current market demands. ICT technologies and horizontal–vertical integration systems enable communication between clients, suppliers, and producers of goods and services, thereby supporting responsiveness to market needs [12]. Nonetheless, the influence on consumer behavior is limited, and the impact on resource utilization is indirect, focusing mainly on reducing business costs rather than addressing broader societal well-being or sustainable development objectives.
This distinguishes the Industry 4.0 (I4.0) concept from the concept of Industry 5.0 (I5.0) proposed by the European Commission in 2021, according to which socioeconomic development should be based on three pillars: human-centricity, sustainability, and resiliency [9,13,14,15,16]. Although the I4.0 initiative increasingly considers a heterogeneous vision adapted to various perspectives and stakeholders, it addresses these issues more narrowly compared to I5.0. One such perspective was described by Kassen as the idea of open data in the public sector without copyright restrictions, enabling free access to information as well as the development of new innovative products. The role of humans in the processes of knowledge exchange, knowledge sharing, and the building of collective wisdom in the economy was clearly emphasized. The collaboration of stakeholders and the empowerment of individuals in decision-making processes related to the co-creation of services generating social value were also highlighted [17]. The I5.0 concept goes further by responding to critiques regarding social and environmental issues and by introducing resiliency, particularly in the wake of the COVID-19 pandemic and the ongoing climate crisis. As a result, the needs and requirements of a broader range of stakeholders are addressed, increasing the potential for widespread acceptance and long-term sustainable development, which aligns with the principle of human-centricity and cooperation, as well as with implementation approaches of human–machine collaboration, cobots, and resilience-oriented technologies [18].
The goal of human-centricity is to place humans at the forefront so that technology serves them, rather than the other way around. A crucial factor is employee well-being, as well as facilitating integration between humans and machines, ICT systems, and cobots, contributing both to increased productivity and workplace safety. Humans shape reality, while ICT technologies serve as tools for executing routine, repetitive, or hazardous operations [19,20].
Human-centricity is directly linked to the concept of sustainability, as the well-being of individuals is extended to the well-being of society through the responsible use of resources, safety-oriented approaches in both environmental and privacy contexts, and the ethical management of data [21].
Resilience, on the other hand, primarily refers to the application of ICT technologies to support production, decision-making, and management systems within organizations. These technologies are employed both to develop and simulate potential crisis scenarios, enabling rapid adaptation to changes, and to provide real-time responses to emerging issues arising not only from internal operational factors but also from external influences, such as supply chain disruptions or potential energy crises [1,22,23,24]. An alternative approach to the issue of resilience is associated with the concept of Worker-in-the-Loop, in which humans, as the primary participants in the decision-making loop, work in collaboration with automated systems, becoming the central element and overseer of the system. The synergy between humans and intelligent machines is key to building resilient systems [25].
The implementation of ICT technologies, including artificial intelligence, IIoT, and electronic data interchange, is associated with various types of risks, both physical, leading to hardware failures, and cyber, resulting from different types of cyberattacks and hacker activities. Other potential issues include the lack of proper procedures for ICT deployment within organizations, which may lead to limited or ineffective integration of implemented technologies, as well as gaps in information security systems. Additionally, human factors play a significant role, such as insufficient knowledge, lack of relevant competencies, or inadequate qualifications [26]. Cybersecurity factors encompass rules, techniques, and tools that protect IT systems, as well as the people and threats that influence system security. Key areas include confidentiality, integrity, and availability of data (the CIA triad). “CIA” is an acronym for confidentiality, integrity, and availability, which defines the core principles of information security. It also involves network protection, strong password policies, malware defense, and awareness of social engineering threats [27]. Beyond the CIA triad, authentication, authorization, and non-repudiation are also commonly required services in cyberspace [28].
In the transition towards Industry 5.0, the CIA triad is embedded in EU policy. The European Union has introduced the Corporate Sustainability Reporting Directive (CSRD) for enterprises. This directive includes new legislative and regulatory initiatives related to sustainability factors and the associated ESG (Environmental, Social, Governance) indicators, enabling companies to report on and compare their performance [29]. Enterprises registered in the EU, as well as those conducting significant business activities within the EU, are required to report on environmental and social impacts both of the enterprise on society and the environment, and of society and the environment on the enterprise. The implementation of reporting obligations depends on the size of the enterprise. The first stage targets large EU enterprises and publicly listed companies, with subsequent stages extending reporting requirements to all enterprises, with a final deadline of 1 January 2028 [30].
Regarding ESG indicators related to data security and stakeholder privacy risks, the Governance (G) pillar is most relevant, as companies should disclose their data protection policies, the number of incidents involving privacy breaches and cyberattacks, and the information security certifications they hold, and demonstrate the maturity of their technological risk management systems. In the Social (S) pillar, companies should report the number of employees trained in data protection and cybersecurity awareness [31,32].
Indirectly, the CSRD also generates implications and challenges in ensuring data security and stakeholder privacy. The directive mandates proper standardization and data verification, thereby indirectly necessitating the implementation of appropriate data management system safeguards, not only for internal data but also across the entire supply chain.
This requires enterprises to place particular emphasis on ethical interactions with stakeholders, especially customers. The increasing requirements for the standardization of collected, stored, and utilized digital data significantly enhance organizational responsibility for data security across the entire value chain. The integration of physical elements with their digital counterparts creates a phygital environment, in which every user experience amplifies the potential exposure to data security and privacy risks.

2.2. Personal Data Security in the Context of Digital Transformation

Data is currently considered a strategic resource that significantly influences a company’s ability to achieve competitive advantage. Consequently, data security has become an essential standard in the 21st century for building trust, credibility, collaboration, and operational effectiveness, particularly in the era of intensive digital transformation. Within the European Union, data security standards are enforced through the General Data Protection Regulation (GDPR), effective since 25 May 2018 [33]. This regulation requires EU member states to establish an independent supervisory authority which, in addition to raising awareness of data protection, is responsible for monitoring the application of the GDPR, conducting proceedings in cases of violations, and imposing administrative sanctions and fines. In Poland, this authority is the Personal Data Protection Office (UODO—an abbreviation derived from the Polish name Urząd Ochrony Danych Osobowych). The UODO operates in Poland based on the supplementary national legislation—the Personal Data Protection Act of 10 May 2018 [34]. These legal frameworks aim to guarantee that data is stored and processed securely while also protecting the digital identity of users who engage with services enabled by digital transformation.
Among the other important EU regulations are the NIS Directives (Network and Information Systems Directive), NIS1 [35], from 2016, which was created to harmonize cybersecurity rules, and NIS2, from 14 December 2022 [36], which supplemented NIS1 with an extended scope of responsibilities. NIS2 has been in force since 16 January 2023, and for EU member states, it became applicable from 17 October 2024. Under this directive, penalties for non-compliance with NIS2 are set at the following levels:
  • Critical entities—up to €10 million or 2% of global turnover;
  • Important entities—up to €7 million or 1.4% of global turnover.
These include sanctions for management in the form of personal liability (in accordance with national law). NIS2 defines and distinguishes these two types of entities as follows:
  • Critical entities—organizations that provide services essential for the functioning of the economy and society, whose operations have a direct impact on the continuity of state functions, stability, and security;
  • Important entities—organizations whose activities may have a significant impact on the continuity of state functions, economic stability, and societal security, particularly in the event of information security incidents, both virtual and physical.
Apart from the general regulations on digital data protection, the EU has also introduced legal act concerning IoT technology. The Data Act [37] primarily governs user access to data generated by network-connected devices and services (IoT). It is applicable as of 12 September 2025 and is also intended to support innovative business models whose operations are based on the reuse of data. Moreover, the potential value derived from data usage should be fairly distributed among all stakeholders—users, manufacturers, and service providers.
The implementation of the GDPR, as well as other EU directives and regulations concerning digital data management, has brought knowledge, broader awareness, and visibility of the fact that data security is crucial and indispensable in the face of digital transformation. However, for organizations that had implemented the ISO/IEC 27001 standard (first issued in 2005, a standard that helps in information security management) long before the EU regulations came into effect, ensuring data security has always been a priority, and the GDPR introduced nothing fundamentally new in this regard. The current version of the standard for information security management is PN-EN ISO/IEC 27001:2023-08/A1:2025-02 [38]. A complementary document to the ISO/IEC 27001 standard is ISO/IEC 27002 [39], which serves as a guideline for the implementation and application of information security control measures. The implementation of standards in enterprises greatly supports compliance with EU law. While voluntary, they offer a practical framework providing methods and procedures for effective organizational management and data protection.
Beyond compliance with formal standards, effective data and information security management requires well-defined operational processes, governance policies, and methodologies. The Data Governance framework, with a strong focus on data quality, is supported by approaches such as the DAMA methodology [40,41,42], which help organizations mitigate risks and avoid severe penalties for data breaches under EU regulations.
In order to ensure information security, including cybersecurity and physical security, organizations should implement standardization in the form of internal regulations, which constitute a system guaranteeing information security. Continuous monitoring of information security risk management is essential for constructing safeguards, minimizing risks, and identifying individuals responsible for specific tasks within this area.
Organizations should also manage information security incidents, for which purpose a Security Operations Centre (SOC) [43] should be established. Within an SOC, such incidents are addressed and resolved. In practice, the SOC operates through the following support lines:
  • Line 1—The first point of contact for the entire organization, responsible for initial identification and analysis of reports, categorization and prioritization, and forwarding to the next support line.
  • Line 2—A specialized team that performs detailed analysis and handles the resolution of security incidents; if necessary, incidents can be escalated to Line 3.
  • Line 3—A team dedicated to advanced analysis of complex security incidents, including forensic examination of malware and in-depth network traffic analysis. This team also addresses the root causes of incidents as part of corrective actions.
In the event of a data breach or theft, it is necessary, in addition to reporting the information security incident within the organization, to take formal steps to notify the supervisory authority within a maximum of 72 h from detection, as directly required by the GDPR. In Poland, this authority is the Personal Data Protection Office—UODO.

