Exploring Determinants of Information Security Systems Adoption in Saudi Arabian SMEs: An Integrated Multitheoretical Model

Abstract

High cybersecurity risks and attacks cause information theft, unauthorized access to data and information, reputational damage, and financial loss in small and medium enterprises (SMEs). This creates a need to adopt information security systems of SMEs through innovation and compliance with information security policies. This study seeks to develop an integrated research model assessing the adoption of InfoSec systems in SMEs based on three existing theories, namely the technology acceptance model (TAM), theory of reasoned action (TRA), and unified theory of acceptance and use of technology (UTAUT). A thorough review of literature identified prior experience, enjoyment of new InfoSec technology, top management support, IT infrastructure, security training, legal-governmental regulations, and attitude as potential determinants of adoption of InfoSec systems. A self-developed and self-administered questionnaire was distributed to 418 employees, mid-level managers, and top-level managers working in SMEs operating in Riyadh, Saudi Arabia. The study found that prior experience, top management support, IT infrastructure, security training, and legal-governmental regulations have a positive impact on attitude toward InfoSec systems, which in turn positively influences the adoption of InfoSec systems. Gender, education, and occupation significantly moderated the impact of some determinants on attitude and, consequently, adoption of InfoSec systems. Such an integrated framework offers actionable insights and recommendations, including enhancing information security awareness and compliance with information security policies, as well as increasing profitability within SMEs. The study findings make considerable theoretical contributions to the development of knowledge and deliver practical contributions towards the status of SMEs in Saudi Arabia.

1. Introduction

The continuous innovation in technology and the emerging development of artificial intelligence (AI) put significant pressure on current information security (InfoSec) systems. It calls for advanced InfoSec systems that would prevent the misuse, leakage, and risk of hacking of personal and financial information of businesses and individuals [1]. In particular, business organizations are heavily investing in InfoSec technologies to secure, process, and transmit their most sensitive information, making the development of advanced information security measures essential to prevent asset loss, reputational damage, and financial loss [2]. Modern automated InfoSec systems offer a low possibility of accidents and hardware failures and provide a high level of data reliability, better protection of information, better control of physical access to equipment and networks, and better measures of software authentication and user identification [3]. As a result, businesses face a low risk of virus penetration, information theft, and reduced efficiency of computers [3]. Considering that information system security threats continue to pose a significant challenge for both individuals and organizations [4], there is still a strong need to evaluate the means to improve attitudes toward and adoption of InfoSec systems.

The global cybersecurity market size was valued at USD 193.73 billion in 2024 and is expected to grow from USD 218.98 billion in 2025 to USD 562.77 billion by 2032 [5]. The industry-specific adoption rate of advanced security technologies revealed that the most targeted cybersecurity industries were healthcare organizations (with an adoption rate of 70%), finance and banking (85%), manufacturing (41%), retail and e-commerce (60%), and education (55%) [6,7]. The increasing risks of phishing, ransomware, and other cybercrimes forces 100% organizations in all these sectors to plan the adoption of information security systems within their organization [6,7]. The global cost of cybercrimes was projected to reach approximately USD 10.55 trillion by 2025 and expected to grow further in the coming years, reaching unprecedented levels by 2031 [8]. Considering its importance and significant growth, the current market statistics further intensified the need to assess the adoption of InfoSec systems, as well as the determinants influencing such adoption in the current market situation.

Despite the presence of precise awareness of InfoSec policies, employees in Saudi firms lack security awareness and create five possible risk scenarios, namely the lack of security policies, personal information leakage from the website, the risk of damage to the CEO’s device, lack of employees’ outsourcing awareness, and employees’ conflict and overlap in tasks [9]. Employees in the Saudi government perceive InfoSec awareness as a means to protect against risks linked to InfoSec misconduct, unauthorized access, disruption, disclosure, modification, or destruction—InfoSec compliance [10]. To gain InfoSec awareness, training activities should be institutionalized as mandatory and regular, and formal evaluation methods should be conducted to assess awareness levels and extract feedback for the redesign and continuous improvement of InfoSec awareness training interventions [10]. Another study in Saudi Arabia [11] highlighted severe security risks, including data leakage, financial damages (of 6.52 million in 2020), copyright infringement, identity theft, phishing, and piracy, which are all linked to a low level of awareness among people in Saudi Arabia. Another study of FinTech service companies in Saudi Arabia [12] highlighted cybersecurity risks, data privacy concerns, and a lack of awareness as the primary challenges in the adoption of FinTech services in their daily financial activities. Considering these risks and challenges, it is essential to create information security awareness practices in SMEs operating in Saudi Arabia.

The precise awareness of InfoSec policy enables large organizations and SME firms to prevent potential security threats and information leakage [9]. With the rising demand for digitalization since COVID-19, confidentiality, integrity, and availability of information and data have become crucial for protecting sensitive information and securing the digitalization of products and services [13,14]. As a result, users value services and a relationship built on trust, which leads to a better company reputation [9]. Furthermore, it is also critical to secure firms from financial loss, lawsuits, and reputational damage caused by unprotected information and unsecured digital products and services [2]. In corporate sectors, there is a strong need to educate employees about these policies and train them onsite to apply best InfoSec practices, which might enable them to identify and prevent potential security risks [15]. The situation further escalates with the increasing number of cyber incidents and overwhelming skills shortage, which highlights a knowledge gap between the information security expertise of the workforce and the industrial needs of large corporations [16].

The current study seeks to develop an integrated model representing the determinants influencing information security (InfoSec) systems in Saudi Arabia. InfoSec systems primarily focus on protecting a firm’s assets from potential threats and vulnerabilities [17]. These systems face a challenge to prevent unauthorized access to sensitive information and safeguard computing resources from malicious activities [18]. When an organization faces InfoSec security threats, its employees are likely to be affected [19]. If employees are aware of the security risks in cyberspace and the policies and procedures that companies have put in place, they are more likely to adopt the InfoSec systems and become more competent in managing cybersecurity tasks [20]. Several confounding determinants, including innovation or technology characteristics (i.e., perceived usefulness, perceived ease of use, compatibility, complexity, and perceived gain), organizational factors (i.e., top management support and organizational readiness), and external factors (i.e., external pressures and visibility), would assist in the adoption of InfoSec systems [21]. This study further refines the determinants influencing the adoption of InfoSec systems with a thorough review of three technological models, with a prime focus on employees’ perception, attitudes, and other behavioral/cognitive perspectives. Hence, considering the ongoing security concerns in Saudi organizations, it would be crucial to develop an integrated model representing the determinants influencing the adoption of InfoSec systems in Saudi Arabia.

2. Literature Review and Development of an Integrated Research Model

2.1. InfoSec Systems in SMEs

Considering their significance in economic development, small and medium enterprises (SMEs) have intensified the growth and business competitiveness through strategic positioning in the global market [22]. Information security (InfoSec) systems assist SMEs in preventing threats from attackers, spammers, and criminal organizations when they become involved in e-commerce or even in information communication technology (ICT) [22]. Past literature focused on SMEs in the Middle East highlighted that one in five SMEs had experienced cyberattacks in their first five years, and only around 56% of SMEs are aware of cybersecurity needs [23]. SMEs hold a blind spot for information security and cybersecurity management. The firms still need to incorporate confidentiality, privacy, integrity, and availability into the valuable resources of data and information under ISO-27001:2013 [24]. The worsening situation can only be mitigated through the implementation of several advanced IS systems that are tailored to the needs and risks of cyberattacks in the current market. To implement new rules from ISO-27001:2013, Yigit Ozkan et al. [25] also proposed an adaptive information security model that is tailored to the organizational characteristics of SMEs in particular. The study advocated that the model creates a base of common or shared knowledge in SMEs and covers the cost of implementing InfoSec capabilities for SMEs with scarce resources [25]. Similarly, Antunes et al. [26] presented a generic and web-integrated auditing information system that SMEs would employ to meet the requirements as per ISO-27001:2013 and NIST Cybersecurity framework, as well as ISO-27009 [26]. The implementation of these technologies would increase the effectiveness of cybersecurity risk management and make companies less vulnerable to cybersecurity threats [27].

The development of InfoSec systems is often based on mature cybersecurity standard frameworks that provide several updated cybersecurity controls, which, if implemented, save SMEs from financial and reputational damage [23]. However, only a small proportion of SMEs adopted these frameworks, including ISO 27001 (23%), GDPR (10%), and NIST Cybersecurity Framework (CSF) (8%). Furthermore, a recent study identified that SMEs have the highest self-efficacy in using strong and secure passwords, but the lowest self-efficacy in keeping mobile devices safe and in phishing avoidance [28]. Currently, SMEs have low cybersecurity resilience [27]. In addition, the high number of cybersecurity breaches in Saudi SMEs highlighted a gap in corporate security policies and actual security practices, as well as a poor understanding of how InfoSec practices, controls, and measures can be implemented in these firms [29]. Literature on assessing InfoSec systems in SMEs should be a major concern in academic research. At the same time, practitioners should continue implementing an integrated model for improving risk awareness among SMEs.

2.2. Adoption of InfoSec System

The concept of technology adoption has changed over time, with the usage of technology [30,31,32]. Recently, in Unified Theory of Acceptance and Use of Technology (UTAUT), the adoption of a technology can be referred to as the user’s actual use of any information system after the realization of that information system [33]. In particular, InfoSec solutions have been diffused into the organizational security management practices and cover both ‘adoption’ and ‘assimilation’ of ICT [34]. Here, adoption means the intention or likelihood of adoption of an information security management system [34].

With the increasing cybersecurity threats, the adoption of InfoSec systems become a necessity to reduce disruptions in daily business operations and to avoid negative financial and reputational effects [21]. SMEs spend millions of dollars to acquire InfoSec systems [35], but lack successful implementation due to the lack of awareness and positive attitudes from employees and managers [36]. Antunes et al. [24] highlighted that the cybersecurity risks can be mitigated with the adoption of InfoSec auditing processes and their continuous improvement, as well as training and certification of SMEs’ collaborators. The effective training of employees can reduce security risks and threats to information and data assets, and enhance their awareness of monitoring the latest security threats, which in turn promotes security-compliant behaviors [37]. Previous studies revealed that enhancing information security culture in organizations is unattainable without intensive and sufficient security training for all employees at all different levels of the organization [38]. Conducting regular security training programs is essential for developing a security culture and adopting information security systems. To mitigate the risks, SMEs should focus on educating and training their employees, as the successful implementation of cybersecurity systems and security policies is highly dependent on their behavior and actions [20].

2.3. Theoretical Framework and Development of the Integrated Model Adoption of InfoSec Systems

The integrated research model was developed and adopted by combining three theories: the Theory of Reasoned Action (TRA), the Technology Acceptance Model (TAM), and the Unified Theory of Acceptance and Use of Technology (UTAUT). SMEs are characterized by resource constraints, less formalized structures, and often a reactive rather than strategic approach to cybersecurity. These established technology adoption theories individually offer valuable but partial insights into this complex phenomenon. Hence, it is essential to develop an integrated model that investigates the determinants of InfoSec systems in the unique context of SMEs.

