Article

A Systems Thinking Perspective on Cyber Awareness-to-Action in Organizations: Prioritizing Human-Centric Drivers Using a q-Rung Orthopair Fuzzy Approach

by Filiz Mizrak 1,*, Turhan Karakaya 2 and Burcak Vatansever Durmaz 3
1 Department of Management Information Systems, Atlas University, Istanbul 34408, Türkiye
2 Department of Business Administration, Dogus University, Istanbul 34775, Türkiye
3 Department of Business Administration, Faculty of Economics, Social and Administrative Sciences, Bahçeşehir University, Istanbul 34353, Türkiye
* Author to whom correspondence should be addressed.
Systems 2026, 14(6), 638; https://doi.org/10.3390/systems14060638
Submission received: 29 March 2026 / Revised: 27 May 2026 / Accepted: 1 June 2026 / Published: 3 June 2026

Abstract

This study examines how cyber awareness is translated into secure employee behavior in organizations through a systems thinking perspective that connects human resource management, organizational processes, and technological conditions. Rather than treating awareness as a final outcome, the study conceptualizes it as part of an awareness-to-action process shaped by individual cognition, organizational support, and governance mechanisms. Using survey data from white-collar employees in the banking and finance sector, the study applies a q-rung orthopair fuzzy decision framework to prioritize the drivers of this transition. The q-ROF-SWARA results identify self-efficacy, awareness/threat recognition, and awareness climate as the most important dimensions, indicating that employees are more likely to act securely when they can recognize risks, feel capable of responding, and work in an environment that reinforces cybersecurity. The q-ROF-MARCOS results show that remote employees have the strongest overall awareness-to-action profile, although the utility differences across on-site, hybrid, and remote work modes are relatively small and should be interpreted cautiously. The findings contribute to cybersecurity behavior research by integrating systems thinking with fuzzy multi-criteria prioritization and by showing that secure behavior depends on the interaction of cognitive, behavioral, HRM, and governance-related conditions. Practically, the study provides decision-makers with a structured basis for strengthening cybersecurity interventions beyond general awareness programs and toward sustainable behavioral change.

1. Introduction

As organizations become increasingly dependent on digital systems, cybersecurity can no longer be treated as an issue confined to technical departments alone. Employees now carry out routine work through e-mail systems, shared databases, cloud platforms, mobile devices, remote access tools, and digital communication channels. In such an environment, organizational security depends not only on technological safeguards but also on how employees perceive cyber risks and how they respond to them in practice. For this reason, cybersecurity awareness has become a strategic organizational concern rather than a purely technical matter. Earlier studies have already shown that information security awareness is closely associated with employee knowledge, attitudes, and behavior, rather than with technical understanding alone [1]. More recent research has further reinforced this broader view by demonstrating that employee cybersecurity awareness is a multidimensional phenomenon shaped by both individual and organizational factors [2,3].
From a systems perspective, this shift is especially important because organizational cybersecurity is not produced by isolated actions or independent units. It emerges from the interaction of multiple elements, including employee perceptions, managerial expectations, communication practices, security policies, technological infrastructures, and organizational support mechanisms. In other words, secure behavior is not simply the result of individual awareness, but the outcome of a broader socio-technical system in which people, structures, and technologies operate together. When one part of this system functions weakly, the effectiveness of the whole cybersecurity process may be reduced. This makes it necessary to understand cyber awareness not as a stand-alone attribute of employees, but as part of an interconnected organizational system that shapes whether knowledge is translated into action.
Despite this growing recognition, many organizations continue to face a fundamental problem: awareness does not always lead to secure workplace behavior. Employees may know that phishing e-mails are dangerous, that passwords should be protected, or that suspicious requests should be verified, yet they may still fail to act securely in everyday work situations. This reveals a clear gap between knowing and doing. Prior research suggests that awareness of security policies can positively influence cybersecurity behavior, but awareness alone is often insufficient to explain whether employees behave securely in practice [4]. This challenge becomes even more visible when awareness efforts are repetitive, overly generic, or disconnected from real work demands, because employees may gradually disengage rather than become more security conscious [5,6]. Therefore, the existence of awareness does not automatically produce secure action, and organizations must address the wider system in which employee behavior takes shape.
This problem may be understood more clearly as an awareness-to-action gap embedded within the organizational system. Employees may recognize cyber risks and understand security expectations, yet still fail to respond appropriately because the transition from awareness to secure behavior depends on more than information alone. Research has shown that self-efficacy, defined as confidence in one’s ability to act securely, is a major determinant of protective information security behavior [7,8]. At the same time, organizational conditions also play a critical role in influencing whether awareness is converted into practice. A supportive security climate can reinforce secure action, whereas fatigue, weak reinforcement, or inadequate organizational support may hinder it [5,9]. This suggests that cyber awareness should be viewed not simply as an individual state of knowledge, but as part of a wider organizational and behavioral process that requires coordination, support, and alignment across different components of the system.
Although the literature on cybersecurity awareness has expanded considerably, an important research gap remains. A substantial part of the existing literature either describes awareness levels or tests linear relationships among variables. While such studies provide useful insights, they often do not answer a more practical and system-oriented question: which factors should be prioritized when organizations seek to help employees move from awareness to action? For decision makers, it is not enough to know that awareness, self-efficacy, climate, or fatigue are relevant. It is also necessary to understand which of these dimensions should receive greater managerial attention in order to strengthen the system as a whole. This issue becomes especially important because employee responses to cybersecurity issues often involve hesitation, partial certainty, and subjective judgment. q-rung orthopair fuzzy sets are already well established in the decision sciences literature [10,11]. The gap addressed here is therefore not the invention of a new fuzzy method, but the limited application of q-rung orthopair fuzzy multi-criteria prioritization to cybersecurity awareness survey data and to the specific problem of awareness-to-action conversion.
Against this background, the present study aims to identify and prioritize the key drivers that transform cyber awareness into secure employee behavior. In doing so, the study adopts a systems-oriented view and treats the awareness-to-action process as the result of interacting organizational conditions rather than as a single linear outcome. The empirical analysis is based on survey data collected from white-collar employees in the banking and finance sector, where digitalization, information sensitivity, and cyber risk exposure make this issue especially significant. These responses are evaluated through an established q-rung orthopair fuzzy decision-making framework. More specifically, q-ROF-SWARA is employed to determine the relative importance of the main awareness-to-action dimensions, while q-ROF-MARCOS is used to rank the alternatives according to their performance within this process. This methodological choice is aligned with the study’s prioritization objective: instead of testing causal paths among latent constructs, the analysis identifies which dimensions carry greater relative importance under uncertainty.
The study makes three main contributions. First, it contributes theoretically by reframing cyber awareness as an awareness-to-action process embedded in a socio-technical organizational system rather than as a simple matter of knowledge possession. Second, it contributes analytically by applying q-ROF-SWARA and q-ROF-MARCOS to cybersecurity awareness survey data, thereby offering a structured fuzzy multi-criteria approach for prioritizing the conditions that support secure employee behavior under uncertainty. Third, it contributes practically by identifying the dimensions that organizations should prioritize to strengthen secure behavior and improve cybersecurity-related HRM and governance practices. In this way, the study provides a more integrated and decision-oriented understanding of how cyber awareness can be converted into action in digitally intensive work settings.

2. Integrated Theoretical Background and Conceptual Framework

2.1. Cyber Awareness and Secure Behavior in Organizations

Cyber awareness in organizations should be understood as an organizationally embedded capability rather than a narrow technical knowledge outcome. Contemporary employees work through e-mail systems, cloud platforms, databases, mobile devices, and remote access tools; therefore, secure behavior depends on how they recognize risks, interpret security expectations, and apply protective practices in routine tasks. Earlier awareness research shows that information security awareness includes knowledge, attitudes, and behavior, while recent studies emphasize policy awareness, technical protection awareness, proactive awareness, and regulatory understanding [1,2,3,12]. This view is especially relevant in digitally intensive sectors, where cybersecurity exposure is distributed across daily work rather than confined to IT units.
The literature also shows that awareness, intention, and behavior are related but distinct. Employees may know that phishing, weak passwords, unsafe data sharing, or unverified requests are risky, yet still fail to act securely because of time pressure, work overload, habitual shortcuts, unclear procedures, or weak managerial reinforcement. Studies on security policy awareness, social engineering resistance, and human cybersecurity behavior confirm that awareness can support secure conduct, but it does not automatically produce it [4,13,14,15]. Additional studies further show that cybersecurity awareness and secure behavior are shaped by individual differences, sector-specific training gaps, organizational governance, and broader workforce resilience considerations [16,17,18,19,20,21,22]. For this reason, the present study treats secure behavior as the result of a wider socio-technical system in which individual cognition, routines, leadership signals, organizational climate, and technology-enabled workflows interact.

2.2. The Awareness-to-Action Logic

The awareness-to-action perspective addresses the central problem that cybersecurity knowledge is valuable only when it is translated into practical workplace behavior. This conversion depends on several enabling conditions. Threat recognition provides the cognitive starting point; perceived relevance connects cyber risks to employees’ own tasks and responsibilities; self-efficacy reflects confidence in the ability to act securely; awareness climate indicates whether cybersecurity is visibly valued and reinforced; and secure behavior readiness captures willingness to follow secure practices in real situations. Protection motivation and compliance studies consistently show that threat appraisal and self-efficacy are critical for protective information security behavior [7,8,23].
Organizational conditions also shape whether awareness becomes action. A supportive security climate can normalize secure conduct, while repetitive warnings, generic training, and excessive security demands may cause cyber fatigue and reduce engagement [5,6,9,24]. Recent work on habits, situational support, culture, and human factors further indicates that employees should not be framed only as sources of error; they can also strengthen organizational resilience when systems, policies, and support mechanisms make secure action easier and more meaningful [25,26,27,28,29,30]. Thus, cyber awareness-to-action is conceptualized here as a conversion process shaped by cognitive, motivational, behavioral, and organizational conditions.

2.3. Evaluation Logic and Fuzzy Method Fit

The proposed framework is designed not only to explain the awareness-to-action process, but also to prioritize its main drivers. This is important because managers need to know which dimensions deserve greater attention when resources for training, HR interventions, and cybersecurity governance are limited. The evaluation therefore focuses on six dimensions: threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness. These dimensions are summarized in Table 1 and then assessed through a q-rung orthopair fuzzy decision-making framework.
A fuzzy approach is appropriate because employee judgments about cybersecurity are rarely fully crisp. Survey responses about confidence, relevance, fatigue, and climate often involve partial agreement, hesitation, and context-dependent interpretation. Fuzzy survey modeling and fuzzy data analysis are useful for such gradational social and behavioral judgments [31,32]. Within this family, q-rung orthopair fuzzy sets provide a flexible structure for representing membership, non-membership, and hesitation simultaneously, which is suitable for prioritizing uncertain linguistic evaluations [10,11,33,34,35,36,37].
Table 1. Core dimensions of the Cyber Awareness-to-Action framework.

| Dimension | Role in the Framework | Short Explanation | Key Supporting Sources |
| --- | --- | --- | --- |
| Threat recognition | Cognitive awareness | Ability to notice suspicious or risky cyber situations | Parsons et al. [1]; Ünsal and Ocak [3] |
| Perceived relevance | Personal connection to the threat | Extent to which cyber risks are seen as important to one’s own work | Johnston and Warkentin [7]; Li et al. [8]; Alrawhani et al. [23] |
| Self-efficacy | Confidence in responding securely | Belief that one can perform secure actions correctly | Johnston and Warkentin [7]; Li et al. [8]; Bishop et al. [2] |
| Awareness climate | Organizational environment | Shared perception that cybersecurity is valued and supported | Kessler et al. [9]; Ünsal and Ocak [3] |
| Cyber fatigue | Barrier | Security overload, repetition, or disengagement that weakens action | Reeves et al. [5,6]; Mizrak et al. [24] |
| Secure behavior readiness | Action-oriented outcome | Readiness to follow secure practices in real work settings | Egelman et al. [38]; Li et al. [4]; Siponen et al. [13] |

The framework therefore proposes that employees first recognize cyber risks, but secure behavior becomes more likely only when awareness is personally meaningful, supported by self-efficacy, reinforced by organizational climate, and not weakened by fatigue.
Figure 1 presents the revised integrated framework. The figure shows the conversion path from awareness to secure behavior and highlights the supporting role of leadership, HR practices, and work context, as well as the constraining role of cyber fatigue.

3. Methodology

3.1. Research Design

This study adopts a quantitative survey-based design to examine the core drivers of cyber awareness-to-action among white-collar employees in the banking and finance sector. The structured questionnaire captures six dimensions: threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness. This design is consistent with cybersecurity awareness studies that measure employee perceptions, attitudes, and security-related behavioral tendencies through standardized instruments [1,4,39].
The analysis uses a q-rung orthopair fuzzy multi-criteria framework because the study aims to prioritize uncertain employee evaluations rather than test only linear associations among variables. q-ROF-SWARA is used to determine the relative importance of the six dimensions, and q-ROF-MARCOS is used to rank the work-mode alternatives. Figure 2 summarizes the research workflow.

3.2. Population and Sample

The population of this study consists of employees working in the banking and finance sector, where cybersecurity awareness and secure digital behavior are especially important because of the intensive use of digital systems, the sensitivity of financial data, and the presence of strict regulatory and compliance requirements. In line with the purpose of the study, the sample was limited to white-collar employees in this sector, since these employees are more directly involved in digital communication, information processing, system use, and policy-based cybersecurity practices. Concentrating on a single sector also provides a more consistent contextual basis for evaluating the cyber awareness-to-action framework and reduces the institutional differences that may arise in cross-sector comparisons.
The study employed a survey-based non-probability sampling approach and targeted accessible white-collar employees working in banking and finance organizations. This approach was considered appropriate because the study aimed to collect structured evaluations from respondents who actively operate in digitally intensive work settings and are therefore regularly exposed to cybersecurity-related expectations and routines. Based on the final dataset used in the analysis, the study includes 580 valid responses. The sample reflects variation in both hierarchical position and work arrangement, which supports within-sector comparison and provides a suitable empirical basis for examining differences in cyber awareness-to-action patterns across employee groups.
The achieved sample size is adequate for the purposes of this study, which focuses on prioritizing the core dimensions of cyber awareness-to-action rather than producing strict probabilistic generalizations for the entire sector. Because the analysis relies on a q-rung orthopair fuzzy multi-criteria framework, the main objective is to derive meaningful weights and rankings from employee evaluations under conditions of uncertainty. In this respect, the final sample provides a sufficiently broad and internally varied basis for identifying the most influential dimensions and the most critical intervention areas in the banking and finance context. Table 2 presents the descriptive profile of the respondents, including gender, position, work mode, prior cybersecurity training, age, and work experience.
As presented in Table 2, the respondents include employees from different hierarchical levels and work arrangements, with 344 employees, 176 managers, and 60 senior managers. The sample also reflects different work modes, including 242 on-site, 237 hybrid, and 101 remote employees. In addition, 393 respondents reported prior cybersecurity training, whereas 187 respondents indicated that they had not received such training. The demographic structure is further supported by a relatively balanced gender distribution, a mean age of 40.80 years, and an average work experience of 19.34 years, which together strengthen the empirical basis of the study for comparing perceptions across respondent groups within the same sector.

3.3. Survey Instrument

Data were collected through a structured questionnaire designed to measure the core dimensions of the Cyber Awareness-to-Action framework. A structured survey format was preferred because the study aims to obtain standardized and comparable employee evaluations and to process these evaluations within a q-rung orthopair fuzzy multi-criteria framework. Rather than developing the instrument entirely from the beginning, the questionnaire items were adapted from well-established scales in the cybersecurity literature. This approach strengthened the theoretical grounding of the instrument and improved its content validity by linking the measurement structure to previously validated constructs.
The final instrument was organized around six core dimensions: threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness. Threat recognition items were adapted from the Organizational Cybersecurity Awareness Scale and the Human Aspects of Information Security Questionnaire, which focus on employees’ ability to identify cyber threats and recognize secure digital practices. The perceived relevance and self-efficacy dimensions were based on studies emphasizing threat appraisal and confidence in responding to cybersecurity risks. Awareness climate was included to capture the extent to which cybersecurity is embedded in the broader organizational environment, whereas cyber fatigue was incorporated to reflect disengagement, repetition, and overload associated with security demands. Finally, secure behavior readiness was used to assess employees’ willingness and preparedness to translate awareness into actual secure digital conduct.
All questionnaire items were evaluated using a 7-point linguistic response scale, ranging from very low to very high. This scale was selected to allow respondents to express cybersecurity-related perceptions in a more flexible and realistic way than would be possible through rigid numerical scoring alone. Because the subsequent analysis is based on q-rung orthopair fuzzy sets, the use of linguistic terms provided an appropriate bridge between subjective human judgment and formal fuzzy modeling. After data collection, these linguistic responses were transformed into q-rung orthopair fuzzy values and used in the weighting and ranking stages of the analysis.
As shown in Table 3, the survey instrument integrates cognitive, motivational, organizational, and behavioral dimensions within a single measurement structure. This design reflects the main argument of the study: cybersecurity awareness does not automatically result in secure behavior unless it is supported by perceived relevance, individual confidence, an awareness-supportive organizational climate, and manageable levels of cyber fatigue. By combining awareness/threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness, the questionnaire captures both employees’ awareness of cybersecurity risks and the conditions that facilitate or constrain the translation of that awareness into secure behavior.

3.4. Linguistic Scale Design

Each survey statement was evaluated through a seven-point linguistic scale ranging from Very Low to Very High. The scale was used consistently across all constructs and then converted into q-rung orthopair fuzzy numbers by assigning membership and non-membership values and calculating hesitancy with q = 3. This procedure preserves the nuance of employee perceptions while enabling formal fuzzy prioritization. Table 4 presents the seven-point linguistic scale, together with the corresponding membership, non-membership, and hesitancy values used in the fuzzy transformation process.

3.5. Determination of Dimensions and Alternatives

The evaluation structure of this study was developed around two main elements: criteria and alternatives. The criteria were derived directly from the conceptual logic of the Cyber Awareness-to-Action framework and from the six dimensions measured through the survey instrument. Rather than adopting a very broad set of variables, the study focused on the dimensions that most directly explain how cybersecurity awareness can be translated into secure employee behavior. Accordingly, the evaluation framework includes six criteria: awareness/threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness. Together, these criteria represent the main cognitive, motivational, organizational, and behavioral components of the proposed model.
The first criterion, awareness/threat recognition (C1), refers to employees’ ability to identify cyber risks, suspicious activities, and insecure digital practices encountered in routine work settings. This dimension forms the cognitive basis of the framework, because employees cannot be expected to act securely unless they first recognize the existence of a cyber threat. The second criterion, perceived relevance (C2), captures the extent to which employees regard cybersecurity threats as personally important and directly related to their own tasks and responsibilities. The third criterion, self-efficacy (C3), reflects employees’ confidence in their capacity to respond appropriately to cyber risks and to apply protective actions correctly. Taken together, these three criteria represent the individual-level side of the awareness-to-action process by addressing what employees notice, how they interpret cyber risks, and whether they believe they can act effectively.
In addition to these individual-level dimensions, the framework incorporates organizational and constraining factors that may influence whether awareness is translated into action. Awareness climate (C4) represents the broader organizational environment in which cybersecurity is emphasized, supported, and normalized. This criterion is important because employees are more likely to maintain secure routines when cybersecurity is embedded in daily organizational expectations and practices. Cyber fatigue (C5) is included as a limiting factor, since repeated warnings, generic training activities, or excessive security demands may reduce attention, weaken motivation, and discourage secure action over time. The final criterion, secure behavior readiness (C6), represents the action-oriented component of the framework. It reflects employees’ willingness and preparedness to comply with cybersecurity requirements, apply secure practices consistently, and sustain secure behavior in their everyday work.
The alternatives were defined in a way that would allow meaningful comparison within the boundaries of the study. Because the research focuses specifically on the banking and finance sector, the evaluation does not compare different sectors or organizations. Instead, the alternatives were established according to employee work mode, which offers a practically relevant basis for within-sector comparison. In this context, three alternatives were included in the analysis: on-site employees (A1), hybrid employees (A2), and remote employees (A3). This choice is theoretically appropriate because work mode may shape how employees experience cybersecurity risks, organizational reinforcement, fatigue, and readiness for secure action in different ways.
Work mode was retained as the primary alternative structure because it represents the immediate socio-technical context in which employees convert cybersecurity awareness into secure conduct. On-site, hybrid, and remote employees differ in their exposure to digital systems, access to informal peer or managerial support, reliance on remote communication channels, and vulnerability to security-related fatigue. These differences are directly aligned with the awareness-to-action framework, which treats secure behavior as a context-dependent organizational process rather than as an individual knowledge outcome alone. At the same time, the dataset also includes other relevant grouping variables, particularly prior cybersecurity training. Therefore, an additional trained-versus-untrained comparison was added in Appendix A.5 as a supplementary analysis, while work mode remains the main comparison because it captures the daily work environment in which secure behavior is enacted.
Table 5 presents the six criteria and three alternatives included in the evaluation framework, together with their operational descriptions and supporting sources.
As shown in Table 5, the evaluation framework combines conceptually grounded criteria with practically relevant alternatives. This structure makes it possible to identify which dimensions carry greater importance in the cyber awareness-to-action process and to compare how different employee groups perform within the banking and finance sector.

3.6. q-Rung Orthopair Fuzzy Environment

The survey data were analyzed within a q-rung orthopair fuzzy set (q-ROFS) environment to represent uncertainty, partial agreement, and hesitation in employee evaluations. This is suitable because cybersecurity perceptions such as confidence, fatigue, and awareness climate are expressed through linguistic judgments rather than fully precise numerical values.
A q-rung orthopair fuzzy set defined on a universe of discourse X can be written as:
$$A = \{ \langle x, \mu_A(x), \nu_A(x) \rangle \mid x \in X \}$$
where $\mu_A(x) \in [0, 1]$ denotes the membership degree of element $x$, and $\nu_A(x) \in [0, 1]$ denotes the non-membership degree of element $x$. These values must satisfy the following q-rung orthopair condition:
$$\mu_A(x)^q + \nu_A(x)^q \le 1, \quad q \ge 1$$
The parameter q determines the flexibility of the fuzzy environment. Higher q values expand the feasible space for membership and non-membership values, allowing more nuanced representation of hesitant judgments.
In the present study, the hesitancy degree was computed as:
$$\pi_A(x) = \left( 1 - \mu_A(x)^q - \nu_A(x)^q \right)^{1/q}$$
Each evaluation is therefore represented through membership, non-membership, and hesitancy components. This structure captures support, non-support, and residual uncertainty in the same analytical representation.
The 7-point linguistic questionnaire further supports the use of q-ROFS because the meaning of categories such as moderate, high, or very high may vary across respondents. Fuzzy conversion reduces the loss of nuance caused by treating such responses as exact values.
Compared with classical, intuitionistic, and Pythagorean fuzzy structures, q-ROFS provides a broader and more flexible decision space for modeling uncertain survey judgments. Table 6 summarizes these differences and clarifies the rationale for adopting q-ROFS in this study.
Table 6 summarizes the main differences among the fuzzy environments relevant to this study and clarifies why q-rung orthopair fuzzy sets were selected as the analytical basis.
In this study, the q-rung parameter was set to q = 3. The linguistic responses were converted into predefined q-rung orthopair fuzzy numbers, and the resulting fuzzy values were then used in the q-ROF-SWARA and q-ROF-MARCOS procedures.
Table 7 presents the key symbols and interpretations used in the q-rung orthopair fuzzy transformation process applied in this study.
Overall, the q-ROF environment provides the methodological basis for transforming linguistic employee evaluations into comparable fuzzy scores while retaining hesitation and partial certainty.

3.7. q-ROF-SWARA Procedure

In this study, the relative importance of the six Cyber Awareness-to-Action dimensions was determined by using the q-rung orthopair fuzzy Step-wise Weight Assessment Ratio Analysis (q-ROF-SWARA) method. SWARA is a well-established multi-criteria decision-making technique that derives criterion weights through sequential comparative assessment rather than through simultaneous pairwise comparisons. This feature makes the method especially appropriate when the purpose of the analysis is to identify which criteria deserve greater priority within a structured evaluation framework. In the present study, this is particularly important because the research does not merely aim to observe associations among dimensions, but rather to determine which dimensions are more influential in transforming cyber awareness into secure behavior. The integration of SWARA with q-rung orthopair fuzzy sets further strengthens the method by allowing the weighting process to reflect uncertainty, hesitation, and linguistic judgment, all of which are highly relevant in survey-based evaluations of employee perceptions [11,44].
The application of q-ROF-SWARA in this study began with the use of the six criteria defined in the evaluation framework: awareness/threat recognition (C1), perceived relevance (C2), self-efficacy (C3), awareness climate (C4), cyber fatigue (C5), and secure behavior readiness (C6). These criteria were first represented in the q-rung orthopair fuzzy environment using the transformed linguistic responses obtained from the questionnaire. In other words, the original 7-point linguistic evaluations were not treated as crisp numerical values; instead, they were converted into q-rung orthopair fuzzy numbers containing membership, non-membership, and hesitancy information. This approach preserves the uncertainty embedded in employee judgments and allows the weighting process to reflect more realistic decision conditions. After this transformation, the aggregated fuzzy evaluations for each criterion were used to establish an ordered list of criteria according to their relative importance.
The first formal stage of SWARA is the ranking of criteria from the most important to the least important. This stage is necessary because SWARA is inherently sequential: each criterion is evaluated relative to the one that precedes it in the ordered list. In the context of the present study, the ranking reflects respondents’ overall fuzzy perceptions of which dimensions play a stronger role in the cyber awareness-to-action process. To make this survey-based adaptation explicit, the ordered list was obtained from the aggregated q-rung orthopair fuzzy score of each criterion after score conversion. The criteria were then sorted from the highest score to the lowest score before calculating the stepwise comparative importance coefficients. For example, if self-efficacy or awareness climate receives stronger aggregated fuzzy evaluations than other dimensions, it appears earlier in the ordered sequence. This ranking step is conceptually important because it transforms a set of measured dimensions into a structured priority order, thereby preparing the ground for stepwise importance assessment. Such a procedure is consistent with the original SWARA logic proposed by Keršulienė et al. [44], where decision-makers first determine an importance order and then assess relative differences between successive criteria.
Once the criteria have been ranked, the next step is to determine the comparative importance of each criterion relative to the criterion immediately preceding it in the ordered list. In the standard SWARA procedure, the comparative importance coefficient ($s_j$) is usually elicited from expert judgment. Since the present study relies on survey-derived employee evaluations rather than a separate expert panel, a data-driven q-ROF-SWARA adaptation was used. Accordingly, $s_j$ was calculated from the relative difference between the aggregated q-ROF score of each criterion and the aggregated q-ROF score of the preceding criterion:
$$s_j = \frac{|G_{j-1} - G_j|}{|G_{j-1}|}, \quad j = 2, 3, \ldots, n; \qquad s_1 = 0$$
where $G_j$ denotes the aggregated q-ROF score of criterion $j$ after score conversion, and $G_{j-1}$ denotes the aggregated q-ROF score of the criterion immediately preceding it in the ranked list. Absolute values were used because the score function produces centered signed values; therefore, the coefficient reflects the magnitude of the relative decrease between two consecutive criteria. Since the first-ranked criterion has no preceding criterion, its comparative importance coefficient is set to zero. The SWARA coefficient is then calculated as follows:
$$k_j = 1 + s_j$$
with
$$k_1 = 1$$
For example, if self-efficacy is ranked first and awareness/threat recognition is ranked second, the comparative importance coefficient for awareness/threat recognition is calculated by comparing its aggregated q-ROF score with the score of the preceding criterion. The corresponding SWARA coefficient and preliminary weight are then obtained through the equations presented above.
$$s_{AW} = \frac{|-0.0553 - (-0.0791)|}{|-0.0553|} = \frac{0.0238}{0.0553} = 0.4304$$
The corresponding SWARA coefficient is:
$$k_{AW} = 1 + 0.4304 = 1.4304$$
and the preliminary weight is:
$$q_{AW} = \frac{1}{1.4304} = 0.6991$$
These calculations allow the weighting procedure to be replicated directly from the reported criterion scores.
After determining the coefficient values, the initial unnormalized weights of the criteria are computed. These values are denoted by $q_j$ and are obtained recursively:
$$q_j = \begin{cases} 1, & j = 1 \\ \dfrac{q_{j-1}}{k_j}, & j > 1 \end{cases}$$
The first-ranked criterion is assigned an initial value of 1, and each subsequent criterion receives a value derived from the previous criterion’s weight divided by its comparative coefficient. In this way, the method gradually reduces the importance of lower-ranked criteria according to the sequential judgments established in the previous stage. These values represent the relative importance structure before normalization. In the present study, this process was carried out within the q-rung orthopair fuzzy setting, meaning that the underlying ranking and comparative judgments were based on fuzzy evaluations rather than rigid crisp inputs. This makes the weighting process more suitable for employee perception data, where precise boundaries between importance levels may not exist [11,33].
In the final stage, the initial values are converted into normalized weights so that the total importance across all criteria equals one. The normalized weight of each criterion, denoted by $w_j$, is obtained through the following equation:
$$w_j = \frac{q_j}{\sum_{j=1}^{n} q_j}$$
This normalization step ensures that all weights are expressed on a common proportional scale while preserving the relative ordering and magnitude produced by the earlier SWARA stages. The resulting values indicate the relative contribution of each criterion to the Cyber Awareness-to-Action framework. In practical terms, these final weights show which dimensions deserve greater strategic attention in the banking and finance context. They also constitute the criterion weights used in the subsequent q-ROF-MARCOS stage, where the alternatives are evaluated and ranked.
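The ranking, coefficient, recursion, and normalization steps above can be run end to end as follows. This is an added example, not code from the article: the SE and AW scores are the two values used in the worked calculation, the other four scores are constructed placeholders (not the paper's reported values), and all function names are illustrative. The hesitancy helper also shows how q = 3 admits membership pairs that q = 2 rejects.

```python
Q = 3  # q-rung parameter stated in the study


def hesitancy(mu, nu, q=Q):
    """Hesitancy pi = (1 - mu^q - nu^q)^(1/q), after checking the q-ROF condition."""
    if not (0.0 <= mu <= 1.0 and 0.0 <= nu <= 1.0):
        raise ValueError("mu and nu must lie in [0, 1]")
    slack = 1.0 - mu ** q - nu ** q
    if slack < -1e-12:
        raise ValueError("q-rung orthopair condition mu^q + nu^q <= 1 violated")
    return max(slack, 0.0) ** (1.0 / q)


def swara_weights(scores):
    """Data-driven SWARA weighting from aggregated criterion scores.

    scores: dict mapping criterion name -> aggregated score G_j (signed).
    Returns one row per criterion, ordered from highest to lowest score,
    with s_j, k_j, the recursive weight q_j and the normalized weight w_j.
    """
    if not scores:
        raise ValueError("at least one criterion is required")

    # Step 1: rank criteria from the highest aggregated score to the lowest.
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

    rows = []
    prev_g = prev_q = None
    for name, g in ranked:
        if prev_g is None:
            # First-ranked criterion: s_1 = 0, k_1 = 1, q_1 = 1.
            s, k, q_j = 0.0, 1.0, 1.0
        else:
            if prev_g == 0:
                # The relative difference is undefined when the preceding
                # score is exactly zero; fail loudly rather than divide.
                raise ValueError("preceding score is zero; s_j is undefined")
            # Step 2: s_j = |G_{j-1} - G_j| / |G_{j-1}|
            s = abs(prev_g - g) / abs(prev_g)
            # Step 3: k_j = 1 + s_j
            k = 1.0 + s
            # Step 4: q_j = q_{j-1} / k_j
            q_j = prev_q / k
        rows.append({"criterion": name, "G": g, "s": s, "k": k, "q": q_j})
        prev_g, prev_q = g, q_j

    # Step 5: w_j = q_j / sum(q_j)
    total = sum(r["q"] for r in rows)
    for r in rows:
        r["w"] = r["q"] / total
    return rows


# SE and AW come from the worked calculation on the page.
# CL, CF, PR and SB are constructed placeholder scores for illustration only.
SAMPLE_SCORES = {
    "SE": -0.0553,
    "AW": -0.0791,
    "CL": -0.0850,  # constructed
    "CF": -0.0900,  # constructed
    "PR": -0.1000,  # constructed
    "SB": -0.1100,  # constructed
}

if __name__ == "__main__":
    for row in swara_weights(SAMPLE_SCORES):
        print("{criterion}: s={s:.4f} k={k:.4f} q={q:.4f} w={w:.4f}".format(**row))
```

Because the scores are centered and signed, a score of exactly zero in the preceding position makes the coefficient undefined, and scores that straddle zero can yield relative differences greater than one; both are worth checking before weights are reused in the ranking stage.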
The q-ROF-SWARA method offers several practical advantages for the specific purpose of this study. First, it supports prioritization, which is central to the research question. Rather than assessing whether dimensions are statistically associated, the method identifies which dimensions carry greater weight in shaping cyber awareness-to-action. Second, the method can accommodate linguistic and uncertain judgments, which makes it appropriate for survey-based employee data. Third, its stepwise structure creates a transparent and interpretable weighting process, allowing readers to follow how criterion importance is derived from ordered comparisons. Fourth, the integration with q-rung orthopair fuzzy sets allows the method to incorporate membership, non-membership, and hesitancy simultaneously, thereby preserving the richer structure of the original linguistic evaluations [10,34]. The study does not argue that structural equation modeling is inappropriate in general; rather, it adopts q-ROF-SWARA because the objective is criterion weighting and priority identification, not hypothesis testing or causal path estimation. These characteristics make q-ROF-SWARA suitable for determining the relative importance of the six dimensions included in this study.

3.8. q-ROF-MARCOS Procedure

In this study, the alternatives were ranked using the q-rung orthopair fuzzy Measurement Alternatives and Ranking according to the Compromise Solution (q-ROF-MARCOS) method. MARCOS is a relatively recent multi-criteria decision-making approach that evaluates alternatives by comparing them simultaneously with both an ideal solution and an anti-ideal solution. In this way, the method does not assess an alternative in isolation; instead, it determines how close each alternative is to the best possible condition and how far it is from the worst possible condition. This dual-comparison structure makes MARCOS especially useful when the purpose is to obtain a balanced and realistic ranking of alternatives under multiple criteria. When integrated with q-rung orthopair fuzzy sets, the method becomes particularly suitable for situations involving uncertainty, hesitancy, and linguistically expressed judgments, as is the case with cybersecurity-related employee survey data [11,45].
In the present study, the q-ROF-MARCOS procedure was applied after the criterion weights had been obtained through the q-ROF-SWARA method. These weights represent the relative importance of the six Cyber Awareness-to-Action dimensions: awareness/threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness. The alternatives evaluated in the MARCOS stage were defined according to employee work mode: on-site employees (A1), hybrid employees (A2), and remote employees (A3). The purpose of this stage was to determine which employee group demonstrates stronger overall performance in translating cyber awareness into secure behavior within the banking and finance sector.
The first stage of the q-ROF-MARCOS method involves the construction of the initial decision matrix. In this matrix, each alternative is evaluated under each criterion. Because the original data were collected through a 7-point linguistic response scale and later converted into q-rung orthopair fuzzy values, the entries in the decision matrix are expressed as fuzzy evaluations rather than crisp scores. This allows the matrix to preserve the uncertainty and partial judgment embedded in the respondents’ perceptions. Thus, the decision matrix reflects the fuzzy performance of on-site, hybrid, and remote employees under each of the six criteria included in the study.
After the initial decision matrix is formed, the next step is to create the extended decision matrix by adding the ideal and anti-ideal solutions. The ideal solution represents the most desirable value for each criterion, whereas the anti-ideal solution represents the least desirable one. These reference points provide the benchmark against which the observed alternatives are evaluated. For each criterion $j$, the ideal and anti-ideal values are determined differently depending on whether the criterion is treated as a benefit-type or cost-type criterion. For benefit-type criteria, higher values indicate better performance. In this case, the ideal and anti-ideal solutions are defined as follows:
$$x_j = \max_i x_{ij} \ \text{(ideal)}, \qquad x_j = \min_i x_{ij} \ \text{(anti-ideal)}$$
For cost-type criteria, lower values indicate better performance. In this case, the ideal and anti-ideal solutions are determined as:
$$x_j = \min_i x_{ij} \ \text{(ideal)}, \qquad x_j = \max_i x_{ij} \ \text{(anti-ideal)}$$
This distinction is important in the present study because most criteria, such as awareness, self-efficacy, and secure behavior readiness, are benefit-oriented, whereas cyber fatigue is conceptually treated as a cost-oriented criterion, since higher fatigue weakens the awareness-to-action process.
Once the ideal and anti-ideal values are identified, the extended decision matrix is normalized to ensure comparability across criteria. Normalization is necessary because the criteria may differ in their performance ranges and directional meaning. In the MARCOS framework, normalization converts all criterion values into a comparable form relative to the ideal and anti-ideal benchmarks. In the q-rung orthopair fuzzy environment, this step is carried out while preserving the fuzzy structure of the data, meaning that the membership and non-membership characteristics of the evaluations remain embedded in the normalized values. This is one of the reasons why q-ROF-MARCOS is especially appropriate for survey-based judgment data, where strict crisp transformations may oversimplify the underlying evaluations [11].
After normalization, the weighted normalized matrix is obtained by multiplying the normalized values by the criterion weights derived from the q-ROF-SWARA method. This stage is crucial because it ensures that the final ranking does not treat all criteria as equally important. Instead, criteria that have received higher SWARA weights exert a stronger influence on the overall evaluation of the alternatives. In the context of this study, this means that if a criterion such as self-efficacy or awareness climate is found to be more important in the cyber awareness-to-action process, it will contribute more heavily to the final performance score of each work-mode alternative.
The next stage involves calculating the overall performance values and utility degrees of the alternatives. For each alternative $i$, a summary performance value $S_i$ is first obtained from the weighted normalized matrix. This value reflects the overall criterion-based performance of the alternative. The utility degree of the alternative in relation to the ideal solution is then calculated as:
$$K_i = \frac{S_i}{S}$$
where denotes the total performance value of alternative, and represents the performance value of the ideal solution. In addition to this comparison with the ideal solution, MARCOS also considers the relationship between each alternative and the anti-ideal solution. This two-sided comparison is one of the defining features of the method. Unlike some traditional ranking approaches that focus only on closeness to the best alternative, MARCOS evaluates alternatives in relation to both extremes, thereby offering a more robust and balanced ranking logic [45].
Based on these calculations, the alternatives are ranked according to their utility values, with higher utility indicating stronger overall performance. In the present study, the final ranking shows which employee work mode demonstrates a stronger overall configuration for translating cyber awareness into secure behavior. This provides practically valuable insights because work arrangement may influence employees’ exposure to cyber risks, their access to organizational support, their level of fatigue, and their readiness to engage in secure practices. Accordingly, the q-ROF-MARCOS stage does not simply compare employee groups descriptively; rather, it evaluates them systematically by combining fuzzy criterion performance with weighted importance values.
The q-ROF-MARCOS method offers several advantages for the purposes of this study. First, it supports comprehensive alternative evaluation by considering both ideal and anti-ideal reference points. Second, it provides a clear ranking of alternatives, which is essential because the study aims not only to identify influential dimensions but also to compare employee groups meaningfully. Third, it accommodates uncertain and linguistic survey data through q-rung orthopair fuzzy modeling. Fourth, it integrates naturally with the q-ROF-SWARA weighting stage, thereby ensuring internal consistency across the overall analytical framework. Finally, the method produces results that are sufficiently transparent and interpretable for managerial use, which is particularly important in organizational cybersecurity decision-making.

3.9. Reliability and Validity Considerations

Reliability and validity were considered throughout both the development of the survey instrument and the preparation of the final dataset used in the empirical analysis. First, content validity was supported through a careful review of the cybersecurity awareness and information security behavior literature. The questionnaire was designed around six conceptually grounded dimensions—threat recognition, perceived relevance, self-efficacy, awareness climate, cyber fatigue, and secure behavior readiness—which reflect the central logic of the Cyber Awareness-to-Action framework. The item pool was adapted from established studies in cybersecurity awareness, threat appraisal, self-efficacy, organizational climate, fatigue, and secure behavior, so that the instrument would capture the main psychological, organizational, and behavioral components relevant to the study. In addition, the wording of the adapted items was reviewed to ensure conceptual relevance, clarity, and consistency with the banking and finance context, thereby strengthening the alignment between the theoretical model and the measurement structure.
Before the main data collection stage, a pilot test with 30 participants was conducted. These participants were selected from a profile similar to the final target population, namely white-collar employees working in the banking and finance sector. The purpose of the pilot application was to assess whether the item wording was understandable, whether the cybersecurity-related expressions were sufficiently clear, whether the ordering of the questions was appropriate, and whether the questionnaire could be completed in a coherent and practical manner. Feedback from the pilot application indicated that some statements required minor wording adjustments, especially in cases where cybersecurity terminology could be interpreted too narrowly or too technically. Based on this feedback, several items were revised to improve clarity, reduce repetition, and make the final questionnaire more suitable for full-scale administration.
Reliability was further supported during the data preparation and screening stage. The final dataset consisted of 580 valid responses, and the uploaded workbook showed no missing values and no duplicate records. This indicates that the dataset was structurally suitable for measurement evaluation. Because the study relies on self-reported survey responses, the use of multiple items under each construct also contributed to measurement stability by reducing dependence on single-item indicators. In addition, the item structure within each dimension was reviewed to ensure that the statements grouped under the same construct reflected a coherent conceptual pattern.
Beyond these preliminary checks, the internal consistency and convergent validity of the instrument were evaluated empirically using the final dataset. Cronbach’s alpha was calculated to assess internal consistency, while composite reliability (CR), average variance extracted (AVE), and factor loading ranges were used to evaluate convergent validity. These indicators are particularly important in the present study because the instrument serves as the basis for the subsequent q-rung orthopair fuzzy transformation and weighting procedures. A reliable and valid measurement structure is therefore necessary before the fuzzy analysis can be interpreted with confidence.
Table 8 presents the internal consistency and convergent validity results of the six constructs measured in the study.
As shown in Table 8, all six constructs demonstrate satisfactory internal consistency. Cronbach’s alpha values range from 0.844 to 0.899, which exceeds the commonly accepted threshold of 0.70 and indicates acceptable to strong reliability. Composite reliability values also remain above 0.70 for all constructs, while all AVE values exceed 0.50, supporting convergent validity. In addition, the factor loading ranges are consistently acceptable across the six dimensions, indicating that the items contribute meaningfully to their intended constructs. Taken together, these results show that the measurement structure performs adequately in terms of both reliability and convergent validity.
To examine whether the six constructs are sufficiently distinct from one another, discriminant validity was assessed using the Fornell–Larcker criterion. According to this approach, the square root of the AVE for each construct should be greater than its correlations with the other constructs. This test is particularly useful in the present study because several of the dimensions—such as threat recognition, perceived relevance, and self-efficacy—are theoretically related but should nevertheless remain empirically distinguishable within the measurement model.
Table 9 reports the Fornell–Larcker discriminant validity matrix for the six constructs.
As presented in Table 9, the square root of AVE for each construct is greater than the corresponding off-diagonal correlations in the same row and column. This indicates that the constructs are empirically distinguishable from one another and that the Fornell–Larcker criterion is satisfied. The result is important because it shows that, although the six dimensions are conceptually related within the Cyber Awareness-to-Action framework, they do not collapse into a single undifferentiated factor.
Finally, the use of a 7-point linguistic response format also contributes to the validity of the study. Employees do not always hold perfectly precise judgments about cybersecurity awareness, fatigue, confidence, or readiness for secure action. In many cases, these perceptions are partial, gradational, and context dependent. A linguistic scale allows respondents to express such judgments more naturally than rigid numerical coding alone. After collection, these linguistic responses were converted into q-rung orthopair fuzzy values, thereby preserving membership, non-membership, and hesitancy information in the subsequent analysis. This strengthens the methodological fit between the nature of the survey data and the fuzzy multi-criteria framework applied in the study.

4. Findings

4.1. Overview of the Empirical Results

The empirical findings of this study are presented in a sequential manner so that the analytical logic of the q-rung orthopair fuzzy evaluation framework can be followed clearly. Based on the 580 valid responses included in the final dataset, the results are organized into three main stages. The first stage reports the aggregated fuzzy evaluation results, showing how the six dimensions of the Cyber Awareness-to-Action framework are reflected in the dataset at both the construct level and the alternative level. This stage provides the descriptive fuzzy structure of the empirical results by summarizing how employees’ linguistic survey responses were transformed into q-rung orthopair fuzzy values and then aggregated across the relevant dimensions and work-mode groups. The second stage presents the criterion-weighting results obtained through q-ROF-SWARA, which identify the relative importance of the six dimensions in shaping the awareness-to-action process. The third and final stage reports the alternative-ranking results generated through q-ROF-MARCOS, where the employee groups are evaluated comparatively in relation to ideal and anti-ideal performance conditions.
In line with the revised framework of the study, the empirical analysis is based on six constructs: awareness/threat recognition (AW), perceived relevance (PR), self-efficacy (SE), awareness climate (CL), cyber fatigue (CF), and secure behavior readiness (SB). These constructs were first represented in the q-rung orthopair fuzzy environment and then incorporated into the weighting and ranking procedures. Accordingly, the findings section moves from a general descriptive picture of fuzzy construct and alternative scores to a more focused evaluation of criterion importance and, finally, to the overall ranking of the work-mode alternatives. This structure allows the results to be interpreted in a logically progressive way, beginning with the empirical fuzzy profile of the dataset, continuing with the prioritization of the core dimensions, and concluding with the comparative performance of on-site, hybrid, and remote employees within the banking and finance sector.
The first stage of the empirical analysis presents the aggregated fuzzy evaluation results derived from the survey responses. After the linguistic responses were transformed into q-rung orthopair fuzzy values, the results were summarized at two levels. First, the six constructs were examined at the overall criterion level in order to identify the general fuzzy profile of the dataset. Second, the evaluations were aggregated by work mode so that the relative standing of on-site, hybrid, and remote employees could be compared across the six dimensions. This stage provides the descriptive fuzzy basis of the empirical analysis before moving to the weighting and ranking procedures.
At the criterion level, the aggregated results show that the overall fuzzy profile of the dataset is relatively moderate, with most dimensions producing score values close to zero. This indicates that employee evaluations are not strongly polarized but instead reflect a balanced structure shaped by partial support, partial non-support, and hesitation. Among the six constructs, awareness/threat recognition (AW) produced the highest overall fuzzy score, followed by self-efficacy (SE). This suggests that employees generally demonstrate a comparatively stronger capacity to recognize cyber risks and a relatively more favorable perception of their own ability to respond securely. By contrast, secure behavior readiness (SB) and cyber fatigue (CF) yielded the lowest overall fuzzy scores. In the case of secure behavior readiness, this pattern implies that the translation of awareness into everyday secure conduct remains more limited than the preceding cognitive and motivational dimensions. In the case of cyber fatigue, the negative score reflects the presence of fatigue-related perceptions within the sample and indicates that repeated security demands may function as a constraining condition in the awareness-to-action process.
Table 10 presents the aggregated fuzzy results for the six criteria, including the mean membership, non-membership, hesitancy, and score values.
As shown in Table 10, the highest mean score belongs to awareness/threat recognition, indicating that the recognition of suspicious situations, cyber risks, and insecure digital practices constitutes the strongest descriptive component of the dataset at the aggregate level. Self-efficacy follows as the second most favorable construct, suggesting that employees report a comparatively stronger sense of confidence in responding to cybersecurity risks than in some of the other dimensions. Awareness climate occupies a middle position, while perceived relevance, cyber fatigue, and secure behavior readiness remain less favorable. It is also notable that the hesitancy values remain relatively close across all six constructs, which indicates that uncertainty and partial judgment are present throughout the dataset rather than being concentrated in only one dimension.
In addition to the overall criterion profile, the fuzzy evaluations were aggregated by work mode in order to compare the three alternatives used in the study. This comparison is important because the alternatives are not evaluated through raw survey averages alone; instead, they are assessed through construct-level fuzzy scores that preserve membership, non-membership, and hesitation information. The work-mode comparison reveals that the three employee groups do not display the same pattern across the six dimensions. Rather, each group shows relative strengths and weaknesses, which provides an important descriptive basis for the later ranking stage.
Table 11 presents the aggregated fuzzy decision matrix by work mode and criterion, using the mean score values obtained from the q-rung orthopair fuzzy aggregation process.
Table 11 shows that the alternatives differ meaningfully across the six dimensions. On-site employees demonstrate the strongest fuzzy score in awareness/threat recognition, suggesting that this group performs relatively better in recognizing cyber risks and suspicious digital situations. Hybrid employees display the most favorable score in perceived relevance, which suggests that they see cybersecurity issues as slightly more directly connected to their own work responsibilities than the other two groups. Remote employees, however, show the strongest scores in self-efficacy, awareness climate, and secure behavior readiness, indicating a more favorable overall profile in terms of confidence, perceived cybersecurity support, and readiness to engage in secure digital behavior.
The pattern for cyber fatigue requires separate interpretation because this construct represents a cost-oriented criterion. Unlike the benefit-type dimensions, a higher fatigue score does not indicate a more desirable condition; rather, it reflects a stronger fatigue burden. For this cost criterion, the most favorable profile is always the lowest numerical score. Accordingly, on-site employees exhibit the most favorable fatigue profile (−0.081), followed closely by hybrid employees (−0.077), whereas remote employees show the highest fatigue score (−0.059), indicating a comparatively stronger fatigue-related burden in this group. This result is important because it suggests that remote employees may simultaneously display stronger readiness and self-efficacy while also reporting greater exposure to fatigue-related pressure.
Overall, the aggregated fuzzy evaluation results reveal that the empirical structure of the dataset is not uniform across either criteria or alternatives. At the criterion level, awareness/threat recognition and self-efficacy emerge as relatively stronger dimensions, whereas secure behavior readiness and cyber fatigue appear less favorable. At the alternative level, remote employees display a particularly strong profile in several benefit-oriented dimensions, while on-site employees appear stronger in awareness and more favorable in terms of fatigue. Hybrid employees occupy an intermediate position, with their clearest relative advantage appearing in perceived relevance. These descriptive fuzzy patterns provide the empirical foundation for the next stage of the analysis, in which the six criteria are weighted through q-ROF-SWARA.
Figure 3 visually presents the aggregated fuzzy scores of the three work-mode alternatives across the six evaluation criteria, making it easier to observe the relative strengths and weaknesses of each group.
As shown in Figure 3, the fuzzy performance patterns differ across work modes rather than converging around a single dominant profile. Remote employees display comparatively stronger scores in self-efficacy and secure behavior readiness, whereas on-site employees perform more favorably in awareness/threat recognition. Hybrid employees occupy a more intermediate position across most criteria. The visual pattern also highlights that cyber fatigue should be interpreted differently from the benefit-oriented criteria, since higher fatigue reflects a less desirable condition.

4.2. Criterion Weighting Results from q-ROF-SWARA

The aggregated criterion scores were ordered and then processed through the q-ROF-SWARA procedure in order to obtain the final normalized weights of the six Cyber Awareness-to-Action dimensions. This stage of the analysis shows that the criteria do not contribute equally to the awareness-to-action process. Instead, the weighting structure reveals a clear priority pattern in which some dimensions emerge as more influential than others in shaping secure employee behavior. The results indicate that the strongest contribution comes from dimensions related to employee capability and organizational reinforcement, whereas dimensions such as perceived relevance and secure behavior readiness receive comparatively lower weights.
Table 12 presents the q-ROF-SWARA weighting results, including the rank order of the criteria, mean score values, comparative importance coefficients, recalculated weights, and final normalized weights.
As shown in Table 12, self-efficacy (SE) is the most influential dimension, with a final normalized weight of 0.2486. This result indicates that employees’ confidence in their ability to respond securely plays the strongest role in the cyber awareness-to-action process. The second-ranked criterion is awareness/threat recognition (AW) with a weight of 0.1738, followed very closely by awareness climate (CL) with 0.1693. These findings suggest that the ability to recognize cyber risks and the presence of an awareness-supportive organizational environment are also central components of secure employee behavior.
The middle position in the weighting structure belongs to cyber fatigue (CF), with a normalized weight of 0.1548. This indicates that fatigue is a meaningful factor in the awareness-to-action framework, although it is less influential than self-efficacy and the two awareness-related dimensions. The lowest weights belong to perceived relevance (PR) and secure behavior readiness (SB), with values of 0.1297 and 0.1237, respectively. While these dimensions remain part of the overall framework, their lower weights show that they contribute less strongly to the final prioritization structure than the more capability-based and context-based criteria.
The q-ROF-SWARA results point to a weighting pattern in which confidence-based and organizationally reinforced dimensions are more influential than the lower-ranked criteria. In empirical terms, the strongest priority is assigned to SE, while AW and CL follow as the next most important drivers. CF occupies an intermediate position, whereas PR and SB remain the least influential dimensions in the final weighting structure. These weighted results provide the basis for the next stage of the analysis, in which the employee-group alternatives are ranked through q-ROF-MARCOS.
Figure 4 presents the final normalized weights obtained from the q-ROF-SWARA procedure and highlights the relative importance of the six Cyber Awareness-to-Action dimensions.
As shown in Figure 4, self-efficacy occupies the highest position in the weighting structure, followed by awareness/threat recognition and awareness climate. Cyber fatigue remains in the middle range, whereas perceived relevance and secure behavior readiness receive the lowest weights.

4.3. Alternative Ranking Results from q-ROF-MARCOS

After the criterion weights had been determined through q-ROF-SWARA, the alternatives were evaluated by using the q-ROF-MARCOS procedure. In this stage, the three work-mode groups—on-site employees (A1), hybrid employees (A2), and remote employees (A3)—were assessed in relation to the weighted criteria and then compared against the ideal and anti-ideal reference conditions. The purpose of this stage was to determine which employee group demonstrates the strongest overall performance in translating cyber awareness into secure behavior when all six dimensions are considered together. The ranking results therefore reflect a compromise-based evaluation rather than a simple comparison of raw criterion scores.
Before presenting the final ranking, it is useful to summarize the criterion-level performance pattern that fed into the MARCOS stage. The aggregated fuzzy decision matrix showed that the alternatives did not perform uniformly across the six dimensions. Instead, each work mode displayed a distinct empirical profile, which helps explain the final utility-based ranking.
Table 13 summarizes the criterion-level performance pattern of the three alternatives before the final q-ROF-MARCOS ranking results are presented.
The criterion-level performance pattern is consistent with the aggregated decision matrix in Table 13. On-site employees lead in awareness/threat recognition and also show the most favorable cyber fatigue profile because they have the lowest numerical fatigue score. Hybrid employees perform most strongly in perceived relevance, whereas remote employees lead in self-efficacy, awareness climate, and secure behavior readiness. This pattern indicates that the final ranking is not driven by a single dominant criterion. Rather, it emerges from the combined effect of multiple weighted dimensions assessed simultaneously through the q-ROF-MARCOS framework.
Following the construction of the extended decision matrix and the incorporation of the q-ROF-SWARA weights, utility scores were calculated for each alternative. These utility scores indicate the relative closeness of each work-mode group to the ideal solution under the six weighted criteria. Higher utility values represent stronger overall performance in the cyber awareness-to-action process.
Table 14 presents the final q-ROF-MARCOS ranking results for the three work-mode alternatives.
Table 14 shows that remote employees (A3) achieve the highest overall utility score (0.684), followed by on-site employees (A1) with 0.661 and hybrid employees (A2) with 0.642. However, the differences between successive ranks are small: the gap between A3 and A1 is 0.023, and the gap between A1 and A2 is 0.019. For this reason, the ranking should be interpreted as a relative prioritization pattern rather than as evidence of a large practical separation among work modes. The result indicates that remote employees display the strongest overall awareness-to-action profile in the base model, while the lower-ranked alternatives are closely positioned.
Because the final utility scores are close, a sensitivity analysis was conducted by varying the q-rung parameter used in the fuzzy transformation. The base model used q = 3, while additional scenarios were calculated with q = 2 and q = 4. This check evaluates whether the ranking is robust to a reasonable change in the q parameter, which affects the feasible space of membership and non-membership values in the q-rung orthopair fuzzy environment. Given the relatively small utility-score differences among the alternatives, Table 15 presents a sensitivity analysis of the q-ROF-MARCOS rankings under alternative q-rung parameters.
The sensitivity analysis indicates that the first-ranked alternative remains stable across the tested q values: remote employees (A3) retain the highest utility score under q = 2, q = 3, and q = 4. However, the ordering of on-site and hybrid employees is sensitive when q = 2 is used, because their utility values are very close. Therefore, the most reliable interpretation is that remote employees show a consistently stronger overall profile, whereas the difference between on-site and hybrid employees should be treated cautiously. It should also be noted that this sensitivity analysis addresses variation in the q-rung parameter, but it does not test whether the results remain stable under alternative linguistic-to-fuzzy conversion schemes. Accordingly, the ranking should still be interpreted with caution, especially because the utility-score differences among the alternatives are small.
The superior ranking of remote employees in the base model can be associated with their stronger performance on several influential benefit-oriented dimensions observed in the earlier aggregation stage, particularly self-efficacy, awareness climate, and secure behavior readiness. Since the weighting results also showed that capability-related and climate-related dimensions occupy an important place in the overall framework, remote employees appear to benefit from a favorable combination of these criteria. On-site employees show a favorable profile in awareness/threat recognition and cyber fatigue, because cyber fatigue is a cost criterion and the lowest numerical score is preferred. However, the sensitivity analysis indicates that the second- and third-rank positions are not as robust as the first-rank position; therefore, differences between on-site and hybrid employees should be interpreted as small and parameter-sensitive rather than substantively large.
The q-ROF-MARCOS results suggest that awareness-to-action performance varies across work modes, although the magnitude of the differences is modest. The ranking pattern points to remote work settings as the most favorable overall configuration in the base and sensitivity scenarios, while the distinction between on-site and hybrid employees is less robust. Accordingly, the ranking should be read as a decision-support signal for prioritization rather than as a definitive claim that one work mode is substantially superior to the others. Because prior cybersecurity training may also influence the awareness-to-action process, the manuscript includes a supplementary Appendix A analysis comparing employees with prior cybersecurity training and those without such training. This additional analysis does not replace the work-mode comparison; rather, it functions as a robustness-oriented extension showing whether the same six criteria produce a different performance pattern when the alternatives are defined by training exposure. Figure 5 presents the final utility scores of the three alternatives.
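The ranking logic described in this subsection, as an added example (not the authors' code): a crisp MARCOS computation using the Table 12 weights quoted in the text, with cyber fatigue treated as the cost criterion. It assumes the standard MARCOS utility formulas and a constructed, already-defuzzified score matrix, so the q-ROF aggregation step is omitted and the output does not reproduce Table 14.

```python
"""Crisp MARCOS ranking with one cost criterion (added illustration)."""

# Final normalized q-ROF-SWARA weights quoted in the text (Table 12).
WEIGHTS = {"AW": 0.1738, "PR": 0.1297, "SE": 0.2486,
           "CL": 0.1693, "CF": 0.1548, "SB": 0.1237}
COST = {"CF"}  # cyber fatigue: the lowest score is preferred

# CONSTRUCTED, already-defuzzified scores in (0, 1]; not the study's data.
# Per-criterion leaders follow the pattern the text describes.
SCORES = {
    "A1": {"AW": 0.80, "PR": 0.70, "SE": 0.72, "CL": 0.74, "CF": 0.50, "SB": 0.66},
    "A2": {"AW": 0.76, "PR": 0.75, "SE": 0.70, "CL": 0.72, "CF": 0.55, "SB": 0.65},
    "A3": {"AW": 0.75, "PR": 0.72, "SE": 0.80, "CL": 0.78, "CF": 0.54, "SB": 0.70},
}


def reference_points(scores):
    """Return (ideal, anti_ideal) rows; the direction flips for cost criteria."""
    ideal, anti = {}, {}
    for crit in WEIGHTS:
        column = [row[crit] for row in scores.values()]
        if min(column) <= 0:
            raise ValueError(f"scores for {crit} must be positive")
        if crit in COST:
            ideal[crit], anti[crit] = min(column), max(column)
        else:
            ideal[crit], anti[crit] = max(column), min(column)
    return ideal, anti


def weighted_sum(row, ideal):
    """Normalize a row against the ideal, weight it, and sum over criteria."""
    total = 0.0
    for crit, weight in WEIGHTS.items():
        if crit in COST:
            normalized = ideal[crit] / row[crit]   # lower raw score -> closer to 1
        else:
            normalized = row[crit] / ideal[crit]   # higher raw score -> closer to 1
        total += weight * normalized
    return total


def marcos(scores):
    """Return the MARCOS utility function value f(K_i) for each alternative."""
    ideal, anti = reference_points(scores)
    s_ai = weighted_sum(ideal, ideal)
    s_aai = weighted_sum(anti, ideal)
    utilities = {}
    for name, row in scores.items():
        s_i = weighted_sum(row, ideal)
        k_minus, k_plus = s_i / s_aai, s_i / s_ai   # utility degrees
        f_minus = k_plus / (k_plus + k_minus)       # w.r.t. the anti-ideal
        f_plus = k_minus / (k_plus + k_minus)       # w.r.t. the ideal
        utilities[name] = (k_plus + k_minus) / (
            1 + (1 - f_plus) / f_plus + (1 - f_minus) / f_minus)
    return utilities


def ranking(utilities):
    """Alternatives ordered from highest to lowest utility."""
    return sorted(utilities, key=utilities.get, reverse=True)


def successive_gaps(utilities):
    """Utility differences between neighbouring ranks."""
    ordered = [utilities[name] for name in ranking(utilities)]
    return [a - b for a, b in zip(ordered, ordered[1:])]


def with_score(scores, alternative, criterion, value):
    """Copy of the score matrix with a single cell replaced (what-if check)."""
    changed = {name: dict(row) for name, row in scores.items()}
    changed[alternative][criterion] = value
    return changed


if __name__ == "__main__":
    base = marcos(SCORES)
    print("base ranking:", ranking(base), [round(g, 3) for g in successive_gaps(base)])
    # What-if: on-site fatigue worsens; only the lower-order ranks move.
    worse = marcos(with_score(SCORES, "A1", "CF", 0.65))
    print("what-if ranking:", ranking(worse))
```

With these constructed scores the first rank holds while the second and third positions swap once on-site fatigue rises, which is the kind of fragility that small utility gaps imply for the lower ranks.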

4.4. Integrated Interpretation of the Findings

Taken together, the empirical results reveal a coherent pattern across the three analytical stages of the study. The first stage showed that the fuzzy evaluation structure differs across both criteria and work-mode alternatives, indicating that the Cyber Awareness-to-Action framework is not shaped by a single uniform dimension. The second stage, based on q-ROF-SWARA, demonstrated that the six criteria do not contribute equally to the awareness-to-action process. Instead, a clear weighting hierarchy emerged in which some dimensions exert stronger influence than others. The third stage, based on q-ROF-MARCOS, translated these weighted criteria into a final alternative ranking and showed that the three work-mode groups differ in their overall ability to convert cyber awareness into secure behavior.
The integrated pattern suggests that the model is driven most strongly by self-efficacy, which received the highest normalized weight (0.2486) among all six criteria. This indicates that employees’ confidence in their ability to respond securely is the most influential element in the overall framework. The weighting results also show that awareness/threat recognition and awareness climate occupy the next two positions, with normalized weights of 0.1738 and 0.1693, respectively. Together, these findings suggest that the awareness-to-action process is shaped not only by employees’ individual capability, but also by their ability to identify cyber risks and by the extent to which cybersecurity is reinforced within the organizational environment.
At the same time, cyber fatigue emerges as a meaningful but secondary barrier. Although it does not rank among the top three criteria, its normalized weight (0.1548) shows that fatigue remains an important part of the overall framework. This means that repeated warnings, security overload, or disengagement do not dominate the awareness-to-action process, but they still contribute in a noticeable way to how securely employees behave. By contrast, perceived relevance and secure behavior readiness receive the lowest final weights, with 0.1297 and 0.1237, respectively. This does not mean that these dimensions are unimportant; rather, it suggests that their influence is weaker in the final weighting structure when compared with self-efficacy, awareness, and climate-related dimensions.
When the criterion weights are interpreted together with the alternative-level fuzzy scores and the sensitivity analysis, the final ranking becomes easier to explain. Remote employees achieved the highest overall utility score in the base q-ROF-MARCOS analysis and retained the first rank under q = 2 and q = 4. This result appears to be associated with their comparatively stronger performance on several weighted benefit-oriented dimensions, especially self-efficacy, awareness climate, and secure behavior readiness. Since these criteria represent the ability and willingness to convert awareness into secure behavior, their combined effect helps explain why remote employees occupy the leading position. At the same time, the small score differences and the q = 2 sensitivity result show that the lower-order distinction between on-site and hybrid employees should be interpreted with caution.
On-site employees rank second in the final ordering. Their position appears to be supported mainly by their stronger score in awareness/threat recognition, which is the second most heavily weighted criterion, and by their relatively favorable fatigue profile when cyber fatigue is interpreted as a cost-oriented dimension. This suggests that on-site work settings may provide a more supportive environment for recognizing cyber threats and limiting fatigue-related burden, even though they do not produce the strongest overall result. Hybrid employees, by contrast, rank last in the q-ROF-MARCOS stage. Although they perform relatively well in perceived relevance, this advantage is not sufficient to offset weaker or less consistent performance across the more highly weighted criteria. As a result, hybrid employees appear less balanced across the framework than the other two groups.
Overall, the integrated findings indicate that the Cyber Awareness-to-Action framework is shaped most strongly by a combination of capability, awareness, and organizational climate, while fatigue functions as a secondary but still meaningful barrier. The final ranking also shows that work mode matters in how these dimensions combine. Remote employees display the most favorable overall configuration because they perform more strongly on several of the weighted dimensions, whereas hybrid employees appear less consistent across the framework. In this respect, the results do not point to a single isolated driver, but rather to an integrated structure in which the final ranking emerges from the interaction between criterion importance and alternative-level performance.
Figure 6 presents a combined radar chart of the three work-mode groups across the six criteria and visually summarizes how their relative profiles differ within the integrated evaluation framework.
Remote employees display a broader and more favorable shape across several weighted dimensions, particularly self-efficacy, awareness climate, and secure behavior readiness. On-site employees stand out more clearly in awareness/threat recognition and in the fatigue-related dimension, whereas hybrid employees show a narrower and less balanced profile overall.

5. Discussion

5.1. Theoretical Interpretation

The findings support the Cyber Awareness-to-Action framework by showing that cyber awareness is not a sufficient outcome by itself. The highest weight assigned to self-efficacy indicates that employees’ confidence in acting securely is a central bridge between knowing and doing. This interpretation is consistent with protection motivation and compliance research, which identifies self-efficacy and threat appraisal as key drivers of protective information security behavior [7,8,23].
The results also confirm the organizational nature of the conversion process. Awareness climate receives a strong weight, suggesting that employees are more likely to act securely when cybersecurity is embedded in shared expectations, managerial signals, and everyday routines. At the same time, cyber fatigue remains a meaningful barrier because repetitive or generic security demands can weaken engagement with secure practices [5,6,9].
The alternative ranking further shows that work context matters. Remote employees achieve the strongest overall position, while hybrid employees show weaker performance in the final ranking. This pattern suggests that awareness-to-action is shaped by how employees experience support, routines, and control mechanisms across different work arrangements rather than by awareness level alone.

5.2. Methodological Contribution

Methodologically, the study contributes by adapting an established q-rung orthopair fuzzy multi-criteria decision-making structure to a cybersecurity awareness-to-action problem using survey-derived employee evaluations. Rather than presenting q-ROFS as a new method, the study shows how q-ROF-SWARA and q-ROF-MARCOS can be operationalized together to transform linguistic cybersecurity survey responses into a structured prioritization and ranking model. This is important because cybersecurity awareness research has commonly relied on descriptive statistics, regression-based models, or latent-variable approaches, whereas fewer studies have used fuzzy multi-criteria methods to identify which awareness-to-action dimensions should receive greater managerial attention under uncertainty.
The methodological contribution lies in three specific aspects. First, the study provides a data-driven q-ROF-SWARA weighting procedure in which comparative importance coefficients are derived from aggregated survey-based fuzzy scores, making the weighting process transparent and replicable without requiring a separate expert panel. Second, it integrates q-ROF-SWARA with q-ROF-MARCOS to connect dimension prioritization with work-mode comparison, thereby linking “which factors matter most” with “which employee group shows the strongest awareness-to-action profile.” Third, the study adds robustness to the fuzzy decision process by including a q-parameter sensitivity analysis, which tests whether alternative rankings remain stable under different q-rung assumptions. These elements extend the practical use of q-ROF-based decision models in cybersecurity behavior research without overstating methodological novelty.
The q-rung orthopair fuzzy environment is appropriate for this research design because employee cybersecurity judgments are linguistic, hesitant, and context-dependent. Compared with crisp Likert coding or simpler fuzzy representations, q-ROFS allows membership, non-membership, and hesitation to be represented together, which is useful for survey-based cybersecurity decision analysis [10,31,32,33]. In this way, the study offers an application-oriented methodological contribution: it demonstrates how an established fuzzy decision environment can be used to support transparent, uncertainty-aware prioritization in organizational cybersecurity research.

5.3. Practical Implications

For banking and finance institutions, the findings suggest that cybersecurity interventions should move beyond general awareness messages and focus on action capability. Scenario-based exercises, role-specific examples, practical reporting guidance, and feedback mechanisms can strengthen self-efficacy and help employees convert awareness into secure behavior. Training should therefore be designed as an applied behavioral support system rather than a periodic information delivery activity.
The results also highlight the need for coordination among HR units, line managers, and cybersecurity teams. HR can embed cybersecurity expectations into onboarding and development; managers can reinforce secure routines through daily communication and role modeling; and cybersecurity teams can ensure that rules, alerts, and training remain practical. Attention should also be paid to cyber fatigue by reducing repetitive content, simplifying procedures, and aligning security expectations with real work conditions.
The supplementary training-based comparison further suggests that training should not be assessed only by whether employees have attended a cybersecurity program. The trained group displays a more favorable profile in threat recognition and cyber fatigue, but the untrained group shows slightly higher self-reported scores in self-efficacy, awareness climate, and secure behavior readiness. This mixed and partly counterintuitive pattern should be interpreted cautiously because the comparison is cross-sectional, self-reported, and non-experimental. It may reflect self-selection, whereby more confident employees are less likely to participate in voluntary training, or a calibration effect, whereby trained employees become more aware of cybersecurity complexity and therefore assess their own abilities more conservatively. From a practical perspective, the finding implies that training programs should place greater emphasis on behavioral transfer, confidence-building, and realistic practice scenarios rather than relying only on general awareness content.

6. Conclusions

This study examined how cyber awareness is translated into secure employee behavior in the banking and finance sector. Rather than treating awareness as an end point, the study approached it as the starting point of a broader organizational process that must be converted into action. To explore this process, survey data were collected from white-collar employees and analyzed through a q-rung orthopair fuzzy framework using q-ROF-SWARA and q-ROF-MARCOS. The findings showed that the awareness-to-action process is shaped most strongly by self-efficacy, followed by awareness/threat recognition and awareness climate. By contrast, perceived relevance and secure behavior readiness received relatively lower weights, while cyber fatigue emerged as a meaningful barrier that can weaken the movement from awareness to secure action. The ranking results also showed that remote employees achieved the strongest overall performance, followed by on-site employees, whereas hybrid employees displayed the weakest overall profile within the awareness-to-action framework.
A central message of the study is that cybersecurity awareness, on its own, is not enough. Knowing that cyber risks exist or recognizing common threats does not automatically result in secure workplace behavior. Employees are more likely to act securely when they feel capable of responding, when the organizational environment reinforces secure conduct, and when this process is not undermined by fatigue. Seen from this perspective, awareness is only one part of a wider organizational system. What ultimately matters is how awareness interacts with confidence, support, work conditions, and behavioral reinforcement. This is why the study argues that the transition from awareness to action should be understood as a systemic process rather than as a simple outcome of training or information exposure.
The results should also be interpreted carefully. Although remote employees ranked first overall, the differences among the three work-mode groups were not dramatic enough to support rigid conclusions about one work arrangement being inherently secure and another being inherently weak. A more reasonable interpretation is that different work settings create different combinations of enabling and constraining conditions. Remote employees appear to benefit from a more favorable overall profile across several important dimensions, particularly self-efficacy, awareness climate, and secure behavior readiness. On-site employees also displayed notable strengths, especially in awareness/threat recognition and fatigue-related outcomes. Hybrid employees, however, appeared less consistent across the framework. From a systems viewpoint, this inconsistency is especially important because it suggests that hybrid settings may create a less stable environment for converting awareness into secure action. In other words, the issue may not be the existence of one major weakness, but rather the absence of a more coherent and reinforcing set of organizational conditions.
The study contributes to the literature in several ways. Conceptually, it moves beyond the common assumption that cyber awareness itself is the main outcome of interest and instead reframes the issue as an awareness-to-action problem. This perspective offers a more realistic understanding of cybersecurity behavior by showing that awareness must be activated through capability, reinforcement, and organizational support before it can produce secure action. Methodologically, the study demonstrates the applicability of q-ROF-SWARA and q-ROF-MARCOS for identifying priority drivers in cybersecurity awareness survey data and for comparing employee groups under uncertainty. This contribution complements conventional relationship-based approaches by addressing a different type of research question: which dimensions and employee-group configurations should be prioritized? In this respect, the study also aligns with a systems-oriented perspective by showing that secure behavior emerges not from isolated variables, but from the relative strength and interaction of multiple organizational conditions.
The practical implications are equally clear. Organizations should not rely only on general awareness campaigns, periodic reminders, or routine information sharing. These efforts may be necessary, but they are rarely sufficient on their own. If institutions want awareness to become action, they need to build the broader organizational conditions that make secure behavior more likely in everyday work. The findings suggest that particular attention should be given to strengthening self-efficacy, improving threat recognition, and reinforcing an awareness climate that supports secure conduct across the organization. At the same time, organizations should be careful not to overload employees with repetitive, generic, or poorly targeted security demands, since such practices may contribute to cyber fatigue and weaken engagement. The weaker position of hybrid employees further suggests that this group may require more tailored support, clearer routines, and more consistent reinforcement across work settings. Overall, effective cybersecurity management appears to depend not only on whether employees are informed, but also on whether the organizational system helps them act confidently, consistently, and securely in practice.
At the same time, several limitations should be acknowledged. First, the study is based on self-reported survey data, meaning that the findings reflect employee perceptions rather than directly observed behavior. Second, the analysis is cross-sectional and non-experimental; therefore, the results should be interpreted as associations rather than causal effects. This is especially important for the supplementary trained-versus-untrained comparison, since training participation was not randomly assigned and the observed pattern may reflect self-selection or calibration effects in employees’ self-assessments. For example, more confident employees may be less likely to participate in voluntary training, while trained employees may assess themselves more conservatively after becoming more aware of cybersecurity complexity and their own knowledge gaps. Third, the analysis is limited to the banking and finance sector, which restricts the generalizability of the results to other industries. Fourth, the framework is bounded by the specific dimensions and employee groups included in the analysis. Different patterns may emerge if other sectoral, cultural, technological, or organizational variables are included. Fifth, the final q-ROF-MARCOS utility scores are relatively close. Although remote employees remain first-ranked across q = 2, q = 3, and q = 4, the lower-order ranking is sensitive under q = 2. The robustness check also varies only the q-rung parameter and does not test alternative linguistic-to-fuzzy conversion schemes. Therefore, the ranking should be interpreted cautiously, and sensitivity to the membership and non-membership values in Table 4 and Table A2 remains an unresolved source of uncertainty.
These limitations also open several useful directions for future research. Comparative studies across sectors or countries could help determine whether the awareness-to-action process changes under different institutional, regulatory, or cultural conditions. Longitudinal or experimental research designs could examine whether cybersecurity training improves threat recognition, self-efficacy, behavioral readiness, and secure behavior over time, while also separating training effects from self-selection and calibration effects. Qualitative studies could provide a deeper understanding of how employees experience self-efficacy, fatigue, awareness climate, and organizational support in their daily work environments. In addition, future research may compare the present q-rung orthopair fuzzy framework with structural equation modeling, fsQCA, or other fuzzy and hybrid analytical models in order to examine whether different methods produce convergent or complementary insights. More broadly, the study suggests that future work should continue moving beyond awareness as a stand-alone concept and focus more directly on how secure behavior is enabled, constrained, and prioritized within organizational systems.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/systems14060638/s1, Table S1: Seven-point linguistic scale and q-rung orthopair fuzzy mapping values; Table S2: Raw seven-point survey dataset of banking and finance sector respondents; Table S3: Item-level q-rung orthopair fuzzy transformation results; Table S4: Construct-level q-rung orthopair fuzzy average values.

Author Contributions

Conceptualization, F.M. and T.K.; methodology, F.M. and B.V.D.; software, T.K.; validation, F.M., T.K. and B.V.D.; formal analysis, F.M.; investigation, B.V.D.; resources, F.M.; data curation, T.K.; writing—original draft preparation, F.M. and B.V.D.; writing—review and editing, F.M. and T.K.; visualization, B.V.D.; supervision, F.M.; project administration, F.M.; funding acquisition, T.K. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki, and the protocol was approved by the Dogus University Ethics Committee (E-42435178-050.04-86039) on 12 August 2025.

Informed Consent Statement

Informed consent was obtained from all participants prior to data collection. Participation was voluntary, and respondents were informed of the purpose of the research, the confidential and anonymous handling of their responses, and their right to decline participation or withdraw at any stage without any penalty.

Data Availability Statement

All relevant data are within the manuscript and its Supporting Information files. The dataset underlying the findings of this study is provided as a Supplementary Data file.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

The dataset used in the analysis is provided as a supporting file, while the appendices present the full survey instrument, the linguistic-to-q-rung orthopair fuzzy conversion scheme, the construct aggregation structure, and the main analytical assumptions used in the study.

Appendix A.1. Full Survey Instrument

This appendix presents the full survey instrument used to measure the six dimensions of the Cyber Awareness-to-Action framework. All items were evaluated using a 7-point linguistic response format ranging from 1 = Very Low to 7 = Very High.
Table A1. Full survey instrument and construct mapping.
| Item Code | Construct | Full Item Statement | Source Base | Response Format |
|---|---|---|---|---|
| AW1 | Awareness/Threat Recognition | I can recognize suspicious emails or phishing attempts. | Ünsal and Ocak [3]; Parsons et al. [1] | 7-point linguistic scale |
| AW2 | Awareness/Threat Recognition | I am aware of common cybersecurity risks in my daily work. | Ünsal and Ocak [3]; Parsons et al. [1] | 7-point linguistic scale |
| AW3 | Awareness/Threat Recognition | I can identify unsafe digital practices in my organization. | Ünsal and Ocak [3]; Parsons et al. [1] | 7-point linguistic scale |
| AW4 | Awareness/Threat Recognition | I understand how cyber threats can affect organizational systems. | Ünsal and Ocak [3]; Parsons et al. [1] | 7-point linguistic scale |
| PR1 | Perceived Relevance | Cybersecurity threats are relevant to my daily work. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| PR2 | Perceived Relevance | I believe cyber incidents could directly affect my performance. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| PR3 | Perceived Relevance | I think ignoring cybersecurity risks can lead to serious consequences. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| PR4 | Perceived Relevance | I feel personally responsible for cybersecurity in my role. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| SE1 | Self-Efficacy | I feel confident in following cybersecurity policies correctly. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| SE2 | Self-Efficacy | I know how to respond to a cyber incident. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| SE3 | Self-Efficacy | I can apply secure practices even under pressure. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| SE4 | Self-Efficacy | I feel capable of protecting sensitive information in my work. | Johnston and Warkentin [7]; Li et al. [8] | 7-point linguistic scale |
| CL1 | Awareness Climate | Cybersecurity is taken seriously in my organization. | Kessler et al. [9] | 7-point linguistic scale |
| CL2 | Awareness Climate | My organization actively promotes secure digital behavior. | Kessler et al. [9] | 7-point linguistic scale |
| CL3 | Awareness Climate | Employees are encouraged to follow cybersecurity rules. | Kessler et al. [9] | 7-point linguistic scale |
| CL4 | Awareness Climate | There is strong organizational support for cybersecurity practices. | Kessler et al. [9] | 7-point linguistic scale |
| CF1 | Cyber Fatigue | I feel overwhelmed by repeated cybersecurity messages. | Reeves et al. [5,6] | 7-point linguistic scale |
| CF2 | Cyber Fatigue | Cybersecurity training is often repetitive. | Reeves et al. [5,6] | 7-point linguistic scale |
| CF3 | Cyber Fatigue | I sometimes ignore security warnings due to overload. | Reeves et al. [5,6] | 7-point linguistic scale |
| CF4 | Cyber Fatigue | Cybersecurity requirements feel excessive. | Reeves et al. [5,6] | 7-point linguistic scale |
SB1Secure Behavior ReadinessI follow cybersecurity rules even when busy.Egelman et al. [38]; Siponen et al. [13]7-point linguistic scale
SB2Secure Behavior ReadinessI am willing to report suspicious activities immediately.Egelman et al. [38]; Siponen et al. [13]7-point linguistic scale
SB3Secure Behavior ReadinessI actively apply secure practices in my daily work.Egelman et al. [38]; Siponen et al. [13]7-point linguistic scale
SB4Secure Behavior ReadinessI prioritize cybersecurity in my tasks.Egelman et al. [38]; Siponen et al. [13]7-point linguistic scale
Note. The final instrument includes six constructs and 24 items in total: 4 items for Awareness/Threat Recognition, 4 items for Perceived Relevance, 4 items for Self-Efficacy, 4 items for Awareness Climate, 4 items for Cyber Fatigue, and 4 items for Secure Behavior Readiness.

Appendix A.2. Operational Linguistic-to-q-Rung Orthopair Fuzzy Conversion Scheme

This appendix presents the operational conversion scheme used to transform the linguistic survey responses into q-rung orthopair fuzzy values in the analysis. The study used a q value of 3. The response scale was defined from Very Low to Very High, and each linguistic category was mapped to a predefined membership, non-membership, and hesitancy value.
Table A2. Operational linguistic-to-q-rung orthopair fuzzy conversion scheme.

| Likert Code | Linguistic Term | Membership (μ) | Non-Membership (ν) | Hesitancy (π) | Score Logic |
|---|---|---|---|---|---|
| 1 | Very Low | 0.05 | 0.98 | 0.3886 | $\mu^3 - \nu^3$ |
| 2 | Low | 0.20 | 0.90 | 0.6407 | $\mu^3 - \nu^3$ |
| 3 | Slightly Low | 0.35 | 0.75 | 0.8119 | $\mu^3 - \nu^3$ |
| 4 | Moderate | 0.50 | 0.60 | 0.8702 | $\mu^3 - \nu^3$ |
| 5 | Slightly High | 0.65 | 0.40 | 0.8713 | $\mu^3 - \nu^3$ |
| 6 | High | 0.80 | 0.25 | 0.7788 | $\mu^3 - \nu^3$ |
| 7 | Very High | 0.95 | 0.10 | 0.5213 | $\mu^3 - \nu^3$ |

Note. Hesitancy values were derived using the q-rung orthopair fuzzy condition with $q = 3$, and score values were computed operationally using the expression $\mu^3 - \nu^3$. This appendix provides the technical conversion details, while the dataset itself is supplied separately as supporting material.

Appendix A.3. Item Grouping, Construct Aggregation, and Procedural Logic

This appendix provides the supporting methodological details used to transform raw survey responses into construct-level fuzzy values and to implement the q-ROF-SWARA and q-ROF-MARCOS procedures. The purpose is to keep the main methodology section concise while preserving transparency regarding item grouping, aggregation, criterion weighting, and alternative ranking.
Construct-level values were obtained by grouping the survey items according to the six dimensions of the Cyber Awareness-to-Action framework. Each construct consisted of four items. First, item-level linguistic responses were converted into q-rung orthopair fuzzy values using the linguistic conversion scheme reported in the main text. Then, the item-level q-ROF values were averaged within each respondent to obtain respondent-level construct scores. Finally, these respondent-level construct values were aggregated across the relevant respondent groups to derive the criterion-level and alternative-level summaries used in the fuzzy analysis.
Table A3. Item grouping and aggregation logic used in construct-level analysis.

| Construct | Item Codes Included | Number of Items | Aggregation Logic |
|---|---|---|---|
| Awareness/Threat Recognition (AW) | AW1–AW4 | 4 | Item-level q-ROF values were averaged within each respondent and then aggregated across respondents. |
| Perceived Relevance (PR) | PR1–PR4 | 4 | Same as above |
| Self-Efficacy (SE) | SE1–SE4 | 4 | Same as above |
| Awareness Climate (CL) | CL1–CL4 | 4 | Same as above |
| Cyber Fatigue (CF) | CF1–CF4 | 4 | Same as above |
| Secure Behavior Readiness (SB) | SB1–SB4 | 4 | Same as above |

Note. Construct-level fuzzy values were first obtained at the respondent level and then used to derive both criterion-level and alternative-level summaries. In the q-ROF-MARCOS stage, Cyber Fatigue (CF) was treated as a cost-oriented criterion, whereas the remaining constructs were treated as benefit-oriented criteria.
After construct-level aggregation, the q-ROF-SWARA procedure was used to determine the relative importance of the six Cyber Awareness-to-Action dimensions. The procedure transformed the aggregated fuzzy construct scores into a criterion priority structure. Table A4 summarizes the main stages of the weighting procedure.
Table A4. Summary of the q-ROF-SWARA procedure used for criterion weighting.

| Step | Procedure | Explanation in This Study |
|---|---|---|
| 1 | Definition of criteria | Six criteria were used: AW, PR, SE, CL, CF, and SB. |
| 2 | q-ROF representation | Linguistic survey responses were converted into q-rung orthopair fuzzy values. |
| 3 | Construct aggregation | Item-level fuzzy values were aggregated into construct-level scores. |
| 4 | Criterion ordering | Criteria were ordered according to their aggregated q-ROF scores. |
| 5 | Comparative importance calculation | Each criterion was compared with the previous criterion in the ordered sequence. |
| 6 | SWARA coefficient calculation | Comparative importance values were transformed into stepwise coefficients. |
| 7 | Preliminary weight calculation | Initial relative weights were calculated recursively. |
| 8 | Normalization | Final criterion weights were normalized so that their total equaled one. |
| 9 | Transfer to ranking stage | The normalized criterion weights were used as inputs in the q-ROF-MARCOS analysis. |

The q-ROF-MARCOS procedure was then used to rank the employee-group alternatives according to their weighted performance under the six criteria. The alternatives were defined according to work mode: on-site employees, hybrid employees, and remote employees. Table A5 summarizes the ranking procedure.
Table A5. Summary of the q-ROF-MARCOS procedure used for alternative ranking.

| Step | Procedure | Explanation in This Study |
|---|---|---|
| 1 | Definition of alternatives | Three alternatives were evaluated: on-site, hybrid, and remote employees. |
| 2 | Decision matrix construction | Each alternative was evaluated under the six criteria using aggregated q-ROF values. |
| 3 | Criterion direction assignment | AW, PR, SE, CL, and SB were treated as benefit criteria; CF was treated as a cost criterion. |
| 4 | Ideal and anti-ideal solutions | Best and worst reference values were determined for each criterion. |
| 5 | Extended decision matrix | The ideal and anti-ideal solutions were added to the decision matrix. |
| 6 | Normalization | Criterion values were normalized to ensure comparability across alternatives. |
| 7 | Weighted normalization | Normalized values were multiplied by the q-ROF-SWARA criterion weights. |
| 8 | Utility calculation | Each alternative’s utility degree was calculated relative to the ideal and anti-ideal solutions. |
| 9 | Final ranking | Alternatives were ranked according to their final utility scores. |

Overall, Appendix A.3 clarifies how the survey data were transformed into construct-level fuzzy values and how these values were subsequently used in the weighting and ranking stages. This structure supports methodological transparency while avoiding repetition in the main methodology section.
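The conversion scheme of Appendix A.2 and the aggregation and weighting steps of Appendix A.3 (Table A4, steps 6 to 8), written out as an added Python example that is not the authors' code. It assumes that "averaged" means the arithmetic mean of item-level scores; the function names and the sample responses are constructed for illustration.

```python
from statistics import mean

Q = 3  # q-rung parameter stated in Appendix A.2

# Table A2: Likert code -> (membership mu, non-membership nu)
SCALE = {
    1: (0.05, 0.98), 2: (0.20, 0.90), 3: (0.35, 0.75), 4: (0.50, 0.60),
    5: (0.65, 0.40), 6: (0.80, 0.25), 7: (0.95, 0.10),
}
CONSTRUCTS = ("AW", "PR", "SE", "CL", "CF", "SB")  # four items each (Table A3)


def to_qrof(code, q=Q):
    """Return (mu, nu, pi, score) for one Likert response."""
    if code not in SCALE:
        raise ValueError(f"response {code!r} is outside the 7-point scale")
    mu, nu = SCALE[code]
    slack = 1.0 - mu**q - nu**q
    if slack < 0:  # q-rung orthopair condition mu^q + nu^q <= 1 violated
        raise ValueError(f"({mu}, {nu}) is not admissible for q={q}")
    return mu, nu, slack ** (1.0 / q), mu**q - nu**q


def construct_scores(respondent):
    """Average the four item-level scores of each construct for one respondent.

    Assumption: plain arithmetic mean of the item scores mu^q - nu^q.
    """
    scores = {}
    for c in CONSTRUCTS:
        items = [f"{c}{i}" for i in range(1, 5)]
        missing = [i for i in items if i not in respondent]
        if missing:  # incomplete questionnaires must not be silently averaged
            raise ValueError(f"missing items: {missing}")
        scores[c] = mean(to_qrof(respondent[i])[3] for i in items)
    return scores


def aggregate(respondents):
    """Aggregate respondent-level construct scores across a respondent group."""
    per_respondent = [construct_scores(r) for r in respondents]
    return {c: mean(p[c] for p in per_respondent) for c in CONSTRUCTS}


def swara_weights(s):
    """Table A4 steps 6-8, given comparative importance values s in rank order.

    Returns (k, prelim, w): coefficients k_j = s_j + 1, preliminary weights
    q_j = q_(j-1) / k_j, and weights normalized to sum to one.
    """
    if not s or s[0] != 0:
        raise ValueError("the top-ranked criterion must have s = 0")
    k = [sj + 1.0 for sj in s]
    prelim = [1.0]
    for kj in k[1:]:
        prelim.append(prelim[-1] / kj)
    total = sum(prelim)
    return k, prelim, [p / total for p in prelim]


def constant_respondent(code):
    """Constructed helper: a respondent giving the same answer to all 24 items."""
    return {f"{c}{i}": code for c in CONSTRUCTS for i in range(1, 5)}


# Constructed sample responses, not study data.
SAMPLE = [constant_respondent(4), constant_respondent(6)]
SAMPLE[0]["AW1"] = 7

if __name__ == "__main__":
    for code in SCALE:
        mu, nu, pi, score = to_qrof(code)
        print(code, mu, nu, round(pi, 4), round(score, 4))
    print(aggregate(SAMPLE))
    # The second s value is the one reported in Table 12; the rest are constructed.
    print(swara_weights([0.0, 0.4304, 0.10, 0.05, 0.20, 0.02]))
```

With the two comparative importance values reported in Table 12 (0.0000 and 0.4304), `swara_weights` reproduces the table's coefficient 1.4304 and preliminary weight 0.6991.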

Appendix A.4. Supplementary Data Preparation and Modeling Assumptions

This appendix provides a concise summary of the main data handling and analytical assumptions used in the study. It complements the supporting dataset file and clarifies how the final analysis-ready structure was obtained.
Table A6. Supplementary data preparation and modeling assumptions.

| Analytical Element | Rule or Assumption Applied | Purpose |
|---|---|---|
| Target group | White-collar employees in the banking and finance sector | To maintain a consistent sectoral context |
| Final valid sample | 580 responses | To provide the empirical basis for fuzzy aggregation, weighting, and ranking |
| Response format | 7-point linguistic scale | To capture subjective and gradational employee judgments |
| Construct structure | 6 constructs, 24 items | To operationalize the Cyber Awareness-to-Action framework |
| Work-mode alternatives | A1 = On-site, A2 = Hybrid, A3 = Remote | To enable within-sector comparison |
| Criterion type in MARCOS | AW, PR, SE, CL, SB = benefit; CF = cost | To reflect the conceptual direction of each criterion |
| Criterion weighting method | q-ROF-SWARA | To derive relative importance under uncertainty |
| Alternative ranking method | q-ROF-MARCOS | To evaluate alternatives relative to ideal and anti-ideal conditions |
| Fuzzy environment | q-rung orthopair fuzzy set with $q = 3$ | To preserve uncertainty, non-membership, and hesitancy |
| Supporting file | Dataset submitted separately as supplementary material | To improve transparency and replicability |

Note. The appendices provide the instrument, coding, conversion, and modeling structure necessary to interpret the study, while the complete dataset is supplied separately as a supporting file.

Appendix A.5. Supplementary Comparison by Prior Cybersecurity Training

This appendix provides an additional comparison based on prior cybersecurity training, as suggested by the reviewer. The analysis uses the same six Cyber Awareness-to-Action criteria and the same criterion weights as the main analysis. It is reported as a supplementary finding because work mode remains the primary alternative structure of the study, whereas training status provides an additional view of how existing cybersecurity training is associated with awareness-to-action performance.
Table A7. Supplementary aggregated fuzzy scores by prior cybersecurity training.

| Training-Based Alternative | N | AW | PR | SE | CL | CF | SB |
|---|---|---|---|---|---|---|---|
| With prior cybersecurity training (T1) | 393 | 0.025 | −0.070 | −0.042 | −0.065 | −0.078 | −0.087 |
| Without prior cybersecurity training (T2) | 187 | −0.039 | −0.069 | −0.020 | −0.042 | −0.070 | −0.052 |

Note. AW = awareness/threat recognition; PR = perceived relevance; SE = self-efficacy; CL = awareness climate; CF = cyber fatigue; SB = secure behavior readiness. AW, PR, SE, CL, and SB are benefit-oriented criteria, whereas CF is a cost-oriented criterion; therefore, the most favorable CF profile is the lowest numerical score.
Table A8. Criterion-level performance pattern by prior cybersecurity training.

| Criterion | Criterion Type | Best-Performing Alternative | Supplementary Pattern |
|---|---|---|---|
| AW—Awareness/threat recognition | Benefit | T1—With prior training | The trained group has the higher AW score, indicating stronger threat-recognition performance. |
| PR—Perceived relevance | Benefit | T2—Without prior training | The untrained group has a marginally higher PR score; the difference is very small. |
| SE—Self-efficacy | Benefit | T2—Without prior training | The untrained group reports stronger self-efficacy. |
| CL—Awareness climate | Benefit | T2—Without prior training | The untrained group reports a more favorable awareness-climate score. |
| CF—Cyber fatigue | Cost | T1—With prior training | The trained group has the most favorable fatigue profile because it has the lowest numerical CF score. |
| SB—Secure behavior readiness | Benefit | T2—Without prior training | The untrained group reports stronger secure behavior readiness. |

Note. For benefit criteria, the best-performing alternative is the group with the highest numerical score. For cyber fatigue, which is a cost criterion, the best-performing alternative is the group with the lowest numerical score.
Table A9. Supplementary weighted performance ranking by prior cybersecurity training.

| Rank | Training-Based Alternative | N | Centered Weighted Score | Interpretation |
|---|---|---|---|---|
| 1 | T2—Without prior training | 187 | −0.0234 | Slightly stronger overall weighted profile |
| 2 | T1—With prior training | 393 | −0.0248 | Very close but mixed weighted profile |

Note. The centered weighted score was calculated using the normalized criterion weights from the main q-ROF-SWARA analysis. Higher values indicate more favorable overall performance. Because cyber fatigue is a cost criterion, its sign was reversed before weighted aggregation.
The supplementary comparison indicates a mixed and partly counterintuitive training-related pattern. Employees with prior cybersecurity training show stronger threat recognition and a more favorable cyber fatigue profile, whereas employees without prior training report higher self-efficacy, awareness climate, and secure behavior readiness. This result should not be interpreted as evidence that training is ineffective. Because the analysis is based on self-reported, cross-sectional, and non-experimental data, causal claims cannot be made. Alternative explanations are possible. A self-selection effect may exist if more confident employees are less likely to participate in voluntary training, while less confident employees are more likely to attend or be assigned to training. A calibration effect may also occur if training increases employees’ awareness of cybersecurity complexity and personal knowledge gaps, leading trained employees to provide more conservative self-assessments. Therefore, the finding should be treated as exploratory and used to guide future evaluation of training quality, behavioral transfer, and confidence-building outcomes.

References

  1. Parsons, K.; McCormac, A.; Butavicius, M.; Pattinson, M.; Jerram, C. Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Comput. Secur. 2014, 42, 165–176.
  2. Bishop, L.M.; Asquith, P.M.; Morgan, P.L. The employee cybersecurity awareness framework. Hum. Behav. Emerg. Technol. 2025, 2025, 1025045.
  3. Ünsal, N.Ö.; Ocak, M.A. Development of Organizational Cybersecurity Awareness Scale (OCAS). Hacet. Üniv. Eğitim Fak. Derg. 2026, 41, 136–155.
  4. Li, L.; He, W.; Xu, L.; Ash, I.; Anwar, M.; Yuan, X. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf. Manag. 2019, 45, 13–24.
  5. Reeves, A.; Calic, D.; Delfabbro, P. Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE Open 2021, 11, 21582440211000049.
  6. Reeves, A.; Calic, D.; Delfabbro, P. “Generic and unusable” 1: Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Comput. Secur. 2023, 128, 103137.
  7. Johnston, A.C.; Warkentin, M. Fear appeals and information security behaviors: An empirical study. MIS Q. 2010, 34, 549–566.
  8. Li, W.; Liu, R.; Sun, L.; Guo, Z.; Gao, J. An investigation of employees’ intention to comply with information security system: A mixed approach based on regression analysis and fsQCA. Int. J. Environ. Res. Public Health 2022, 19, 16038.
  9. Kessler, S.R.; Pindek, S.; Kleinman, G.; Andel, S.A.; Spector, P.E. Information security climate and the assessment of information security risk among healthcare employees. Health Inform. J. 2020, 26, 461–473.
  10. Yager, R.R.; Alajlan, N. Approximate reasoning with generalized orthopair fuzzy sets. Inf. Fusion 2017, 38, 65–73.
  11. Peng, X.; Luo, Z. A review of q-rung orthopair fuzzy information: Bibliometrics and future directions. Artif. Intell. Rev. 2021, 54, 3361–3430.
  12. Kruger, H.A.; Kearney, W.D. A prototype for assessing information security awareness. Comput. Secur. 2006, 25, 289–296.
  13. Siponen, M.; Mahmood, M.A.; Pahnila, S. Employees’ adherence to information security policies: An exploratory field study. Inf. Manag. 2014, 51, 217–224.
  14. Grassegger, T.; Nedbal, D. The role of employees’ information security awareness on the intention to resist social engineering. Procedia Comput. Sci. 2021, 181, 59–66.
  15. Alsharida, R.A.; Al-rimy, B.A.S.; Al-Emran, M.; Zainal, A. A systematic review of multi-perspectives on human cybersecurity behavior. Technol. Soc. 2023, 73, 102258.
  16. Djotaroeno, M.; Beulen, E. Information security awareness in the insurance sector: Cognitive and internal factors and combined recommendations. Information 2024, 15, 505.
  17. Hoong, Y.; Rezania, D. Navigating cybersecurity governance: The influence of opportunity structures in socio-technical transitions for small and medium enterprises. Comput. Secur. 2024, 142, 103852.
  18. Khando, K.; Gao, S.; Islam, S.M.; Salman, A. Enhancing employees’ information security awareness in private and public organisations: A systematic literature review. Comput. Secur. 2021, 106, 102267.
  19. McCormac, A.; Zwaans, T.; Parsons, K.; Calic, D.; Butavicius, M.; Pattinson, M. Individual differences and information security awareness. Comput. Hum. Behav. 2017, 69, 151–156.
  20. Ojala, A.L.; Sipola, T.; Saharinen, K. Cybersecurity awareness and hygiene development in Finnish vocational education: Staff perceptions, training gaps and diverse learning pathways. Inf. Comput. Secur. 2026, 34, 66–85.
  21. Prümmer, J.; van Steen, T.; van den Berg, B. Assessing the effect of cybersecurity training on end-users: A meta-analysis. Comput. Secur. 2025, 150, 104206.
  22. Przymus, Z.; Małagocka, K.; Przybyszewski, K. The human factor in cybersecurity: From risk profiles to resilience. Procedia Comput. Sci. 2024, 246, 1437–1445.
  23. Alrawhani, E.M.; Romli, A.; Al-Sharafi, M.A. Evaluating the role of protection motivation theory in information security policy compliance: Insights from the banking sector using PLS-SEM approach. J. Open Innov. Technol. Mark. Complex. 2025, 11, 100463.
  24. Mizrak, F.; Demirel, H.G.; Yaşar, O.; Karakaya, T. Digital detox: Exploring the impact of cybersecurity fatigue on employee productivity and mental health. Discov. Ment. Health 2025, 5, 25.
  25. Hong, Y.; Furnell, S. Understanding cybersecurity behavioral habits: Insights from situational support. J. Inf. Secur. Appl. 2021, 57, 102710.
  26. Weickert, T.D.; Joinson, A.; Craggs, B. Is cybersecurity research missing a trick? Integrating insights from the psychology of habit into research and practice. Comput. Secur. 2023, 128, 103130.
  27. Baltuttis, D.; Teubner, T.; Adam, M.T. A typology of cybersecurity behavior among knowledge workers. Comput. Secur. 2024, 140, 103741.
  28. Colabianchi, S.; Costantino, F.; Nonino, F.; Palombi, G. Transforming threats into opportunities: The role of human factors in enhancing cybersecurity. J. Innov. Knowl. 2025, 10, 100695.
  29. Sutton, A.; Tompson, L. Towards a cybersecurity culture-behaviour framework: A rapid evidence review. Comput. Secur. 2025, 148, 104110.
  30. van Steen, T. Developing a behavioural cybersecurity strategy: A five-step approach for organisations. Comput. Stand. Interfaces 2025, 92, 103939.
  31. Li, Q. A novel Likert scale based on fuzzy sets theory. Expert Syst. Appl. 2013, 40, 1609–1618.
  32. D’Urso, P.; Gil, M.Á. Fuzzy data analysis and classification: Special issue in memoriam of Professor Lotfi A. Zadeh, father of fuzzy logic. Adv. Data Anal. Classif. 2017, 11, 645–657.
  33. Ali, M.I. Another view on q-rung orthopair fuzzy sets. Int. J. Intell. Syst. 2018, 33, 2139–2153.
  34. Joshi, B.P.; Singh, A.; Bhatt, P.K.; Vaisla, K.S. Interval-valued q-rung orthopair fuzzy sets and their properties. J. Intell. Fuzzy Syst. 2018, 35, 5225–5230.
  35. Attaullah; Ashraf, S.; Rehman, N.; Khan, A. q-Rung orthopair probabilistic hesitant fuzzy rough aggregation information and their application in decision making. Int. J. Fuzzy Syst. 2023, 25, 2067–2080.
  36. Zhao, Z.; Li, D.; Wang, J. Quasirung orthopair fuzzy linguistic sets and their aggregation operators. Sci. Rep. 2024, 14, 76112.
  37. Tokede, O. Application of intuitionistic fuzzy set in social life cycle impact assessment of a public building project. Int. J. Life Cycle Assess. 2025, 30, 1055–1077.
  38. Egelman, S.; Harbach, M.; Peer, E. Behavior ever follows intention? A validation of the Security Behavior Intentions Scale (SeBIS). In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems, San Jose, CA, USA, 7–12 May 2016; pp. 5257–5261.
  39. Chanda, R.C.; Vafaei-Zadeh, A.; Hanifah, H.; Nikbin, D. Assessing cybersecurity awareness among bank employees: A multi-stage analytical approach using PLS-SEM, ANN, and fsQCA in a developing country context. Comput. Secur. 2025, 149, 104208.
  40. Zadeh, L.A. Fuzzy sets. Inf. Control 1965, 8, 338–353.
  41. Atanassov, K.T. Intuitionistic fuzzy sets. Fuzzy Sets Syst. 1986, 20, 87–96.
  42. Yager, R.R. Pythagorean fuzzy subsets. In Proceedings of the 2013 Joint IFSA World Congress and NAFIPS Annual Meeting (IFSA/NAFIPS), Edmonton, AB, Canada, 24–28 June 2013; pp. 57–61.
  43. Yager, R.R. Generalized orthopair fuzzy sets. IEEE Trans. Fuzzy Syst. 2017, 25, 1222–1230.
  44. Keršuliene, V.; Zavadskas, E.K.; Turskis, Z. Selection of rational dispute resolution method by applying new step-wise weight assessment ratio analysis (SWARA). J. Bus. Econ. Manag. 2010, 11, 243–258.
  45. Stević, Ž.; Pamučar, D.; Puška, A.; Chatterjee, P. Sustainable supplier selection in healthcare industries using a new MCDM method: Measurement of Alternatives and Ranking according to COmpromise Solution (MARCOS). Comput. Ind. Eng. 2020, 140, 106231.
Figure 1. Integrated Cyber Awareness-to-Action framework. Solid lines indicate the main awareness-to-action pathway, while dashed lines represent supporting or contextual influences that shape the conversion of cyber awareness into secure behavior.
Figure 2. Research workflow of the study. Arrows indicate the sequential stages of the research process, while dotted lines represent supporting or iterative links between the conceptual framework, data transformation, and fuzzy MCDM analysis.
Figure 3. Heatmap of aggregated fuzzy scores across alternatives and criteria.
Figure 4. Final criterion weights of the Cyber Awareness-to-Action dimensions.
Figure 5. Utility scores of work-mode alternatives.
Figure 6. Combined radar chart of work-mode profiles across the six criteria.
Table 2. Descriptive profile of respondents.

| Variable | Category/Statistic | Frequency | Percentage |
|---|---|---|---|
| Gender | Male | 302 | 52.1 |
| | Female | 278 | 47.9 |
| Position | Employee | 344 | 59.3 |
| | Manager | 176 | 30.3 |
| | Senior Manager | 60 | 10.3 |
| Work mode | On-site | 242 | 41.7 |
| | Hybrid | 237 | 40.9 |
| | Remote | 101 | 17.4 |
| Prior cybersecurity training | Yes | 393 | 67.8 |
| | No | 187 | 32.2 |
| Age | Mean (SD) | 40.80 (8.94) | |
| | Min–Max | 22–59 | |
| Work experience (years) | Mean (SD) | 19.34 (8.31) | |
| | Min–Max | 1–29 | |
| Total sample | N | 580 | 100.0 |

Note. The sample consists entirely of white-collar employees from the banking and finance sector. Percentages may not sum exactly to 100 due to rounding.
Table 3. Survey dimensions, sources, and sample items.
Table 3. Survey dimensions, sources, and sample items.
DimensionPurposeMain Source(s)Sample Item(s)
Awareness/threat recognitionIdentify employees’ ability to recognize cyber threats and risky situationsÜnsal and Ocak [3]; Parsons et al. [1]“I can recognize a suspicious email or phishing attempt.”/“I am aware of common cybersecurity risks in my daily work.”
Perceived relevanceAssess how personally important cybersecurity threats are to employeesJohnston and Warkentin [7]; Li et al. [8]“Cybersecurity threats can directly affect my work performance.”/“Ignoring cybersecurity risks may have serious consequences for my organization.”
Self-efficacyMeasure confidence in performing secure actionsJohnston and Warkentin [7]; Li et al. [8]“I feel confident in my ability to follow cybersecurity policies correctly.”/“I can respond appropriately when I encounter a cyber threat.”
Awareness climateMeasure the extent to which cybersecurity is embedded in organizational cultureKessler et al. [9]“Cybersecurity is taken seriously in my organization.”/“Employees are encouraged to follow secure digital practices.”
Cyber fatigueCapture overload and disengagement caused by repeated security demandsReeves et al. [5,6]“I feel overwhelmed by repeated cybersecurity warnings.”/“Cybersecurity training is often too repetitive or not useful.”
Secure behavior readinessAssess readiness to engage in secure actionsEgelman et al. [38]; Siponen et al. [13]“I follow cybersecurity rules even under time pressure.”/“I am willing to report suspicious activities immediately.”
Table 4. Seven-point linguistic scale and q-ROF design.
Table 4. Seven-point linguistic scale and q-ROF design.
Likert CodeLinguistic TermMembership (μ)Non-Membership (ν)Hesitancy (π)
1Very Low0.050.980.3886
2Low0.200.900.6407
3Slightly Low0.350.750.8119
4Moderate0.500.600.8702
5Slightly High0.650.400.8713
6High0.800.250.7788
7Very High0.950.100.5213
Table 5. Criteria and alternatives used in the evaluation framework.
Table 5. Criteria and alternatives used in the evaluation framework.
CodeElementDescriptionSupporting Source(s)
C1Awareness/threat recognitionAbility to recognize cyber risks, suspicious situations, and secure practicesParsons et al. [1]; Ünsal and Ocak [3]
C2Perceived relevanceExtent to which cyber threats are seen as important and relevant to one’s workJohnston and Warkentin [7]; Li et al. [8]
C3Self-efficacyConfidence in responding securely and applying protective actions correctlyJohnston and Warkentin [7]; Li et al. [8]
C4Awareness climateOrganizational environment in which cybersecurity is supported and emphasizedKessler et al. [9]
C5Cyber fatigueFatigue, overload, or disengagement caused by repeated cybersecurity demandsReeves et al. [5,6]
C6Secure behavior readinessReadiness and willingness to engage in secure cyber behaviorEgelman et al. [38]; Siponen et al. [13]; Li et al. [4]
A1On-site employeesEmployees working mainly at the physical workplaceDefined within the scope of this study
A2Hybrid employeesEmployees working partly on-site and partly remotelyDefined within the scope of this study
A3Remote employeesEmployees working mainly in remote settingsDefined within the scope of this study
Table 6. Comparison of fuzzy environments and the rationale for q-ROFS adoption.
Table 6. Comparison of fuzzy environments and the rationale for q-ROFS adoption.
Fuzzy EnvironmentMain ComponentsConstraintStrengthLimitationKey Source(s)
Classical fuzzy setMembership only ( μ ) 0 μ 1 Simple representation of gradual belongingDoes not model non-membership or hesitation explicitlyZadeh [40]
Intuitionistic fuzzy setMembership ( μ ) , non-membership ( ν ) μ + ν 1 Captures support and opposition togetherConstraint is relatively restrictive for hesitant judgmentsAtanassov [41]
Pythagorean fuzzy setMembership ( μ ) , non-membership ( ν ) μ 2 + ν 2 1 More flexible than intuitionistic fuzzy setsStill less adaptable than q-rung forms for complex evaluationsYager [42]
q-Rung orthopair fuzzy setMembership ( μ ) , non-membership ( ν ) , hesitancy ( π ) μ q + ν q 1 Provides the widest and most flexible space for uncertain and hesitant judgmentsRequires an explicit choice of the q parameterYager [43]
Table 7. Notation used in the q-rung orthopair fuzzy environment.
Table 7. Notation used in the q-rung orthopair fuzzy environment.
SymbolMeaningInterpretation in This Study
x Element of the universeA survey evaluation or linguistic response under analysis
A q-rung orthopair fuzzy setThe fuzzy representation of employee judgments
μ A ( x ) Membership degreeExtent to which the response supports a given assessment
ν A ( x ) Non-membership degreeExtent to which the response does not support a given assessment
π A ( x ) Hesitancy degreeRemaining uncertainty in the response
q q-rung parameterFlexibility level of the fuzzy environment; set to 3 in this study
μ A ( x ) q + ν A ( x ) q 1 q-rung orthopair conditionEnsures logical admissibility of the fuzzy evaluation
π A ( x ) = ( 1 μ A ( x ) q ν A ( x ) q ) 1 / q Hesitancy formulaComputes the uncertainty level associated with each linguistic response
Table 8. Reliability and convergent validity results.

| Construct | Number of Items | Cronbach’s Alpha | Composite Reliability | AVE | Factor Loading Range |
|---|---|---|---|---|---|
| Threat recognition/awareness | 5 | 0.867 | 0.867 | 0.566 | 0.722–0.774 |
| Perceived relevance | 5 | 0.844 | 0.844 | 0.520 | 0.691–0.747 |
| Self-efficacy | 5 | 0.899 | 0.899 | 0.641 | 0.774–0.816 |
| Awareness climate | 6 | 0.876 | 0.876 | 0.541 | 0.718–0.763 |
| Cyber fatigue | 5 | 0.867 | 0.867 | 0.566 | 0.728–0.762 |
| Secure behavior readiness | 6 | 0.893 | 0.893 | 0.582 | 0.718–0.793 |

Table 9. Fornell–Larcker discriminant validity matrix.

| Construct | AW | PR | SE | CL | CF | SB |
|---|---|---|---|---|---|---|
| AW | 0.752 | 0.244 | 0.235 | 0.246 | −0.112 | 0.212 |
| PR | 0.244 | 0.721 | 0.221 | 0.262 | −0.074 | 0.211 |
| SE | 0.235 | 0.221 | 0.801 | 0.251 | −0.081 | 0.272 |
| CL | 0.246 | 0.262 | 0.251 | 0.735 | −0.147 | 0.271 |
| CF | −0.112 | −0.074 | −0.081 | −0.147 | 0.752 | −0.134 |
| SB | 0.212 | 0.211 | 0.272 | 0.271 | −0.134 | 0.763 |

Abbreviations: AW = Threat recognition/awareness; PR = Perceived relevance; SE = Self-efficacy; CL = Awareness climate; CF = Cyber fatigue; SB = Secure behavior readiness.
Table 10. Aggregated fuzzy scores by criterion.

| Criterion | Mean Membership (μ) | Mean Non-Membership (ν) | Mean Hesitancy (π) | Mean Score |
|---|---|---|---|---|
| Awareness/threat recognition (AW) | 0.545 | 0.528 | 0.768 | 0.004 |
| Perceived relevance (PR) | 0.508 | 0.568 | 0.766 | −0.070 |
| Self-efficacy (SE) | 0.524 | 0.550 | 0.757 | −0.035 |
| Awareness climate (CL) | 0.513 | 0.560 | 0.758 | −0.057 |
| Cyber fatigue (CF) | 0.505 | 0.570 | 0.761 | −0.075 |
| Secure behavior readiness (SB) | 0.504 | 0.570 | 0.754 | −0.076 |

Table 11. Aggregated fuzzy decision matrix by alternative and criterion.

| Alternative | AW | PR | SE | CL | CF | SB |
|---|---|---|---|---|---|---|
| On-site employees (A1) | 0.032 | −0.075 | −0.039 | −0.087 | −0.081 | −0.062 |
| Hybrid employees (A2) | −0.014 | −0.063 | −0.084 | −0.037 | −0.077 | −0.162 |
| Remote employees (A3) | −0.019 | −0.073 | 0.090 | −0.034 | −0.059 | 0.095 |

Note. AW = awareness/threat recognition; PR = perceived relevance; SE = self-efficacy; CL = awareness climate; CF = cyber fatigue; SB = secure behavior readiness. For CF, lower numerical scores indicate more favorable performance because cyber fatigue is treated as a cost-oriented criterion.
Table 12. q-ROF-SWARA weighting results.

| Rank | Criterion | Mean Score | Comparative Importance ($s_j$) | Coefficient ($k_j$) | Preliminary Weight ($q_j$) | Normalized Weight ($w_j$) |
|---|---|---|---|---|---|---|
| 1 | SE—Self-efficacy | −0.0553 | 0.0000 | 1.0000 | 1.0000 | 0.2486 |
| 2 | AW—Awareness/threat recognition | −0.0791 | 0.4304 | 1.4304 | 0.6991 | 0.1738 |
| 3 | CL—Awareness climate | −0.0812 | 0.0265 | 1.0265 | 0.6810 | 0.1693 |
| 4 | CF—Cyber fatigue | −0.0888 | 0.0936 | 1.0936 | 0.6227 | 0.1548 |
| 5 | PR—Perceived relevance | −0.1060 | 0.1937 | 1.1937 | 0.5217 | 0.1297 |
| 6 | SB—Secure behavior readiness | −0.1111 | 0.0481 | 1.0481 | 0.4977 | 0.1237 |

Note. $G_j$ denotes the aggregated criterion score after q-ROF transformation and score conversion. The comparative importance coefficient was calculated as $s_j = \lvert G_{j-1} - G_j \rvert / \lvert G_{j-1} \rvert$ for $j = 2, 3, \ldots, n$, while the first-ranked criterion has $s_1 = 0$ because it has no preceding criterion. The SWARA coefficient was calculated as $k_j = 1 + s_j$, with $k_1 = 1$. Preliminary weights were calculated recursively as $q_j = q_{j-1} / k_j$, with $q_1 = 1$, and normalized weights were obtained as $w_j = q_j / \sum_{j=1}^{n} q_j$. AW = awareness/threat recognition; PR = perceived relevance; SE = self-efficacy; CL = awareness climate; CF = cyber fatigue; SB = secure behavior readiness.
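The recursion described in the note to Table 12, as an added example (not the authors' code): it recomputes the comparative importance, coefficient, preliminary weight and normalized weight from the Mean Score column and compares the result with the reported normalized weights. It assumes the comparative importance is the absolute relative difference between consecutive scores, which is the reading that reproduces the printed values; the function and variable names are illustrative.

```python
# Added example: recompute the SWARA columns of Table 12 from its Mean Score column.
# Mean scores G_j copied from Table 12, already in rank order.
TABLE_12_SCORES = [
    ("SE", -0.0553), ("AW", -0.0791), ("CL", -0.0812),
    ("CF", -0.0888), ("PR", -0.1060), ("SB", -0.1111),
]
# Normalized weights w_j as reported in Table 12.
REPORTED_WEIGHTS = {"SE": 0.2486, "AW": 0.1738, "CL": 0.1693,
                    "CF": 0.1548, "PR": 0.1297, "SB": 0.1237}


def swara_weights(ranked_scores):
    """Return one row per criterion with s_j, k_j, q_j and w_j.

    Assumption: s_j is the absolute relative difference between consecutive
    scores, the reading that reproduces the values printed in Table 12.
    """
    if not ranked_scores:
        raise ValueError("at least one criterion is required")
    rows, prev_score, prev_q = [], None, None
    for name, score in ranked_scores:
        if prev_score is None:
            s = 0.0                      # first-ranked criterion: s_1 = 0
        elif prev_score == 0:
            raise ValueError("relative difference undefined for a zero score")
        else:
            s = abs(prev_score - score) / abs(prev_score)
        k = 1.0 + s                      # k_j = 1 + s_j
        q = 1.0 if prev_q is None else prev_q / k   # q_j = q_{j-1} / k_j
        rows.append({"criterion": name, "s": s, "k": k, "q": q})
        prev_score, prev_q = score, q
    total = sum(row["q"] for row in rows)
    for row in rows:
        row["w"] = row["q"] / total      # w_j = q_j / sum of all q_j
    return rows


def max_deviation(rows, reported):
    """Largest absolute gap between recomputed and reported weights."""
    return max(abs(row["w"] - reported[row["criterion"]]) for row in rows)


if __name__ == "__main__":
    result = swara_weights(TABLE_12_SCORES)
    for row in result:
        print(f'{row["criterion"]}: s={row["s"]:.4f} k={row["k"]:.4f} '
              f'q={row["q"]:.4f} w={row["w"]:.4f}')
    print(f"max deviation from Table 12: {max_deviation(result, REPORTED_WEIGHTS):.5f}")
```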
Table 13. Criterion-level performance pattern of the alternatives before final ranking.

| Criterion | Criterion Type | Best-Performing Alternative | Empirical Pattern |
|---|---|---|---|
| AW—Awareness/threat recognition | Benefit | A1—On-site employees | On-site employees show the most favorable score in recognizing cyber risks and suspicious situations. |
| PR—Perceived relevance | Benefit | A2—Hybrid employees | Hybrid employees report the strongest perceived relevance of cybersecurity to their work. |
| SE—Self-efficacy | Benefit | A3—Remote employees | Remote employees achieve the strongest score in confidence to respond securely. |
| CL—Awareness climate | Benefit | A3—Remote employees | Remote employees display the most favorable awareness-climate score. |
| CF—Cyber fatigue | Cost | A1—On-site employees | On-site employees show the most favorable fatigue profile because they have the lowest numerical CF score. |
| SB—Secure behavior readiness | Benefit | A3—Remote employees | Remote employees perform better in secure behavior readiness. |

Note. AW = awareness/threat recognition; PR = perceived relevance; SE = self-efficacy; CL = awareness climate; CF = cyber fatigue; SB = secure behavior readiness. Benefit criteria are interpreted by higher numerical scores, whereas CF is a cost criterion and is interpreted by the lowest numerical score.
Table 14. q-ROF-MARCOS ranking results.

| Rank | Alternative | Description | Utility Score | Performance Interpretation |
|---|---|---|---|---|
| 1 | A3 | Remote employees | 0.684 | Strongest performance |
| 2 | A1 | On-site employees | 0.661 | Moderate performance |
| 3 | A2 | Hybrid employees | 0.642 | Weakest performance |

Note. A1 = on-site employees; A2 = hybrid employees; A3 = remote employees. Higher utility scores indicate stronger overall performance in the q-ROF-MARCOS ranking.
Table 15. Sensitivity analysis of q-ROF-MARCOS rankings under alternative q-rung parameters.

| Alternative | q = 2 Utility | q = 2 Rank | q = 3 Utility | q = 3 Rank | q = 4 Utility | q = 4 Rank |
|---|---|---|---|---|---|---|
| A1—On-site employees | 0.653 | 3 | 0.661 | 2 | 0.663 | 2 |
| A2—Hybrid employees | 0.656 | 2 | 0.642 | 3 | 0.639 | 3 |
| A3—Remote employees | 0.679 | 1 | 0.684 | 1 | 0.687 | 1 |

Note. A1 = on-site employees; A2 = hybrid employees; A3 = remote employees. The q = 3 scenario corresponds to the base model reported in Table 15. Higher utility scores indicate stronger overall performance. Because the utility values are close, the results should be interpreted as relative prioritization rather than strong practical separation.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