2.3. Stakeholder Privacy in Digital Transformation

Stakeholder privacy in digital transformation is possible only when Internet users take responsibility for protecting their privacy both individually and collectively—as an organization or community united around a common idea—by maintaining constant vigilance and adhering to the principle of limited trust. To address privacy concerns, the European Union has issued the relevant ePrivacy Directive [44].
This directive is highly noticeable to users in everyday Internet interactions. For example, when visiting previously unvisited websites, users encounter notifications requesting consent for storing cookies on their devices, in accordance with legal informational obligations. Cookies are small text files stored in the user’s browser and device (including tablets, phones, and computers). They are used for profiling users, recording login information, and personalizing content. If a user does not provide consent, access to the website may be denied, effectively forcing a choice between privacy and digital inclusivity.
Similarly, access to free software versions often requires users to consent to data usage, illustrating that there is no such thing as a completely “free” service, and highlighting the potential risk of losing one’s digital identity. This underscores the importance of reading terms and conditions on all platforms, such as social media, and consciously consenting only after understanding the implications.
In the era of artificial intelligence, where national legislation has struggled to keep pace with technological and business developments, users face significant risks if they irresponsibly rely on AI and grant it access to their personal data. The only currently enforceable regulation concerning the use of AI is the EU AI Act [45], which governs the development, deployment, and use of artificial intelligence systems with appropriate attention to data security and privacy.
In addition to EU legal acts concerning personal data privacy, the ISO/IEC 27701 standard [46] is also available. This standard extends ISO/IEC 27001 specifically to cover personal data privacy, including procedures for consent management, data anonymization, and privacy auditing.

2.4. Frameworks for Technology Adoption in Organizations

The adoption of information technologies in organizations has a direct impact on threats to data security and the privacy of stakeholders.
The literature describes numerous theories concerning technology implementation, both at the individual and organizational levels [47]. The adoption and acceptance of technologies in organizations depend on various internal factors, such as organizational culture and structure, as well as external factors, such as environmental pressures [48,49]. The most accurate, comprehensive, and holistic approach in the academic literature is represented by the TOE framework, developed by Tornatzky and Fleischer [50]. Due to its characteristics, the TOE framework allows for the integration of technological, organizational, and environmental—institutional—factors, making it one of the most important theoretical frameworks and establishing it as a model and reference point for other frameworks and theoretical models of technology adoption [49,51].
The technological context within an organization depends on numerous variables. Among these variables are the characteristics of the technology itself, which, in addition to its advantages over other technologies, must consider its potential for integration with existing organizational solutions and processes, as well as its complexity and potential benefits; factors posing security risks are also taken into account. Organizational-focused activities concentrate on the organization’s operations, industry, structure, and management culture, and also depend on the organization’s size and the allocation of resources, including human resources. The final dimension—the environmental context—aims to analyze the organization’s external environment, encompassing legal frameworks and governmental regulations, competitive pressures, existing technological trends within the organization’s sector, and the willingness of partners to adopt and utilize the technology [52,53].
The aforementioned TOE framework can be applied complementarily with institutional theory [54,55,56,57], which formalizes the standardization of socio-organizational processes in response to external pressures exerted on the organization [58]. Institutional theory is based on three mechanisms of isomorphism [58,59]:
  • Coercive isomorphism—arising from external pressures such as legal, governmental, institutional, or social regulations.
  • Normative isomorphism—resulting from professional standards and the adoption of similar procedures within specific sectors of activity.
  • Mimetic isomorphism—stemming from the imitation of market leaders to reduce risks associated with business operations.
In analyses of data security and privacy protection in organizations, the TOE framework can serve as a reference for organizational and environmental contexts, while institutional theory can function both as a reference framework for external pressures and expectations, and as an interpretive framework for explaining specific behaviors.

3. Materials and Methods

The structure of the conducted empirical studies is based on analytical frameworks drawing on elements of the TOE framework and institutional theory. The environmental context stems from legal regulations and pressure from the European Union, which seeks to transition the economy toward Industry 5.0. Moreover, the sectoral perspective results from similar organizational behaviors within the same industries and comparable standardization processes. Company size and the origin of capital, in turn, derive directly from the organizational context. In addition, the origin of capital is also linked to the environmental context—specifically, environmental pressures—since organizations with foreign or mixed capital typically have to comply with a greater number of standards due to their international nature. These theories can therefore be used to justify differences in the perception of information security threats among enterprises operating in different sectors, of varying sizes in terms of the number of employees, and with different origins of capital.
The quantitative study was conducted using a questionnaire survey from August to October 2024. The questionnaire was administered online using the CAWI (Computer-Assisted Web Interview) method. A non-probability sampling method was employed. The sample comprised 600 organizations, of which 556 complete responses were included in the analysis. The majority of respondents were representatives of middle or senior management in these organizations. Of these, 89.4% were companies with Polish capital, 6.7% with mixed capital, and 4% with foreign capital. The largest number of responses came from representatives of the IT sector (21.9%), followed by the services sector (21.2%), the automotive sector (20%), the banking and financial sector (18.5%), and the industrial sector (18.3%).
The study included representatives from small, medium, and large organizations. Among the respondents, 69.6% were employees of enterprises with 10–49 employees, 21.2% worked in medium-sized organizations (50–249 employees), 5.2% were employed in large organizations (250–500 employees), and 4% came from organizations with over 500 employees.
Using the formula for sample size with a finite population correction [60,61] and data on the number of enterprises in Poland obtained from EUROSTAT for 2023 [62], the permissible sample size was calculated at 383, which is smaller than the actual study sample of 556. The sample was selected to ensure balance across sectors, allowing for cross-sectoral comparisons. Based on a chi-square test for a single variable (χ2 (4) = 2.83, p = 0.5865), no statistically significant differences were found regarding group balance within the sample. The purpose of the sampling was not to replicate population proportions, but to ensure analytical equilibrium. The obtained results are not statistically generalizable to the population of enterprises in Poland or the EU.
The study was not intended to develop predictive models, but rather to diagnose the level of awareness among representatives of the surveyed organizations and to identify potential behavioral patterns and correlations across specific groups of characteristics. The study is exploratory in nature.
For the purpose of this article, the scope of the study corresponds to the following research questions (RQs):
  • RQ1: How do respondents evaluate their organization’s involvement in the ongoing transition towards Industry 5.0?
  • RQ2: How is the perception of data security and stakeholder privacy threats shaped across different sectors in the context of transformation towards I5.0?
  • RQ3: Does company size influence the perception of data security and stakeholder privacy threats during the transformation towards I5.0?
  • RQ4: Does the origin of company capital affect the perception of data security and stakeholder privacy threats in the process of transformation towards I5.0?
Based on the above research questions, the following hypotheses (Hs) were formulated:
H1. 
The perception of threats to data security and privacy depends on the degree of engagement in the transformation towards I5.0.
H2. 
The perception of threats to data security and privacy in the context of company engagement in the transformation towards I5.0 depends on the sector of the enterprise.
H3. 
The perception of threats to data security and privacy in the context of company engagement in the transformation towards I5.0 depends on the size of the enterprise.
H4. 
The perception of threats to data security and privacy in the context of company engagement in the transformation towards I5.0 depends on the origin of the company’s capital.
It should also be emphasized that “engagement in the transformation towards I5.0” is a subjective variable, based on respondents’ self-assessments. The conducted study addresses the perceptions and awareness of the respondents participating in the survey, rather than the objective level of Industry 5.0 implementation in the organizations where they are employed.
In the conducted analysis, the chi-square test was used to assess the relationship between two phenomena [63,64]. Where this was not possible due to insufficient cell counts (<5) in the contingency table, Fisher’s exact test was applied [64,65]. To identify enterprise characteristics influencing the perception of information security threats, multivariate logistic regression was employed [66,67].
The collected empirical data had a heterogeneous structure: some variables were ordinal, while others were categorical or binary. Some of the survey questions were multiple-choice questions. Therefore, the selected methods were considered the most appropriate for addressing the formulated research questions and hypotheses.
Multivariate logistic regression makes it possible to identify relationships among different types of data without requiring assumptions of data continuity or normality of distribution. It is also well suited for the analysis of discrete data. Moreover, it allows for the presentation of visualizations that are straightforward for potential readers to interpret.
All analyses and charts were generated using the R software (version 4.5.1) in the RStudio integrated development environment (version 2025.09.0+387), with the following libraries: ggplot2, dplyr, tidyr, stats, readxl, vcd, patchwork, effects, and broom [68,69].