The TRA provides the foundation by showing how a person’s beliefs and attitudes shape behavioral intentions that lead to actual technology usage behavior [39,40]. In particular, the TRA theory holds that an individual’s volitional behavior is directly determined by their behavioral intention, which in turn is shaped by their attitude toward the behavior and subjective norms [39,40]. To ensure compliance in response to cybersecurity threats and vulnerabilities, understanding the formative role of internal attitude becomes paramount, especially when top-level management lacks top-down enforcement. Hence, our integrated model adopts attitude as the central mediating psychological state, the pivotal link through which other factors ultimately influence adoption behavior.

Building on the TRA, the TAM introduces perceived usefulness and perceived ease of use as two primary antecedents of attitude [41]. In particular, the TAM explains how people evaluate the effort and benefits of using new technologies and systems [41]. Both constructs, i.e., perceived usefulness and perceived ease of use, are packed together in ‘enjoyment of new InfoSec technology’ that measures productivity enhancement through utilitarian evaluation (H₃). Prior experience is also added to our integrated model as it defines the ways through which InfoSec systems can be enjoyable but still monitored (H₂). In addition to the identification of specific, context-relevant beliefs, the TAM informs our integrated model’s focus on the critical pathway from beliefs and perceptions to attitude toward adoption of InfoSec systems in SMEs.

The UTAUT expands and extends these theories by adding social influence and facilitating conditions, which highlight the importance of organizational and environmental support for the adoption of InfoSec systems [42]. Here, social influence (the degree to which an individual perceives that others believe they should use the system) and facilitating conditions (the degree to which an individual believes that an organizational and technical infrastructure exists to support system use) are added to our integrated model, as they are exceptionally pertinent to SMEs. In our integrated model, social influence is captured through the construct of Top Management Support, a critical resource allocation and cultural signaling mechanism in smaller, flatter organizations (H₄). Facilitating conditions are operationalized as IT Infrastructure (H₅) and Security Training (H₆), directly addressing the common resource and knowledge gaps that hinder technology implementation in SMEs. Furthermore, the UTAUT’s explicit incorporation of moderating variables (gender, age, experience, and voluntariness) provides a direct theoretical basis for our inclusion of demographic factors (Gender, Age, Education, and Occupation) to test for heterogeneous effects within the SME workforce, leading to specific moderation hypotheses (H₁₀–H₁₃).

Following Baskerville [43] and Siponen and Willison [44], the integrated model was further molded to the organizational characteristics of SMEs to include people and processes in order to design secure and usable work systems. By focusing on people and processes, following Granić [45], the study identified a set of variables that could influence the attitude and, consequently, adoption of InfoSec systems, each of which is explained subsequently. While each theory is informative, applying them in isolation presents limitations for the SME InfoSec context. TRA and TAM are often critiqued for their individual-level focus, underemphasizing the organizational and environmental constraints that are defining features of the SME landscape. The UTAUT, while broader, does not explicitly account for factors like prior hands-on experience with security incidents (H₂) or the coercive pressure of external regulations (H₇), which are highly salient in the cybersecurity domain. Therefore, theoretical integration is necessary to overcome these individual limitations and provide a more complete explanation.

Overall, this integrated model offers a parsimonious yet comprehensive framework. It preserves the core psychological mechanism (attitude-to-behavior) from the TRA/TAM while enriching it with the organizational, resource-based, and environmental dimensions from the UTAUT, all tailored to address the salient challenges and drivers of InfoSec adoption in Saudi Arabian SMEs. The resultant hypotheses are structured as follows: the direct determinants of Attitude (H₂–H₇) and its effect on Adoption (H₁); the mediating role of Attitude (H_8a–f); and the moderating effects of demographic factors (H_10a–g through H_13a–g).

2.4. From Attitude Towards InfoSec Systems to Adoption of InfoSec Systems

Attitude refers to a positive or negative evaluation of one’s behavior and emotions towards the adoption of new systems and technologies [46]. Similarly to artificial intelligence (AI) [47] and mobile wallets [48], employees’ attitudes toward InfoSec systems can considerably influence the adoption of InfoSec systems. According to the TRA theory, attitude toward technology is the first step of technology adoption, and is influenced by various factors [45]. The Innovation Diffusion Theory (IDT) suggests that adoption is a choice to make full use of technology innovation as the best possible outcome available [49]. At the individual level, the successful adoption lies in the perception of having a new or innovative idea, product, or behavior [45]. A limited literature assessed the relationship between attitude towards and adoption of InfoSec systems in SMEs. However, reflecting on the employees’ feelings and behavioral change, a similar study [50] explained that the attitude is necessary for improving the adoption of electronic systems, which together assure the tax compliance in small business enterprises of an African developing economy. Hence, the study proposed that employees’ favorable attitudes can translate into sustainable adoption of InfoSec systems, or in other words:

H₁. 

Attitude towards InfoSec systems positively influences the adoption of InfoSec systems in Saudi SMEs.

2.5. Determinants Influencing Attitudes Toward InfoSec Systems

As explained by the TRA theory [45], the attitude toward technology, or in this case, InfoSec systems, is influenced by several other determinants and, consequently, affected adoption of InfoSec systems.

2.5.1. Prior Experience

Employees’ prior experience is defined as direct and hands-on involvement with the system [51]. From the technological aspect, experience can improve the accuracy of information search and the ability to revisit the information and engage in repeated behaviors [52]. The TRA theory states that subjective norms and beliefs, influenced by past experiences and perceptions, shape attitude, which in turn drives experiences [39]. The present study proposes that employees’ prior experience of handling and addressing InfoSec risks and incidents greatly shapes their attitudes toward the adoption of InfoSec systems. Prior experience creates a difference in beliefs and attitudes between inexperienced and experienced users within an organization, whereby inexperienced users might feel stressed out during their first exposure to technology [53]. Hence, experienced users or employees can identify or handle cybersecurity risks or threats more efficiently and, thus, perceive a positive perception or verify the advantage of adoption of the InfoSec system [53]. Hence, the study proposed the following:

H₂. 

Prior experience positively influences attitude towards InfoSec systems in Saudi SMEs.

2.5.2. Enjoyment of New InfoSec Technology

Enjoyment of new technology in the UTAUT is referred to as the users’ expectation that using a technology is enjoyable, or in other words, interesting and fun [42]. In the context of information security systems, enjoyment is referred to as the extent to which InfoSec technologies, systems, policies, and procedures are enjoyable and satisfactory according to the needs and demands of individuals working in SMEs. Enjoyment acts as an intrinsic motivation that triggers emotional arousal [54]. Such motivation and anticipated enjoyment assist the employees in reducing resistance and positively accepting InfoSec technologies [55]. Past literature revealed that users are driven by hedonic motivations when interacting with technology [56]. Hedonic motivation creates trust toward the technology [57,58], which is essential to create valuable benefits like fun, particularly when consumers interact with IS technologies [59]. The TAM theory also stated that enjoyment is an essential predictor of technology adoption [41]. Like all other modern technologies, such as voice-activated assistants [59], enjoyment has a positive influence on employees’ attitude to use of the technology. Hence, the study proposed the following:

H₃. 

Enjoyment of new InfoSec technology positively influences the attitude towards InfoSec systems in Saudi SMEs.

2.5.3. Top Management Support

Top management support is referred to as the extent to which top management actively supports the systems by establishing clear and adaptable organizational policies [60]. Adoption of InfoSec systems is a strategic decision made by top managers. They play a key role in allocating resources for adoption, integrating new processes in existing practices and procedures, and re-engineering business processes [61]. Top management actively takes InfoSec initiatives by allocating resources, periodically assesses InfoSec policies, and evaluates and controls strategic plans to successfully implement digital transformation in SMEs [62]. Past literature highlighted that top management shows a lack of support when it comes to InfoSec security risks [63]. To mitigate this issue, support from top management can boost IS policy compliance, as their beliefs over InfoSec-related issues significantly influence employees’ attitudes toward InfoSec policy compliance [64]. Top management is responsible for driving the firm’s decision-making and designing the firm’s strategy to control the environment, to manage risks relating to the confidentiality, integrity, and availability of information, and its supporting processes and systems [64,65]. Top management support creates a strong InfoSec culture in the organization to ensure that employees feel important and safe to adopt InfoSec technologies and systems [66]. It is also essential to achieve financial and managerial strategic objectives, i.e., to maximize profits and comply with the policies within SMEs [67]. Ultimately, both organizational culture and strategic objectives influence employees’ attitudes towards the adoption of InfoSec systems [68]. Hence, the study proposed the following:

H₄. 

Top management support positively influences the attitude towards InfoSec systems in Saudi SMEs.

2.5.4. IT Infrastructure

IT infrastructure refers to the hardware and software components that support the operational and information management needs of a business [69]. To avoid InfoSec risks, the firm’s security infrastructure needs to be characterized by integrity (remaining unchanged from the original state and maintaining unmodified and accurate at all costs), confidentiality (keeping all user information private or inaccessible to unauthorized personnel), and availability (accessibility of data to authorized personnel upon request) [70]. IT infrastructure reduces the gaps between the availability of information and the lack of awareness and knowledge of InfoSec systems. These gaps would create extensive problems, including a poor attitude of staff toward InfoSec compliance and adoption of InfoSec systems [71]. It enables SMEs to implement ISO 27001 standards and incorporate best practices for InfoSec management systems [71]. Innovation in the IT sector significantly improves the efficiency and productivity of employees in all sectors. However, severe security risks, including data leakage, financial losses, and even loss of life, create a need to develop InfoSec systems and practices to spread awareness and bring a positive attitude among employees [11]. Essentially, SMEs need basic IT infrastructure and continuous updates of specialized security tools and software to realize and eliminate these security threats [72]. Such integration and upgradation are tightly linked with users’ and systems’ reports of cyberattacks. Such reporting can only be possible when users show dedication to operate InfoSec systems in line with InfoSec practices within an organization [73]. Following the UTAUT theory, the availability of the right IT infrastructure can create facilitating conditions, which makes employees believe that they have organizational and technical support to use the system, leading to high potential of adoption [74]. Hence, the study proposed the following:

H₅. 

IT infrastructure positively influences the attitude towards InfoSec systems in Saudi SMEs.

2.5.5. Security Training

Security training is an instructional tool that aims to improve employees’ understanding of security policies and procedures, foster their thinking processes, and convince them to act appropriately [75]. Zwilling et al. [63] elaborated that cybersecurity training programs enhanced cybersecurity knowledge to create users’ exposure to cybersecurity protection tools, leading to a better attitude and behavior relating to cyber threats. Considering the severity of cybersecurity attacks, companies actively provide training concerning cybersecurity practices to their employees [20]. These training helps employees in gaining more experience with cybersecurity attacks, convincing them to take security as a personal responsibility, and report any suspicious situations [76]. Security training and information security awareness programs or techniques often employed by organizations include simulations, virtual labs, serious games, and themed awareness videos and modules [77]. Each techniques have their own limitations and usage in improving employee preparedness and decision-making skills when targeted with real attacks [78]. Training enables employees to adapt to changing conditions created by the external environment, such as the COVID-19 pandemic [79]. SMEs, in particular, design specialized security training to establish and maintain information security due to the mere existence of corporate security policies or the inefficiency of general security training [29]. Following UTAUT theory, training enables employees to create awareness that would be fruitful to help them understood about performance expectancy within their current title [80]. Hence, the study hypothesized the following:

H₆. 