4. Results

4.1. Transformation Engagement and Implementation Pace

Prior to addressing the main research questions and hypotheses, the overall level of respondents’ awareness of the Industry 5.0 concept was assessed. To this end, respondents were asked the following question: “To what extent are you familiar with the concept of Industry 5.0?” The response options were as follows:
  • Fully aware;
  • Have heard of it but do not have comprehensive knowledge;
  • Not aware at all.
The results showed that 25% of respondents were fully aware of the concept, while 66% indicated that although they had heard of it, their knowledge was incomplete. In contrast, 9% of respondents reported having no knowledge of the concept whatsoever.
The first stage of the analysis focused on identifying the developmental phase of the transformation process within organizations in the context of Industry 5.0 (I5.0). This was achieved by examining the correlation between two survey questions: the level of engagement in the transformation process and the pace of implementation, based on the organizations in which the respondents were employed. Subsequently, the analysis explored how these variables influenced the perception of data security and privacy risks. The level of engagement in the transformation process toward Industry 5.0 (L), as reported by the respondents, was determined based on the responses to the question summarized in Table 1.
The majority of respondents recognized the need for change, as nearly 60% answered positively to this question (L1, L2). Moreover, 30.9% of respondents are considering taking such steps. Only 10.3% do not regard this as a significant action within their company. The survey accounted not only for the enterprise’s approach to this process but also for the current pace of implementation (P) (see Table 2).
This allows for reference to both the ambitions and the realities of implementation. It should be noted that the assessment of the pace of I5.0 implementation in one’s organization (P) varies depending on the level of engagement in the process (L), and the respondents’ answers do not coincide (see Figure 2). Nevertheless, the differences between responses to these questions are not random, as confirmed by Fisher’s exact test conducted using a Monte Carlo simulation with 1,000,000 replications (a statistically significant relationship exists between variables L and P, p < 0.001).
Figure 2 illustrates the mutual relationships between these two characteristics. The width of each rectangle represents the proportion of respondents who simultaneously provided answers Lk and Pj (k, j = 1, …, 4) relative to the number of respondents who answered Pj, while its height represents the proportion of respondents who simultaneously provided answers Lk and Pj relative to the number of respondents who answered Lk. The figure also includes color and point markings, which reflect Pearson’s residuals [70]. Points were additionally added to improve the readability of the chart in cases where some rectangles represented very small response categories (i.e., a low number of responses). The obtained results confirm the consistency of respondents’ answers. Along the main diagonal, there is a strong positive association between the ways respondents answered the questions. Respondents most frequently paired these combinations.
As expected, the most intense red shading corresponds to the combination of active participation in the transformation process with the observation of significant resulting changes (L1, P1, accounting for 5.2% of all companies) and the lack of engagement in the transformation process with no opinion regarding the pace of Industry 5.0 implementation (L4, P4, 6.1% of all companies). Additionally,
  • 7.7% of respondents indicated that their company actively participates in the transformation process but does so gradually (L1, P2);
  • 34.7% reported gradually starting the process (L2, P2);
  • 9.2% stated that their company has started the process very slowly and believes that most companies are still not engaged (L2, P3);
  • 19.4% are considering the implementation of the process, but the preparations are progressing slowly (L3, P3).

4.2. Security Challenges in the Transition Towards I5.0

The general approach to data and network security, as well as personal data and privacy, was addressed through two survey questions. The first question focused on factors related to the implementation of transformation processes toward Industry 5.0 (F): Which factors were relevant during your organization’s transformation toward Industry 5.0? It was a multiple-choice question in which, apart from “Ensuring data and network security” (F2), respondents could also select “The need to modernize infrastructure and systems” (F1), “The need to train personnel” (F3), “The costs of implementing new technologies” (F4), and “Other” (F5). Factor F2 was selected by 53.1% of respondents (46.9% did not select it). It is worth noting that this was the second-most frequently chosen factor, following F3 (58.5%), and preceding F1 (52.3%), F4 (46.6%), while 35.1% of respondents indicated “Other.”
In the stacked column chart (see Figure 3a), the percentage distribution of Yes/No responses indicating the recognition of “ensuring data and network security” as a challenge is presented across different levels of engagement in the transformation process toward I5.0 within organizations. While Figure 3a appears to indicate that the higher the level of engagement in this process, the greater the proportion of respondents who perceive data and network security as a challenge or problem, a more rigorous analysis employing statistical tests revealed that this relationship is more complex.
The chi-square test of independence [63] revealed a statistically significant relationship between the level of engagement in the transformation process and the perception of ensuring data and network security as a challenge (χ2 (3) = 19.25, p < 0.001). Although the relationship between the variables is statistically significant, it primarily results from the fact that respondents who assessed their company’s engagement in the transformation process as non-essential (L4) were less likely to select “Yes” (Pearson residual < −2) and more likely than expected under the assumption of independence to select “No” (Pearson residual > 2), as illustrated in Figure 3b.
For engagement levels L1, L2, and L3, there is no statistically significant effect on the selection of “ensuring data and network security” as a major challenge for the enterprise. However, the direction of deviation from the expected values of the Pearson residuals is positive for (L1, Y) and (L2, Y), and negative for (L3, Y).

4.3. Concerns About Data Privacy

The second question, generally related to data security and privacy, is presented in Table 3. Only 21.6% of respondents perceive the potential occurrence of significant threats to personal data security and privacy as a major concern (C1). Meanwhile, 62.1% acknowledge these threats but do not consider them a primary issue (C2), and 16.4% are not concerned about them at all (C3).
The results of the chi-square test of independence (χ2 (6) = 42.93, p < 0.001) indicate a statistically significant relationship between engagement in the I5.0 transformation process and concerns regarding data security and privacy. However, this relationship is non-linear. It is driven largely by the distribution of responses in the L4 group and, to a lesser extent, in L2, highlighting a shift towards a lack of concern (C3) or moderate concern (C2) in these specific groups. Descriptively, Figure 4a suggests that among respondents describing their companies as actively engaged, the proportion expressing serious concerns is relatively the lowest. Visually, it might appear that the higher the level of organizational involvement, the lower this proportion. For instance, in organizations actively implementing Industry 5.0 (L1), 21.6% report no concerns, whereas in those just beginning (L2), only 11.1% feel the same. This may indicate that organizations actively participating in the process are effectively managing data protection, while those at the initial stages still face greater challenges. Among companies considering steps toward Industry 5.0 transformation, 14.5% of representatives do not worry about data security or privacy loss. For organizations that have not expressed interest in Industry 5.0, as many as 38.6% report no concerns regarding the related security issues.
Crucially, the statistical validation via standardized residuals analysis (Figure 4b) clarifies that the significant association is not a general trend but is primarily driven by specific deviations: (L4, C2)—a pronounced deficit compared to the expected value, (L4, C3)—a pronounced surplus compared to the expected value, and, to a lesser extent, (L2, C3)—a moderate deficit compared to the expected value.
This confirms that the statistical significance is largely a result of the L4 group’s distinct profile (high disregard for security risks) rather than a uniform correlation across all engagement levels.

4.4. Threats and Actions in the Transition Towards I5.0

Next, the responses to multiple-choice questions regarding the Industry 5.0 transformation process were analyzed. The first question focused on perceived threats, “In which areas do you see the greatest risks to security and privacy in the transition towards Industry 5.0?” (T), with the following possible answers: “Protection of personal data and user privacy” (T1), “Security of networks and IT systems” (T2), “Risks related to cybercrime and hacking” (T3), and “Others” (T4). The second question asked “What actions, in your opinion, should be taken to ensure adequate security and privacy protection in the transition towards Industry 5.0?” (A), with the following possible answers “Increased monitoring and supervision of companies in the technology sector” (A1), “Public education on online security and privacy threats” (A2), “Stricter penalties for violations of data security and privacy” (A3), and “Others” (A4).
Regarding perceived threats (T), respondents identified the security of networks and IT systems (T2) as the most significant risk, with 67.8% selecting this option. Protection of personal data and user privacy (T1) was indicated by 54.9% of respondents, while 51.8% highlighted risks related to cybercrime and hacking (T3).
Concerning actions to ensure adequate security in the transition towards Industry 5.0, 76.3% of respondents emphasized the importance of public education (A2). Over half (56.1%) believed that increased monitoring and supervision of IT sector companies (A1) was necessary, whereas only 26.3% supported introducing stricter penalties for violations of data security and privacy (A3). The “Others” category (T4 for threats and A4 for actions) was selected by only two and one respondents, respectively, and therefore was not considered in further analysis.
This subsection first presents a descriptive analysis of the results regarding threats and actions across different levels of engagement in the transition towards I5.0, followed by a statistical analysis of these findings in the subsequent part.
Figure 5 illustrates how the percentage distribution of responses varied across different levels of engagement in the transition towards I5.0.
Respondents from companies more actively engaged in the transformation process (L1, L2) identified T1 and T3 as threats at a higher rate compared to the overall population average (specifically, 59.5% for L1 and 57.3% for L2, exceeding the population average of 54.9% for T1; and 66.2% for L1 and 53.8% for L2, exceeding the population average of 51.8% for T3). In contrast, respondents whose companies are not participating in the transformation process (L3, L4) selected these threats less frequently than the general population baseline. A relatively higher number of respondents, whose organizations are only beginning the transformation process or are considering initiating it, recognize threats to data and network security (T2) as key areas of concern. This aligns with previous findings where data and network security were identified as major challenges (F2). Respondents from companies already actively engaged in the transformation selected this answer relatively less frequently than those whose organizations were just starting or planning the process.
Analyzing the next area, i.e., which actions should be undertaken to ensure security and privacy protection, the following conclusions can be drawn: representatives of companies engaged in Industry 5.0 transformation, more frequently than would appear based on overall population proportions, emphasize the need for societal education (A2) and enhanced oversight in the IT sector (A1), unlike respondents in groups L3 and L4. Moreover, respondents demonstrating active participation in the transformation (L1) as well as those showing no need for engagement (L4) more strongly indicated the necessity of imposing stricter penalties for data and privacy violations (A3).
To complement the above descriptive analysis, the study examined whether the observed differences regarding information security threats and actions to mitigate them across different levels of engagement in the I5.0 transformation process are statistically significant. The chi-square test was applied, and variables with Pearson residuals exceeding the critical value ∣2∣ were highlighted, indicating a significant influence on the test outcome. The results are presented in Table 4.
Only in the case of examining the relationship between L and T1 does the chi-square test indicate no significant association between the variables. For the remaining analyzed variables, a statistically significant relationship is observed between L and T as well as L and A. However, the interpretation of these results should be approached with caution, as some p-values are close to the significance threshold, and some analyzed variables do not have Pearson residuals indicating a clear contribution to the test outcome. For variable levels with Pearson residuals exceeding ∣2∣, the observed association is unlikely to occur by chance, supporting the conclusion of the chi-square test’s statistical significance. The lack of randomness concerns only a small number of associations.
Regarding the threat related to the security of networks and IT systems in relation to the level of Industry 5.0 transformation, the largest contribution to the chi-square test result comes from respondents whose organizations are not interested in the transformation and did not select this threat as key. Additionally, levels L2 and L4 contribute most to the chi-square statistic for the analysis of the relationship between L and A2. The number of observations not selecting A2 is lower than expected for L2 and higher than expected for L4. In the case of the final activity, namely imposing strict penalties for data security breaches (A3), the interpretation of the data presented in Figure 5 aligns with the results shown in Table 4.

4.5. Regression Models and Sectoral Effects

To address the subsequent research questions, a multivariate logistic regression was applied [71]. For each of the binary variables T1, T2, T3, A1, A2, and A3, models were constructed including the following additional variables: engagement in the I5.0 transformation process (L), the business sector of the respondent’s organization (Sector), company size (Company size), and the type of capital held by the organization (Type).
The first dependency model was based on the variable T1, specified as T1~L + Sector + Company size + Type. This model was significantly better than the null model but demonstrated poor fit to the data. Applying a stepwise variable selection procedure using the AIC criterion allowed the identification of a new model where the key predictors were T1~Company size + Type. This resulted in the exclusion of L from the model.
A central focus of the analysis was to examine the effect of the level of engagement in the I5.0 transformation process in combination with other variables. Therefore, an interaction model was applied to allow a conditional assessment of the influence of Sector, Company size, and Type on T1 relative to L. Although the model accounted for complex dependencies, its explanatory power was limited, as indicated by the McFadden R2 of 0.096 (below the 0.1 threshold) [72]. At the same time, the chi-square test for the difference between the null and full model deviance was statistically significant (p = 0.0008), indicating that the model as a whole explains the data better than a model without predictors.
However, further analysis did not reveal statistically significant effects for any of the included variables or their interactions. The choice of T1 is not significantly associated with sector, capital type, or company size in the context of digital transformation engagement. This result may suggest that decisions regarding T1 are made independently of an organization’s involvement in I5.0 processes.
A model of T1 as a function of Company size and Type, selected based on the AIC criterion, was constructed. This model was statistically significantly better than the null model, but the McFadden R2 = 0.027 indicates limited explanatory power. This suggests that the decisions regarding the selection of data privacy and security threats are largely influenced by unobserved factors not captured in the quantitative analysis.
For the remaining types of information security threats and the potential actions to address them, an analogous modeling procedure was applied. The results of the best models are presented in Table 5.
Due to the way the stepwise procedure works, which does not test all possible combinations of variables, an additional analysis of models with single predictors was conducted. All combinations of the dependent variable with one explanatory variable were examined. The results did not provide a model that would meet the criteria for good fit explanatory power, which confirms the limited predictive power of the individual variables.
The results in Table 5 allow us to indicate two models moderately fitted to the data: T3~Sector, Company size and A3~L, Sector, Type.
Both models reached McFadden R2 values slightly above 0.1 with p-values < 0.001. Therefore, they are not models with high predictive power but do allow capturing certain decision patterns and differences between groups of entrepreneurs.
The first model (M1) showed that selecting cybercrime and hacking as one of the most important threats to data security and privacy in the transition toward Industry 5.0, with respect to factors such as the sector in which the enterprise operates and the number of employees in the respondent’s company, resulted in a moderate improvement in model fit compared to the null model (McFadden’s R2 = 11%). The second model (A3~L, Sector, Type; M2) is characterized by only a slightly higher McFadden’s R2 value of approximately 11.5%. The inclusion of the following variables—engagement in the Industry 5.0 transformation process, the company’s sector, and the origin of the company’s capital—into a model based solely on the binary variable A3 (choosing the introduction of stricter penalties for violations of data security and privacy as an action considered important for ensuring security and privacy in the transition toward Industry 5.0) increased its explanatory power by approximately 11.5%. This may suggest that, although the variables included in models M1 and M2 have a statistically significant effect, other unobserved variables exert a greater influence on respondents’ selection of threat T1 and activity A3, or that these choices are largely random in nature.
In the M1 model, the sector had a statistically detectable effect on the perception of threat T3. In the sectoral analysis, the IT sector was taken as the reference category, which, due to its high level of digitization and technological advancement, serves as a natural point of comparison in the context of the I5.0 concept. This allows assessing the extent to which other sectors differ from the IT industry in terms of perceived threats and actions taken regarding information security. Given the low explanatory power of the model, a statistically significant robust association was observed for the automotive sector (Estimate = 2.38, p < 0.001), the industrial sector (Estimate = 1.89, p < 0.001), the services sector (Estimate = 1.32, p < 0.001), and the financial and banking sector (Estimate = 1.40, p = 0.001). This means that representatives of companies from the automotive, industrial, services, and financial and banking sectors were more likely to consider cybercrime and hacking as significant threats compared to the IT sector [67]. This result may indicate a relatively lower risk perception among IT companies, which may result from their higher technological readiness or different risk management approaches.
The Company size variable was not statistically significant in the M1 model at the level of individual categories. However, its presence in the model improved the fit compared to a model containing only T3~Sector. This indicates the useful contribution of the Company size variable as a control variable in the M1 model. Its effect is not directly interpreted but justifies its inclusion in further analyses.
The subsequent stage of the analysis involved the presentation of odds ratios (ORs). ORs represent the logistic regression coefficients exponentiated. They indicate how many times greater (OR > 1) or smaller (OR < 1) the likelihood of a given event is in comparison to the reference category [65,66,71]. In the current model, the reference category for the Sector variable was the IT sector, which enables the assessment of the relative impact of other sectors on the perception of threats associated with cybercrime and hacking. For the Company size variable, the reference category comprised enterprises employing 10 to 49 individuals. The results are presented in Figure 6.
The largest association was observed in the automotive sector (OR = 10.79; 95% CI [5.85, 20.57]), suggesting that in this sector, the likelihood of perceiving T3 as a significant threat is more than ten times higher. Additionally, several statistically significant associations were noted for the financial sector (OR = 4.05; CI [2.25, 7.41]), the industrial sector (OR = 6.62; CI [3.44, 13.04]), and the service sector (OR = 3.72; CI [2.14, 6.61]), indicating a fourfold, over sixfold, and more than threefold higher probability of recognizing T3 as significant compared to the IT sector. For the variable Company size, all confidence intervals included the value of 1. Therefore, none of these categories were statistically significant in model M1, confirming previous findings that the effect of company size on the perception of T3 cannot be clearly determined. Consequently, there was no basis for interpreting its OR results.
The next stage of the analysis focused on model M2. The effects of the variables L, Sector, and Type on A3 were examined. In the analysis of the degree of engagement in the I5.0 transformation process, L4 was used as the reference category, representing respondents for whom the transformation is not significant. This choice allows the lack of engagement to serve as a baseline for evaluating the impact of I5.0 transformation on information security perception. In the sectoral analysis, the IT sector was adopted as the reference category due to its high level of digitization and technological advancement, providing a natural point of comparison in the context of the I5.0 concept. This allows assessment of how other sectors differ from the IT sector in terms of perceived threats and actions taken for information security. For the variable Type, which reflects the type of capital the company possesses, domestic capital (i.e., Polish) was selected as the reference category.
Given the limited explanatory power of the model, statistically detectable associations were observed for the following variables: L2 (Estimate = −0.98, p < 0.001), L3 (Estimate = −0.71, p < 0.01), the automotive sector (Estimate = 2.55, p < 0.001), the industrial sector (Estimate = 1.79, p < 0.001), the service sector (Estimate = 2.12, p < 0.001), and the financial and banking sector (Estimate = 1.32, p = 0.001). The results indicate that representatives of companies initiating or considering the I5.0 transformation process were more likely to perceive the introduction of stricter penalties for data and privacy breaches as necessary compared to those for whom the process is insignificant. Furthermore, respondents from the automotive, industrial, service, and financial and banking sectors were more likely to regard the introduction of stricter penalties for data and privacy breaches as necessary compared to the IT sector. The variable Type did not show statistical significance in model M2 at the level of individual categories. Odds ratios (OR) for the variables are presented in Figure 7.
Considering the low explanatory power of the model, the largest observed association was with the automotive sector (OR = 12.84; 95% CI [5.72, 33.01]), indicating that the likelihood of considering activity A3 in the field of security as significant is more than twelve times higher compared to the IT sector. Statistically significant associations were also observed for the service sector (OR = 8.36; CI [3.73, 21.43]), the industrial sector (OR = 5.98; CI [2.55, 15.80]), and the financial sector (OR = 3.76; CI [1.56, 10.09]), indicating, respectively, an eightfold, nearly sixfold, and over threefold higher probability of recognizing T3 as significant compared to the IT sector.
For the remaining variables, all confidence intervals included the value 1, indicating that none of these categories were statistically significant in model M2. Therefore, there is no basis for interpreting the OR results for these variables.
To deepen the analysis, an additional modeling procedure with interactions was conducted, both in a full form for each variable T and A (T~Sector + Company.size + Type × L, A~Sector + Company.size + Type × L) and in a single-variable form (T~variable × L, A~variable × L). Although some models met the selected fit criteria (e.g., McFadden R2 > 0.1 or statistically significant differences from the null model), they ultimately did not allow for clear conclusions. Confidence intervals for selected interaction coefficients were too wide or included the value 1, indicating a lack of precise relationships. For this reason, these results were not presented in detail, as their interpretation would be unjustified.