Security training positively influences the attitude towards InfoSec systems in Saudi SMEs.

2.5.6. Legal-Governmental Regulations

Legal-governmental regulations are referred to as a set of established laws, regulations, and policies imposed by the government authorities that are necessary to protect an organization’s data and information, as well as ensure compliance with InfoSec policies [81]. Information Security Policies (ISP) set guidelines, standards, and best practices for InfoSec security that shape employees’ attitude and behavior towards InfoSec security [82]. From the legal and governmental perspectives, SMEs are required to follow the ISO/IEC 27001 standards to manage business risks, optimize problem-solving capacity, and maximize the output legitimacy of IT and InfoSec systems [83]. Malik et al. [84] also applied the technology-organization-environment (TOE) framework to determine the impact of the external environment on integrating technology within an organization. The study also highlighted that legal-governmental regulations can either prevent or support the adoption of new technology—blockchain technology (BCT) [85,86], reflecting the contracting findings in existing literature. Such modern technologies, particularly blockchain-empowered Internet of Things (IoT) platforms, can help firms follow laws, standards, and security requirements during the automation of InfoSec systems in several sectors [87]. Legislative rules on privacy and protection of information and data are crucial to create awareness, making them more efficient in identifying cybersecurity attacks and potential risks in real time [88]. Akai et al. [89] highlighted that new constructs like rules and regulations have recently surfaced under the UTAUT theory, the system theory, and the institutional theory to protect users from cybersecurity threats, thefts, and other vulnerabilities. Considering the legal requirements and organizational measures involving cybersecurity, the study proposed the following:

H₇. 

Legal-government regulations positively influence the attitude toward InfoSec systems in Saudi SMEs.

2.5.7. Mediating Role of Attitude

The integrated model posits attitude as the central mechanism through which the six identified determinants influence the actual adoption of InfoSec systems. This is consistent with the theoretical flow of TRA and TAM, where external and belief factors shape attitude, which in turn drives behavioral intention and use. In the context of mandatory technologies like security systems, employees’ final adoption behavior is less likely to be a direct, volitional act based solely on a single factor (e.g., training or regulations). Instead, these factors collectively cultivate a favorable or unfavorable disposition (attitude), which then translates into consistent usage patterns [45,50]. Therefore, the study proposed that the influence of the determinants on adoption is indirect, mediated by attitude. This leads to the following formal hypotheses:

H_8-a. 

Attitude towards InfoSec systems mediates the relationship between prior experience and the adoption of InfoSec systems.

H_8-b. 

Attitude towards InfoSec systems mediates the relationship between enjoyment of new InfoSec technology and the adoption of InfoSec systems.

H_8-c. 

Attitude towards InfoSec systems mediates the relationship between top management support and the adoption of InfoSec systems.

H_8-d. 

Attitude towards InfoSec systems mediates the relationship between IT infrastructure and the adoption of InfoSec systems.

H_8-e. 

Attitude towards InfoSec systems mediates the relationship between security training and the adoption of InfoSec systems.

H_8-f. 

Attitude towards InfoSec systems mediates the relationship between legal-governmental regulations and the adoption of InfoSec systems.

The integrated research model, summarizing the proposed relationships (H₁–H₈), is visually presented in Figure 1.

2.5.8. Moderation of Demographic Variables in Determinants Influencing Attitude Towards and Adoption of InfoSec Systems

The UTAUT model specified in the theoretical framework has integrated the demographic variables into the model. It specified gender, age, experience, and voluntariness of use as demographic variables that moderate the relationships of performance expectancy, effort expectancy, social influence, and facilitating conditions on behavioral intention [33,42]. Following the UTAUT, the present study also integrated the demographic factors, including gender, age, occupation (employees, mid-level managers, and high-level managers), and education as moderators into the model. Such integration allows for determining the effect of a variation in sociodemographic characteristics on InfoSec adoption and related behavior.

Past literature strongly supported the moderating role of gender in IT adoption and related behavior. Shahbaz et al. [90] highlighted that gender differences should be assessed for their impact on the adoption and implementation of IT—an essential part of life. Shaouf and Altaqqi [91] highlighted that men are more likely to purchase and give a positive evaluation of websites as compared to women. Anwar et al. [92] reported that gender can significantly impact the relationships between security self-efficacy, prior experience, computer skills, and cybersecurity beliefs and behavior of employees. Daengsi et al. [93] also reported that employees having high cybersecurity awareness have significantly reduced cybersecurity risks, and that such an impact is different across male and female employees. Hence, the study also proposed the following:

H_9-a. 

Gender moderates the relationship between prior experience and attitude toward InfoSec systems in Saudi SMEs.

H_9-b. 

Gender moderates the relationship between enjoyment of new InfoSec technology and attitude toward InfoSec systems in Saudi SMEs.

H_9-c. 

Gender moderates the relationship between top management support and attitude toward InfoSec systems in Saudi SMEs.

H_9-d. 

Gender moderates the relationship between IT infrastructure and attitude toward InfoSec systems in Saudi SMEs.

H_9-e. 

Gender moderates the relationship between security training and attitude toward InfoSec systems in Saudi SMEs.

H_9-f. 

Gender moderates the relationship between legal-governmental regulations and attitude toward InfoSec systems in Saudi SMEs.

H_9-g. 

Gender moderates the relationship between attitude toward and adoption of InfoSec systems in Saudi SMEs.

Past literature strongly supported the moderating role of age in IT adoption and related behavior. The UTAUT model also integrated the moderation of age in assessing the factors influencing behavioral intention and adoption of technology [42]. Young and elderly people can have different levels of technology awareness, experience, and practice with legal-governmental regulations [94,95,96]. Younger employees are more comfortable with and admire change linked with the adoption of advanced technology, while older employees tend to be less tech-savvy and more safety-conscious in using the new technology [97]. Hence, the study proposed the moderating role of age in determinants influencing attitude toward and adoption of InfoSec systems in Saudi SMEs, and hence hypothesized the following:

H_10-a. 

Age moderates the relationship between prior experience and attitude toward InfoSec systems in Saudi SMEs.

H_10-b. 

Age moderates the relationship between enjoyment of new InfoSec technology and attitude toward InfoSec systems in Saudi SMEs.

H_10-c. 

Age moderates the relationship between top management support and attitude toward InfoSec systems in Saudi SMEs.

H_10-d. 

Age moderates the relationship between IT infrastructure and attitude toward InfoSec systems in Saudi SMEs.

H_10-e. 

Age moderates the relationship between security training and attitude toward InfoSec systems in Saudi SMEs.

H_10-f. 

Age moderates the relationship between legal-governmental regulations and attitude toward InfoSec systems in Saudi SMEs.

H_10-g. 

Age moderates the relationship between attitude toward and adoption of InfoSec systems in Saudi SMEs.

Prior literature strongly supported the moderating role of occupation in IT adoption and related behavior. Chalwa and Joshi [98] argued that occupation is central to consumer attitude formation and technology adoption. Yildirim et al. [99] explained that InfoSec systems in SMEs combine a complicated process involving several factors, including education, technology, and human factors, which cannot necessarily be managed under one security model. Occupation can further intensify the relationship between security education and security behavior [100]. Trenerry et al. [101] reported that occupation moderated the relationship between peer and top management support and technology adoption. Acosta-Enriquez et al. [102] highlighted that attitudes toward the adoption and use of technology and its factors varied across different professional careers. Hence, the study proposed the moderating role of occupation in determinants influencing attitude toward and adoption of InfoSec systems in Saudi SMEs and, hence, hypothesized the following:

H_11-a. 

Occupation moderates the relationship between prior experience and attitude toward InfoSec systems in Saudi SMEs.

H_11-b. 

Occupation moderates the relationship between enjoyment of new InfoSec technology and attitude toward InfoSec systems in Saudi SMEs.

H_11-c. 

Occupation moderates the relationship between top management support and attitude toward InfoSec systems in Saudi SMEs.

H_11-d. 

Occupation moderates the relationship between IT infrastructure and attitude toward InfoSec systems in Saudi SMEs.

H_11-e. 

Occupation moderates the relationship between security training and attitude toward InfoSec systems in Saudi SMEs.

H_11-f. 

Occupation moderates the relationship between legal-governmental regulations and attitude toward InfoSec systems in Saudi SMEs.

H_11-g. 

Occupation moderates the relationship between attitude toward and adoption of InfoSec systems in Saudi SMEs.

Past literature strongly supported the moderating role of education in IT adoption and related behavior. Past literature revealed that higher education provides employees with the skills and knowledge needed to understand and implement effective InfoSec practices [103]. Higher levels of education create greater awareness of InfoSec systems and the potential risks associated with those systems [103]. Like other demographic variables, education is central to consumer attitude formation and behavioral intention toward technological adoption [98]. Education level also forms the cultural background of employees, which can influence their interactions with other technical and managerial variables to affect the attitude towards and adoption of AI applications [104]. Hence, the study proposed the moderating role of education in determinants influencing attitude toward and adoption of InfoSec systems in Saudi SMEs, and hence hypothesized the following:

H_12-a. 

Education moderates the relationship between prior experience and attitude toward InfoSec systems in Saudi SMEs.

H_12-b. 

Education moderates the relationship between enjoyment of new InfoSec technology and attitude toward InfoSec systems in Saudi SMEs.

H_12-c. 

Education moderates the relationship between top management support and attitude toward InfoSec systems in Saudi SMEs.

H_12-d. 

Education moderates the relationship between IT infrastructure and attitude toward InfoSec systems in Saudi SMEs.

H_12-e. 

Education moderates the relationship between security training and attitude toward InfoSec systems in Saudi SMEs.

H_12-f. 

Education moderates the relationship between legal-governmental regulations and attitude toward InfoSec systems in Saudi SMEs.

H_12-g. 

Education moderates the relationship between attitude toward and adoption of InfoSec systems in Saudi SMEs.

3. Materials and Methods

3.1. Research Design

The study employed an explanatory research design to explore determinants that influence attitude and adoption of InfoSec systems in SMEs. This allowed the researcher to assess the relationships between study variables and develop an integrated framework for the adoption of InfoSec systems in SMEs. The data was collected through a questionnaire at a single point in time, i.e., between 1 July 2025, and 10 September 2025.