4.6. Answers to Hypotheses and Research Questions

Based on the conducted research on the determinants of perceived data security and stakeholder privacy risks in Polish enterprises digitally transforming towards Industry 5.0, the following were distinguished:
  • Conceptual determinants—perception of the degree of engagement in the enterprise transformation process towards Industry 5.0 (L).
  • Organizational determinants—sector, company size, and capital origin.
The conducted survey data analysis allowed us to address the research questions as follows:
  • RQ1—How do respondents evaluate their organization’s involvement in the ongoing transition towards Industry 5.0?: The results are presented in Table 1. According to the data, 13.3% of respondents indicated that their company actively participates in the transformation process, 45.5% reported that the process has just begun, 30.9% are not yet engaged but are considering taking steps in this direction, and 10.3% stated that the topic is not relevant to them.
  • RQ2—Perceived threats to data and privacy security related to Industry 5.0 transformation: The analysis did not allow for a definitive answer to this question. Perceived threats to stakeholder data and privacy depend on the sector in which the company operates. Statistically significant effects were observed only for cybercrime and hacking-related threats (T3) and for the actions (A3) that should be undertaken. The strength of the correlation for T3 is dependent on company size, whereas for A3, it depends on the level of engagement in the I5.0 transformation process (L) and Type (see Table 5). However, the tests indicated significance but not the direction of the relationship. According to Figure 6, the probability of recognizing T3 as significant is over three times higher for the service sector, four times higher for the financial sector, over six times higher for the industrial sector, and over ten times higher for the automotive sector, compared to the IT sector. Regarding the actions to be taken in response to information security threats, the choice of implementing stricter penalties for data and privacy breaches as significant also depends on the business sector (see Table 5). According to Figure 7, the probability of considering A3 as significant is over eight times higher for the service sector, over three times higher for the financial sector, almost six times higher for the industrial sector, and over twelve times higher for the automotive sector, compared to the IT sector. These results should be interpreted with caution due to moderate model fit and wide confidence intervals for the ORs. Moreover, the tests did not show that the level of company engagement in the I5.0 transformation significantly influenced these responses.
  • RQ3—Company size: The analysis indicates that company size, measured by the number of employees, does not significantly affect the perception of data and privacy security threats (see Table 5, Figure 6).
  • RQ4—Type of capital: As shown in Table 5 and Figure 7, the origin of a company’s capital does not significantly influence the perception of data and privacy security threats among stakeholders in the I5.0 transformation process.
For clarity, the results for the hypotheses have been summarized in Table 6. This table does not include results for T and A indicators that were statistically insignificant for confirming the tested research hypotheses.

4.7. Robustness Check and Research Limitation

A limitation of the conducted research process was that the survey questions focused on respondents’ subjective assessments of their involvement in the transformation toward Industry 5.0, while their level of knowledge regarding this concept was low, with only 25% reporting full awareness of I5.0.
The research sample meets the criterion of numerical representativeness. However, the distribution of enterprises across sectors in the sample does not correspond to the distribution of enterprises across sectors in the total population of enterprises in Poland (based on 2023 data). Additionally, data on the number of enterprises in Poland broken down by sector and by company size or capital origin are not available. This limits the generalizability of the results to the entire population of enterprises in Poland or other EU countries. Therefore, the comparative analysis is exploratory in nature. The sample was purposive, aimed at enabling sectoral comparisons.
To enable generalization of the results to the entire population of Polish enterprises, data with a distribution of key characteristics, as described above—closely matching the distribution in the overall population of Polish enterprises—would be required. An alternative could be weighting the survey data. This could ensure the stability of the estimates. However, as mentioned earlier, no data are available that would allow for determining the structure for multiple groups of enterprises. Another way to examine the stability of the estimates could be a sensitivity analysis, which would allow testing how robust the results are to changes in the sample composition or in model specifications. However, this was not addressed in the analyses in the present study.
To verify the consistency of results and to explore additional relationships, an association rule analysis was also conducted. Its aim was to identify frequently co-occurring responses among respondents, particularly in the context of perceived threats and reported actions in the field of information security. Although the analysis revealed several interesting co-occurrence patterns, their interpretation was limited due to the lack of direct reference to the research questions and hypotheses. The identified rules also did not allow for definitive conclusions about causal relationships. This analysis primarily served as an attempt to apply alternative analytical methods. Consequently, although it was conducted, its results were not included in the main presentation of findings.
Furthermore, the models used exhibited low McFadden R2 values, typically at the lower boundary of acceptability for further interpretation; however, they indicated a modest but significant improvement over the null model. Additionally, for some variables, confidence intervals were very wide. This indicates the complex nature of the relationships and the potential influence of unobserved factors not accounted for in the quantitative analysis, such as security culture, experience with information security incidents, digital maturity, and top management engagement. Therefore, the interpretation of the results should take these limitations into consideration.
It should be noted that in socioeconomic research on awareness of a given phenomenon, such variables may be influenced by many factors outside the model. Therefore, low R2 values are relatively typical in this type of research. In GLM models estimated using the maximum likelihood method, McFadden’s R2 reflects only the improvement of the model relative to a model without predictors. In general, an R2 value above 0.1 is considered to have moderate exploratory value, while values in the range of 0.2–0.4 are regarded as good.
All models not described in the article and the association rules created are included in the Supplementary Materials.

5. Discussion

Industry 5.0 is a relatively recent concept, and the obligation to implement advanced technological solutions creates challenges in terms of data security and stakeholder privacy, as indicated by the authors in Section 2.1 based on scientific publications.
The aim of the study was to analyze respondents’ perceptions of threats, which determine organizational behaviors and influence both organizational culture and investment decisions. ESG and ethics serve as normative frameworks; however, they are not directly operationalized in the statistical models, as noted in the Section 1 (Motivation and Research Problem). Therefore, Figure 1 functions solely as a framework encompassing the interpretative context, excluding latent variables (such as security culture, experience with information security incidents, digital maturity, and top management engagement), as these were not measured in the present study.
The theoretical framework proposed in Figure 1 is universal and applies to all EU member states. In the future, comparative studies across the entire EU are planned, which will take into account, on the one hand, the specific culture of regulatory enforcement in Poland compared to other EU countries, and on the other hand, differences in digital maturity or economic structure, as well as demonstrate how these factors limit the external validity of the findings for other EU member states.
It should be noted that the empirical research conducted was the first of its kind in Poland. It was a pilot study. The relatively short survey questionnaire included questions from a variety of areas that were related to digital transformation in the context of I5.0. One of the areas addressed by the results presented in this article was data security and stakeholders’ privacy. The quantitative research conducted primarily measured the respondents’ level of awareness of digital transformation in the face of I5.0 challenges.
However, the empirical research revealed an unclear relationship between the perception of information security risks (T) and the level of development of companies towards I5.0, as well as the sector to which the company belongs, its size, and the origin of its capital. Similarly, the attitudes of company employees towards possible preventive measures under the state’s responsibility to enhance this security (A) also did not depend on conceptual determinants and organizational determinants.
Moreover, the analysis highlighted certain paradoxes, such as the finding that companies most engaged in the process of transformation towards Industry 5.0 (L1) exhibit lower concerns regarding data privacy compared to non-engaged companies (L4). On the one hand, this can be interpreted as a sign of preparedness for structured risk management. It may result from a high level of awareness regarding the role that privacy protection investments play in enhancing enterprise competitiveness [73]. The return on such investments can exceed costs and become a development opportunity [74], especially in the case of organizations with high digital trust maturity. Such entities achieve better performance through responsibility and superior privacy management, which translates into increased competitiveness and stakeholder trust [75,76]. At the same time, enterprises are aware that cyberattacks and data breaches entail legal consequences, investigations costs, and reputation damage, potentially leading to long-term impacts such as poorer operational results, declining sales, and reduced profitability. These potential consequences serve as a strong motivation for engaged companies to implement mitigation strategies to prevent future incidents, thereby lowering current anxiety levels of these organizations [77].
On the other hand, this lower level of concern could also signal a false sense of security—an assumption that merely operating in compliance with the law is sufficient protection against the potential effects of data breaches [76,78]. Furthermore, rapid digital transformation and the adoption of modern technologies may outpace the understanding of their impact on data security, as well as reflection on the risks associated with compromising that security [77,78]. However, the current data do not allow for a definitive determination of which interpretation is more accurate.
This raises the question of whether perceptions of data security and privacy are primarily shaped by the awareness of the digital product user. Every individual is first and foremost a consumer, and not necessarily an employee or employer. Consumers increasingly expect that their data are not only protected during the use of digital services, but also appropriately stored or deleted thereafter. The integration of physical and digital consumer interactions is fundamentally built on trust in data protection and security [79,80]. In the transition towards Industry 5.0, where sustainable development is a guiding principle, the design of phygital experiences must incorporate data ethics and compliance with regulatory frameworks such as CSRD [81,82]. Data privacy and cybersecurity are no longer merely technical concerns—they constitute elements of societal well-being and, consequently, components of brand sustainability. Ethical interactions with stakeholders thus become a source of competitive advantage [83].
Concluding the discussion based on the review and analysis of both primary and secondary sources, the authors formulated the following practical implications for enterprises and the state:
  • Lifelong learning, continuous improvement, and development of employees’ competencies in cybersecurity through the provision of up-to-date knowledge and the cultivation of awareness regarding threats, preventive measures, and best practices.
  • Greater emphasis on public education regarding Internet safety and privacy threats.
  • Introduction of stricter penalties for violations of data security and privacy.
  • Protection of personal data and user privacy.
  • Ensuring the security of ICT infrastructure in organizations.
  • The information security management system in a company should be tailored to the specifics of its operations and organizational context.
  • Technologies and security measures should be adapted to the current capabilities and size of the organization.
  • To minimize the risk of cyberattacks in enterprises undergoing digital transformation within the framework of Industry 5.0, it is essential to establish robust internal regulations and continuously monitor the security of resources in all aspects, i.e., material, financial, human, and data.
  • The design of ethical and transparent interactions with stakeholders in the context of phygital experiences is essential for building trust in the enterprise and its brand.

6. Conclusions

The article presents the conditions under which organizations operating within the European Union function, with reference to policies related to Industry 5.0 in the context of data security and the protection of stakeholders’ privacy. The conducted research process constitutes a foundation for future studies and comparative analyses. The study focuses on assessing the level of awareness of employees in Polish organizations regarding information security, as well as the influence of the organizations’ immediate and broader environments.
In organizations where engagement in the Industry 5.0 transformation process is not considered important or is not pursued at all, concerns regarding personal data security and privacy are substantially lower.
Further analysis, including interactions between the level of engagement in the transformation and organizational characteristics, did not reveal clear relationships in the perception of information security threats. Although some combinations of variables were statistically significant, wide confidence intervals and the lack of consistent effects prevented drawing definitive conclusions.
Such a state may suggest that the level of awareness among employees of Polish enterprises regarding information security—both in terms of the identified threats and the necessary preventive measures at the state level—is not significantly dependent on the size of the organization, the origin of capital, or the sector in which the enterprise operates.
Positive information is the fact that over 76% of respondents considered public education on online security and privacy threats to be a key component of data protection. This underscores the societal importance of continuously enhancing the competencies not only of employees but of all stakeholders engaged in the convergence of the physical and digital realms, resulting in the emergence of phygital experiences.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/su18031699/s1, Rmarkdown GLM.html.