3.2. Sampling

The study employed a purposive sampling technique to collect data from the employees, mid-level managers, and top-level managers working in SMEs located in Riyadh, Saudi Arabia, who were willing to participate in this study. Riyadh Province was selected for this study as it has the highest concentration of SMEs, with a total of 571,298 or 43.7% firms operating in the region, making it an economic and political hub for businesses in Saudi Arabia [105]. It is also the capital of Saudi Arabia and has more advanced technological infrastructure and more reliable internet connectivity [106]. This facilitated the efficient distribution of the online survey and enabled respondents to access and complete it with convenience and the least possible risk of internet-related issues [107].

The study primarily focused on employees, mid-level managers, and top-level managers who are directly responsible for making decisions regarding the adoption of InfoSec systems in their organizations. These individuals are directly involved in working on InfoSec systems to enhance their productivity and ensure the security of data and information stored on their computers. Hence, they understand what drives them to show a positive attitude toward InfoSec systems and a high willingness toward adoption of InfoSec systems within the organization.

3.3. Sample Size Estimation

The study estimated the sample size using G-Power [108]. The parameters of the linear multiple regression method with fixed model and R² deviation from zero were applied for the estimation of sample size: effect size (f²) = 0.04; alpha = 0.05; power = 0.88; and number of predictors = 6. This method gave a total sample size of 418 respondents.

3.4. Setting

An online survey was designed and published on the SurveyMonkey platform and distributed among employees, mid-level managers, top-level managers, and IS professionals working in SMEs located in Riyadh, Saudi Arabia. These SMEs were currently operating in telecommunication, car repairs and maintenance, construction and building materials, wholesale, retail trade, insurance, food and beverage, agriculture, and information technology (IT) sectors. The database of these SMEs was obtained from the official records of the Small and Medium Enterprises General Authority of Saudi Arabia, namely Monsha’at.

3.5. Research Instruments

The questionnaire consisted of two main sections. The first section comprised demographic characteristics, in which the respondents were asked about gender, age, education, and occupation. For gender in particular, the study covered only male and female populations, as transgender population has no legal protections for LGBTQ rights in Saudi Arabia [109]. For age groups, the study targeted adults above 20 years who are currently working in SMEs. For the education group, the study targeted all educational levels, starting from high school to Master’s level. Furthermore, for occupation, the study targeted all employees and employers, placing them in groups by their job descriptions, i.e., employees, mid-level managers, and top-level managers. The second section consisted of survey questions measuring all study variables, including prior experience (5 items), enjoyment of new InfoSec technology (5 items), top management support (5 items), IT infrastructure (5 items), security training (5 items), legal-governmental regulation (5 items), attitude towards InfoSec systems (5 items), and adoption of InfoSec systems (4 items). The survey questions relating to all study variables were selected and adopted based on an extensive literature review, particularly within the context of information security and cybersecurity, with a focus on prioritizing key determinants [75,110,111,112,113,114,115,116,117,118,119,120,121,122]. The questionnaire was thoroughly reviewed and approved by the Human Research Ethics Committee at Jazan University, a government-affiliated institution in the Ministry of Education of Saudi Arabia (Ref No. REC-46/06/1315). Additionally, ethical approval was obtained from the University of Canberra in Australia (Ref No. 202514325). This ensures that the survey does not contravene any existing security protocols or conflict with the policies and regulations governing SMEs in Saudi Arabia. All study variables were measured on a 5-point Likert scale, ranging from 1 (i.e., strongly disagree) to 5 (i.e., strongly agree). The data collection using SurveyMonkey enabled the researcher to distribute the survey in both English and Arabic. The operational definitions of all study variables, along with the source of adaptation of the measurement instrument for each variable, are represented in

Table 1. Operational definition of study variables.

Variables	Operational Definition	References
Prior Experience	Employees’ level of knowledge acquired from past experience in adopting the InfoSec system	Al-Rahmi et al. [123]; Li et al. [20]
Enjoyment of New InfoS Technology	Employees’ perception regarding convenience, enjoyment, pleasant experience, and engagement obtained from the adoption of InfoSec technology	Al-Adwan et al. [124]; Faqih and Jaradat [125]; Lee et al. [126]; Quezada et al. [127]; Shen et al. [128]
Top Management Support	Employees’ perception regarding the support, motivation, commitment to providing all resources, and awareness of the benefits that top management provides to them during their employment	Hsu et al. [129]; Lo et al. [130]; Zhang et al. [131]
IT Infrastructure	Employees’ perception regarding a shared collection of IT resources that supports organizational communication and enables current and future business applications	Chanopas et al. [132]
Security Training	An instructional tool and communication tool to activate employees’ thinking processes, persuade them to act appropriately, and enable them to gain a better understanding of security policies and procedures	Hu et al. [75]
Legal-Governmental Regulation	Employees’ perception of designing and implementing all necessary rules and regulations needed to control personnel and InfoSec systems within an organization	D’Arcy and Lowry [113]; David et al. [130]; Hong and Furnell [131]
Attitude towards InfoSec systems	Employees’ feelings, normative beliefs, and evaluations about InfoSec systems in terms of usefulness, usability, and effectiveness	Abdaljaleel et al. [132]; Rather [133]
Adoption of InfoSec systems	Frequency, time, level of usage of InfoSec systems, and level of usage of advanced features of InfoSec systems	Çallı [134]; Huang et al. [135]

, while the questionnaire is given in Appendix A.

3.6. Statistical Analysis

Descriptive statistics assessed the composition of respondents across different demographic characteristics and represented the average responses and variations in those responses given by the respondents. To determine the fit of data for covariance-based structural equation modeling (CB-SEM), normality of all items measuring the study variables was assessed using skewness and kurtosis, while the association between study variables was analyzed using Pearson’s correlation analysis. Exploratory factor analysis (EFA) was conducted to assess the factor structure of all study variables, while confirmatory factor analysis (CFA) was conducted to assess the reliability and validity of all study variables. Once achieved, CB-SEM analysis was conducted to assess the direct relationships between all study variables. Mediation analysis was also conducted to assess the mediating role of attitude toward InfoSec system in the relationship between independent variables, including prior experience, enjoyment of new InfoSec technology, top management support, IT infrastructure, security training, and legal-governmental regulation, and dependent variable, including adoption of InfoSec system. Moderation analysis was also conducted to assess the moderating role of gender, age, education, and occupation in the relationships between study variables. To assess moderation, the assumption of measurement invariance was assessed by comparing chi-square scores between unconstrained and fully constrained models for significant differences, and then each path was compared across groups of moderators to determine which paths were significantly different and hence moderated by a certain demographic factor. All analyses were conducted in SPSS v29 and SPSS AMOS v27.

3.7. Ethical Consideration

A pilot test of the questionnaire was conducted with a diverse group of 32 participants who reflected their literacy levels on the underlying topic. This process involved assessing statements for language complexity and identifying statements that might be misunderstood or misinterpreted by the respondents, leading to incorrect responses or non-responsiveness. This procedure was further strengthened by obtaining ethical approval from the Human Research Ethics Committee and the University of Canberra in Australia for questionnaire review and data collection. Such a process ensured the instrument’s reliability and validity as well as inclusivity and fairness in research participation. During the data collection, the respondents were informed about the scope and purpose of the research to ensure objectivity of the research. To maintain the fairness of the research, the respondents were asked for their voluntary participation and given the full right to leave the survey at any point in time. Furthermore, anonymity was maintained by avoiding all questions relating to personal information (e.g., name, email address, contact details, etc.). In addition, to maintain confidentiality, the collected data was stored in a password-protected computer, which was only accessible to the researcher. Lastly, the study followed a scientific approach of research by identifying the problem, assessing its background, developing a hypothesis, designing a questionnaire, collecting data, analyzing data, and presenting results to draw conclusions.

4. Results

4.1. Demographic Analysis

The study evaluated the demographic characteristics of the respondents using frequency distribution analysis. Results in

Table 2. Demographic statistics.

Characteristics	Categories	Frequency	Percentage
Gender	Male	175	41.9%
	Female	243	58.1%
Age	20–30 years	81	19.4%
	31–40 years	206	49.3%
	Over 41 years	131	31.3%
Education	High School	59	14.1%
	Diploma	77	18.4%
	Bachelor’s Degree	186	44.5%
	Master’s Degree or above	96	23.0%
Occupation	Employee	167	40.0%
	Mid-level Manager	130	31.1%
	Top-level Manager	121	28.9%

indicate that female respondents were in a higher proportion (58.1%) than male respondents (41.9%). Furthermore, half of the respondents were between 31 and 40 years (49.3%), followed by respondents aged over 41 years (31.3%) and respondents of the age group between 20 and 30 years (19.4%). In terms of education, the largest group of respondents holds a Bachelor’s degree (44.5%), while the second biggest group of respondents holds a Master’s degree or above (23.0%). Lastly, in terms of occupation, 40% of the respondents were working as employees, while the remaining respondents were equally distributed among mid-level managers (31.1%) and top-level managers (28.9%).

4.2. Descriptive Statistics

The study evaluated the average responses and variability in those responses using mean and standard deviation. Results indicated that on average, the respondents rated ‘disagree’ on all statements of the variables ‘enjoyment of new InfoSec technology’ (M = 1.73–1.83; SD = 0.838–0.895) and ‘IT infrastructure’ (M = 2.28–2.43; SD = 1.270–1.329), with low variability in the responses. Furthermore, on average, the respondents rated ‘neutral’ on the statements of the variables ‘prior experience’ (M = 2.88–2.93; SD = 0.952–1.010) and ‘security training’ (M = 2.43–2.50; SD = 0.968–1.022), with low variability in the responses. Lastly, on average, the respondents rated ‘agreed’ on all statements of the variables ‘top management support’ (M = 3.61–3.64; SD = 1.050–1.100), ‘legal-governmental regulations’ (M = 3.82–3.96; SD = 1.093–1.155), ‘attitude towards InfoSec systems’ (M = 4.37–4.45; SD = 0.674–0.685), and ‘adoption of InfoSec systems’ (M = 3.79–3.88; SD = 1.045–1.156).

The study also evaluated the normality of all items of the variability using skewness and kurtosis. All items of variables had skewness scores ranging between −1.249 and 1.057, which fell within the threshold level of ±2 as guided by Byrne [136] and Hair et al. [137]. Furthermore, all items of variables had kurtosis scores ranging between −1.266 and 1.941, which fell within the threshold level of ±7 as guided by Byrne [136] and Hair et al. [137]. Hence, the study achieved normality of study variables, and hence, covariance-based structural equation modeling (CB-SEM) analysis proceeded.

4.3. Exploratory Factor Analysis

Exploratory factor analysis identified the factor structure of all variable items by evaluating the underlying patterns of correlation and condensing them to a smaller, more manageable number of factors [138]. Here, the study applied the maximum likelihood method for the extraction of factors and promax with Kaiser normalization for rotation to achieve the optimal factor structure. Results in

Table 3. Exploratory factor analysis.

	Factor 1: Legal- Governmental Regulations	Factor 2: Top Management Support	Factor 3: IT Infrastructure	Factor 4: Prior Experience	Factor 5: Security Training	Factor 6: Enjoyment of New InfoSec Technology	Factor 7: Adoption of InfoSec Systems	Factor 8: Attitude Toward InfoSec Systems
ADPT.1							0.824
ADPT.2							0.859
ADPT.3							0.629
ADPT.4							0.698
ATT.1								0.695
ATT.2								0.747
ATT.3								0.792
ATT.4								0.782
ATT.5								0.758
TRN.1					0.761
TRN.2					0.830
TRN.3					0.796
TRN.4					0.690
TRN.5					0.731
PE.1				0.795
PE.2				0.806
PE.3				0.795
PE.4				0.762
PE.5				0.743
ENJ.1						0.676
ENJ.2						0.750
ENJ.3						0.782
ENJ.4						0.738
ENJ.5						0.623
TMS.1		0.818
TMS.2		0.826
TMS.3		0.836
TMS.4		0.803
TMS.5		0.784
ITI.1			0.842
ITI.2			0.784
ITI.3			0.843
ITI.4			0.767
ITI.5			0.848
G.REG.1	0.812
G.REG.2	0.841
G.REG.3	0.829
G.REG.4	0.825
G.REG.5	0.803

indicate that the Kaiser-Meyer-Olkin measure of sampling adequacy was computed to be 0.884, which fell within the threshold values between 0.80 and 0.90 [138,139,140]. Hence, the sample size was found to be adequate. Furthermore, Bartlett’s test of sphericity was also significant at 0.1% level (χ² (741) = 9547.651, p < 0.001), which suggested that all variables’ items were correlated enough to proceed with factor analysis [140]. Results from exploratory factor analysis in Table 3 identified a total of 8 factors among all 39 items of variables that had an eigenvalue higher than 1 (1.014–8.114). All items achieved a factor loading higher than the minimum threshold of 0.60 [137] and, hence, were considered applicable in the study. The construct’s measurements collectively yielded a total explained variance of 61.701%, which surpassed the minimum threshold of 60% [137] and, hence, achieved an acceptable level of total variance explained.

4.4. Pearson’s Correlation Analysis

Pearson’s correlation analysis assessed the associations between all study variables (

Table 4. Pearson’s correlation analysis.

			1	2	3	4	5	6	7	8
1	Prior Experience	r	1
		p-value
2	Enjoyment of New InfoSec Technology	r	−0.160 **	1
		p-value	0.001
3	Top Management Support	r	0.171 ***	−0.038	1
		p-value	<0.001	0.435
4	IT Infrastructure	r	0.264 ***	0.139 **	−0.299 ***	1
		p-value	<0.001	0.005	<0.001
5	Security Training	r	0.268 ***	0.128 **	−0.001	0.263 ***	1
		p-value	<0.001	0.009	0.987	<0.001
6	Legal-Governmental Regulations	r	0.326 ***	−0.222 ***	0.501 ***	−0.088	0.045	1
		p-value	<0.001	< 0.001	<0.001	0.072	0.361
7	Attitude toward InfoSec Systems	r	0.420 ***	−0.129 **	0.651 ***	0.057	0.171 ***	0.596 ***	1
		p-value	<0.001	0.008	<0.001	0.241	<0.001	<0.001
8	Adoption of InfoSec Systems	r	0.029	0.003	0.062	0.086	0.119 *	0.075	0.164 ***	1
		p-value	0.560	0.952	0.202	0.077	0.015	0.127	<0.001

* p < 0.05, ** p < 0.01, *** p < 0.001.

). Results indicated that all determinants, except for ‘IT infrastructure’, had a significant association with ‘attitude towards InfoSec systems’ (p < 0.05), while the variables ‘security training’ and ‘attitude towards InfoSec systems’ had a significant association with ‘adoption of InfoSec systems’ (p < 0.001). This indicated a possibility to explain the determinants influencing attitude toward and adoption of InfoSec systems. Furthermore, all independent variables had Pearson’s correlation scores lower than the maximum threshold of 0.80, as guided by Shrestha [141]. Hence, the study indicated a low level of collinearity among study variables. Multicollinearity was also assessed using the Variance Inflation Factor (VIF). Results indicated that all study variables had VIF scores between 1.138 and 1.516, which was less than the acceptable level of 5 [137,141]. Hence, the study found no concern of multicollinearity among the study variables.

4.5. Confirmatory Factor Analysis

Confirmatory factor analysis assessed the reliability and validity of the study variables as well as how well the model fits the data, i.e., goodness-of-fit indices. Firstly, upon assessment, the standardized factor loadings of all items of the study variables were found to be scored between 0.624 and 0.863 and, hence, were higher than the minimum threshold value of 0.60, as guided by Kline [142] (

Table 5. Mean, standard deviation, reliability, and convergent validity.

		Mean	Std. Deviation	SFL	α	CR	AVE
Prior Experience	PE.1	2.92	1.010	0.801	0.885	0.885	0.607
	PE.2	2.88	0.971	0.813
	PE.3	2.93	0.958	0.783
	PE.4	2.93	0.952	0.755
	PE.5	2.93	0.989	0.741
Enjoyment of New InfoSec Technology	ENJ.1	1.83	0.860	0.675	0.837	0.839	0.511
	ENJ.2	1.79	0.867	0.750
	ENJ.3	1.81	0.847	0.779
	ENJ.4	1.80	0.895	0.736
	ENJ.5	1.73	0.838	0.624
Top Management Support	TMS.1	3.64	1.100	0.812	0.907	0.907	0.661
	TMS.2	3.64	1.089	0.825
	TMS.3	3.62	1.051	0.834
	TMS.4	3.61	1.050	0.806
	TMS.5	3.61	1.056	0.788
Security Training	TRN.1	2.45	1.022	0.762	0.873	0.874	0.581
	TRN.2	2.46	1.015	0.826
	TRN.3	2.43	1.020	0.796
	TRN.4	2.50	0.968	0.693
	TRN.5	2.39	1.008	0.728
IT Infrastructure	ITI.1	2.28	1.286	0.844	0.908	0.909	0.666
	ITI.2	2.43	1.312	0.788
	ITI.3	2.39	1.270	0.833
	ITI.4	2.42	1.305	0.762
	ITI.5	2.33	1.329	0.850
Legal-Governmental Regulations	G.REG.1	3.89	1.117	0.802	0.912	0.912	0.675
	G.REG.2	3.93	1.093	0.830
	G.REG.3	3.82	1.155	0.834
	G.REG.4	3.87	1.106	0.827
	G.REG.5	3.96	1.104	0.815
Attitude toward InfoSec Systems	ATT.1	4.45	0.674	0.699	0.873	0.873	0.580
	ATT.2	4.37	0.685	0.752
	ATT.3	4.37	0.678	0.794
	ATT.4	4.44	0.677	0.780
	ATT.5	4.39	0.678	0.780
Adoption of InfoSec Systems	ADPT.1	3.80	1.156	0.812	0.840	0.841	0.574
	ADPT.2	3.79	1.126	0.863
	ADPT.3	3.84	1.080	0.631
	ADPT.4	3.88	1.045	0.702

). Secondly, reliability was assessed using Cronbach’s alpha (α) and composite reliability (CR). Cronbach’s alpha (α) of all study variables ranged from 0.837 to 0.912, while all variables had composite reliability (CR) scores ranging from 0.839 to 0.912. Both statistics had scores exceeding the minimum threshold level of 0.70, as guided by Hair et al. [143], indicating that reliability was achieved. Thirdly, convergent validity was assessed using average variances extracted (AVE). AVE of all study variables ranged from 0.511 to 0.675, which exceeded the minimum threshold level of 0.50, as guided by Hair et al. [143], indicating that convergent validity was achieved. Fourthly, discriminant validity was assessed using the Heterotrait-Monotrait (HTMT) criterion and the Fornell-Larcker criterion. All scores in the HTMT criterion were less than the threshold level of 0.85, as guided by Hair et al. [143] (see

Table 6. Discriminant validity—Heterotrait-Monotrait criterion.

		1	2	3	4	5	6	7	8
1	Attitude toward InfoSec Systems
2	Prior Experience	0.379
3	Top Management Support	0.606	0.153
4	Security Training	0.164	0.239	0.004
5	Legal-Governmental Regulations	0.739	0.293	0.460	0.044
6	IT Infrastructure	0.067	0.245	0.275	0.246	0.076
7	Adoption of InfoSec Systems	0.165	0.024	0.040	0.134	0.051	0.114
8	Enjoyment of New InfoSec Technology	0.120	0.145	0.049	0.116	0.210	0.120	0.004

), while the AVE scores were higher than the squared correlations between a particular construct and other constructs, as guided by Fornell and Larcker [144] (see

Table 7. Discriminant validity—Fornell-Larcker criterion.

		1	2	3	4	5	6	7	8
1	Enjoyment of New InfoSec Technology	0.715
2	Attitude toward InfoSec Systems	−0.114	0.762
3	Prior Experience	−0.142	0.381	0.779
4	Top Management Support	−0.032	0.601	0.155	0.813
5	Security Training	0.114	0.152	0.240	−0.001	0.762
6	Legal-Governmental Regulations	−0.199	0.738	0.297	0.461	0.040	0.822
7	IT Infrastructure	0.124	0.054	0.241	−0.277	0.238	−0.082	0.816
8	Adoption of InfoSec Systems	0.003	0.158	0.011	0.048	0.129	0.053	0.095	0.757

). Hence, discriminant validity was achieved. Fifthly, model fit was assessed using goodness-of-fit measures and found to be achieved, as χ²/df of 1.482 (<3), CFI of 0.964 (>0.90), GFI of 0.928 (>0.90), AGFI of 0.918 (>0.90), TLI of 0.961 (>0.90), SRMR of 0.037 (<0.08), and RMSEA of 0.034 (<0.08) achieved the respective threshold level, as guided by Hair et al. [143]. Hence, model fit was achieved.

4.6. Common Method Bias (CMB)

Harman’s one-factor test assessed common method bias (CMB), which exists when the amount of variance explained by a single factor is more than 50% [145]. The test results indicated that a single factor emerging from the covariances of all items explained only 19.109% of the variance, which was below the threshold level of 50%. Hence, the study established no concerns of common method bias, suggesting that the measurement model did not inflate or deflate the relationships between variables.

4.7. Path Analysis

Path analysis using covariance-based structural equation modeling (CB-SEM) was conducted to test the study hypotheses (

Table 8. Structural equation modeling—path analysis.

H	Path	Estimate	S.E.	C.R.	p-Value	Decision
H1	ATT → ADPT	0.222 ***	0.066	3.390 ***	***	Supported
H2	PE → ATT	0.069 ***	0.019	3.575 ***	***	Supported
H3	ENJ → ATT	−0.006	0.025	−0.241	0.810	Not Supported
H4	TMS → ATT	0.253 ***	0.018	14.297 ***	***	Supported
H5	ITI → ATT	0.086 ***	0.012	7.033 ***	***	Supported
H6	TRN → ATT	0.049 **	0.017	2.934 **	0.003	Supported
H7	G.REG → ATT	0.335 ***	0.016	20.475 ***	***	Supported

** p < 0.01, *** p < 0.001. Note: ATT = attitude towards InfoSec systems, ADPT = adoption of InfoSec systems, PE = prior experience, ENJ = enjoyment of new InfoSec technology, TMS = top management support, ITI = IT infrastructure, TRN = security training, G.REG = legal-governmental regulations.