Author Contributions

Conceptualization, D.K. and D.M.; methodology, D.K.; software, D.K.; validation, D.K.; formal analysis, D.K.; investigation, D.K.; resources, D.K. and D.M.; data curation, D.K.; writing—original draft preparation, D.K. and D.M.; writing—review and editing, D.K. and D.M.; visualization, D.K.; supervision, D.K. and D.M.; project administration, D.K. and D.M. All authors have read and agreed to the published version of the manuscript.

Funding

Co-financed by the Minister of Science under the “Regional Initiative of Excellence” program.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki, and the protocol was approved by the Human Subject Research Ethics Committee of the University of Economics in Katowice (Rector’s Orders No. 40/22 and No. 41/22).

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

The data will be made available upon request.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Ionescu, A.-M.; Ionescu, A.-C. Exploring the Future of Manufacturing: An Analysis of Industry 5.0’s Priorities and Perspectives. Sustainability 2025, 17, 7842. [Google Scholar] [CrossRef]
  2. Rusu, D.; Mantulescu, M. Development of an Application-Based Framework for Information Security Management in SMEs. Sustainability 2025, 17, 8314. [Google Scholar] [CrossRef]
  3. Sulaiman, N.S.; Fauzi, M.A.; Wider, W.; Rajadurai, J.; Hussain, S.; Harun, S.A. Cyber–Information Security Compliance and Violation Behaviour in Organisations: A Systematic Review. Soc. Sci. 2022, 11, 386. [Google Scholar] [CrossRef]
  4. Gratian, M.; Bandi, S.; Cukier, M.; Dykstra, J.; Ginther, A. Correlating human traits and cyber security behavior intentions. Comput. Secur. 2018, 73, 345–358. [Google Scholar] [CrossRef]
  5. FitzGerald, J.; Dennis, A.; Durcikova, A. Komunikowanie Danych i Zastosowanie Sieci Komputerowych w Biznesie, 13th ed.; Grażyński, A., Translator; Helion: Gliwice, Poland, 2020; pp. 413–480. ISBN 978-83-283-5768-6. [Google Scholar]
  6. KPMG; Microsoft. Monitor Transformacji Cyfrowej Biznesu. Edycja 2024. Available online: https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2024/04/pl-Monitor-Transformacji-Cyfrowej-Biznesu-Edycja-2024-KPMG-Microsoft.pdf (accessed on 25 December 2025).
  7. CERT Polska. Available online: https://cert.pl/publikacje/ (accessed on 25 December 2025).
  8. Santos, B.; Costa, R.L.C.; Santos, L. Cybersecurity in Industry 5.0: Open Challenges and Future Directions. In Proceedings of the 2024 21st Annual International Conference on Privacy, Security and Trust (PST), Sydney, Australia, 28–30 August 2024; pp. 1–6. [Google Scholar] [CrossRef]
  9. Hassan, M.A.; Zardari, S.; Farooq, M.U.; Alansari, M.M.; Nagro, S.A. Systematic Analysis of Risks in Industry 5.0 Architecture. Appl. Sci. 2024, 14, 1466. [Google Scholar] [CrossRef]
  10. Vaidya, S.; Ambad, P.; Bhosle, S. Industry 4.0—A Glimpse. Procedia Manuf. 2018, 20, 233–238. [Google Scholar] [CrossRef]
  11. Gajdzik, B.; Wolniak, R. Influence of Industry 4.0 Projects on Business Operations: Literature and Empirical Pilot Studies Based on Case Studies in Poland. J. Open Innov. Technol. Mark. Complex. 2022, 8, 44. [Google Scholar] [CrossRef]
  12. Suleiman, Z.; Shaikholla, S.; Dikhanbayeva, D.; Shehab, E.; Turkyilmaz, A. Industry 4.0: Clustering of Concepts and Characteristics. Cogent Eng. 2022, 9, 2034264. [Google Scholar] [CrossRef]
  13. Industry 5.0, A Transformative Vision for Europe: Governing Systemic Transformations Towards a Sustainable Industry. Publications Office of the European Union. 2021. Available online: https://data.europa.eu/doi/10.2777/17322 (accessed on 22 October 2025).
  14. Fogaça, D.R.; Grijalvo, M.; Sacomano Neto, M. What Are Industry 4.0 and Industry 5.0 All About? An Integrative Institutional Model for the New Industrial Paradigms. Adm. Sci. 2025, 15, 118. [Google Scholar] [CrossRef]
  15. Zizic, M.C.; Mladineo, M.; Gjeldum, N.; Celent, L. From Industry 4.0 towards Industry 5.0: A Review and Analysis of Paradigm Shift for the People, Organization and Technology. Energies 2022, 15, 5221. [Google Scholar] [CrossRef]
  16. Ghobakhloo, M.; Iranmanesh, M.; Fathi, M.; Rejeb, A.; Foroughi, B.; Nikbin, D. Beyond Industry 4.0: A Systematic Review of Industry 5.0 Technologies and Implications for Social, Environmental and Economic Sustainability. Asia Pac. J. Bus. Adm. 2025, 17, 889–914. [Google Scholar] [CrossRef]
  17. Kassen, M. Adopting and managing open data: Stakeholder perspectives, challenges and policy recommendations. Aslib J. Inf. Manag. 2018, 70, 518–537. [Google Scholar] [CrossRef]
  18. Modrzejewska, D. Metamodel Komputerowego Wspomagania Innowacyjności Organizacji i Mikrofundamentów Innowacyjności; Wydawnictwo Uniwersytetu Ekonomicznego w Katowicach: Katowice, Poland, 2024; pp. 17–27. ISBN 978-83-7875-908-9. [Google Scholar]
  19. Keshvarparast, A.; Berti, N.; Chand, S.; Guidolin, M.; Lu, Y.; Battaia, O.; Xu, X.; Battini, D. Ergonomic Design of Human–Robot Collaborative Workstation in the Era of Industry 5.0. Comput. Ind. Eng. 2024, 198, 110729. [Google Scholar] [CrossRef]
  20. Martín-Gómez, A.M.; Agote-Garrido, A.; Lama-Ruiz, J.R. A Framework for Sustainable Manufacturing: Integrating Industry 4.0 Technologies with Industry 5.0 Values. Sustainability 2024, 16, 1364. [Google Scholar] [CrossRef]
  21. Grabowska, S.; Saniuk, S.; Gajdzik, B. Industry 5.0: Improving Humanization and Sustainability of Industry 4.0. Scientometrics 2022, 127, 3117–3144. [Google Scholar] [CrossRef]
  22. Bukowski, L.; Werbinska-Wojciechowska, S. Towards Maintenance 5.0: Resilience-Based Maintenance in AI-Driven Sustainable and Human-Centric Industrial Systems. Sensors 2025, 25, 5100. [Google Scholar] [CrossRef]
  23. Agote-Garrido, A.; Martín-Gómez, A.M.; Lama-Ruiz, J.R. Manufacturing System Design in Industry 5.0: Incorporating Sociotechnical Systems and Social Metabolism for Human-Centered, Sustainable, and Resilient Production. Systems 2023, 11, 537. [Google Scholar] [CrossRef]
  24. Gajdzik, B.; Wolniak, R.; Nagaj, R.; Žuromskaitė-Nagaj, B.; Grebski, W.W. The Influence of the Global Energy Crisis on Energy Efficiency: A Comprehensive Analysis. Energies 2024, 17, 947. [Google Scholar] [CrossRef]
  25. Cortés-Leal, A.; Cárdenas, C.; Del-Valle-Soto, C. Maintenance 5.0: Towards a Worker-in-the-Loop Framework for Resilient Smart Manufacturing. Appl. Sci. 2022, 12, 11330. [Google Scholar] [CrossRef]
  26. Czeczot, G.; Rojek, I.; Mikołajewski, D.; Sangho, B. AI in IIoT Management of Cybersecurity for Industry 4.0 and Industry 5.0 Purposes. Electronics 2023, 12, 3800. [Google Scholar] [CrossRef]
  27. Mammeri, Z.Z. Introduction to Computer Security. In Cryptography: Algorithms, Protocols, and Standards for Computer Security; Wiley: Hoboken, NJ, USA, 2024; pp. 1–32. [Google Scholar] [CrossRef]
  28. Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C. Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Trans. Dependable Secur. Comput. 2004, 1, 11–33. [Google Scholar] [CrossRef]
  29. European Parliament & Council of the European Union. Directive (EU) 2022/2464 (14 December 2022) Amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as Regards Corporate Sustainability Reporting. Off. J. Eur. Union 2022, L322, 15–80. Available online: https://eur-lex.europa.eu/eli/dir/2022/2464/oj/eng (accessed on 13 October 2025).
  30. Meynier, T.; Mishkin, S.H.; Triggs, M. EU Finalizes ESG Reporting Rules with International Impacts. In Harvard Law School Forum on Corporate Governance; Harvard Law School: Cambridge, MA, USA, 2023; Available online: https://corpgov.law.harvard.edu/2023/01/30/eu-finalizes-esg-reporting-rules-with-international-impacts/ (accessed on 13 October 2025).
  31. KPMG. Cybersecurity in ESG. KPMG International. 2023. Available online: https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2023/10/cybersecurity-in-esg.pdf (accessed on 13 October 2025).
  32. MSCI. ESG Ratings Methodology: Privacy & Data Security Key Issue. 2024. Available online: https://www.msci.com/documents/1296102/34424357/MSCI%20ESG%20Ratings%20Methodology%20-%20Privacy%20%26%20Data%20Security%20Key%20Issue.pdf (accessed on 13 October 2025).
  33. European Parliament and Council. Regulation (EU) 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation). Off. J. Eur. Union 2016, L119, 1–88. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 (accessed on 30 July 2025).
  34. Ustawa o Ochronie Danych Osobowych (Personal Data Protection Act), Dz. U. 2018 poz. 1000. Available online: https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20180001000 (accessed on 30 July 2025).
  35. European Parliament and Council. Directive (EU) 2016/1148 of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union. Off. J. Eur. Union 2016, L194, 1–30. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148 (accessed on 30 July 2025).
  36. European Parliament and Council. Directive (EU) 2022/2555 of 14 December 2022 on Measures for a High Common Level of Cybersecurity Across the Union, Amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and Repealing Directive (EU) 2016/1148 (NIS 2 Directive). EUR-Lex. Available online: https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng (accessed on 30 July 2025).
  37. European Parliament and Council. Regulation (EU) 2023/2854 of 13 December 2023 on Measures for a High Common Level of Cybersecurity Across the Union, Amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and Repealing Directive (EU) 2016/1148 (NIS 2 Directive). Off. J. Eur. Union 2023, L300, 1–44. Available online: https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng (accessed on 30 July 2025).
  38. PN-EN ISO/IEC 27001:2023-08/A1:2025-02; English Version: Information Security Management Systems—Requirements. Polski Komitet Normalizacyjny (PKN, Polish Committee for Standardization): Warsaw, Poland, 2025. Available online: https://sklep.pkn.pl/pn-en-iso-iec-27001-2023-08-a1-2025-02e.html?options=cart (accessed on 30 July 2025).
  39. ISO/IEC 27002; New Edition of the ISO/IEC 27002 Standard. Polski Komitet Normalizacyjny (PKN, Polish Committee for Standardization): Warsaw, Poland, 2023. Available online: https://www.pkn.pl/informacje/2023/01/nowa-edycja-normy-27002 (accessed on 30 July 2025).
  40. DAMA International. DAMA-DMBOK: Data Management Body of Knowledge. Available online: https://dama.org/learning-resources/dama-data-management-body-of-knowledge-dmbok/ (accessed on 13 October 2025).
  41. Ismail, A.; Suroso, A.I.; Hermadi, I. Data Governance Design with the DAMA-DMBOK Framework: A Case Study. Int. J. Res. Rev. 2024, 11, 23. [Google Scholar] [CrossRef]
  42. Karkošková, S. Data Governance Model to Enhance Data Quality in Financial Institutions: A Case Study. Int. J. Account. Inf. Manag. 2023, 31, 90–110. [Google Scholar] [CrossRef]
  43. IBM. What is a Security Operations Center (SOC)? Available online: https://www.ibm.com/think/topics/security-operations-center (accessed on 13 October 2025).
  44. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications). Available online: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:HTML (accessed on 30 July 2025).
  45. European Parliament and Council. Regulation (EU) 2024/1689 of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence and Amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act). Off. J. Eur. Union 2024, L1689, 1–30. Available online: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng (accessed on 30 July 2025).
  46. PN-ISO/IEC 27701:2019; English Version: Security Techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management—Requirements and Guidelines. Polski Komitet Normalizacyjny (PKN, Polish Committee for Standardization): Warsaw, Poland, 2019. Available online: https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27701:ed-1:v1:en (accessed on 13 October 2025).
  47. Hadwer, A.A.; Tavana, M.; Gillis, D.; Rezania, D. A Systematic Review of Organizational Factors Impacting Cloud-based Technology Adoption Using Technology-Organization-Environment Framework. Internet Things 2021, 15, 100407. [Google Scholar] [CrossRef]
  48. Ahmad, S.F.; Alam, M.M.; Rahmat, M.K.; Shahid, M.K.; Aslam, M.; Salim, N.A.; Al-Abyadh, M.H.A. Leading edge or bleeding edge: Designing a framework for the adoption of AI technology in an educational organization. Sustainability 2023, 15, 6540. [Google Scholar] [CrossRef]
  49. Satyro, W.C.; Contador, J.C.; Gomes, J.A.; Monken, S.F.d.P.; Barbosa, A.P.; Bizarrias, F.S.; Contador, J.L.; Silva, L.S.; Prado, R.G. Technology-Organization-External-Sustainability (TOES) Framework for Technology Adoption: Critical Analysis of Models for Industry 4.0 Implementation Projects. Sustainability 2024, 16, 11064. [Google Scholar] [CrossRef]
  50. Tornatzky, L.; Fleischer, M. The Process of Technology Innovation; Lexington Books: Lanham, MD, USA, 1990. [Google Scholar]
  51. Badghish, S.; Soomro, Y.A. Artificial Intelligence Adoption by SMEs to Achieve Sustainable Business Performance: Application of Technology–Organization–Environment Framework. Sustainability 2024, 16, 1864. [Google Scholar] [CrossRef]
  52. Nguyen, T.H.; Le, X.C.; Vu, T.H.L. An Extended Technology-Organization-Environment (TOE) Framework for Online Retailing Utilization in Digital Transformation: Empirical Evidence from Vietnam. J. Open Innov. Technol. Mark. Complex. 2022, 8, 200. [Google Scholar] [CrossRef]
  53. Prakash, C. Evaluating the TOE Framework for Technology Adoption: A Systematic Review of Its Strengths and Limitations. Int. J. Recent Innov. Trends Comput. Commun. 2025, 13, 76–82. [Google Scholar]
  54. Gibbs, L.J.; Kraemer, K.L. A cross-country investigation of the determinants of scope of e-commerce use: An institutional approach. Electron. Mark. 2004, 14, 124–137. [Google Scholar] [CrossRef]
  55. Li, Y.H. An empirical investigation on the determinants of e-procurement adoption in Chinese manufacturing enterprises. In Proceedings of the 15th International Conference on Management Science & Engineering, Long Beach, CA, USA, 10–12 September 2008; Volume 1–2, pp. 32–37. [Google Scholar]
  56. Soares-Aguiar, A.; Palma-Dos-Reis, A. Why do firms adopt e-procurement systems? Using logistic regression to empirically test a conceptual model. IEEE Trans. Eng. Manag. 2008, 55, 120–133. [Google Scholar] [CrossRef]
  57. Lutfi, A.; Al-Hiyari, A.; Elshaer, I.A.; Alrawad, M.; Almaiah, M.A. Green environmental management system and environmental performance: Results from PLS-SEM and fsQCA. Sustain. Futures 2024, 8, 100276. [Google Scholar] [CrossRef]
  58. Berlilana; Noparumpa, T.; Ruangkanjanases, A.; Hariguna, T.; Sarmini. Organization Benefit as an Outcome of Organizational Security Adoption: The Role of Cyber Security Readiness and Technology Readiness. Sustainability 2021, 13, 13761. [Google Scholar] [CrossRef]
  59. Magnano, D.G.; Grimstad, S.M.; Glavee-Geo, R.; Anwar, F. Disentangling circular economy practices and firm’s sustainability performance: A systematic literature review of past achievements and future promises. J. Environ. Manag. 2024, 353, 120138. [Google Scholar] [CrossRef]
  60. Cochran, W.G. Sampling Techniques, 3rd ed.; John Wiley & Sons: New York, NY, USA, 1977; pp. 56–59. [Google Scholar]
  61. Kochański, B. Statystyka 2; Bookdown, GitHub Repository. 2022, pp. 45–48. Available online: https://bankonomia.nazwa.pl/statystyka2/ (accessed on 5 September 2025).
  62. Eurostat. Foreign Direct Investment (FDI) Inward Stock Relative to GDP in Poland. Available online: https://ec.europa.eu/eurostat/databrowser/view/bd_size__custom_18368065/default/table (accessed on 20 September 2025).
  63. Everitt, B.S. The Analysis of Contingency Tables, 2nd ed.; Chapman & Hall: London, UK, 1992; pp. 1–10. [Google Scholar]
  64. Agresti, A. Categorical Data Analysis, 3rd ed.; Wiley: Hoboken, NJ, USA, 2013; pp. 21–78. [Google Scholar]
  65. Moore, D.S.; McCabe, G.P.; Craig, B.A. Introduction to the Practice of Statistics, 9th ed.; W. H. Freeman and Company: New York, NY, USA, 2017; pp. 72–78. [Google Scholar]
  66. Agresti, A. Foundations of Linear and Generalized Linear Models; Wiley: Hoboken, NJ, USA, 2015; pp. 201–220. [Google Scholar]
  67. Menard, S. Applied Logistic Regression Analysis, 2nd ed.; SAGE Publications: Thousand Oaks, CA, USA, 2002; pp. 58–78. [Google Scholar]
  68. Zelterman, D. Applied Multivariate Statistics with R; Springer: Cham, Switzerland, 2022; pp. 45–120. [Google Scholar]
  69. Biecek, P. Exploratory Data Analysis with R; Publisher PWN: Warsaw, Poland, 2013. [Google Scholar]
  70. Agresti, A. An Introduction to Categorical Data Analysis, 2nd ed.; Wiley: Hoboken, NJ, USA, 2007; pp. 35–39. [Google Scholar] [CrossRef]
  71. Dobson, A.J.; Barnett, A.G. An Introduction to Generalized Linear Models, 4th ed.; CRC Press: Boca Raton, FL, USA, 2018; pp. 115–160. [Google Scholar]
  72. McFadden, D. Conditional Logit Analysis of Qualitative Choice Behavior. In Frontiers in Econometrics; Zarembka, P., Ed.; Academic Press: New York, NY, USA, 1974; pp. 105–142. [Google Scholar]
  73. Cisco. Cisco’s 2025 Data Privacy Benchmark Study: Privacy Landscape Grows Increasingly Complex in the Age of AI. Cisco Newsroom. 2025. Available online: https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2025/m04/cisco-2025-data-privacy-benchmark-study-privacy-landscape-grows-increasingly-complex-in-the-age-of-ai.html (accessed on 3 December 2025).
  74. ENISA. Industry 4.0—Cybersecurity Challenges & Recommendations. 2019. Available online: https://www.enisa.europa.eu/sites/default/files/publications/Industry%204.0%20-%20Cybersecurity%20Challenges%20and%20Recommendations.pdf (accessed on 3 December 2025).
  75. Deloitte. Digital Trust Maturity Survey. 2023. Available online: https://www.deloitte.com/content/dam/assets-shared/docs/services/risk-advisory/2023/digital-trust-maturity.pdf (accessed on 3 December 2025).
  76. TrustArc. 2025 Global Privacy Benchmarks Report. 2025. Available online: https://trustarc.com/wp-content/uploads/2025/06/2025-trustarc-global-privacy-benchmarks-report.pdf (accessed on 3 December 2025).
  77. Liu, C. Corporate cybersecurity risk and data breaches: A systematic review of empirical research. Aust. J. Manag. 2024, 51, 03128962241293658. Available online: https://journals.sagepub.com/doi/10.1177/03128962241293658 (accessed on 3 December 2025). [CrossRef]