; Figure 2). Before the analysis, model fit was assessed using goodness-of-fit measures and found to be achieved, as χ²/df of 1.722 (<3), CFI of 0.996 (>0.90), GFI of 0.994 (>0.90), AGFI of 0.964 (>0.90), TLI of 0.980 (>0.90), SRMR of 0.014 (<0.08), and RMSEA of 0.042 (<0.08) achieved the respective threshold level, as guided by Hair et al. [143]. Hence, model fit was achieved. Results from path analysis in Table 8 indicate that prior experience (β = 0.069, p < 0.001), top management support (β = 0.253, p < 0.001), IT infrastructure (β = 0.086, p < 0.001), security training (β = 0.09, p < 0.01), and legal-governmental regulations (β = 0.335, p < 0.001) have a significant positive association with attitude towards InfoSec systems. However, enjoyment of new InfoSec technology did not have a significant impact on attitude towards InfoSec systems (β = −0.006, p = 0.810). Furthermore, attitude towards InfoSec systems had a significant positive impact on adoption of InfoSec systems (β = 0.222, p < 0.001). Hence, hypotheses H₁, H₂, H₄, H₅, H₆, and H₇ were accepted. The coefficient of determination (R²) of 0.783 for attitude towards InfoSec systems and 0.051 for adoption of InfoSec systems suggested that five determinants, including prior experience, top management support, IT infrastructure, security training, and legal-governmental regulations, explained 78.3% of the variance in attitude towards InfoSec systems, while attitude towards InfoSec systems explained 5.1% variances in adoption of InfoSec systems. Furthermore, considering the beta values, total management support and legal-governmental regulations had a stronger impact on attitude. Comparatively, the impact of security training on attitude was very minimal, reflecting the limited influence of training alone on shaping employees’ attitudes toward InfoSec systems [146].

4.8. Mediation Analysis

Mediation analysis using indirect effects was conducted to assess the mediating role of attitude towards InfoSec systems in the relationship between six determinants, including prior experience, enjoyment of new InfoSec technology, top management support, IT infrastructure, security training, and legal-governmental regulations, and adoption of InfoSec systems (

Table 9. Mediation analysis.

H	Path	Estimate	S.E.	p-Value	Decision
H8_a	PE → ATT → ADPT	0.016 **	0.006	0.002	Supported
H8_b	ENJ → ATT → ADPT	−0.001	0.005	0.784	Not Supported
H8_c	TMS → ATT → ADPT	0.066 **	0.022	0.005	Supported
H8_d	ITI → ATT → ADPT	0.030 **	0.011	0.003	Supported
H8_e	TRN → ATT → ADPT	0.012 **	0.006	0.006	Supported
H8_f	G.REG → ATT → ADPT	0.094 **	0.031	0.005	Supported

** p < 0.01. ATT = attitude towards InfoSec systems, ADPT = adoption of InfoSec systems, PE = prior experience, ENJ = enjoyment of new InfoSec technology, TMS = top management support, ITI = IT infrastructure, TRN = security training, G.REG = legal-governmental regulations.

). Results indicated that attitude towards InfoSec systems significantly mediated the impact of prior experience, top management system, IT infrastructure, security training, and legal-governmental regulations on adoption of InfoSec systems (p < 0.001). However, attitude towards InfoSec systems did not significantly mediate the relationship between enjoyment and adoption of InfoSec systems (β = −0.001, p = 0.784). Hence, only hypotheses H_{8_a}, H_{8_c}, H_{8_d}, H_{8_e}, and H_{8_f} were accepted.

4.9. Moderation Analysis

Multiple-group analysis was conducted to examine the moderation of all four demographic variables (i.e., gender, age, education, and occupation) in the relationships between six determinants (i.e., prior experience, enjoyment of new InfoSec technology, top management support, IT infrastructure, security training, and legal-governmental regulations) and attitude towards InfoSec systems. For this purpose, groups were created based on the classification of the demographic variables (see Table 2), and respondents were assigned to those groups by specifying the ‘variable’ and its respective ‘value’ within the dataset. The chi-square difference test was performed to compare the chi-square scores of unconstrained and fully constrained models, and the significant differences indicate that the assumption of measurement invariance does not hold, and groups differ at the path level.

Firstly, the moderation of gender was assessed. The model showed an excellent fit, as all goodness-of-fit indices achieved the respective threshold level, as guided by Hair et al. [143] (χ²/df = 1.469, CFI = 0.994, GFI = 0.990, AGFI = 0.939, TLI = 0.994, SRMR = 0.015, RMSEA = 0.034). The chi-square differences testing identified a significant difference in chi-square values between the unconstrained and the fully constrained model (χ² = 66.681, df = 7, p < 0.001) and hence, suggested that groups differed at the path level. Upon constraining each path individually (

Table 10. Moderation analysis—gender.

H	Path	Male β (p-Value)	Female β (p-Value)	χ2 (p-Value)	Δχ2 (p-Value)	Decision
	Unconstraint Model			17.628 (0.127)
	Fully Constraint Model			84.309 *** (<0.001)	66.681 *** (<0.001)	Supported
H9_a	PE → ATT	0.138 *** (<0.001)	0.034 (0.083)	25.184 * (0.022)	7.556 ** (0.006)	Supported
H9_b	ENJ → ATT	0.037 (0.433)	−0.043 (0.075)	19.904 (0.908)	2.276 (0.131)	Not Supported
H9_c	TMS → ATT	0.344 *** (<0.001)	0.175 *** (<0.001)	41.142 *** (<0.001)	23.514 * (0.023)	Supported
H9_d	ITI → ATT	0.076 *** (<0.001)	0.078 *** (<0.001)	17.635 (0.172)	0.007 (0.933)	Not Supported
H9_e	TRN → ATT	0.060 * (0.046)	0.053 ** (0.002)	18.640 (0.135)	1.011 (0.315)	Not Supported
H9_f	G.REG → ATT	0.326 *** (<0.001)	0.274 *** (<0.001)	20.235 (0.090)	2.607 (0.106)	Not Supported
H9_g	ATT → ADPT	0.336 * (0.014)	0.274 ** (0.003)	−0.032 (0.806)	4.704 (0.095)	Not Supported

* p < 0.05, ** p < 0.01, *** p < 0.001. ATT = attitude towards InfoSec Systems, ADPT = adoption of InfoSec systems, PE = prior experience, ENJ = enjoyment of new InfoSec technology, TMS = top management support, ITI = IT infrastructure, TRN = security training, G.REG = legal-governmental regulations.

; Figure 3), results indicated that gender significantly moderated the relationships between prior experience and attitude towards InfoSec systems (Δχ² (1) = 7.556, p < 0.01) as well as between top management support and attitude towards InfoSec systems (Δχ² (1) = 23.514, p < 0.001). In terms of prior experience, the path estimate indicated that the impact of prior experience on attitude towards InfoSec systems was significant for male respondents only (Male: β = 0.138, p < 0.001; Female: β = 0.034, p = 0.083). In terms of top management support, the path estimate indicated that the impact of top management support on attitude towards InfoSec systems was stronger in the male group (β = 0.344, p < 0.001) as compared to the female group (β = 0.175, p < 0.001). Hence, hypotheses H_{9_a} and H_{9_c} were accepted.

Secondly, the moderation of age was assessed. The model showed an excellent fit, as all goodness-of-fit indices achieved the respective threshold level, as guided by Hair et al. [143] (χ²/df = 0.852, CFI = 0.996, GFI = 0.991, AGFI = 0.946, TLI = 0.994, SRMR = 0.017, RMSEA = 0.003). The chi-square differences testing did not identify any significant difference in chi-square values between the unconstrained and the fully constrained model (χ² = 21.883, df = 14, p = 0.081), and hence, groups did not differ at the path level. As supported by the path analysis across age groups (

Table 11. Moderation analysis—age.

H	Path	20–30 Years β (p-Value)	31–40 Years β (p-Value)	Over 41 Years β (p-Value)	χ2 (p-Value)	Δχ2 (p-Value)	Decision
	Unconstraint Model				15.335 (0.639)
	Fully Constraint Model				37.218 (0.241)	21.883 (0.081)	Supported
H10_a	PE → ATT	0.090 * (0.050)	0.083 * (0.028)	0.099 * (0.012)	18.609 (0.547)	3.273 (0.195)	Not Supported
H10_b	ENJ → ATT	0.040 (0.532)	−0.024 (0.485)	−0.018 (0.698)	16.135 (0.708)	0.800 (0.670)	Not Supported
H10_c	TMS → ATT	0.235 *** (<0.001)	0.261 *** (<0.001)	0.250 *** (<0.001)	15.645 (0.738)	0.309 (0.857)	Not Supported
H10_d	ITI → ATT	0.140 * (0.039)	0.102 *** (<0.001)	0.084 *** (<0.001)	18.976 (0.523)	3.640 (0.162)	Not Supported
H10_e	TRN → ATT	0.095 * (0.010)	0.083 * (0.038)	0.058 * (0.036)	18.887 (0.529)	3.551 (0.169)	Not Supported
H10_f	G.REG → ATT	0.386 *** (<0.001)	0.351 *** (<0.001)	0.285 *** (<0.001)	20.584 (0.422)	5.248 (0.073)	Not Supported
H10_g	ATT → ADPT	0.336 * (0.014)	0.274 ** (0.003)	0.326 * (0.001)	15.335 (0.639)	4.704 (0.095)	Not Supported

* p < 0.05, ** p < 0.01, *** p < 0.001. ATT = attitude towards InfoSec systems, ADPT = adoption of InfoSec systems, PE = prior experience, ENJ = enjoyment of new InfoSec technology, TMS = top management support, ITI = IT infrastructure, TRN = security training, G.REG = legal-governmental regulations.

; Figure 4), results indicated that all paths, except for the relationship between enjoyment of new InfoSec systems and attitude towards InfoSec systems, were significant at 5% level in all age groups (p < 0.05). This suggested that regardless of age, prior experience, top management support, IT, security training, government regulations, and attitude toward InfoSec systems were not rated significantly differently across respondents with different age groups. Hence, hypotheses H_{10_a} to H_{10_g} was rejected.

Thirdly, the moderation of education was assessed. The model fit was excellent, as all goodness-of-fit indices achieved the respective threshold level, as guided by Hair et al. [143] (χ²/df = 1.092, CFI = 0.998, GFI = 0.985, AGFI = 0.910, TLI = 0.989, SRMR = 0.023, RMSEA = 0.015). A significant chi-square difference between unconstrained and fully constrained models was observed (Δχ² = 35.533, df = 21, p < 0.05), and hence, the groups differed at the path level. As supported by the path analysis across educational groups (

Table 12. Moderation analysis—education.

H	Path	High School β (p-Value)	Diploma β (p-Value)	Bachelor’s Degree β (p-Value)	Master’s Degree β (p-Value)	χ2 (p-Value)	Δχ2 (p-Value)	Decision
	Unconstraint Model					26.208 (0.343)
	Fully Constraint Model					61.741 * (0.049)	35.533 * (0.025)	Supported
H11_a	PE → ATT	0.190 * (0.042)	0.238 * (0.036)	0.290 * (0.026)	0.240 * (0.049)	26.768 (0.476)	0.561 (0.905)	Not Supported
H11_b	ENJ → ATT	0.040 (0.532)	−0.062 (0.281)	0.035 (0.327)	−0.056 (0.243)	29.889 (0.319)	3.681 (0.298)	Not Supported
H11_c	TMS → ATT	0.279 *** (<0.001)	0.220 *** (<0.001)	0.254 *** (<0.001)	0.234 *** (<0.001)	31.357 (0.257)	5.150 (0.161)	Not Supported
H11_d	ITI → ATT	0.071 * (0.049)	0.087 * (0.049)	0.197 * (0.036)	0.296 *** (<0.001)	38.638 (0.068)	12.430 ** (0.006)	Supported
H11_e	TRN → ATT	0.095 * (0.010)	0.034 * (0.048)	0.067 ** (0.005)	0.080 * (0.007)	27.195 (0.453)	0.987 (0.804)	Not Supported
H11_f	G.REG → ATT	0.257 *** (<0.001)	0.330 ** (<0.001)	0.389 *** (<0.001)	0.486 *** (<0.001)	34.779 (0.145)	8.571 * (0.036)	Supported
H11_g	ATT → ADPT	0.292 ** (0.002)	0.271 * (0.004)	0.250 * (0.039)	0.266 * (0.021)	28.232 (0.399)	2.024 (0.567)	Not Supported

* p < 0.05, ** p < 0.01, *** p < 0.001. ATT = attitude towards InfoSec systems, ADPT = adoption of InfoSec systems, PE = prior experience, ENJ = enjoyment of new InfoSec technology, TMS = top management support, ITI = IT infrastructure, TRN = security training, G.REG = legal-governmental regulations.

; Figure 5), results indicated that education significantly moderated the relationship between IT and attitude toward InfoSec systems (Δχ² (3) = 23.430, p < 0.01) as well as government regulations and attitude toward InfoSec systems (Δχ² (3) = 8.571, p < 0.05). In terms of IT, the impact was strongest for Master’s degree respondents (β = 0.296, p < 0.001), followed by Bachelor’s degree respondents (β = 0.197, p < 0.05), diploma respondents (β = 0.087, p < 0.05), and high school respondents (β = 0.071, p < 0.05). Similarly, in terms of government regulations, the impact was strongest for Master’s degree respondents (β = 0.486, p < 0.001), followed by Bachelor’s degree respondents (β = 0.389, p < 0.001), diploma respondents (β = 0.330, p < 0.001), and high school respondents (β = 0.257, p < 0.001). However, the impact of prior experience, enjoyment, top management support, and security training on attitude toward InfoSec systems, as well as the impact of attitude toward InfoSec systems on adoption of InfoSec systems, was not significantly different across respondents from different educational backgrounds (p > 0.05). Hence, hypotheses H_{11_d} and H_{11_f} were accepted.

The moderation of occupation was assessed. The model fit was excellent, as all goodness-of-fit indices achieved the respective threshold level, as guided by Hair et al. [143] (χ²/df = 1.020, CFI = 0.999, GFI = 0.989, AGFI = 0.936, TLI = 0.998, SRMR = 0.015, RMSEA = 0.007). A significant chi-square difference between unconstrained and fully constrained models was observed (Δχ² = 55.549, df = 14, p < 0.001), and hence, the groups differed at the path level. As supported by the path analysis across occupation groups (

Table 13. Moderation analysis—occupation.

H	Path	Employee β (p-Value)	Mid-Level Manager β (p-Value)	Top-Level Manager β (p-Value)	χ2 (p-Value)	Δχ2 (p-Value)	Decision
	Unconstraint Model				18.367 (0.432)
	Fully Constraint Model				73.916 *** (<0.001)	55.549 *** (<0.001)	Supported
H12_a	PE → ATT	0.118 *** (<0.001)	−0.012 (0.663)	0.042 (0.179)	27.086 (0.133)	8.719 *** (<0.001)	Supported
H12_b	ENJ → ATT	0.048 (0.288)	−0.012 (0.702)	−0.013 (0.762)	26.471 (0.151)	2.104 (0.517)	Not Supported
H12_c	TMS → ATT	0.266 *** (<0.001)	0.183 *** (<0.001)	0.263 *** (<0.001)	24.470 (0.222)	6.103 * (0.047)	Supported
H12_d	ITI → ATT	0.092 *** (<0.001)	0.115 *** (<0.001)	0.069 *** (<0.001)	21.241 (0.383)	2.874 (0.238)	Not Supported
H12_e	TRN → ATT	0.095 * (0.029)	0.071 ** (0.004)	0.063 ** (0.008)	19.111 (0.515)	0.744 (0.690)	Not Supported
H12_f	G.REG → ATT	0.335 *** (<0.001)	0.246 *** (<0.001)	0.328 *** (<0.001)	24.831 (0.208)	6.464 * (0.039)	Supported
H12_g	ATT → ADPT	0.050 (0.533)	0.498 ** (0.008)	0.684 *** (<0.001)-	35.866 * (0.016)	17.499 * (0.018)	Supported

* p < 0.05, ** p < 0.01, *** p < 0.001. ATT = attitude towards InfoSec systems, ADPT = adoption of InfoSec systems, PE = prior experience, ENJ = enjoyment of new InfoSec technology, TMS = top management support, ITI = IT infrastructure, TRN = security training, G.REG = legal-governmental regulations.

; Figure 6), results indicated that occupation significantly moderated the relationships between prior experience and attitude (Δχ² = 8.719, df = 2, p < 0.01), between top management support and attitude (Δχ² = 6.103, df = 2, p < 0.05), between government regulations and attitude (Δχ² = 6.464, df = 2, p < 0.05), as well as between attitude and adoption of InfoSec system (Δχ² = 17.499, df = 14, p < 0.001). In terms of prior experience, results indicated that its impact on attitude toward InfoSec systems was significant for employees only (β = 0.118, p < 0.001). In terms of top management support, its impact on attitude toward InfoSec systems was significant and higher for employees (β = 0.266, p < 0.001) and top-level managers (β = 0.263, p < 0.001) as compared to mid-level managers (β = 0.183, p < 0.001). Lastly, the impact of attitude on the adoption of InfoSec systems was significantly strong for employees (β = 0.335, p < 0.001), followed by top-level managers (β = 0.328, p < 0.001) and mid-level managers (β = 0.246, p < 0.001). Hence, hypotheses H_{12_a}, H_{12_c}, H_{12_f} and H_{12_g} were accepted.

5. Discussion

5.1. Key Findings

The study conducted a path analysis to develop an integrated framework representing the determinants influencing the adoption of InfoSec systems. The study found that prior experience, top management support, IT infrastructure, security training, and legal-governmental regulations significantly and positively influence the attitude towards InfoSec systems, which directly and indirectly influence the adoption of InfoSec systems. The significant relationship between prior experience and attitude toward InfoSec systems was consistent with the studies of Ashenden [146], Charness et al. [94], and D’Arcy and Lowry [113], which also reported the same findings. If employees have previous experience of an information security incident, they are more likely to have a better attitude towards the adoption of InfoSec systems. Similarly, the significant relationship between top management support and attitude toward InfoSec systems was consistent with the studies of Almaiah et al. [147], Ali et al., [100], Georgiadou et al. [148], and Humaidi and Balakrishnan [149], which also reported the significant relationship. This suggested that enterprises that showed employees continuous support from the top management level by providing cybersecurity guidelines tend to have a better attitude or perception toward InfoSec systems. The significant relationship between IT infrastructure and attitude toward InfoSec systems was consistent with the findings of Almaiah et al. [79], Georgiadou et al. [148], Hina and Dominic [150], and Zwilling et al. [63], who also reported similar findings. This suggested that technology infrastructure acts as a motivating factor to accept and use the InfoSec systems. Providing adequate technology infrastructure is essential for implementing new technology. The significant relationship between security training and attitude toward InfoSec systems was consistent with the findings of Abdallah et al. [151], Mushi and Dutta [152], and Stankov and Tsochev [153], who also reported the same findings. This suggested that training employees about the usage of InfoSec systems and InfoSec policies enhances the technical and software skills of the personnel and enables them to have a better attitude toward InfoSec systems. The significant impact of legal-governmental regulations on attitude toward InfoSec systems was consistent with the findings of Merhi [154], who also reported the same findings. This suggested that having a legal system supported by governmental regulations in place assists SMEs in protecting information and data privacy and, hence, creates a positive attitude toward the adoption of IS systems. Overall, it should be considered that total management support and legal-governmental regulations exhibited a stronger impact on employees’ attitudes, suggesting their higher contribution to achieving desired attitudes toward InfoSec systems within the critical scenario. However, the study found that enjoyment of new InfoSec technology did not have any significant effect on attitude toward InfoSec systems. This finding was inconsistent with the studies of Khan et al. [155], Osman et al. [156], and Ng et al. [157], which reported a significant effect of enjoyment on attitude. The insignificance of enjoyment in our context can be explained by the mandatory nature of InfoSec systems. Unlike voluntary technologies, where hedonic motivations are key, security tools are often implemented as organizational necessities to mitigate risks [157]. Employees may perceive them as compulsory requirements for compliance and data protection rather than voluntary tools for personal enjoyment. This aligns with the protection motivation theory [158,159], as our findings suggest that the primary driver for adoption is the perceived necessity to protect against threats, not the pursuit of pleasure or enjoyment. Furthermore, an in-depth analysis of descriptive statistics revealed that respondents reported InfoSec systems as ‘less enjoyable,’ which corroborates the view that for such mandatory systems, ‘pleasantness’ is not a prerequisite for adoption. Similar findings have been reported in studies on mandatory enterprise systems, where intrinsic factors like enjoyment were less influential than extrinsic factors like job requirements and security needs [160]. Lastly, the study found that attitude had a significant positive effect on the adoption of InfoSec systems. This study finding was consistent with the studies of Namahoot and Rattanawiboonsom [161], Night et al. [50], and Rahman et al. [162], which also reported a significant relationship between these variables. This suggests that if employees have a positive attitude toward adopting new technology and perceive it as a way to improve efficiency and performance at their job, they are more likely to adopt new InfoSec technology.

The integrated framework also extended to the demographic characteristics as moderators, including gender, age, education, and occupation. The study findings showed that, firstly, gender significantly moderated the significant relationships of prior experience and top management support on attitude towards InfoSec systems. These study findings were consistent with the studies of Anwar et al. [92] and Daengsi et al. [93]. Past literature suggested that men with more prior experience with computer security had high self-efficacy and exhibited a higher tendency of cybersecurity behavior as compared to women [92]. Daengsi et al. [93] also reported a higher level of cybersecurity awareness for female employees compared to male employees, which results in more victims of phishing among male employees. Furthermore, employees with similar experience at the same period of time have similar beliefs, values, and attitudes [93]. Furthermore, gender did not moderate the relationship between the enjoyment of new InfoSec technology, IT, training, and legal-governmental regulations on attitude towards InfoSec systems. A possible explanation would be that SMEs assure equal rights for men and women, protect them from discriminatory practices, and promote equal participation in economic growth and social development [163]. Another significant implication of these study findings is the gender gap in the study sample (58.1% female to 41.9% male). This gender gap is unusual in the context of Saudi Arabia, as currently the gap is closing up with 59% women and 41% men for every 100 men in every technical and assistant jobs [164]. Similarly to Aldhafeeri [163], the study has studied the perception of women and aims to help close the gender gap in the near future.

Secondly, the study findings showed that age did not moderate the influence of any determinants on attitude toward InfoSec systems, as well as the impact of attitude on adoption of InfoSec systems. This finding was inconsistent with the study of Nguyen and Le [103], which reported that younger workers tend to have a positive attitude and behavior toward InfoSec systems as compared to older workers. Here, the findings indicated that members of Generation Z, millennials, Generation X, and baby boomers all had an impact on their attitude toward InfoSec systems through prior experience, top management support, IT infrastructure, security training, and legal-governmental regulation, as well as an impact on the adoption of InfoSec systems through resultant attitude toward InfoSec systems. This suggests that there is no technological divide related to the adoption of InfoSec systems in terms of age. Hence, age did not affect the adoption processes of InfoSec systems when they were targeted to a wider population, as identified by Belanche-Gracia et al. [164]. Fazi et al. [165] also confirmed no moderating role of age in the relationship between attitude towards and adoption of InfoSec systems.

Thirdly, the study findings showed that occupation significantly moderated the relationships of prior experience, top management support, and legal-governmental regulations on attitude toward InfoSec systems, as well as the relationship between attitude and adoption of InfoSec systems. These study findings were consistent with the studies of Chawla and Joshi [98], Yildirim et al. [99], Ali et al. [100], Trenerry et al. [101], and Acosta-Enriquez et al. [102], who reported a significant moderation of occupation in the adoption of IT. Several determinants, such as government regulations and top management support, have a stronger impact on attitude toward InfoSec systems among employees and top-level managers, as they are directly engaged in the implementation of InfoSec systems within SMEs. Similarly, the impact of IT infrastructure was stronger on attitude toward InfoSec systems in the case of mid-level managers, as they are directly engaged in purchasing, developing, and integrating InfoSec systems into the existing systems. Hence, the occupational position can control or maximize the impact of each factor that influences the adoption of InfoSec systems.

Fourthly, the study findings showed that education significantly moderated the relationships between IT and legal-governmental regulations on attitude toward InfoSec systems. The significant relationship between IT and attitude was consistent with the study of Nguyen and Le [103], who also reported that higher education levels enhanced the positive impact of information security knowledge on attitude toward InfoSec systems. Kavandi and Jaana [166] highlighted that employees with higher education have a higher level of usage of ICTs in order to ensure the successful adoption of health information technology. Hwang et al. [62] highlighted that a higher level of security education enhanced the impact of knowledge of physical systems and security awareness. Hence, in the context of this study, the availability of IT infrastructure gave the employees a positive emotion and perception toward having InfoSec systems. Similarly, legal-governmental regulations, when combined with higher education, make learning more meaningful and impactful in the development and adoption of new technologies [167]. Hence, consistent with the study findings, higher education contributes to better understanding and implementation of legal-governmental regulations and, hence, a better attitude toward new technology, i.e., InfoSec systems. However, education did not moderate the relationships of prior experience, enjoyment of new InfoSec technology, top management support, and security training on attitude toward InfoSec systems. The study findings were consistent with the studies of Ali et al. [100], Almaiah et al. [147], An et al. [168], Mungo [76], Pollini et al. [167], Sadok et al. [29], and Won et al. [55] that having prior experience, finding a new technology enjoyable, having better support from top management, and a high level of security training were not associated with education. Finally, the study implies that education significantly enhanced the impact of only the predictors that can be taught through theory and practice.

Lastly, the study found that attitude towards InfoSec systems was only significantly related to adoption of InfoSec systems when users were top-level managers. This reflects the organizational vision that emphasizes the adoption of InfoSec systems in the dire need to fight against cybersecurity threats and attacks in SMEs [169]. Across gender, age, and education, all users were found to have a similar impact of attitude on the adoption of InfoSec systems. This implied that socio-demographic factors did not contribute to enhance adoption rate through attitudes, but occupation and job description did. As Karanja reports [169], top-level managers, such as the chief information security officer, can play a vital role in the implementation and management of InfoSec systems.

The integrated framework represented in the current study addresses the cybersecurity risks and attacks faced by SMEs in their day-to-day operational activities. Strengthening the internal business infrastructure and maintaining compliance with ISO27001 rules and regulations enables firms to reduce the apparent gap between strategic awareness and technical know-how and effectively detect and respond to cyber threats. As a result, a business can quickly adopt advanced cybersecurity solutions to enhance employee preparedness. This framework can truly assure the adoption of InfoSec systems in SMEs with fewer technical resources and utilization.

5.2. Key Theoretical Implications

The study has several key theoretical implications. Firstly, the study adds to three fundamental theories that explain how and why people adopt technologies: TRA, UTAUT, and TAM. These theories provide the basic foundation behind the identification of the determinants necessary to enhance the adoption of InfoSec systems among employees. Secondly, the integrated model was modified to identify the specific determinants that influence the adoption of InfoSec systems in Saudi SMEs. These specific determinants, as identified through a thorough review of literature and supported by the study findings, contribute to minimizing cybersecurity attacks in SMEs. Thirdly, the integrated model also identified demographic characteristics that can be modified for the successful implementation of newly-developed InfoSec systems. Building teams with employees from diverse backgrounds can give a competitive edge to SMEs and minimize their costs to achieve optimal efficiency. Furthermore, the inclusion of demographic variables as moderators, such as gender, age, occupation, and education, within the integrated model has broadened the influential determinants on the adoption of InfoSec systems. Lastly, the study can serve as a resource for researchers and academicians to refine existing adoption theories and models, thereby deepening our understanding of the adoption of InfoSec systems.

5.3. Key Practical Implications

The study has several key practical implications. Firstly, the study provided a detailed insight of how employees can be persuaded to adopt InfoSec systems in Saudi SMEs. The integrated framework has linked employees’ adoption to their attitude and its key determinants so as to ensure awareness and reduced cybersecurity risks within the firms. Secondly, the study provided an integrated framework to address an ongoing concern of cybersecurity risks and threats in Saudi SMEs. The study findings provide the reasoning behind the low adoption of InfoSec systems in SMEs operating in Saudi Arabia and provide a comprehensive plan to improve the adoption level among employees, mid-level managers, and top-level managers, or, in other words, in the entire organization. Thirdly, the study findings took into account the sociodemographic characteristics of employees (gender, occupation, and education) that shaped the attitude toward and adoption of SMEs in Saudi Arabia. Hence, to improve adoption through a certain factor, organizational structure can be designed to incorporate employees with certain demographics in a certain workplace. Fourthly, the integrated model presented in the current study will add to the broader efforts toward secure and sustainable digital transformation by focusing on IT infrastructure, legal-governmental regulations, and top management support, besides employees’ specific variables to encounter the cyber threats. Lastly, the integrated model also implies that those who are in charge of InfoSec security management in Saudi SMEs should target IT infrastructure, legal-governmental regulations, top management support, employees’ prior experience, and employees’ security training. It explained what factors should be considered to achieve effective and efficient change for the successful implementation of InfoSec systems in Saudi SMEs.

5.4. Limitations and Suggestions for Future Research

The study had several limitations. Firstly, the study employed a cross-sectional research design to determine the determinants influencing the adoption of InfoSec systems in Saudi SMEs in the current context of cybersecurity. Future studies should conduct a longitudinal research design to capture the growing and changing nature of cybersecurity risks in Saudi SMEs. Secondly, the study focused on SMEs operating in Saudi Arabia. Since cybersecurity is an ongoing concern for large organizations, future studies should replicate the designed integrated model in large organizations in order to increase the generalizability of the study findings. Thirdly, the study did not consider the socio-cultural determinants such as religious beliefs, peer support, and cultural values in the adoption of InfoSec systems in SMEs. As the socio-cultural pressures can also shape employees’ attitude toward and adoption of InfoSec systems [170], future studies should add the socio-cultural determinants and other external variables for determining the impact of external environmental variables on the adoption of SMEs in Saudi Arabia. Fourthly, the study did not consider the differences in the industries in which the SMEs operate. Past literature clearly highlighted the importance of cybersecurity in healthcare, finance and banking, manufacturing, retail and e-commerce, and education [6,7]. Future research can develop an industry-specific integrated framework to determine the determinants influencing the adoption of InfoSec systems in a specific industry, so as to capture the needs and demands tailored to the industry. Fifthly, the study did not capture the perspectives of top-level management to a greater extent, as they represented a smaller proportion of the sample size. Future studies can conduct the interviews with top-level management, especially in the information technology department, in order to understand how firms value InfoSec systems and create awareness and adoption behaviors of employees toward them. Lastly, though the majority of SMEs are located in Riyadh, the collection of data from Riyadh only might not be sufficient to represent the entire country. Future research can replicate the theoretical model in other regions to improve the generalizability, reliability, and validity of the study findings.

6. Conclusions

The study seeks to develop an integrated framework representing the determinants influencing the adoption of InfoSec systems in SMEs working in Saudi Arabia. Designed on the theoretical foundations of TAM, TRA, and UTAUT, the study determined that prior experience, top management support, IT infrastructure, security training, and legal-governmental regulations are key determinants of attitudes, which in turn influence the adoption of InfoSec systems. The demographic variables, i.e., gender, education, and occupation, play a key moderating role in defining the adoption of InfoSec systems: only male employees found a significant influence of prior experience on attitude towards InfoSec systems, while female employees had a stronger effect on attitude when top management support is an influencing factor. Respondents of all age groups found the same effect of prior experience, top management support, IT, security training, and legal-government regulations on attitude and consequent adoption of InfoSec systems. Respondents who had completed up to high school had a stronger effect of IT and legal-governmental regulations on attitude toward InfoSec systems, followed by diploma, Master’s degree, and Bachelor’s degree. Lastly, in terms of occupation, only employees found a significant influence of prior experience on their attitude toward InfoSec systems. While being significant in other groups, the influence of top management support on employee attitude toward the adoption of InfoSec systems was especially notable. This integrated framework captures the employees’ skills, knowledge, technical and managerial support, and regulatory framework as a means of attitude and adoption of InfoSec systems in SMEs working in Saudi Arabia. The study has several key theoretical contributions to the development of knowledge and practical contributions towards the status of Saudi SMEs as a developing country in the Middle East.