  78. Stefani, E.; Costa, I.; Gaspar, M.A.; Goes, R.d.S.; Monteiro, R.C.; Petrili, B.R.; Pereira, A.d.P. Information Security Risk Framework for Digital Transformation Technologies. Systems 2025, 13, 37. [Google Scholar] [CrossRef]
  79. Gündüzyeli, B. Cyber Resilience in Digital Marketing Within the Framework of Sustainable Management. Sustainability 2025, 17, 2080. [Google Scholar] [CrossRef]
  80. Mele, C.; Spena, T.R.; Marzullo, M.; Di Bernardo, I. The phygital transformation: A systematic review and a research agenda. Ital. J. Mark. 2023, 2023, 323–349. [Google Scholar] [CrossRef]
  81. Sukheeja, N.; Shekhawat, P. The rise of phygital marketing: How brands are merging physical and digital experiences for customer engagement. Int. J. Innov. Res. Anal. 2025, 5, 167–171. [Google Scholar] [CrossRef]
  82. Urdea, A.-M.; Constantin, C.P.; Purcaru, I.-M. Implementing Experiential Marketing in the Digital Age for a More Sustainable Customer Relationship. Sustainability 2021, 13, 1865. [Google Scholar] [CrossRef]
  83. Kumar, V.; Reinartz, W. Customer experience management in the age of phygital. J. Interact. Mark. 2023, 52, 30–49. [Google Scholar]
Sustainability 18 01699 g001
Figure 1. The theoretical framework for sustainable reporting, taking into account data security and stakeholder privacy. Source: authors’ own elaboration.
Figure 1. The theoretical framework for sustainable reporting, taking into account data security and stakeholder privacy. Source: authors’ own elaboration.
Sustainability 18 01699 g001
Sustainability 18 01699 g002
Figure 2. Level of engagement in the transformation process versus the pace of I5.0 implementation in the organization. Source: authors’ own elaboration.
Figure 2. Level of engagement in the transformation process versus the pace of I5.0 implementation in the organization. Source: authors’ own elaboration.
Sustainability 18 01699 g002
Sustainability 18 01699 g003
Figure 3. (a) The percentage of respondents indicating data and network security as a significant factor (Y/N) in relation to the level of engagement toward I5.0. (b) Enhanced mosaic plot showing proportions of responses with Pearson residuals. Source: authors’ own elaboration.
Figure 3. (a) The percentage of respondents indicating data and network security as a significant factor (Y/N) in relation to the level of engagement toward I5.0. (b) Enhanced mosaic plot showing proportions of responses with Pearson residuals. Source: authors’ own elaboration.
Sustainability 18 01699 g003
Sustainability 18 01699 g004
Figure 4. (a) Percentage of respondents by reported level of concern about data security and privacy, by level of engagement in the I5.0 transformation process. (b) Enhanced mosaic plot showing proportions of responses with Pearson residuals. Source: authors’ own elaboration.
Figure 4. (a) Percentage of respondents by reported level of concern about data security and privacy, by level of engagement in the I5.0 transformation process. (b) Enhanced mosaic plot showing proportions of responses with Pearson residuals. Source: authors’ own elaboration.
Sustainability 18 01699 g004
Sustainability 18 01699 g005
Figure 5. Percentage share of responses regarding perceived threats and actions that could be taken to ensure security across different levels of enterprise engagement in the Industry 5.0 transformation process. Source: authors’ own elaboration.
Figure 5. Percentage share of responses regarding perceived threats and actions that could be taken to ensure security across different levels of enterprise engagement in the Industry 5.0 transformation process. Source: authors’ own elaboration.
Sustainability 18 01699 g005
Sustainability 18 01699 g006
Figure 6. Odds ratios (OR) with 95% confidence intervals for the explanatory variables in model M1. Source: authors’ own elaboration.
Figure 6. Odds ratios (OR) with 95% confidence intervals for the explanatory variables in model M1. Source: authors’ own elaboration.
Sustainability 18 01699 g006
Sustainability 18 01699 g007
Figure 7. Odds ratios (OR) with 95% confidence intervals for the explanatory variables in model M2. Source: authors’ own elaboration.
Figure 7. Odds ratios (OR) with 95% confidence intervals for the explanatory variables in model M2. Source: authors’ own elaboration.
Sustainability 18 01699 g007
Table 1. The distribution of responses to the question concerning the level of engagement in the transformation process toward Industry 5.0.
Table 1. The distribution of responses to the question concerning the level of engagement in the transformation process toward Industry 5.0.
LIs the Company in Which You Work Engaged in the Transformation Process Towards I5.0?Percentage of Respondents
L1Yes, actively participating in the transformation13.3%
L2Yes, but the process is only at an initial stage45.5%
L3No, but such actions are being considered30.9%
L4No, it is not relevant for us10.3%
Source: authors’ own elaboration.
Table 2. Distribution of responses to the question regarding the assessment of the implementation pace of I5.0 in the organization.
Table 2. Distribution of responses to the question regarding the assessment of the implementation pace of I5.0 in the organization.
PHow Do You Assess the Pace of I5.0 Implementation in Your Organization?Percentage of Respondents
P1Fast7.2%
P2Gradually52.7%
P3Slowly32.2%
P4No opinion7.9%
Source: authors’ own elaboration.
Table 3. The distribution of responses regarding concerns about personal data security and privacy.
Table 3. The distribution of responses regarding concerns about personal data security and privacy.
CAre You Concerned That the Development of Industry 5.0 Could Lead to Greater Risks to Personal Data Security and Privacy?Percentage of Respondents
C1Yes, I have serious concerns regarding data security and privacy.21.6%
C2A little, but I don’t consider it a major issue.62.1%
C3No, I’m not concerned about it.16.4%
Source: authors’ own elaboration.
Table 4. Results of the chi-square test and variables with Pearson residuals exceeding the critical value ∣2∣ for the analyzed threats and actions in relation to the level of engagement in the I5.0 transformation process.
Table 4. Results of the chi-square test and variables with Pearson residuals exceeding the critical value ∣2∣ for the analyzed threats and actions in relation to the level of engagement in the I5.0 transformation process.
L~T, L~Aχ2 (3)p-ValueStatistical SignificanceResid < −2Resid > 2
T15.120.1631p > 0.05--
T28.870.0311p < 0.05-(L4, N)
T311.340.01p < 0.05--
A111.980.0074p < 0.05--
A215.530.0014p < 0.05(L2, N)(L4, N)
A316.0450.0011p < 0.05-(L1, Y), (L4, Y)
Source: authors’ own elaboration.
Table 5. Comparison of GLM model results for T1–T3 and A1–A3.
Table 5. Comparison of GLM model results for T1–T3 and A1–A3.
ModelParametersAICMcFadden R2p-Value
T1Company size, Type756.80.0270.001
T2Sector683.790.036<0.001
T3Sector, Company size701.790.109<0.001
A1 L, Sector, Type 741.44 0.054 <0.001
A2 L, Sector 601.63 0.039 0.001
A3 L, Sector, Type 586.84 0.115 <0.001
Source: authors’ own elaboration.
Table 6. Answers to hypotheses.
Table 6. Answers to hypotheses.
HReference to the Indicator, Type of Test or Model; Response
H1F2, χ2 (3) = 19.25, p < 0.001; statistically significant relationship (Figure 3)
C1, χ2 (6) = 42.93, p < 0.001; statistically significant relationship (Figure 4)
T1, χ2 (3) = 5.12, p > 0.05; statistically non-significant relationship (Table 4)
T2, χ2 (3) = 8.87, p < 0.05; statistically significant relationship (Table 4)
T3, χ2 (3) = 11.34, p < 0.05; statistically significant relationship (Table 4)
A1, χ2 (3) = 11.98, p < 0.05; statistically significant relationship (Table 4)
A2, χ2 (3) = 15.53, p < 0.05; statistically significant relationship (Table 4)
A3, χ2 (3) = 16.045, p < 0.05; statistically significant relationship (Table 4)
H2T3, model M1, statistically significant relationship without including L (Table 5, Figure 6)
A3, model M2, statistically significant relationship including L as a supporting factor (Table 5, Figure 7)
H3No statistically significant relationship was found (Table 5, Figure 6)
H4No statistically significant relationship was found (Table 5, Figure 7)
Source: authors’ own elaboration.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Kansy, D.; Modrzejewska, D. Perceived Data and Privacy Security Threats for Stakeholders in the Context of Industry 5.0: Evidence from Poland. Sustainability 2026, 18, 1699. https://doi.org/10.3390/su18031699

AMA Style

Kansy D, Modrzejewska D. Perceived Data and Privacy Security Threats for Stakeholders in the Context of Industry 5.0: Evidence from Poland. Sustainability. 2026; 18(3):1699. https://doi.org/10.3390/su18031699

Chicago/Turabian Style

Kansy, Dominika, and Dagmara Modrzejewska. 2026. "Perceived Data and Privacy Security Threats for Stakeholders in the Context of Industry 5.0: Evidence from Poland" Sustainability 18, no. 3: 1699. https://doi.org/10.3390/su18031699

APA Style

Kansy, D., & Modrzejewska, D. (2026). Perceived Data and Privacy Security Threats for Stakeholders in the Context of Industry 5.0: Evidence from Poland. Sustainability, 18(3), 1699. https://doi.org/10.3390/su18031699

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop