Next Article in Journal
The Use of Artificial Intelligence in Cybercrime: Impact Analysis in Ecuador and Mitigation Strategies
Previous Article in Journal
Integrated Analysis of Malicious Software: Insights from Static and Dynamic Perspectives
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
JCP
Volume 5
Issue 4
10.3390/jcp5040099
jcp-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Zero Trust in Practice: A Mixed-Methods Study Under the TOE Framework

by
Angélica Pigola
1,* and
Fernando de Souza Meirelles
2
1
School of Applied Sciences, State University of Campinas, 1300 Pedro Zaccaria St., Limeira 13484-350, São Paulo, Brazil
2
Doctoral Program in Information Technology Management, Escola de Administração de Empresas de São Paulo Fundação Getulio Vargas, FGV_EAESP, 9 de Julho Avenue, 2029, São Paulo 01313-902, São Paulo, Brazil
*
Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2025, 5(4), 99; https://doi.org/10.3390/jcp5040099
Submission received: 10 October 2025 / Revised: 28 October 2025 / Accepted: 12 November 2025 / Published: 14 November 2025
(This article belongs to the Topic Recent Advances in Security, Privacy, and Trust)
Browse Figure
Versions Notes

Abstract

This study examines the adoption and implementation of the Zero Trust (ZT) cybersecurity paradigm using the Technology–Organization–Environment (TOE) framework. While ZT is gaining traction as a security model, many organizations struggle to align strategic intent with effective implementation. We adopted a sequential mixed-methods design combining 27 semi-structured interviews with cybersecurity professionals and a survey of 267 experts across industries. The qualitative phase used an inductive approach to identify organizational challenges, whereas the quantitative phase employed Partial Least Squares Structural Equation Modeling (PLS-SEM) to test the hypothesized relationships. Results show that information security culture and investment significantly influence both strategic alignment and the technical implementation of ZT. Implementation acted as an intermediary mechanism through which these organizational factors affected governance and compliance outcomes. Strategic commitment alone was insufficient to drive effective implementation without strong cultural support. Qualitative insights underscored the importance of leadership engagement, cross-functional collaboration, and legacy infrastructure readiness in shaping outcomes. The findings emphasize the need for cultural alignment, targeted investments, and process maturity to ensure successful ZT adoption. Organizations can leverage these insights to prioritize resources, strengthen governance, and reduce implementation friction. This research is among the first to empirically investigate ZT implementation through the TOE lens. It contributes to cybersecurity management literature by integrating strategic, cultural, and operational dimensions of ZT adoption and offers practical guidance for decision-makers seeking to institutionalize Zero Trust principles.

1. Introduction

The growing complexity of cyber threats, combined with the widespread adoption of hybrid work models, has catalyzed a surge of interest in Zero Trust (ZT) security frameworks [1]. Rooted in the principle of “never trust, always verify” [2], ZT rejects the traditional perimeter-based model and instead enforces continuous authentication, contextual access controls, and granular network segmentation to mitigate security risks [3]. More than an incremental evolution of security measures, ZT represents a disruptive paradigm that demands cultural, architectural, and regulatory transformation [4,5]. Unlike discrete tools such as firewalls, intrusion detection systems, or VPN hardening, ZT embeds trust-minimization principles into governance, compliance, and daily operations [6,7]. Despite its growing appeal and endorsement by global cybersecurity leaders such as the U.S. Department of Defense, CISA, and Google [8,9], most organizations remain in the early phases of ZT adoption [10].
The ZT security framework thus represents a paradigm shift in organizational cybersecurity, offering a proactive and adaptive response to the escalating complexity of cyber threats [11]. Real-world applications underscore ZT’s transformative potential: Google’s BeyondCorp—developed in response to the 2009 Operation Aurora attack—eliminated reliance on VPNs by enabling secure access from untrusted networks [12]. Sectors such as finance, energy, and healthcare have also embraced ZT. Bank of America applies network micro-segmentation, multifactor authentication, and advanced analytics; Duke Energy uses continuous monitoring and dynamic access controls to limit lateral movement; and Mayo Clinic employs encryption, identity management, and data loss prevention to meet HIPAA compliance and maintain patient trust [13]. Despite such practical relevance, academic research has predominantly emphasized ZT’s technical dimension, often overlooking its organizational and environmental complexities.
Empirical evidence also supports ZT’s effectiveness—particularly among micro, small, and medium-sized enterprises (MSMEs)—where its implementation has led to a 45% reduction in security incidents [14]. Furthermore, ZT-related patents have been positively associated with improvements in government effectiveness and regulatory quality [6]. Despite these advances, literature reviews indicate that ZT research has largely focused on technological components such as architectures, encryption, identity management, and micro-segmentation [15,16,17], while neglecting the distinct organizational and environmental complexities of ZT adoption. Compared to other cybersecurity solutions, ZT requires not only technical readiness but also organizational culture alignment, sustained financial investment, and adaptation to regulatory pressures—areas where empirical inquiry remains scarce [18,19,20].
Although ZT was introduced more than a decade ago [4], critical gaps remain regarding its effective management, with limited consensus on implementation criteria and insufficient attention to diverse organizational and environmental contexts [18,20,21]. Challenges such as limited resources, resistance rooted in organizational culture, skill shortages, and regulatory pressures continue to hinder effective implementation [1]. This gap underscores the theoretical and practical need to study ZT not as another security tool, but as a transformative paradigm whose adoption dynamics differ from conventional security technologies. In particular, empirical research applying structured frameworks such as Technology–Organization–Environment (TOE) remains limited, leaving unanswered questions about the interplay among organizational, technological, and environmental factors shaping ZT implementation.
Accordingly, this study draws on the TOE framework [22], which provides a holistic model for examining the technological readiness, organizational capacity, and environmental pressures shaping this innovative cybersecurity paradigm. TOE has proven valuable in research on digital transformation and artificial intelligence (AI) implementation [23,24], yet has not been comprehensively applied to the ZT paradigm. By employing TOE, this study addresses the lack of empirical work that systematically captures the organizational and environmental complexities of ZT implementation, offering a theoretical lens that extends beyond technical considerations.
This research adopts a sequential mixed-methods approach. First, an inductive phase involving semi-structured interviews with 27 information security professionals across multiple industries explored emergent challenges in ZT integration. Second, a deductive phase employed a structured survey of 267 cybersecurity practitioners to empirically validate the TOE framework’s applicability to ZT adoption. Guided by this perspective, the central research question asks:
How do technological, organizational, and environmental factors influence the implementation of the Zero Trust security paradigm in organizations, and what mechanisms explain its effects on governance and compliance?
Preliminary findings reveal the central role of organizational enablers in the successful adoption of the ZT paradigm. A strong information security culture emerged as a key driver, influencing both the formation of strategic commitments to ZT and the effective implementation of its principles. Likewise, organizational investment in cybersecurity infrastructure proved essential for fostering strategic alignment and translating it into operational execution. While strategic commitment alone did not guarantee implementation success, the study found that effective ZT implementation significantly contributes to improved governance and regulatory compliance. Furthermore, the results suggest that organizational culture and investment affect governance outcomes indirectly, by enabling robust technological adoption. These insights reinforce the importance of addressing not only technological readiness but also the organizational and environmental contexts that shape the success of ZT initiatives.
This study offers important theoretical and practical contributions by extending the TOE framework to the domain of cybersecurity, specifically to the ZT paradigm. It contributes to cybersecurity literature by demonstrating TOE’s capacity to explain not only technology adoption but also paradigm-level transformations that demand organizational and regulatory alignment. By theorizing ZT implementation as mediating mechanism and organizational culture as a moderating condition, the study advances TOE’s explanatory power in high-risk digital environments and provides a structured lens to differentiate ZT from conventional security technologies. Practically, the findings equip organizations with a structured approach to assess their readiness for ZT adoption by aligning internal capabilities with external demands. As cyber threats become increasingly sophisticated, this study provides a timely roadmap for reshaping cybersecurity postures—moving from reactive, perimeter-based models to proactive, trust-driven architectures. It underscores that sustainable adoption of emerging cybersecurity frameworks requires not only robust technologies but also deeply embedded organizational alignment and environmental foresight.
The remainder of this paper is structured as follows. Section 2 presents the theoretical foundations of ZT and the TOE framework. Section 3 outlines the research design and methodological approach. Section 4 reports empirical findings, while Section 5 discusses theoretical implications and managerial recommendations. Section 6 concludes with reflections on limitations and directions for future research.

2. Theoretical Background: Technology–Organization–Environment Framework and the Zero Trust Paradigm

In a dynamic, digitized, and risk-prone environment, organizations are increasingly compelled to adopt security architectures that go beyond traditional perimeter-based models. One such paradigm, ZT, fundamentally redefines the security posture by emphasizing explicit and continuous trust verification over implicit trust assumptions [4,10]. As enterprises confront the rising complexity of cybersecurity threats [16,25], the ZT paradigm requires rethinking not only technical infrastructures but also organizational and environmental responses. The Technology–Organization–Environment (TOE) framework [22] offers a robust lens for examining the multifaceted influences on ZT adoption, making it a relevant and flexible theoretical foundation for this study.
The TOE framework identifies three core contexts that shape the adoption of technological innovations: technological, organizational, and environmental domains. Rather than viewing technology adoption as deterministic, TOE emphasizes the nonlinearity and socio-technical dynamics inherent in enterprise decision-making [26,27]. It acknowledges that adoption decisions are not merely technical judgments but are influenced by the alignment of new technologies with organizational capacity and environmental pressures [24,28]. TOE’s strength lies in its adaptive and evolutionary nature, as it continues to evolve through applications in new technological contexts [29,30], making it especially relevant for emerging paradigms such as ZT. Zero Trust thus represents an evolutionary test case for TOE, shifting the framework from explaining the adoption of technological innovations to accounting for the adoption of organizational security paradigms that require sustained cultural transformation and regulatory adaptation.

Intertwining TOE and Zero Trust: A Multi-Contextual View

The Zero Trust paradigm, while primarily conceptualized as a technological security model [4,5], represents a strategic and organizational transformation [1]. Its implementation involves new policies, cultural shifts, and infrastructure realignments that align well with the TOE’s triadic structure:
(i) From the technological perspective, ZT is embedded in a sophisticated ecosystem that includes multifactor authentication, microsegmentation, encryption, and continuous monitoring [5,15,31]. ZT’s emphasis on seamless integration and context-aware controls resonates with TOE’s focus on perceived simplicity and performance expectancy [26,32]. Importantly, it is the perception of complexity or simplicity—rather than the absolute technical difficulty—that drives adoption outcomes [33,34]. Organizations evaluate whether ZT integration reduces uncertainty and aligns with existing processes, and perceptions of excessive complexity may delay or even block adoption.
(ii) From the organizational perspective, ZT adoption requires strong top management support, cultural readiness, and adequate resource allocation [1]—all of which are critical factors in the TOE framework [35,36]. Firms with large operational scopes and mature digital infrastructures are more likely to possess slack resources and institutional support to engage in the structural transformation that ZT demands [37,38]. ZT is therefore not merely a technical upgrade but a strategic realignment that depends on managerial cognition, organizational culture, and change-management capacity [14,19]. Strategic commitment to ZT should thus be understood within the organizational domain, as it reflects managerial priorities and decision-making rather than a purely technological attribute.
(iii) From the environmental perspective, the rise of ZT is closely tied to external pressures, including regulatory requirements, client demands for stronger security guarantees, and competitive dynamics—elements directly addressed by the environmental dimension of TOE [39,40]. Normative and mimetic pressures, such as compliance mandates or influential competitors’ strategies, catalyze ZT adoption [11,41]. Additionally, increasing regulatory scrutiny around data protection and breach-response protocols strengthens the appeal—and, in many cases, the necessity—of adopting proactive security models such as ZT [42,43].
A critical nuance concerns the role of governance, which can be conceptualized in two complementary ways. On one hand, governance and compliance structures are internal organizational processes and outcomes of ZT adoption, reflecting how enterprises institutionalize security practices, strengthen accountability, and enhance resilience. On the other hand, governance also operates as an external environmental driver, since regulatory frameworks, industry standards, and stakeholder expectations impose governance requirements that organizations must satisfy to maintain legitimacy. Because of this duality, this study conceptualizes governance as an organizational outcome rather than an environmental factor, allowing it to be measured as a tangible result of effective ZT implementation while still acknowledging that many of its requirements are environmentally driven. This dual interpretation aligns with recent calls in information-systems research to treat governance as both an endogenous construct shaped by organizational choices and an exogenous pressure stemming from institutional environments [11,44]. Accordingly, governance is modeled as a dependent variable in this study, reflecting the organizational consequences of adopting ZT practices.
The integration of the TOE framework with the ZT paradigm offers a holistic theoretical perspective that extends beyond technological determinism. It enables a richer exploration of how organizational and environmental contingencies shape security-innovation adoption. For instance, while ZT requires granular access controls and dynamic trust mechanisms [44], its effective deployment depends on managerial commitment, organizational culture, and industry alignment—factors that TOE aptly captures. Furthermore, drawing from institutional theory embedded in the environmental context of TOE, organizations often adopt ZT not only out of internal necessity but also due to external legitimacy pressures [45,46]. Applying the TOE framework to the ZT paradigm thus enables a multidimensional and recursive understanding of the adoption process—one that captures the technical robustness, organizational feasibility, and environmental viability required for Zero Trust architectures to be fully realized in complex enterprise ecosystems.
Table 1 below summarizes this multi-contextual integration between the TOE dimensions and the governance roles emerging in ZT adoption, illustrating how technological, organizational, and environmental factors jointly shape security-governance outcomes.
In sum, while the TOE framework traditionally explains technology adoption, this study extends its scope to security-innovation contexts, where technology is not merely a tool but a governance mechanism shaping organizational accountability and trust relations. In the context of ZT, the organizational and environmental dimensions interact in a recursive, rather than linear, way—regulatory pressures shape governance structures, which in turn redefine organizational readiness and cultural alignment. This recursive interpretation refines TOE by introducing a governance-feedback loop that links environmental legitimacy pressures with internal control mechanisms.

3. Conceptual Model and Hypothesis Development

Understanding the drivers of ZT implementation requires more than identifying isolated factors; it demands a nuanced examination of how cybersecurity capabilities interact to shape security outcomes. While prior studies have established the relevance of organizational culture, investment, and compliance in shaping ZT adoption [1], this study extends that foundation by investigating not only direct effects, but also how and under what conditions these factors influence ZT implementation and governance performance. Specifically, this research captures both mediating mechanisms—such as the way implementation translates investments and culture into improved governance—and moderating dynamics, where the cultural context strengthens or weakens the impact of strategic intent. Such an approach aligns with calls for richer explanatory models that recognize the contingent and processual nature of innovation adoption [50,51]. By unpacking these layered relationships, the study offers a more integrative understanding of the conditions under which ZT is effectively deployed and governed in organizational settings. Figure 1 illustrates the theoretical research model, grounded in the TOE framework, capturing the direct, mediating, and moderating effects among organizational, technological, and environmental factors in adoption of ZT. The model highlights how Information Security Culture and Investment in Zero Trust Security directly influence Technical Implementation of Zero Trust Controls, how Strategic Commitment to Zero Trust mediates these effects, and how Information Security Culture moderates the translation of strategy into execution. We develop our hypotheses step by step in the following sections.

3.1. Direct Effects

Organizational culture plays a foundational role in shaping how institutions respond to technological innovations [48]. Information security culture can be defined as the shared values, norms, and practices within an organization that influence employee behaviors and managerial decisions regarding the protection of information assets [1]. It reflects the degree to which security is internalized as a collective organizational priority rather than imposed solely through compliance mechanisms. In the context of ZT—where traditional security assumptions are replaced by principles such as continuous verification, least privilege, and adaptive access control—a culture that values security, accountability, and change readiness becomes critical [52]. Within the TOE framework, culture is captured under the organizational context, representing the internal norms, values, and behavioral expectations that influence the adoption of innovation [32].
A robust security culture creates a climate in which employees and leaders recognize cybersecurity as a shared organizational value [53]. This includes cultivating awareness of security threats, fostering a proactive mindset toward risk mitigation, and maintaining a commitment to compliance and continuous improvement [54]. These cultural attributes directly support the operationalization of ZT principles, which require organizations to continuously evaluate access permissions, minimize trust boundaries, and maintain high levels of accountability across systems and users [55]. In such environments, the implementation of ZT is more likely to be both technically successful and behaviorally reinforced. Therefore, we propose the following hypothesis:
H1. 
Organizations with a robust security culture are more likely to implement Zero Trust controls effectively.
Culture does not only influence how technologies are implemented; it also shapes how strategic priorities are defined. Strategic commitment to Zero Trust (ZT) refers to the organization’s conscious and deliberate prioritization of ZT principles within its overarching cybersecurity vision, encompassing leadership intent, long-term planning, and the integration of ZT into enterprise-wide security policies [1,7]. When security is embedded in an organization’s shared values, leaders are more likely to prioritize long-term cybersecurity investments and align their strategic objectives with frameworks such as ZT [56]. Strategic alignment with ZT involves recognizing the need to transition from reactive security postures to proactive, trust-minimization architectures [3,5]. Cultures that emphasize resilience, continuous learning, and cross-functional collaboration provide the social and institutional foundation for such strategic shifts [57]. Within the TOE framework, this reflects how internal norms and beliefs shape strategic orientation toward technology adoption [26]. Organizations with weak or compliance-driven cultures may implement ZT under regulatory pressure but fail to embed its principles into strategic thinking, leading to fragmented or symbolic adoption. In contrast, when culture supports innovation and risk-aware thinking, strategy formation is more likely to incorporate comprehensive ZT objectives [1], such as architectural redesign, sustained investment in authentication infrastructure, and policy integration. Thus, we propose the following hypothesis:
H1a. 
Organizations with a strong information security culture are more likely to align their strategy effectively with Zero Trust principles.
Effective adoption of the ZT paradigm requires organizations to commit both strategically and operationally to the transformation of their security infrastructure [58]. At the center of this transformation lies investment in ZT security, defined as the allocation of financial, technological, and human resources directed toward developing and sustaining cybersecurity capabilities—particularly those aligned with ZT principles [1,38,59]. Within the TOE framework, investment reflects a key dimension of the organizational context, representing the firm’s readiness to innovate, its absorptive capacity, and its willingness to allocate resources toward long-term technological transformation [38,60].
Organizational investment not only provides the means to procure new technologies but also serves as a strategic signal [61]. When firms make deliberate and sustained investments in cybersecurity, they demonstrate heightened awareness of digital risks and a proactive orientation toward resilience [62]. These investments often precede or accompany the formulation of comprehensive security strategies, such as the adoption of ZT principles, which require a departure from perimeter-based security thinking toward an architecture centered on explicit and continuous trust evaluation [52,63].
Strategic commitment to ZT entails more than technology deployment; it requires architectural redesign, long-term planning, policy overhaul, and organizational alignment [1]. Organizations that invest early and substantially in cybersecurity are more likely to develop strategic intent around ZT, as investment reflects both prioritization and capability—two prerequisites for robust strategic engagement [39,64]. Hence, we propose the following hypothesis:
H2. 
Higher organizational investment in ZT security increases the likelihood of developing its strategic commitment.
Beyond its strategic signaling function, organizational cybersecurity investment also plays a direct operational role in enabling ZT implementation [20,59]. ZT implementation refers to the extent to which organizations operationalize ZT principles—such as continuous authentication, microsegmentation, identity and access management, encryption, and behavioral analytics—into their security architecture, policies, and day-to-day practices [1,5,43]. Deploying ZT requires a complex array of technologies, including identity and access management systems, microsegmentation tools, behavioral analytics, continuous monitoring platforms, and encryption frameworks [5,31,43]. These technologies cannot be deployed effectively without adequate resources. Therefore, the level of investment directly influences an organization’s ability to implement ZT controls in a comprehensive and sustainable manner.
Within the TOE framework, this relationship reflects the importance of resource availability as a driver of technology adoption [22]. Investment enables firms to overcome operational barriers such as outdated infrastructure, limited technical skills, and integration complexity [65,66]. Furthermore, financial commitment allows for the phased adoption and scaling of ZT technologies across diverse systems and user environments, ensuring that implementation is not symbolic or fragmented but embedded and continuous [1]. This leads to the following hypothesis:
H2a. 
Organizational investment in ZT security directly facilitates its implementation.
The successful implementation of the ZT paradigm is also a foundational component of broader governance and compliance frameworks [11]. Information security governance is defined as the set of structures, processes, and practices through which organizations direct and control their security efforts, ensuring alignment with regulatory requirements, organizational objectives, and stakeholder expectations [44,67]. As organizations transition toward dynamic and identity-aware security models, ZT becomes instrumental in supporting enterprise-wide efforts to enhance accountability, enforce policy compliance, and mitigate risk [68]. Within the TOE framework, the implementation of new technologies—when well-integrated—enables organizations respond more effectively to environmental demands and institutional pressures, particularly those related to regulation, audit, and compliance [22,69].
The ZT paradigm, by design, promotes continuous verification, least-privilege access, and granular policy enforcement—principles that align closely with governance mechanisms aimed at ensuring that systems operate within defined security parameters [5,70]. Empirical studies have shown that security architectures capable of segmenting network access, verifying identities dynamically, and auditing user activity not only reduce the risk of internal and external threats but also support organizations in meeting regulatory standards and strengthening risk management systems [6,52,71]. These functions are central to modern governance structures, where compliance is increasingly data-driven and enforced through real-time control systems.
From the TOE perspective, effective implementation of ZT represents the technological context interacting with environmental expectations (e.g., GDPR, HIPAA, or industry-specific mandates), allowing firms to operationalize regulatory requirements and enhance transparency in data access and handling processes [11,43,49]. ZT frameworks thus act as technical enablers of governance by embedding verification, traceability, and control mechanisms into core information systems (IS). Hence, we propose the following hypothesis:
H3. 
The effective implementation of Zero Trust enhances organizational security governance.
In parallel, organizational efforts to implement ZT principles often begin at the strategic level. Strategic commitment represents the organization’s conscious decision to prioritize ZT principles within its overarching cybersecurity vision. This includes allocating resources, revising architectural blueprints, and integrating ZT concepts into enterprise-wide security policies [7,52]. According to the TOE framework, strategic intent—part of the organizational context—is a key determinant of successful adoption, as it aligns leadership vision, resource mobilization, and execution priorities [64,69]. Organizations that articulate a clear ZT strategy are better positioned to move from fragmented or reactive security measures to fully integrated ZT architectures [72].
This alignment between strategic planning and operational deployment enables smoother implementation of technical controls such as multifactor authentication, access segmentation, and behavioral analytics [15,31]. Furthermore, research in information systems adoption underscores the importance of top-down alignment, where leadership vision and enterprise strategy drive technological change at scale [73,74]. Therefore, we propose the following hypothesis:
H4. 
Organizational commitment to a Zero Trust strategy drives the effective implementation of its principles and controls.

3.2. Mediation Effects

In the context of cybersecurity transformation—particularly the adoption of paradigms such as ZT—understanding how and through what mechanisms organizational factors affect governance outcomes is critical. Mediation analysis offers a way to uncover these underlying processes. Rather than viewing the relationship between organizational culture or investment and governance as direct and linear, mediation enables a more nuanced understanding by recognizing the implementation of ZT as the intervening mechanism that translates inputs into outcomes. This is especially relevant in cybersecurity, where strategy or values alone do not suffice—success depends on how these are embedded into systems, policies, and operational practices. The relevance of mediation in information systems (IS) research is well established, with scholars highlighting that the success of complex technological initiatives often hinges on intervening implementation behaviors [75,76]. Within the TOE framework, such mediators represent the dynamic interplay between the organizational context (e.g., culture, resources) and environmental outcomes (e.g., governance, compliance) [77].
A strong security culture is often regarded as foundational to cyber resilience [78]. However, its effects are not automatically realized. A culture that emphasizes awareness, accountability, and adaptability must still be translated into action—particularly through the implementation of security architectures that embody those values [79,80]. ZT implementation serves as that bridge: organizations with robust cultures are more likely to embed security-conscious behaviors and support structures that facilitate the adoption of verification-based models [55]. Research in IS confirms that the pathway from values to outcomes is frequently mediated by how effectively those values are enacted through technology and processes [81,82]. As such, the benefits of security culture on governance and compliance materialize only when ZT practices are actively implemented. This leads to the following hypothesis:
H5. 
The influence of information security culture on governance outcomes is mediated by the implementation of Zero Trust controls.
Similarly, organizational investment in cybersecurity—while crucial—does not guarantee improved governance performance. Resources must be strategically deployed and operationalized through implementation activities that align with the principles of Zero Trust (ZT) (e.g., segmentation, access control, real-time analytics). Prior research in IT adoption has shown that financial commitment enhances technological performance only when coupled with effective deployment and user engagement [83,84]. In this light, implementation functions as the mechanism through which investment generates returns in the form of resilience, compliance, and oversight. From a TOE perspective, investment represents organizational readiness, but it is implementation that determines whether that readiness is translated into technological value realization [77]. Without a mature implementation phase, investments may be underutilized or fail to respond adequately to evolving threats and regulatory mandates [85]. Recent studies have demonstrated that implementation quality mediates the effects of IT resources on firm-level outcomes such as process maturity, auditability, and risk mitigation [14,86]. This leads to the following hypothesis:
H6. 
Investment in Zero Trust security positively influences information security governance through the mediating role of Zero Trust implementation.
By conceptualizing ZT implementation as a mediating construct, this study contributes to a more layered understanding of how internal organizational factors produce meaningful security and governance outcomes. It emphasizes that performance gains in security contexts emerge not merely from having resources or values in place but from how these elements are operationalized through structured, principle-driven architectures such as ZT.

3.3. Moderation Effects

In this study, moderation represents the conditional influence of information security culture on the strength of the relationship between strategic commitment to ZT and its implementation, highlighting how internal cultural factors can amplify or weaken strategic execution. A strong security culture fosters shared values, norms, and behaviors that align employees’ actions with organizational cybersecurity objectives [53,54]. In the context of ZT—where the paradigm demands a shift from implicit trust to continuous verification and role-based access—cultural readiness becomes a critical enabler of change acceptance and policy compliance [19,78].
From the perspective of the TOE framework, culture is a key organizational determinant that shapes how strategic decisions are internalized and translated into practice [22,26]. Organizations with a well-established culture of security awareness and accountability are more likely to exhibit the behavioral and procedural alignment necessary to implement ZT strategies effectively [55]. Thus, the relationship between strategic commitment to ZT and the implementation of its principles is not uniform across organizations—it is conditioned by the degree of cultural alignment.
Accordingly, we posit that security culture moderates the relationship between strategic commitment to ZT and its implementation, such that organizations with a robust security culture are better equipped to translate strategic intent into operational outcomes. This interaction effect highlights the integrative role of cultural readiness in shaping cybersecurity execution, further enriching the TOE framework’s explanatory power in security-innovation contexts. This leads to the final hypothesis in our model:
H7. 
The relationship between strategic commitment with Zero Trust and its implementation is moderated by information security culture, such that the effect is stronger in organizations with a robust security culture.
In summary, this study integrates the TOE framework with the ZT paradigm to explain how organizational and technological factors jointly shape governance performance in cybersecurity contexts. The conceptual model (Figure 1) posits that information security culture and investment in ZT security serve as organizational enablers influencing both strategic commitment and technical implementation, while ZT implementation functions as the mediating mechanism through which these enablers improve information security governance. The model further introduces a moderating effect of culture, emphasizing that a robust security culture strengthens the translation of strategic intent into operational outcomes. Collectively, these relationships extend the TOE framework to the domain of security innovation by conceptualizing governance not only as an organizational outcome but also as a reflection of environmental accountability.
Building on this conceptual foundation, the following section details the research design and methodological approach employed to empirically test these hypotheses through a sequential mixed-methods strategy combining qualitative exploration and quantitative validation.

4. Methodological Approach

To investigate our research model, we employed a sequential mixed-methods design, integrating both qualitative and quantitative techniques within a single study [87,88,89]. Mixed-methods research is characterized by the deliberate combination of distinct methodological approaches to deepen and broaden the understanding of a phenomenon [90]. Among the various configurations of mixed methods, we adopted a sequential explanatory strategy, in which the qualitative component complements and contextualizes the quantitative findings. Specifically, we first collected survey data to test the theoretical model, followed by in-depth interviews to explore the underlying dynamics and interpretations.
The integration of both data types enables methodological triangulation, reinforcing the robustness of the findings by cross-validating results across multiple sources [90]. In line with established guidelines, the qualitative insights were used to elaborate and interpret the patterns identified in the quantitative phase, thereby enhancing both the credibility and depth of the overall analysis.

4.1. Quantitative Method: Survey Design and Data Collection

To test the research model illustrated in Figure 1, a large-scale survey was conducted among information security professionals from diverse industries and regions. The instrument was developed using constructs validated in prior information systems and cybersecurity research [17,21,56,58,70,91,92] and was approved by the institutional ethics committee in compliance with human-subjects research protocols [87,88].
Data were collected between January and June 2024. Invitations were distributed via personalized emails containing unique survey links. The sampling frame consisted of 1864 cybersecurity experts identified on LinkedIn based on their professional profiles. Participation was voluntary and uncompensated, minimizing response bias. Before full deployment, a pretest with 40 cybersecurity experts confirmed item clarity and face validity, and no revisions were required. In total, 301 responses were received. After excluding incomplete submissions, responses with extremely short completion times, and inconsistent patterns, 267 valid responses remained, yielding an effective response rate of 14.32% (See Table 2).
Nonresponse bias was evaluated by comparing early and late respondents across key demographics and construct means, and no significant differences were found (p > 0.05). These results suggest that attrition did not materially affect the representativeness of the final sample, although generalization should be limited to similar professional populations rather than to the broader workforce.
Respondents represented a wide range of organizational sizes and sectors (finance, healthcare, manufacturing, technology, and public administration) as well as geographic locations, providing a heterogeneous sample suitable for examining the generalizability of ZT implementation factors.

4.1.1. Operationalization of Constructs

All latent variables were modeled reflectively and measured using multi-item scales adapted from validated instruments [1,53,55,72]. Appendix A (Table A1) presents the complete measurement instrument. Each construct was conceptually defined and operationalized to capture its behavioral, organizational, and technological manifestations.
  • Strategic Commitment to Zero Trust: The degree to which an organization aligns its security vision, planning, and governance priorities with ZT principles. It reflects strategic intent, awareness of business implications, prioritization of technical requirements, and the formal integration of ZT initiatives (e.g., “My company currently has a defined Zero Trust security initiative.”)
  • Information Security Culture: The shared values, norms, and behaviors that shape collective commitment to information protection. It assesses how security best practices are embedded in daily routines and internalized as organizational norms rather than enforced solely through compliance (e.g., “At my company, best practices in information security are the accepted way of doing business.”)
  • Investment in Zero Trust Security: The tangible and intangible commitments enabling ZT adoption, including financial capacity, technological modernization, and human-resource development (e.g., “My company invests in Zero Trust architecture.”)
  • Technical Implementation of Zero Trust Controls: The extent to which technical mechanisms translate ZT principles into practice—such as multifactor authentication, contextual access control, network segmentation, and modernization of legacy systems (e.g., “My company employs multifactor authentication for external users and employees.”)
  • Information Security Governance: The policies, compliance routines, and accountability structures that institutionalize ZT practices. Items capture risk reporting, communication of governance updates, and alignment with governance, risk, and compliance (GRC) functions (e.g., “My company provides timely risk management updates to GRC stakeholders.”)
All items used a five-point Likert scale (1 = strongly disagree; 5 = strongly agree). Construct reliability and validity were assessed through indicator loadings, average variance extracted (AVE), composite reliability (CR), and discriminant-validity analyses, confirming the robustness of the measurement model for replication.

4.1.2. Assessment of Common-Method Bias (CMB)

To mitigate potential common-method variance, respondents were assured of anonymity and confidentiality and were instructed to answer based on organizational practices observed during the previous 12 months. Item randomization was implemented through the Research.net platform to minimize ordering effects [90].
In addition to these procedural remedies, two quantitative tests were conducted. First, Harman’s single-factor test was performed using unrotated principal-axis factoring across all measurement items to assess whether a single latent factor dominated the variance [93]. Second, full collinearity variance-inflation factors (VIFs) were computed for each latent variable in SmartPLS [94,95]. These complementary procedures are widely recommended in PLS-SEM research to ensure that common-method variance does not bias model estimates [95,96].

4.1.3. Method Application

Partial least squares structural equation modeling (PLS-SEM) was conducted using SmartPLS 4 [97,98]. Both the measurement and structural models were assessed in accordance with established guidelines [93,99].
For the measurement model, indicator loadings were evaluated via bootstrapping (target > 0.70), internal consistency via Cronbach’s α and composite reliability (CR; 0.70–0.95), convergent validity via AVE (>0.50), and discriminant validity via the heterotrait–monotrait (HTMT) ratio (<0.85–0.90). Nomological validity was confirmed within the theoretical framework, and predictive validity was assessed using Q2 (cross-validated redundancy) and f2 (effect size) metrics, where Q2 > 0, 0.25, and 0.50 indicate small, medium, and large predictive relevance, respectively. Collinearity was examined using VIF (<3.0), and R2 values were reported for all endogenous constructs.
To control potential endogeneity, the Gaussian Copula (GC) method proposed by Park and Gupta [95] was applied. This nonlinear transformation detects whether explanatory variables correlate with model error terms, which could bias path estimates. Non-significant copula terms indicate that endogeneity does not affect the corresponding relationships, thereby increasing causal robustness [94,95].
PLS-SEM is well suited for complex models involving mediation and moderation, and sample-size requirements were determined using multiple-regression power heuristics [95,100,101,102]. Using α = 0.05 and a target power of 0.80, benchmarks indicate that detecting a medium effect (f2 = 0.15) with up to five predictors (our most complex specification, including the interaction term) requires N ≈ 92, while detecting a large effect (f2 = 0.35) requires N ≈ 52 [101]. The final sample of N = 267 thus comfortably exceeds these thresholds, ensuring adequate power for both mediation (bootstrapped indirect effects) and moderation analyses.
The interaction term (Information Security Culture × Strategic Commitment to ZT) was modeled using the product-indicator approach with mean-centered indicators, as implemented in SmartPLS. Mean-centering minimizes multicollinearity between the latent predictors and their interaction term, providing unbiased estimates of the moderation effect within the PLS framework [93,95,99].

4.2. Qualitative Method: Interview Design and Data Analysis

To enrich and contextualize the findings from the quantitative phase, we conducted a qualitative study grounded in an interpretivist paradigm and informed by ontological pragmatism, which emphasizes the practical construction of meaning through experts’ perspectives [103]. Given the emergent and complex nature of ZT in organizational information security, a qualitative approach was essential to uncover the nuanced challenges, contradictions, and contextual mechanisms that shape ZT adoption [103,104,105].
We conducted 27 semi-structured interviews with information-security professionals across multiple sectors, employing purposeful sampling to initially target senior-level executives (e.g., CISOs, CIOs, IT Directors) with direct oversight of security strategies. Snowball sampling was subsequently used to capture a broader spectrum of perspectives across managerial, operational, and advisory roles, thereby ensuring both strategic- and implementation-level viewpoints [106,107]. Interviews averaged approximately 32 min in length and continued until data saturation was reached, consistent with prior literature [108].
All but one interview were audio-recorded and transcribed verbatim; in one case, due to privacy concerns, the participant provided written responses. Participants were fully informed of the study’s scope, confidentiality procedures, and the voluntary nature of participation prior to data collection. A flexible interview guide was developed to explore core themes while accommodating emergent insights and sensemaking narratives that surfaced during the conversations. Table 3 summarizes participant demographics and organizational affiliations.
In mixed-methods research, the generation of inferences often stems from the reciprocal integration of quantitative findings with qualitative insights, whereby statistical relationships among variables are interpreted through participants’ subjective experiences, rationales, and institutional contexts [89,90]. Accordingly, the qualitative phase in this study was not designed merely to confirm survey results but to explain, reinterpret, and extend them by uncovering the organizational processes through which ZT principles are enacted—or resisted—in practice.
The qualitative data analysis was guided by established interpretive procedures. Anchored in the TOE framework, we translated the latent variables examined in the quantitative phase into initial analytical categories—referred to by Miles and Huberman [109] as “intellectual bins”—which served as coding anchors. These predefined categories structured the initial round of thematic analysis of the interview transcripts. However, the analysis also incorporated inductive coding to capture emergent subthemes—such as leadership alignment, institutional resistance, symbolic compliance, and trust negotiation—that provided deeper interpretive insights beyond the original constructs.
To reinforce and expand upon the quantitative findings, which examined relationships among organizational, technological, and environmental factors, we applied axial coding to link these themes and identify cross-cutting mechanisms connecting strategy, culture, and governance. This iterative integration ensured that the qualitative data not only supported or challenged the hypotheses tested in the structural model but also revealed how and why these relationships materialize in organizational contexts. In this way, the qualitative phase contributed to theory building by clarifying the socio-cultural and institutional conditions under which the statistical relationships observed in the quantitative analysis hold true or become attenuated.

Coding Reliability and Validation Procedures

To ensure the credibility and reliability of the qualitative coding process, we employed an iterative and collaborative validation procedure rather than relying solely on quantitative inter-coder statistics. The first author developed the initial coding framework inductively based on repeated readings of the interview transcripts, following open and axial coding procedures consistent with grounded theory principles. The second author independently reviewed approximately one-third of the transcripts and applied the emerging codebook to assess conceptual alignment and coding consistency.
Discrepancies in code interpretation were discussed during reflexive consensus meetings with two additional independent researchers, during which both coders compared excerpts, refined category boundaries, and merged semantically overlapping codes. This process continued until full agreement was achieved across all thematic categories. The final codebook thus reflects a consensual validation approach, emphasizing interpretive convergence over numerical agreement measures.
To further enhance dependability, all coding decisions and analytical memos were systematically documented in an audit trail, ensuring transparency in how analytical themes evolved from the raw data. This triangulated validation process ensured that the final thematic structure accurately represented experts’ perspectives on ZT adoption and implementation challenges.

5. Findings

The following section presents the results of the quantitative analysis. It begins with an evaluation of the measurement model’s validity and reliability, followed by a description of the analytical procedures used to test the hypotheses. Finally, the results of the hypothesis testing are reported.

5.1. Quantitative Results

All measurement instruments demonstrated strong internal consistency reliability, with Cronbach’s α and composite reliability (CR) values exceeding the recommended threshold of 0.70 [93] (Table 4). Convergent validity was established for all constructs, as the average variance extracted (AVE) values ranged from 0.591 to 0.805, surpassing the 0.50 criterion.
Discriminant validity was confirmed through two complementary tests. First, the Fornell–Larcker criterion [98] indicated that the square root of each construct’s AVE was greater than its correlations with other constructs. Second, all heterotrait–monotrait (HTMT) ratios [95] fell below the conservative threshold of 0.85 (Table 5), confirming empirical distinctiveness among the constructs. All indicator loadings exceeded 0.70 and were statistically significant (p < 0.001), reinforcing indicator reliability and the robustness of the measurement model.
Multicollinearity diagnostics indicated that all variance inflation factors (VIFs) were below 5.0 (maximum = 3.3), confirming the absence of critical collinearity issues. The complete set of measurement indicators is provided in Appendix A (Table A1).
Tests for common-method bias (CMB) confirmed that it did not pose a threat to the validity of the results. Harman’s single-factor test revealed that the first factor explained less than 50% of the total variance, while all full collinearity VIFs were ≤3.0, below the conservative threshold of 3.3 [94].
Although the SRMR value (0.102) slightly exceeded the conventional 0.08 cut-off, such values are acceptable for complex PLS-SEM models that include multiple mediators and moderators [95,99]. Examination of the cross-loading matrix (Appendix A, Table A2) confirmed that all indicators loaded highest on their intended constructs, with cross-loadings at least 0.20 lower, thus ruling out redundancy or misspecification. Complementary fit indices (d_ULS = 1.768; d_G = 0.489; NFI = 0.815; χ2 = 660.719) further supported satisfactory global model fit.
Structural model significance and precision were evaluated through bootstrapping with 5000 subsamples (two-tailed, α = 0.05), following Hair et al. [93]. Effect sizes (f2) were computed to assess the practical relevance of each exogenous construct in explaining its respective endogenous variable. Information Security Culture exerted medium-sized effects on both the Technical Implementation of Zero Trust Controls (f2 = 0.141) and Strategic Commitment to Zero Trust (f2 = 0.148), underscoring its substantive role in fostering organizational readiness and strategic alignment with Zero Trust principles. The interaction term (Information Security Culture × Strategic Commitment to Zero Trust) produced a very small effect (f2 = 0.014), consistent with the marginal moderation observed in the structural analysis and suggesting that cultural strength slightly conditions the influence of strategic intent on technical outcomes.
The Technical Implementation of Zero Trust Controls demonstrated an exceptionally large effect on Information Security Governance (f2 = 1.222), reaffirming its central role as the operational mechanism translating organizational enablers into governance performance. Likewise, Investment in Zero Trust Security exhibited a large effect on Strategic Commitment to Zero Trust (f2 = 1.391) but only a small effect on Technical Implementation of Zero Trust Controls (f2 = 0.046), indicating that financial and technical investments contribute more to the formulation of ZT strategy than to its immediate operational realization. Conversely, the Strategic Commitment to Zero Trust → Technical Implementation of Zero Trust Controls path showed a negligible effect (f2 = 0.006), reinforcing that strategic vision alone—without complementary cultural and resource support—is insufficient to drive technical deployment.
Collectively, these f2 values indicate that the structural model is dominated by high-impact pathways—notably Technical Implementation of Zero Trust Controls → Information Security Governance and Investment in Zero Trust Security → Strategic Commitment to Zero Trust—while cultural and interactive mechanisms, though secondary, play essential enabling roles that sustain long-term adoption and governance maturity.
Predictive performance was further evaluated using the PLS-Predict procedure with 10-fold cross-validation. All Q2_predict values were positive and well above zero, confirming strong out-of-sample predictive accuracy: Q2_predict = 0.604 for Information Security Governance, 0.535 for Technical Implementation of Zero Trust Controls, and 0.763 for Strategic Commitment to Zero Trust. The corresponding RMSE and MAE values (0.635 and 0.506; 0.688 and 0.524; 0.490 and 0.365, respectively) demonstrate that the PLS model consistently outperformed the linear benchmark across all endogenous constructs.

5.1.1. Structural Model and Hypothesis Testing

Table 6 summarizes all hypothesized relationships. Consistent with H1, Information Security Culture had a strong, positive effect on the Technical Implementation of Zero Trust Controls (β = 0.385, p < 0.001), indicating that organizations with a stronger security culture are more effective in operationalizing Zero Trust principles. H1a was also supported (β = 0.233, p < 0.001), showing that a strong security culture enhances Strategic Commitment to Zero Trust.
Support was likewise found for H2 and H2a, demonstrating that Investment in Zero Trust Security positively influences both Strategic Commitment to Zero Trust (β = 0.715, p < 0.001) and Technical Implementation of Zero Trust Controls (β = 0.277, p = 0.002). These findings highlight the critical role of resource allocation and investment capacity in enabling both strategic planning and operational execution of ZT initiatives.
H3 received strong support (β = 0.742, t = 21.545, p < 0.001), confirming that Technical Implementation of Zero Trust Controls significantly enhances Information Security Governance through strengthened policy enforcement, improved risk communication, and consistent compliance routines. In contrast, H4 was not supported (β = 0.110, p = 0.223), suggesting that Strategic Commitment to Zero Trust, without supportive cultural and operational structures, is insufficient to drive technical adoption.
Mediation analyses further confirmed the central role of Technical Implementation of Zero Trust Controls. The construct mediated the effects of Information Security Culture on Information Security Governance (H5: β = 0.286, p < 0.001) and of Investment in Zero Trust Security on Information Security Governance (H6: β = 0.206, p = 0.003). These findings emphasize that ZT implementation functions as the operational bridge linking organizational enablers to governance outcomes.
The moderation test (H7) revealed a marginally significant interaction (β = −0.075, p = 0.081), indicating that a strong Information Security Culture may attenuate the effect of Strategic Commitment to Zero Trust on the Technical Implementation of Zero Trust Controls—possibly due to misalignments between formal strategic directives and deeply embedded organizational practices.
The adjusted R2 values show that the model explains 54.8% of the variance in Information Security Governance, 55.1% in the Technical Implementation of Zero Trust Controls, and 76.6% in Strategic Commitment to Zero Trust, reflecting moderate to substantial explanatory power. Overall, these findings reaffirm the centrality of technical implementation in realizing the benefits of Zero Trust and validate the TOE framework as an effective lens for understanding the organizational and technological enablers of cybersecurity innovation.

5.1.2. Robustness and Endogeneity Assessment

Potential endogeneity and distributional biases were examined using the Gaussian Copula (GC) approach [104,105]. None of the copula terms reached statistical significance at p < 0.05—for instance, the paths from Information Security Culture to the Technical Implementation of Zero Trust Controls (p = 0.704) and from Investment in Zero Trust Security to Strategic Commitment to Zero Trust (p = 0.389) were non-significant—indicating that the structural relationships are not biased by endogeneity.
As clarified by Hair et al. [104] and Hult et al. [105], non-significant GC terms confirm the absence of endogeneity, thereby supporting the causal interpretation of the PLS-SEM results. The consistent PLS (PLSc) algorithm [95,106] was additionally applied to correct for potential attenuation bias in reflective constructs. Bootstrapping with 5000 resamples was employed to ensure distributional stability and robustness.
Together, these robustness tests confirm that endogeneity and non-normality do not compromise the validity of the structural model or the reliability of the estimated path coefficients.

5.2. Qualitative Results

The qualitative phase deepened and contextualized the statistical findings by uncovering how organizational actors interpret, negotiate, and enact the ZT paradigm in practice. Regarding direct effects, the qualitative results substantiated and expanded the quantitative evidence on the critical role of organizational culture and investment in driving ZT implementation.
Numerous participants emphasized that fostering a strong security culture is foundational to successful implementation and trust realignment. One interviewee remarked, “The cultural impact, I think, is the main impact you have within any security principle” (ID1), while another noted, “The IT culture itself. I talked about the impact on users, budget, investments, and the IT culture itself” (ID7). These perspectives highlight that a security-oriented mindset must permeate organizational routines to overcome resistance and support ZT execution. Interview narratives also revealed “symbolic compliance” patterns—instances where formal controls were implemented without genuine behavioral change—illustrating the gap between technical enforcement and cultural assimilation. A third interviewee underscored this challenge, stating, “Cultural aspects are extremely important from the point of view of trust” (ID22).
With respect to investment, participants consistently identified resource allocation as a key enabler of ZT adoption, encompassing not only financial capacity but also long-term planning and upskilling. For instance, one professional stated, “I think that any company has a barrier… which is the investment in security. In other words, security is not cheap, it never was and never will be” (ID1). Another echoed this view, explaining, “The financial issue in terms of architecture… I think it is essential to be able to implement zero trust” (ID20). Several respondents further described investment as a form of organizational signaling to employees and partners, reinforcing the enterprise’s security commitment. Training and professional development were equally prioritized, with one interviewee emphasizing, “The training of professionals. Having a trained professional who understands the concept and who can overcome these first two barriers, which is to make management aware and to prepare the environment technologically” (ID5). Together, these accounts show that culture and investment interact recursively: financial commitment legitimizes security as a shared organizational value, while a mature culture ensures that such investments translate into behavioral change.
Turning to the mediation effects, the data suggest that ZT implementation acts as a bridge between organizational conditions (such as culture and investment) and governance outcomes. Interviewees explained that tangible improvements in policy compliance, control enforcement, and risk communication only emerge when implementation is thorough and iterative. For example, one participant explained, “Today the company already has a policy… in fact, we are currently readjusting the policies for a higher level of the zero trust, to make it even more stratified” (ID9). Another elaborated, “From the moment you apply an information security policy, you start working with encrypted data, the employees’ access itself requires authentication, depending on where you are working, you need to have an even higher level of security” (ID12). These accounts illuminate the mechanism underlying the mediation effect identified in the model: implementation operationalizes strategic intent and converts cultural and financial readiness into measurable governance outcomes.
Finally, in relation to the moderation effect, qualitative data provide strong evidence that security culture influences the strength and durability of strategic execution. Several participants noted that without a culturally embedded appreciation for security, formal strategies often fail to gain traction. As one interviewee candidly observed, “If it does not come from the top down, it is no use coming from an analyst or a specialist consultant” (ID20). Another explained, “The support of the board as a whole, because you can start at the bottom, but if you do not have people at the top setting an example and spreading the word, it does not work” (ID2). These statements emphasize the need for leadership alignment and cultural reinforcement to translate strategy into operational change. Conversely, participants described institutional resistance in environments where entrenched hierarchies or competing priorities undermined security initiatives, demonstrating how weak cultural endorsement can nullify even well-articulated strategic plans.
Beyond confirming the quantitative results, the qualitative analysis revealed deeper interpretive patterns—such as trust negotiation between employees and systems, symbolic compliance in policy enforcement, and institutional resistance to security transformation—that refine the TOE-based understanding of ZT adoption. These findings show that culture and investment are not merely contextual variables but dynamic forces that shape how ZT is enacted, contested, and sustained within enterprises. They also demonstrate that governance improvements are realized through iterative execution rather than planning alone, and that cultural embeddedness moderates the translation of strategic intent into sustained operational change.
In sum, integrating both phases produces a more interpretive and recursive view of ZT adoption, consistent with the governance-feedback loop proposed in Section Intertwining TOE and Zero Trust: A Multi-Contextual View. These results reinforce the importance of a holistic, TOE-informed approach that captures not only formal structures and technological capabilities but also informal norms, leadership dynamics, and sensemaking processes that determine implementation success.
The semi-structured interview protocol is provided in Appendix B, while Appendix C presents the qualitative evidence base through Table A3 (sample of coding scheme and representative excerpts) and Table A4 (additional quotations supporting quantitative results). These materials collectively ensure transparency and traceability of the analytical process. Because the original transcripts contain personally identifiable and organizational information, they cannot be publicly released in compliance with institutional ethics approval. Instead, the curated excerpts in Appendix C faithfully reflect the conceptual content and diversity of expert perspectives while safeguarding participant confidentiality.

6. Discussion

The integration of quantitative and qualitative evidence reveals that the adoption of ZT extends far beyond a technical reconfiguration of security architectures—it constitutes an organizational transformation shaped by cultural, strategic, and institutional dynamics. The mixed-methods design demonstrates that implementation functions as the operational bridge linking culture, investment, and governance, while security culture conditions the durability of strategic execution. Moreover, the findings refine the TOE framework by introducing a recursive governance-feedback loop, in which regulatory and environmental pressures influence internal governance structures that, in turn, reshape cultural and strategic readiness for Zero Trust. This integrative insight sets the stage for the discussion that follows, where we interpret these relationships, elaborate on their theoretical and managerial implications, and outline how organizations can cultivate the socio-technical conditions required for effective Zero Trust implementation.
This research represents an empirical effort to examine the organizational adoption of ZT as a cybersecurity strategy through an integrated mixed-methods lens. By combining quantitative survey data from a broad, cross-industry sample with qualitative insights from information-security professionals, the study develops a multilayered understanding of how organizational culture, investment, strategic alignment, and governance interrelate within the process of ZT implementation. Drawing on the TOE framework, we explore how these factors act as enablers or constraints in translating ZT principles into operational practices and institutional outcomes.
Beyond triangulating data, the integration of both phases added interpretive depth. The quantitative phase identified statistically significant relationships among culture, investment, strategy, and governance, while the qualitative analysis revealed how these relationships materialize in practice—for instance, through trust negotiation, institutional resistance, and symbolic compliance. This integration enabled a recursive interpretation of ZT adoption, illustrating that implementation success depends on both structural alignment and the socio-cultural processes that sustain organizational change.
Table 7 provides a summary of our main findings based on this multi-method investigation. In synthesizing these insights, we show that ZT adoption involves dynamic interactions between formal strategy and lived practice, where cultural readiness and leadership engagement determine the translation of technical principles into sustainable governance outcomes. In the sections that follow, we outline the theoretical contributions and practical implications of these results for IS management and cybersecurity research.

6.1. Implications for Practice

The findings of this study yield several practical implications for organizations seeking to adopt the ZT security paradigm. First, the results reaffirm that ZT adoption must be approached as an enterprise-wide transformation rather than a purely technical project. Successful implementation requires alignment among strategy, culture, and investment decisions. The strong influence of organizational culture on both strategic alignment and implementation effectiveness underscores the need to cultivate a shared security mindset across all levels of the enterprise [53,55]. This includes promoting security as a core organizational value, embedding it in day-to-day operations, and aligning internal practices with risk-aware behaviors that enhance readiness for ZT transformation.
Second, while investment remains essential, our results indicate that financial resources alone do not guarantee success unless accompanied by strategic intent, managerial commitment, and coordinated execution. Prior research emphasizes that financial capacity must translate into coherent priorities, training, and measurable capability building [1,10]. Organizations should therefore view investment as a signaling mechanism of strategic seriousness—an enabler of long-term trust alignment rather than a one-time expenditure. Sustained investment in technical infrastructure, professional development, and change-management processes ensures that ZT principles are consistently operationalized across the enterprise.
Third, the study highlights that strategic alignment is a necessary but insufficient condition for successful ZT adoption. Strategy must be reinforced by a supportive culture, governance clarity, and the integration of technology into business processes. This finding aligns with the broader literature on organizational transformation, which stresses the interdependence of top-down strategic intent and bottom-up implementation capacity [24,29,39]. To achieve this, enterprises should establish governance mechanisms that facilitate cross-functional collaboration and leadership accountability, linking executive strategy with operational execution.
Fourth, the mediating role of ZT implementation between organizational inputs (culture and investment) and governance outcomes underscores the importance of execution maturity. Effective implementation enhances compliance, transparency, and risk management—key priorities for both regulators and executive leadership [6,103]. For practitioners, this means emphasizing not only the design of ZT strategies but also their iterative, data-driven deployment through technologies such as microsegmentation, identity-centric access control, and continuous monitoring. Implementation must therefore be managed as a continuous learning process, where technical outcomes inform organizational adaptation.
Finally, leaders should adopt a systems-level view of ZT transformation—one that integrates technological, organizational, and environmental considerations, as described by the TOE framework. This holistic perspective positions ZT not merely as a cybersecurity upgrade but as a governance and trust-management mechanism that strengthens institutional resilience. By embedding ZT principles within existing governance structures and cultural practices, organizations can ensure more sustainable protection against evolving threats and regulatory demands.

6.2. Implications for Theory

This study yields several theoretical implications and opens new avenues for re-search into ZT as a strategic information-security paradigm, particularly when viewed through the lens of the TOE framework [22,26]. While prior research on ZT has pre-dominantly focused on its technical architectures and control mechanisms [58,72,91], our study shifts attention to the organizational, institutional, and environmental dynamics that underpin ZT adoption and implementation. By empirically validating the roles of organizational culture, investment, and strategy, this work advances TOE theory by extending it into cybersecurity-management contexts, a domain in which it has historically been underutilized.
Specifically, the findings position ZT as a paradigm-level innovation that challenges TOE’s traditional explanatory boundaries. ZT adoption involves not only the diffusion of technical solutions but also the institutionalization of new forms of governance, accountability, and trust. Accordingly, this study refines TOE by introducing the concept of a “governance-feedback loop,” whereby environmental legitimacy pressures (e.g., regulation, client expectations) shape internal governance structures that, in turn, influence organizational readiness and cultural alignment. This recursive relationship challenges the linear interpretation of TOE and demonstrates its adaptability to complex, security-driven transformations.
In particular, the findings encourage researchers to move beyond viewing ZT as merely a configuration of technical controls. Instead, ZT should be understood as a multi-level innovation whose success depends on the interplay among organizational readiness, environmental pressures, and technological capabilities. This perspective reframes TOE as a theory of continuous adaptation, highlighting its capacity to capture the co-evolution of technological and institutional forces in security innovation. Future research could extend this approach by integrating individual-level or inter-organizational factors—such as leadership cognition, industry standards, or supply-chain influence—which are increasingly recognized as determinants of security-transformation outcomes [19,55].
Moreover, the results regarding mediating and moderating effects highlight that implementation serves as the central conduit through which strategy, culture, and in-vestment influence governance and compliance outcomes. This finding advances a more nuanced understanding of how organizational factors operate synergistically rather than independently to shape information-security performance. Researchers may build on this by employing longitudinal or multi-level designs to examine how these dynamics evolve over time, or by integrating TOE with complementary theoretical perspectives—such as Dynamic Capabilities Theory or Institutional Theory—to enrich its explanatory depth for paradigm-level transformations.
This study also offers a methodological contribution by demonstrating the explanatory value of a sequential mixed-methods design in cybersecurity research. While quantitative modeling identified significant relationships, the qualitative phase revealed behavioral, cultural, and contextual mechanisms that deepened theoretical interpretation. Such methodological pluralism enhances the theory’s external validity and encourages future IS security studies to combine statistical modeling with interpretive inquiry to better capture socio-technical complexity.
Finally, this study advances the TOE framework beyond its traditional innovation-adoption role by embedding the concepts of governance reflexivity, institutional legitimacy, and continuous verification—dimensions essential for explaining the re-cursive and trust-driven dynamics of ZT adoption. This refined interpretation positions TOE as a generative and adaptive theory for analyzing security innovations that simultaneously reshape technological systems, organizational cultures, and institutional environments, providing a comprehensive foundation for future research on socio-technical resilience.

6.3. Limitations and Future Research Directions

While this study provides valuable insights into the organizational adoption of ZT security frameworks, several limitations must be acknowledged, as they also present opportunities for further scholarly inquiry.
First, although the quantitative component employed validated constructs adapted from prior studies [53] and refined through expert interviews, the contextual nature of ZT adoption means that measurement items—particularly those related to strategic alignment, culture, and governance—may be interpreted differently across industries or regions. Future research should aim to refine and validate these con-structs across broader and more diverse organizational samples to enhance their generalizability and measurement robustness.
Second, while the study applied the TOE framework to analyze the organizational, technological, and environmental dimensions influencing ZT, the complexity of the phenomenon may require the integration of complementary theories. For example, Institutional Theory or Dynamic Capabilities Theory may offer additional explanatory power for understanding how organizations adapt to regulatory pressures or build in-ternal competencies over time. Moreover, this study treated the TOE components as distinct, linear constructs. Future studies could explore potential interactions among these dimensions—such as how environmental factors moderate the relationship between organizational culture and implementation—to further refine TOE’s explanatory reach.
Third, although the quantitative results revealed significant direct, mediating, and marginal moderation effects, causality cannot be firmly established due to the cross-sectional design. Longitudinal and panel-based studies are therefore recommended to track how ZT adoption evolves over time and to determine whether strategic commitment and cultural alignment produce sustained improvements in security governance. Additionally, given that our sample included cybersecurity professionals across industries, future research could examine sector-specific variations in ZT implementation—such as comparing highly regulated environments (e.g., finance and healthcare) with less regulated ones (e.g., retail or education)—to identify contextual contingencies and adaptation patterns.
Fourth, the qualitative findings were drawn from semi-structured interviews with 27 professionals, providing rich contextual insights into barriers, enablers, and organizational dynamics. However, qualitative data are inherently interpretive and may reflect biases in participant self-reporting or researcher analysis. While we used triangulation and saturation techniques to enhance validity, future qualitative work could incorporate ethnographic, longitudinal, or comparative case study methods to capture how organizational routines, cultural norms, and power dynamics shape ZT adoption processes in practice.
Fifth, we acknowledge that the sample composition presents a limitation in terms of external validity and generalizability. The quantitative phase was notably concentrated in North and South America, and the qualitative interviews were heavily drawn from professionals in the technology sector. While this focus provides valuable insights into ZT adoption in digitally mature and innovation-driven environments, it may not fully capture dynamics present in other geographic regions or industry sectors, such as government, education, or manufacturing. We have clarified that the use of LinkedIn-based recruitment was intended to capture professionals across diverse regions and industries efficiently; however, future data collections should prioritize professional associations, industry bodies, and certification networks (e.g., ISACA, ISC2, and national cybersecurity councils) to enhance both geographic diversity and response rates. Accordingly, these findings should be interpreted as contextually bound to organizations with relatively high digital readiness and exposure to cybersecurity innovations. Future research should include more diverse and balanced samples to validate the applicability of these results across broader institutional and cultural contexts.
While the mixed-methods approach provided complementary insights and enhanced explanatory depth, the quantitative survey relied on self-reported perceptions, which may be subject to social desirability or recall bias. Future studies could combine perceptual data with objective implementation metrics (e.g., compliance audit results, network access logs, or system telemetry) to improve empirical validation. Experimental or quasi-experimental designs may also help test the causal mechanisms underlying the adoption process more rigorously.
Finally, this study lays a foundation for future research at the intersection of cybersecurity strategy, governance, and innovation adoption. As organizations continue to navigate evolving threat landscapes and regulatory pressures, expanding empirical evidence on ZT adoption—through regionally focused, cross-sectoral, and theory-integrative approaches—will be essential to inform both academic debates and managerial decision-making.

7. Conclusions

Zero Trust (ZT)—a security paradigm rooted in the principles of continuous verification and least-privilege access—has emerged as a strategic approach to addressing the evolving complexities of information security in modern organizations. This study presents a mixed-method investigation into the organizational factors that influence its adoption, drawing on the TOE framework to examine the interplay among security culture, strategic alignment, financial investment, implementation practices, and governance outcomes. By integrating insights from a large-scale survey of cybersecurity professionals with in-depth interviews across industries, the study provides a comprehensive view of how organizational readiness and cultural alignment affect the translation of ZT strategy into operational success.
Our findings indicate that while security culture and investment are strong drivers of both the strategic and technical dimensions of ZT, it is the effective implementation of controls that ultimately supports governance and compliance objectives. Notably, the study reveals that strategy alone is insufficient to predict implementation success unless it is supported by cultural and operational enablers, and that implementation serves as a crucial mediating mechanism linking organizational inputs to regulatory outcomes.
Qualitative insights reinforce these patterns, highlight challenges related to legacy systems, planning complexity, and resistance to cultural change—factors that demand sustained leadership commitment and cross-functional coordination. In sum, this study advances our understanding of ZT not merely as a technical framework but as an enterprise-wide transformation strategy. As organizations face increasing regulatory scrutiny and sophisticated cyber threats, the strategic adoption of ZT—grounded in organizational realities—offers a promising path toward more resilient and adaptive security postures.

Author Contributions

Conceptualization, A.P.; methodology, A.P.; software, A.P.; validation, A.P. and F.d.S.M.; formal analysis, A.P.; investigation, A.P.; resources, A.P.; data curation, A.P.; writing—original draft preparation, A.P.; writing—review and editing, A.P. and F.d.S.M.; visualization, A.P. and F.d.S.M.; supervision, F.d.S.M.; project administration, A.P.; funding acquisition, A.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES), Brazil, grant number 001.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki and approved by the Institutional Ethics Committee of Fundação Getulio Vargas FGV-EAESP (protocol code P.502.2023, date of approval 10 January 2024) for studies involving humans.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

The data that support the findings of this study are openly available at Harvard Dataverse, V1 https://doi.org/10.7910/DVN/KMATU7.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ZTZero Trust
TOETechnology–Organization–Environment

Appendix A

Quantitative Report
Table A1. Measurement Model Indicators.
Table A1. Measurement Model Indicators.
Instrument IndicatorsLoadingMeanS.D.T Statisticsp ValuesVIF
Strategic Commitment to Zero Trust: Focuses on the strategic alignment of the organization with the Zero Trust model.
My company currently has a defined zero trust security initiative (SCZ1)0.8880.8880.01751.9970.0002.817
My company understands the impacts of the zero trust security model on business operations (SCZ2)0.8890.8880.01656.4940.0003.061
My company knows the priorities and technical requirements for the adoption of the zero trust paradigm (SCZ3)0.8990.8980.01463.1250.0003.284
My company considers zero trust architecture to define information security technologies (SCZ4)0.8700.8700.02043.3910.0002.577
Information Security Culture: Deals with the organizational culture focused on valuing information security.
My company has an organizational culture that promotes strong information security practices (ISC1)0.8920.8920.01655.7030.0002.753
At my company, information security is traditionally considered an important organizational value (ISC2)0.8630.8620.02633.5810.0002.338
At my company, best practices in information security is the accepted way of doing business (ISC3)0.8570.8570.02239.7690.0002.286
At my company, the business environment promotes information security thinking (ISC4)0.8750.8740.02043.8090.0002.464
Investment in Zero Trust Security: Focuses on investments and commitment to training and technologies based on ZT architecture.
My company invests in zero trust architecture (IZT1)0.9080.9090.01274.5360.0002.651
At my company, the information security investment includes training and education in zero trust paradigm (IZT2)0.8740.8730.01848.7100.0002.137
In my company, information security investment is periodically reassessed using emergent trends in zero-trust architecture (IZT3)0.9090.9090.01273.4280.0002.666
Technical Implementation of Zero Trust Controls: Groups together practical actions related to the application of technical controls according to the principles of Zero Trust.
My company implements security tools that act as a proxy to modernize legacy technologies (TIC1)0.7430.7410.03819.6730.0001.409
My company looks at user’s posture and device position for decision-making in accessing the data layers (TIC2)0.8130.8120.02434.1540.0001.743
My company employs multifactor authentication for external users and employees (TIC3)0.7100.7070.04515.7950.0001.324
My company has context-based access policies (TIC4)0.8060.8060.03027.2670.0001.739
Information Security Governance: Relates to aspects of policies, governance, and reporting and compliance practices.
At my company, security breaches are reported to the appropriate authority openly and effectively (ISG1)0.7380.7330.05313.8820.0001.429
My company provides timely risk management updates to governance, risk and compliance of stakeholders (ISG2)0.8590.8580.02140.6670.0001.724
My company has relevant security control policies in place to support zero trust paradigm (ISG3)0.8370.8380.02041.7480.0001.472
Source: Authors’ Own Creation.
Additional Validity Evidence
To further confirm discriminant validity and rule out indicator redundancy as a potential source of residual covariance, the full cross-loading matrix is presented in Table A2. Each indicator loads highest on its intended construct, with all cross-loadings at least 0.20 lower. This pattern supports the discriminant validity of the reflective measurement model and reinforces that the slightly elevated SRMR value (0.102) results from model complexity rather than misspecification.
Table A2. Cross-Loading Matrix.
Table A2. Cross-Loading Matrix.
IndicatorsInformation Security CultureInformation Security GovernanceInvestment in Zero Trust SecurityStrategic Commitment to Zero TrustTechnical Implementation of Zero Trust Controls
IZT10.5560.4450.9080.5040.327
IZT20.5370.4690.8740.2290.295
IZT30.5430.2710.9090.3710.306
ISC10.8920.5830.5550.3920.540
ISC20.8630.4440.4890.4380.545
ISC30.8570.3650.5170.3760.509
ISC40.8750.3170.5550.3210.505
TIC10.4600.5550.2240.4300.743
TIC20.5330.4090.3380.5220.813
TIC30.5800.5340.3840.4430.710
TIC40.5370.5790.3140.3850.806
ISG10.5230.7380.4160.3790.382
ISG20.6380.8590.5920.5820.452
ISG30.6500.8370.3410.2330.379
SCZ10.5350.4250.3230.8880.314
SCZ20.3550.3610.3170.8890.440
SCZ30.2190.2430.3160.8990.400
SCZ40.4600.3150.4820.8700.294
Note. Cross-loadings shown in bold to emphasize the convergence of each indicator on its respective latent construct, thereby illustrating the expected factor structure. Source: Authors’ Own Creation.

Appendix B

Semi Structured Interview Protocol

INTRODUCTION
Please tell us about your role in your organization and the activities for which you are responsible.
CONTROL QUESTIONS
  • How much professional experience do you have (in years)?
  • How long have you worked for this organization (in years)?
  • Is the organization private, public, or another type of activity?
  • Is the origin of the organization’s capital 100% Brazilian? If not, what other nationalities are involved in the organization, and which one prevails? Please elaborate.
SEMI-STRUCTURED INTERVIEW
5.
Is ZT the future of data protection in organizations? Please elaborate.
6.
What do you understand about the impacts of adopting ZT in organizations? Please elaborate.
7.
Do you believe that implementing ZT has any effect on productivity at work? Please elaborate.
8.
What are the three main challenges for the adoption of ZT principles in organizations? Please elaborate.
9.
How does your organization understand the adoption of ZT?
10.
What are the biggest barriers to adopting ZT in your organization?
11.
Within information security, what is ZT’s priority for your organization?

Appendix C

Qualitative Report
Table A3. Sample of Coding scheme and representative excerpts of Interview Data.
Table A3. Sample of Coding scheme and representative excerpts of Interview Data.
First-Order Codes (Quotations)Second-Order Themes
(Axial Codes)		Aggregate Dimensions
“Information security is always seen as something that should not cause, I would say, inconvenience… but it truly appears to be a hindrance to the business. Therefore, this is a big challenge.” (ID8)Perception of Security as an Obstacle to BusinessStrategic Commitment to Zero Trust
“…it is only in the security layer and does not interact with the business layer….” (ID21)Disconnection Between Security and Business Value
“So, I always work from a risky perspective, then we have to prioritize things and do things in priority order.” (ID15)Prioritization of Security Based on Business Risk
“Today, the board, the shareholders, they already understand that information security is crucial for business continuity.” (ID8)Executive Support for Zero Trust Strategy
“…you must have a strategy aimed at implementing zero-trust… to have this paradigm working in fact, you necessarily must have a very well-consolidated strategy…” (ID6)Need for a Consolidated Security Strategy
“…this is a project that not only involves technology, but I would also involve businesspeople right away…I would not implement something in a top down way…I would implement it within an area in such a way that it could generate a result, and if this result is beneficial, it could necessarily spread to the rest of the company.” (ID22)Cross-Functional Integration in Strategy
“The image of the brand that remains because you have lost data or have leaked data from a patient.” (ID1); “Especially, in a bank where an incident can undermine the bank’s credibility.” (ID6); “…the company is a giant… it already adopts all systems; it cannot sell something it does not use…” (ID17)Brand Image and Reputation Depend on SecurityInformation Security Culture
“We sell security systems to the customer and if we don’t apply this ourselves…” (ID16)Cultural Integrity and Internal Application
“… for the company to make this decision to implement, it has to understand if this is part of it, if this is in line with the business model it has established…” (ID24)Alignment with Corporate Identity
“…the cultural impact, I think is the main impact you have within any security principle…” (ID1); “…the IT culture itself. I talked about the impact on users, budget, investments, and the IT culture itself.” (ID7); “Cultural aspects are extremely important from the point of view of trust.” (ID22)Cultural Resistance to Change
“…the training of professionals. Having a trained professional who understands the concept and who can overcome these first two barriers, which is to make management aware and to prepare the environment technologically.” (ID5)Professional Capacity BuildingInvestment in Zero Trust Security
“And there are several trainings aimed at all levels of employees to work with data security.” (ID12); “…it should not be linked only to systems, but professional training, understanding and a lot of people at the various manufacturing levels.” (ID16); “Training and awareness… people are always a challenge.” (ID8)Continuous Training for Security Maturity
“…the financial issue in terms of architecture…I think it is essential to be able to implement zero-trust.” (ID20)Financial Constraints and Prioritization
“I think that any company has a barrier… which is investment in security. In other words, security is not cheap, it never was and never will be.” (ID1)High Costs as Implementation Barrier
“We spent six months planning zero-trust…” (ID15)Planning Complexity and UncertaintyTechnical Implementation of Zero Trust Controls
“…adequacy of processes to the company’s business requirements with regard to zero-trust. I would say adequacy…maintenance, support of processes to adhere to zero-trust. More than adapting, you need to keep them updated.” (ID8); “…companies that do not have well-established process management will face great difficulty in putting this into practice, because it has a direct impact…” (ID24)Process Readiness and Adaptation
“…there can be many legacy systems in which zero-trust is not viable…” (ID13); “Companies use legacy software to trigger legacy, and this hinders zero-trust…” (ID15); “It is truly a complex business…because you have these legacy applications and they were not designed with a zero-trust approach…” (ID19)Technological Obsolescence
“….it is not something you go there and implement all at once. It is not a turn of the key… you implement and turn the key! It is a gradual process.” (ID17)Gradual and Iterative Deployment
“…the impact of capacity… background, experience of information security teams as a whole… because the concept for many people is new…” (ID27)Capacity and Skill Gap in Security Teams
“…today the company already has a policy… in fact, we are currently readjusting the policies for a higher level of zero trust, to make it even more stratified.” (ID9)Policy Maturity and StratificationSecurity Governance and Risk Communication
“…from the moment you apply an information security policy, you start working with encrypted data, the employees’ access itself requires authentication, depending on where you are working, you need to have an even higher level of security.” (ID12)Policy Enforcement via Technical Means
“…the IPO was made, we needed to tighten slightly more controls for compliance issues, and especially a company with public capital outside the country.” (ID19)Security and Compliance Integration
“…the regulations help as long as there are enforcements on the controls, and this will obviously reflect on the concern about the application of the zero-trust concept itself.” (ID26)Regulatory Pressure and Enforcement
Source: Authors’ Own Creation.
Table A4. Additional Quotations to corroborate quantitative findings.
Table A4. Additional Quotations to corroborate quantitative findings.
Latent VariableInterviewees’ Quotations
Strategic Commitment to Zero Trust“You must have a strategy aimed at implementing zero-trust… to have this paradigm working in fact, you necessarily must have a very well-consolidated strategy.” (ID6)
“…this is a project that not only involves technology, but I would also involve businesspeople right away…I would not implement something in a top down way…I would implement it within an area in such a way that it could generate a result, and if this result is beneficial, it could necessarily spread to the rest of the company.” (ID22)
“I believe that you need to have an environment with a reasonably high security maturity level before thinking about an implementation of this size.” (ID23)
“…we have a global structure working everywhere in our network, our firewalls, our accesses…” (ID3)
“…the support of the board as a whole, because you can start at the bottom, but if you do not have people at the top setting an example and spreading the word, it does not work…” (ID2)
“If it does not come from the top down, it is no use coming from an analyst of a specialist consultant…” (ID20)
“…you will need to anchor and sell a project of this magnitude very well to the executives, because it takes a long time for you to have a perception of the added value.” (ID19)
Information Security Culture“…the cultural impact, I think is the main impact you have within any security principle…” (ID1)
“The IT culture itself. I talked about the impact on users, budget, investments, and the IT culture itself.” (ID7)
“Cultural aspects are extremely important from the point of view of trust.” (ID22)
“That person who creates an account there… despite being a repetitive job, he is afraid of losing his job… this change, I think it also reflects one of the difficulties of an implementation… my area will end.” (ID17)
“…within any security principle, users need to be educated for this and usually they do not like it…” (ID1)
“And there are several trainings aimed at all levels of employees to work with data security.” (ID12)
“…it should not be linked only to systems, but professional training, understanding and a lot of people at the various manufacturing levels.” (ID16)
“…component of human behavior… not paying attention to what you’re doing, any employee can put the company at risk, that is why I strongly believe that zero-trust truly is the future.” (ID3)
Investment in Zero Trust Security“I think that any company has a barrier… which is the investment in security. In other words, security is not cheap, it never was and never will be.” (ID1)
“…we are having great difficulty fitting this… budget is going to be a problem.” (ID15)
“The financial issue in terms of architecture… I think it is essential to be able to implement zero-trust.” (ID20)
“… good planning, a good budget helps to defend zero-trust… I think that supporting good planning and awareness of companies…” (ID17)
“The training of professionals. Having a trained professional who understands the concept and who can overcome these first two barriers…” (ID5)
“For more mature companies, the zero trust model is already starting to be a reality, but the investment is high, considering people, tools, implementation and integration.” (ID23)
“We are working to understand… As this company is global… a lot of information comes from abroad, information in English, and we know that here in Brazil there is a difficulty with language.” (ID7)
Technical Implementation of ZT Controls“…it is not something you go there and implement all at once. It is not a turn of the key… you implement and turn the key! It is a gradual process.” (ID17)
“I think it is how to do it, organize yourself, make a plan to have this security paradigm, this type of security action. I think that is the first barrier.” (ID13)
“You must have tools, you cannot do zero-trust without tools, unfortunately you cannot do zero-trust with a process.” (ID15)
“…arriving here with a philosophy and a control strategy that is top of line, bring together all the events, the deliverables of all the peripherals and equipment that we have, and the company does not have the basic configuration of network.” (ID21)
“It is truly a complex business… because you have these legacy applications and they were not designed with a zero-trust approach, they were designed with another security strategy.” (ID19)
“…the complexity of the environment increases with zero-trust, because you have to segment the networks more, you have to define a more granular level of permissions…” (ID18)
“… for you to implement it in a company of this size is very impactful, because you are talking about how many thousand users there are accessing systems through the company…” (ID27)
“…we have to separate the conversation from what we have within our infrastructure, and what we have from the partners that we access as third parties through our infrastructure.” (ID3)
“…in the cybersecurity area there is security focused on access, there is security area focused on integration, there is microservices area, there is security area for architecture, and they do not talk…” (ID17)
“…within IT we have divisions, we have people from the security area, we have people from the infrastructure area, we have the development area… In addition, these areas conflict, especially when we talk about security…” (ID18)
Security Governance “…today the company already has a policy… in fact, we are currently readjusting the policies for a higher level of the zero-trust, to make it even more stratified.” (ID9)
“From the moment you apply an information security policy, you start working with encrypted data, the employees’ access itself requires authentication, depending on where you are working, you need to have an even higher level of security.” (ID12)
“…as for the zero-trust, it always advances in paths that are worrying from the point of view of legality… of individual rights. Therefore, the zero-trust has a very broad bias…” (ID22)
“…if you do not have a very clear policy and methodology, you end up impacting productivity.” (ID2)
“If it is not very well configured and there is no proactive monitoring there… it can have an impact.” (ID18)
“If well implemented, built, it does not impact the productivity of employees.” (ID21)
“The image of the brand that remains because you have lost data or have leaked data from a patient.” (ID1)
“Especially, in a bank where an incident can undermine the bank’s credibility.” (ID6)
Source: Authors’ Own Creation.

References

  1. Pigola, A.; Meirelles, F.D.S. Zero Trust in Cybersecurity: Managing Critical Challenges for Effective Implementation. J. Syst. Inf. Technol. 2025. Epub ahead of printing. [Google Scholar] [CrossRef]
  2. Kindervag, J. No More Chewy Centers: The Zero Trust Model of Information Security; Forrester Research: Cambridge, MA, USA, 2016; p. 3. Available online: https://crystaltechnologies.com/wp-content/uploads/2017/12/forrester-zero-trust-model-information-security.pdf (accessed on 25 June 2024).
  3. Winckless, C.; Proctor, P.; Lintemuth, T. Outcome-Driven Metrics You Can Use to Evaluate Your Zero-Trust Initiative 2023. Available online: https://www.gartner.com/document/4842431?ref=solrAll&refval=400273523& (accessed on 25 June 2024).
  4. Kindervag, J. Build Security into Your Network’s Dna: The Zero Trust Network Architecture; Forrester Research: Cambridge, MA, USA, 2010; p. 27. Available online: http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf (accessed on 25 June 2024).
  5. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; National Institute of Standards and Technology. 2020. Available online: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (accessed on 25 June 2024).
  6. Pigola, A.; Meirelles, F.S.; Da Costa, P.R.; Porto, G.S. Trust in Information Security Technology: An Intellectual Property Analysis. World Pat. Inf. 2024, 78, 102281. [Google Scholar] [CrossRef]
  7. Winckless, C.; Olyaei, S. How to Decipher Zero Trust for Your Business 2022. Available online: https://www.gartner.com/document/4014435?ref=solrAll&refval=357881086 (accessed on 25 June 2024).
  8. Hankins, W.; Smith, Z.; McQuaid, A.; Fazal, N. The CISO’s Conversation Guide to Zero Trust. Available online: https://www.gartner.com/en/doc/799106-cisos-conversation-guide-to-zero-trust (accessed on 25 June 2024).
  9. Koeppen, D.; Watts, J. Implement Zero-Trust Network Access Through a Life Cycle Approach. Available online: https://www.gartner.com/en/documents/5398563 (accessed on 7 April 2024).
  10. D’Hoinne, J.; Shoard, P. Use the U.S. DoD Model for Your Zero Trust Approach: Visibility & Analytics Pillar; Gartner: Stamford, CT, USA, 2024; pp. 1–22. Available online: https://www.gartner.com/document/5124931?ref=solrAll&refval=395625636& (accessed on 7 April 2024).
  11. Bobbert, Y.; Timmermans, T. Zero Trust and Compliance with Industry Frameworks and Regulations: A Structured Zero Trust Approach to Improve Cybersecurity and Reduce the Compliance Burden. In Advances in Information and Communication; Arai, K., Ed.; Lecture Notes in Networks and Systems; Springer Nature: Cham, Switzerland, 2024; Volume 921, pp. 650–667. ISBN 978-3-031-54052-3. [Google Scholar]
  12. Google A New Approach to Enterprise Security. BeyondCorp 2018. Available online: https://www.beyondcorp.com/ (accessed on 8 April 2024).
  13. Shenouda, J. Zero Trust Architecture Implementation Across Industries 2024. Available online: https://www.cyber-consult.org/zero-trust-architecture-implementation-across-industries (accessed on 7 April 2024).
  14. Rahman, A.; Indrajit, E.; Unggul, A.; Dazki, E. Implementation of Zero Trust Security in MSME Enterprise Architecture: Challenges and Solutions. Sink. J. Penelit. Tek. Inform. 2024, 8, 2077–2087. [Google Scholar]
  15. Huang, W.; Xie, X.; Wang, Z.; Feng, J.; Han, G.; Zhang, W. ZT-Access: A Combining Zero Trust Access Control with Attribute-Based Encryption Scheme against Compromised Devices in Power IoT Environments. Ad Hoc Netw. 2023, 145, 103161. [Google Scholar] [CrossRef]
  16. Phiayura, P.; Teerakanok, S. A Comprehensive Framework for Migrating to Zero Trust Architecture. IEEE Access 2023, 11, 19487–19511. [Google Scholar] [CrossRef]
  17. Yeoh, W.; Liu, M.; Shore, M.; Jiang, F. Zero Trust Cybersecurity: Critical Success Factors and A Maturity Assessment Framework. Comput. Secur. 2023, 133, 103412. [Google Scholar] [CrossRef]
  18. Collier, Z.A.; Sarkis, J. The Zero-Trust Supply Chain: Managing Supply Chain Risk in the Absence of Trust. Int. J. Prod. Res. 2021, 59, 3430–3445. [Google Scholar] [CrossRef]
  19. Itodo, C.; Ozer, M. Multivocal Literature Review on Zero-Trust Security Implementation. Comput. Secur. 2024, 141, 103827. [Google Scholar] [CrossRef]
  20. Neale, C.; Kennedy, I.; Price, B.; Yu, Y.; Nuseibeh, B. The Case for Zero Trust Digital Forensics. Forensic Sci. Int. Digit. Investig. 2022, 40, 301352. [Google Scholar] [CrossRef]
  21. Uttecht, K.D. Zero Trust (ZT) Concepts for Federal Government Architectures; Report No.: FA8702-15-D-0001; Massachusetts Institute of Technologies, Lincoln Laboratory: Lexington, MA, USA, 2020; pp. 1–58. Available online: https://apps.dtic.mil/sti/citations/AD1106904 (accessed on 12 April 2024).
  22. Tornatzky, L.G.; Fleischer, M. The Processes of Technological Innovation; Issues in Organization and Management Series; Lexington Books: Lexington, MA, USA, 1990; ISBN 978-0-669-20348-6. [Google Scholar]
  23. Van Klyton, A.; Tavera-Mesias, J.; Duque, K.; Agyapong, A. Trust Dynamics for AI Implementation in High-Barrier Environments: The Moderating Effect of Government Involvement. Inf. Technol. People 2025. Epub ahead of printing. [Google Scholar] [CrossRef]
  24. Zhong, Y.; Chen, Z.; Ye, J.; Zhang, N. Exploring Critical Success Factors for Digital Transformation in Construction Industry–Based on TOE Framework. Eng. Constr. Arch. Manag. 2024, 32, 4227–4249. [Google Scholar] [CrossRef]
  25. Joyce, C.; Roman, F.L.; Miller, B.; Jeffries, J.; Miller, R.C. Emerging Cybersecurity Threats in Radiation Oncology. Adv. Radiat. Oncol. 2021, 6, 100796. [Google Scholar] [CrossRef] [PubMed]
  26. Awa, H.O.; Ukoha, O.; Igwe, S.R. Revisiting Technology-Organization-Environment (T-O-E) Theory for Enriched Applicability. Bottom Line 2017, 30, 2–22. [Google Scholar] [CrossRef]
  27. Kumar, A.; Shankar, A. Building a Sustainable Future with Enterprise Metaverse in a Data-Driven Era: A Technology-Organization-Environment (TOE) Perspective. J. Retail. Consum. Serv. 2024, 81, 103986. [Google Scholar] [CrossRef]
  28. Hossain, M.A.; Quaddus, M. The Adoption and Continued Usage Intention of RFID: An Integrated Framework. Inf. Technol. People 2011, 24, 236–256. [Google Scholar] [CrossRef]
  29. Nguyen, T.H.; Le, X.C.; Vu, T.H.L. An Extended Technology-Organization-Environment (TOE) Framework for Online Retailing Utilization in Digital Transformation: Empirical Evidence from Vietnam. J. Open Innov. Technol. Mark. Complex. 2022, 8, 200. [Google Scholar] [CrossRef]
  30. Prakasa, Y.; Fauzan, N. Understanding the Technological-Organizational-Environmental Concepts on SMEs’ Performance in Emerging Market. KnE Soc. Sci. 2024, 1, 43–66. [Google Scholar] [CrossRef]
  31. Stanojevic, M.; Capko, D.; Lendak, I.; Stoja, S.; Jelacic, B. Fighting Insider Threats, with Zero-Trust in Microservice-Based, Smart Grid OT Systems. Acta Polytech. Hung. 2023, 20, 229–248. [Google Scholar] [CrossRef]
  32. Awa, H.O.; Ojiabo, O.U.; Orokor, L.E. Integrated Technology-Organization-Environment (T-O-E) Taxonomies for Technology Adoption. J. Enterp. Inf. Manag. 2017, 30, 893–921. [Google Scholar] [CrossRef]
  33. Chwelos, P.; Benbasat, I.; Dexter, A.S. Research Report: Empirical Test of an EDI Adoption Model. Inf. Syst. Res. 2001, 12, 304–321. [Google Scholar] [CrossRef]
  34. Grover, V. An Empirically Derived Model for the Adoption of Customer-based Interorganizational Systems. Decis. Sci. 1993, 24, 603–640. [Google Scholar] [CrossRef]
  35. Shiau, W.; Hsu, P.; Wang, J. Development of Measures to Assess the ERP Adoption of Small and Medium Enterprises. J. Enterp. Inf. Manag. 2009, 22, 99–118. [Google Scholar] [CrossRef]
  36. Zhu, K.; Kraemer, K.; Xu, S. Electronic Business Adoption by European Firms: A Cross-Country Assessment of the Facilitators and Inhibitors. Eur. J. Inf. Syst. 2003, 12, 251–268. [Google Scholar] [CrossRef]
  37. Hwang, H.-G.; Ku, C.-Y.; Yen, D.C.; Cheng, C.-C. Critical Factors Influencing the Adoption of Data Warehouse Technology: A Study of the Banking Industry in Taiwan. Decis. Support Syst. 2004, 37, 1–21. [Google Scholar] [CrossRef]
  38. Zhu, K.; Kraemer, K.L. Post-Adoption Variations in Usage and Value of E-Business by Organizations: Cross-Country Evidence from the Retail Industry. Inf. Syst. Res. 2005, 16, 61–84. [Google Scholar] [CrossRef]
  39. Awa, H.O.; Ojiabo, O.U.; Emecheta, B.C. Integrating TAM, TPB and TOE Frameworks and Expanding Their Characteristic Constructs for e-Commerce Adoption by SMEs. J. Sci. Technol. Policy Manag. 2015, 6, 76–94. [Google Scholar] [CrossRef]
  40. DiMaggio, P.J.; Powell, W.W. The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields. Am. Sociol. Rev. 1983, 48, 147. [Google Scholar] [CrossRef]
  41. Salwani, M.I.; Marthandan, G.; Daud Norzaidi, M.; Choy Chong, S. E-commerce Usage and Business Performance in the Malaysian Tourism Sector: Empirical Analysis. Inf. Manag. Comput. Secur. 2009, 17, 166–185. [Google Scholar] [CrossRef]
  42. Ali, B.; Hijjawi, S.; Campbell, L.H.; Gregory, M.A.; Li, S. A Maturity Framework for Zero-Trust Security in Multiaccess Edge Computing. Secur. Commun. Netw. 2022, 2022, 3178760. [Google Scholar] [CrossRef]
  43. Smoljić, M. European Union Directives, National Regulations, and Zero Trust Network Architecture. In Proceedings of the 2024 47th MIPRO ICT and Electronics Convention (MIPRO), Opatija, Croatia, 20 May 2024; IEEE: Opatija, Croatia, 2024; pp. 1496–1501. Available online: https://ieeexplore.ieee.org/document/10569809/ (accessed on 12 April 2024).
  44. Calder, A.; Watkins, S. IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5th ed.; Kogan Page: London, UK; Philadelphia, PA, USA, 2012; ISBN 978-0-7494-6485-1. [Google Scholar]
  45. Winckless, C.; MacDonald, N. Explaining Zero Trust Security Approaches to Tech Executives 2023. Available online: https://www.gartner.com/document/4755131?ref=solrAll&refval=405938953& (accessed on 12 April 2024).
  46. Durbin, S. What’s Zero Trust, and What’s Driving Its Adoption? Available online: https://www.forbes.com/councils/forbesbusinesscouncil/2022/06/01/whats-zero-trust-and-whats-driving-its-adoption/ (accessed on 25 May 2025).
  47. Lund, B.D.; Lee, T.H.; Wang, Z.; Wang, T.; Mannuru, N.R. Zero-Trust Cybersecurity: Procedures and Considerations in Context 2024. Available online: https://www.preprints.org/manuscript/202408.0628/v1 (accessed on 12 April 2024).
  48. Bozkus, K. Organizational Culture Change and Technology: Navigating the Digital Transformation. In Business, Management and Economics; Sarfraz, M., Ul Hassan Shah, W., Eds.; IntechOpen: Rijeka, Croatia, 2024; Volume 16, ISBN 978-1-83769-318-4. [Google Scholar]
  49. Goldberg, S.G.; Johnson, G.A.; Shriver, S.K. Regulating privacy online: An economic evaluation of the GDPR. Am. Econ. J. Econ Polic. 2024, 16, 325–358. [Google Scholar] [CrossRef]
  50. Lopes, A.P.V.B.V.; De Carvalho, M.M. Evolution of the Open Innovation Paradigm: Towards a Contingent Conceptual Model. Technol. Forecast. Soc. Change 2018, 132, 284–298. [Google Scholar] [CrossRef]
  51. Meyer, A.D.; Goes, J.B. Organizational Assimilation of Innovations: A Multilevel Contextual Analysis. Acad. Manag. J. 1988, 31, 897–923. [Google Scholar] [CrossRef]
  52. Greenwood, D. Applying the Principles of Zero-Trust Architecture to Protect Sensitive and Critical Data. Netw. Secur. 2021, 2021, 7–9. [Google Scholar] [CrossRef]
  53. Badi, S.; Nasaj, M. Cybersecurity Effectiveness in UK Construction Firms: An Extended McKinsey 7S Model Approach. Eng. Constr. Arch. Manag. 2023, 31, 4482–4515. [Google Scholar] [CrossRef]
  54. Krishna, B.; Krishnan, S.; Sebastian, M.P. Examining the Relationship between National Cybersecurity Commitment, Culture, and Digital Payment Usage: An Institutional Trust Theory Perspective. Inf. Syst. Front. 2023, 25, 1713–1741. [Google Scholar] [CrossRef]
  55. Zyoud, B.; Lebai Lutfi, S. The Role of Information Security Culture in Zero Trust Adoption: Insights From UAE Organizations. IEEE Access 2024, 12, 72420–72444. [Google Scholar] [CrossRef]
  56. Haddon, D.A.E. Zero Trust Networks, the Concepts, the Strategies, and the Reality. In Strategy, Leadership, and AI in the Cyber Ecosystem; Elsevier: Amsterdam, The Netherlands, 2021; pp. 195–216. Available online: https://linkinghub.elsevier.com/retrieve/pii/B978012821442800001X (accessed on 25 May 2025)ISBN 978-0-12-821442-8.
  57. Cummings, T.G.; Worley, C.G. Organization Development and Change, 8th ed.; Thomson/South-Western: Mason, OH, USA, 2005; ISBN 978-0-324-26060-1. [Google Scholar]
  58. Syed, N.F.; Shah, S.W.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. Zero Trust Architecture (ZTA): A Comprehensive Survey. IEEE Access 2022, 10, 57143–57179. [Google Scholar] [CrossRef]
  59. Benaroch, M. Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision Making. Inf. Syst. Res. 2018, 29, 315–340. [Google Scholar] [CrossRef]
  60. García-Sánchez, E.; García-Morales, V.; Martín-Rojas, R. Influence of Technological Assets on Organizational Performance through Absorptive Capacity, Organizational Innovation and Internal Labour Flexibility. Sustainability 2018, 10, 770. [Google Scholar] [CrossRef]
  61. Dhaigude, A.S.; Gupta, N.; Sardana, D.; Kumar, V.; Terziovski, M. The Catalytic Role of “Responsible Investments” in Innovation and Firm Performance Link: In the Context of Manufacturing in Asia-Pacific. Asia Pac. J. Manag. 2024, 41, 1315–1343. [Google Scholar] [CrossRef]
  62. Kosutic, D.; Pigni, F. Cybersecurity: Investing for Competitive Outcomes. J. Bus. Strat. 2022, 43, 28–36. [Google Scholar] [CrossRef]
  63. Tang, C.; Kumar, V.; Chaisiri, S. Understanding Software-Defined Perimeter. In Data Security in Cloud Computing; Kumar, V., Chaisiri, S., Ko, R., Eds.; Institution of Engineering and Technology: Stevenage, UK, 2017; pp. 151–169. Available online: https://digital-library.theiet.org/content/books/10.1049/pbse007e_ch7 (accessed on 28 May 2025)ISBN 978-1-78561-220-6.
  64. Premkumar, G. A Meta-Analysis of Research on Information Technology Implementation in Small Business. J. Organ. Comput. Electron. Commer. 2003, 13, 91–121. [Google Scholar] [CrossRef]
  65. Dwivedi, Y.K.; Papazafeiropoulou, A. Knowledge Management and Enterprise Systems Adoption by SMEs. J. Enterp. Inf. Manag. 2009, 22, 1–25. [Google Scholar] [CrossRef]
  66. Eze, S.C.; Awa, H.O.; Okoye, J.C.; Emecheta, B.C.; Anazodo, R.O. Determinant Factors of Information Communication Technology (ICT) Adoption by Government-owned Universities in Nigeria: A Qualitative Approach. J. Enterp. Inf. Manag. 2013, 26, 427–443. [Google Scholar] [CrossRef]
  67. Cao, L.; Mohan, K.; Ramesh, B.; Sarkar, S. Evolution of Governance: Achieving Ambidexterity in IT Outsourcing. J. Manag. Inf. Syst. 2013, 30, 115–140. [Google Scholar] [CrossRef]
  68. Albuali, A.; Mengistu, T.; Che, D. ZTIMM: A Zero-Trust-Based Identity Management Model for Volunteer Cloud Computing. In Cloud Computing—CLOUD 2020; Zhang, Q., Wang, Y., Zhang, L.-J., Eds.; Lecture Notes in Computer Science; Springer International Publishing: Cham, Switzerland, 2020; Volume 12403, pp. 287–294. Available online: https://link.springer.com/10.1007/978-3-030-59635-4_22 (accessed on 28 May 2025)ISBN 978-3-030-59634-7.
  69. Oliveira, T.; Martins, M.F. Literature Review of Information Technology Adoption Models at Firm Level. Electron. J. Inf. Syst. Eval. 2011, 14, 110–121. Available online: https://academic-publishing.org/index.php/ejise/article/view/389/352 (accessed on 25 May 2025).
  70. Buck, C.; Olenberger, C.; Schweizer, A.; Völter, F.; Eymann, T. Never Trust, Always Verify: A Multivocal Literature Review on Current Knowledge and Research Gaps of Zero-Trust. Comput. Secur. 2021, 110, 102436. [Google Scholar] [CrossRef]
  71. Madsen, T. Zero-Trust—An Introduction; CRC Press: New York, NY, USA, 2024; ISBN 1-040-00707-4. [Google Scholar]
  72. Tsai, M.; Lee, S.; Shieh, S.W. Strategy for Implementing of Zero Trust Architecture. IEEE Trans. Reliab. 2024, 73, 93–100. [Google Scholar] [CrossRef]
  73. Chuang, S.-W.; Luor, T.; Lu, H.-P. Assessment of Institutions, Scholars, and Contributions on Agile Software Development (2001–2012). J. Syst. Softw. 2014, 93, 84–101. [Google Scholar] [CrossRef]
  74. Hambrick, D.C.; Mason, P.A. Upper Echelons: The Organization as a Reflection of Its Top Managers. Acad. Manag. Rev. 1984, 9, 193. [Google Scholar] [CrossRef]
  75. Chen, H.; Yao, Y.; Zhou, H. How Does Knowledge Coupling Affect Exploratory and Exploitative Innovation? The Chained Mediation Role of Organisational Memory and Knowledge Creation. Technol. Anal. Strateg. Manag. 2021, 33, 713–727. [Google Scholar] [CrossRef]
  76. Novak, L.L.; Anders, S.; Gadd, C.S.; Lorenzi, N.M. Mediation of Adoption and Use: A Key Strategy for Mitigating Unintended Consequences of Health IT Implementation: Table 1. J. Am. Med. Inf. Assoc. 2012, 19, 1043–1049. [Google Scholar] [CrossRef] [PubMed]
  77. Adade, D.; De Vries, W.T. An Extended TOE Framework for Local Government Technology Adoption for Citizen Participation: Insights for City Digital Twins for Collaborative Planning. Transform. Gov. 2025, 19, 53–73. [Google Scholar] [CrossRef]
  78. Corradini, I. Building a Cybersecurity Culture in Organizations: How to Bridge the Gap Between People and Digital Technology; Studies in Systems, Decision and Control; Springer International Publishing: Cham, Switzerland, 2020; Volume 284, Available online: http://link.springer.com/10.1007/978-3-030-43999-6 (accessed on 28 May 2025)ISBN 978-3-030-43998-9.
  79. Bulgurcu, B.; Cavusoglu, H.; Benbasat, I. Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS Q. 2010, 34, 523. [Google Scholar] [CrossRef]
  80. Ifinedo, P. Information Systems Security Policy Compliance: An Empirical Study of the Effects of Socialisation, Influence, and Cognition. Inf. Manag. 2014, 51, 69–79. [Google Scholar] [CrossRef]
  81. Nassani, A.A.; Yousaf, Z.; Grigorescu, A.; Oprisan, O.; Haffar, M. Accounting Information Systems as Mediator for Digital Technology and Strategic Performance Interplay. Electronics 2023, 12, 1866. [Google Scholar] [CrossRef]
  82. Smits, M.; Van Goor, H.; Kallewaard, J.-W.; Verbeek, P.-P.; Ludden, G.D.S. Evaluating Value Mediation in Patients with Chronic Low-Back Pain Using Virtual Reality: Contributions for Empirical Research in Value Sensitive Design. Health Technol. 2022, 12, 765–778. [Google Scholar] [CrossRef]
  83. Ilmudeen, A.; Bao, Y.; Alharbi, I.M. How Does Business-IT Strategic Alignment Dimension Impact on Organizational Performance Measures: Conjecture and Empirical Analysis. J. Enterp. Inf. Manag. 2019, 32, 457–476. [Google Scholar] [CrossRef]
  84. Karp, R. Gaining Organizational Adoption: Strategically Pacing the Position of Digital Innovations. Acad. Manag. J. 2023, 66, 773–796. [Google Scholar] [CrossRef]
  85. Larasati, N. Technology Readiness and Technology Acceptance Model in New Technology Implementation Process in Low Technology SMEs. Int. J. Innov. Manag. Technol. 2017, 8, 113–117. [Google Scholar] [CrossRef]
  86. Ilmudeen, A.; Attar, R.W.; Alhazmi, A.H. Managing It Investment and Strategic Alignment for Firm Performance: A Comparative Study in Emerging Economies. Inf. Dev. 2025, in press. [Google Scholar] [CrossRef]
  87. Ågerfalk, P.J. Embracing Diversity through Mixed Methods Research. Eur. J. Inf. Syst. 2013, 22, 251–256. [Google Scholar] [CrossRef]
  88. Creswell, J.W. Research Design: Qualitative, Quantitative, and Mixed Methods Approaches, 4th ed.; SAGE Publications: Thousand Oaks, CA, USA, 2014; ISBN 978-1-4522-2609-5. [Google Scholar]
  89. Stol, K.-J.; Schaarschmidt, M.; Morgan, L. Does Adopting Inner Source Increase Job Satisfaction? A Social Capital Perspective Using a Mixed-Methods Approach. J. Strateg. Inf. Syst. 2024, 33, 101819. [Google Scholar] [CrossRef]
  90. Venkatesh, V.; Brown, S.A.; Bala, H. Bridging the Qualitative-Quantitative Divide: Guidelines for Conducting Mixed Methods Research in Information Systems. MIS Q. 2013, 37, 21–54. Available online: http://www.jstor.org/stable/43825936 (accessed on 28 May 2025). [CrossRef]
  91. Bertino, E. Zero Trust Architecture: Does It Help? IEEE Secur. Priv. 2021, 19, 95–96. [Google Scholar] [CrossRef]
  92. Bush, M.; Mashatan, A. From Zero to One Hundred: Demystifying Zero Trust and Its Implications on Enterprise People, Process, and Technology. Queue 2022, 20, 80–106. [Google Scholar] [CrossRef]
  93. Hair, J.F., Jr.; Howard, M.C.; Nitzl, C. Assessing Measurement Model Quality in PLS-SEM Using Confirmatory Composite Analysis. J. Bus. Res. 2020, 109, 101–110. [Google Scholar] [CrossRef]
  94. Podsakoff, P.M.; MacKenzie, S.B.; Lee, J.Y.; Podsakoff, N.P. Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies. J. Appl. Psychol. 2003, 88, 879–903. [Google Scholar] [CrossRef]
  95. Park, S.; Gupta, S. Handling Endogenous Regressors by Joint Estimation Using Copulas. Mark. Sci. 2012, 31, 567–586. [Google Scholar] [CrossRef]
  96. Dijkstra, T.K.; Henseler, J. Consistent partial least squares path modeling. MIS Q. 2015, 39, 297–316. [Google Scholar] [CrossRef]
  97. Sarstedt, M.; Ringle, C.M.; Henseler, J.; Hair, J.F. On the Emancipation of PLS-SEM: A Commentary on Rigdon (2012). Long Range Plan. 2014, 47, 154–160. [Google Scholar] [CrossRef]
  98. Fornell, C.; Larcker, D.F. Structural Equation Models with Unobservable Variables and Measurement Error: Algebra and Statistics. J. Mark. Res. 1981, 18, 382–388. [Google Scholar] [CrossRef]
  99. Hair, J.F.; Hult, G.T.M.; Ringle, C.M.; Sarstedt, M.; Danks, N.P. Partial Least Squares Structural Equation Modeling (PLS-SEM): An Updated and Extended Guide for Researchers and Practitioners; SAGE Publications: Thousand Oaks, CA, USA, 2022. [Google Scholar] [CrossRef]
  100. Hult, G.T.M.; Hair, J.F.; Proksch, D.; Sarstedt, M.; Pinkwart, A.; Ringle, C.M. Addressing endogeneity in international marketing applications of partial least squares structural equation modeling. J. Int. Mark. 2018, 26, 1–21. [Google Scholar] [CrossRef]
  101. Cohen, J. Statistical Power Analysis for the Behavioral Sciences, 2nd ed.; Lawrence Erlbaum Associates: Hillsdale, NJ, USA, 1988; ISBN 9780203771587. [Google Scholar] [CrossRef]
  102. Aiken, L.S.; West, S.G. Multiple Regression: Testing and Interpreting Interactions; Sage: Newbury Park, CA, USA, 1991; Available online: https://books.google.com.br/books?hl=en&lr=&id=LcWLUyXcmnkC&oi=fnd&pg=PP11&dq=108.%09Aiken,+L.S.%3B+West,+S.G.+Multiple+Regression:+Testing+and+Interpreting+Interactions%3B+Sage:+Newbury+Park,+CA,+USA,+1991&ots=fqhd_hWS2h&sig=8OvHzIAnE-aWDU2keXEfJiV4xSo#v=onepage&q&f=false (accessed on 27 October 2025).
  103. Corpuz, J.C. The Paradigm Shift: Healthcare Embraces a Zero Trust Approach to Cybersecurity. Health Serv. Insights 2023, 16, 11786329231213706. [Google Scholar] [CrossRef]
  104. Biesta, G. Pragmatism and the Philosophical Foundations of Mixed Methods Research. In Sage Handbook of Mixed Methods in Social and Behavioral Research; Sage: Thousand Oaks, CA, USA, 2010; Volume 2, pp. 95–118. [Google Scholar]
  105. Edmondson, A.C.; Mcmanus, S.E. Methodological Fit in Management Field Research. Acad. Manag. Rev. 2007, 32, 1246–1264. [Google Scholar] [CrossRef]
  106. Monteiro, E.; Constantinides, P.; Scott, S.; Shaikh, M.; Burton-Jones, A. Qualitative Research Methods in Information Systems: A Call for Phenomenon-Focused Problematization. MIS Q. Manag. Inf. Syst. 2022, 46, 1–17. [Google Scholar]
  107. Yin, R.K. Case Study Research and Applications: Design and Methods, 6th ed.; Sage: Los Angeles, CA, USA, 2018; ISBN 978-1-5063-3616-9. [Google Scholar]
  108. Corbin, J.M.; Strauss, A.L. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, 4th ed.; SAGE: Los Angeles, CA, USA, 2015; ISBN 978-1-4129-9746-1. [Google Scholar]
  109. Miles, M.B.; Huberman, A.M. Qualitative Data Analysis: An Expanded Sourcebook, 2nd ed.; Sage Publications: Thousand Oaks, CA, USA, 1994; ISBN 978-0-8039-4653-8. [Google Scholar]
Jcp 05 00099 g001
Figure 1. Conceptual Model. In this study, governance is modeled as an organizational outcome of Zero Trust implementation. While governance requirements often originate from environmental pressures (e.g., regulations, industry standards), we conceptualize it as the measurable internal result of adoption, reflecting the organizational consequences of ZT practices. Source: Authors’ Own Creation.
Figure 1. Conceptual Model. In this study, governance is modeled as an organizational outcome of Zero Trust implementation. While governance requirements often originate from environmental pressures (e.g., regulations, industry standards), we conceptualize it as the measurable internal result of adoption, reflecting the organizational consequences of ZT practices. Source: Authors’ Own Creation.
Jcp 05 00099 g001
Table 1. Mapping TOE Dimensions and Governance Roles in ZT Adoption.
Table 1. Mapping TOE Dimensions and Governance Roles in ZT Adoption.
TOE ContextZero Trust FactorsExamples/Key References
TechnologicalPerceived simplicity/complexity; integration with existing infrastructure; performance expectancyMFA, microsegmentation, encryption, continuous monitoring [5,15].
OrganizationalSecurity culture, top management support, strategic commitment, resource allocation, firm size/scopeCulture readiness, managerial priorities, slack resources [1,47,48].
EnvironmentalRegulatory pressures, client demands, industry norms, mimetic and normative pressuresCompliance mandates, GDPR/HIPAA, peer adoption, industry audits [11,43,49].
OutcomeSecurity governance and compliance performanceTreated as the internal result of ZT adoption, while acknowledging external regulatory origins [11,44].
Source: Authors’ Own Creation.
Table 2. Demographic information of the sample.
Table 2. Demographic information of the sample.
Company AgeTtPercentageCompany SizeTtPercentage
More than 20 years15156.6Over 100115758.8
11 to 15 years259.4201 to 500238.6
16 to 20 years3011.2501 to 10002710.1
6 to 10 years3814.251 to 2003312.4
Less than 5 years238.6Less than 502710.1
RegionsTtPercentage
Central America and Caribbean (e.g., Jamaica, Mexico, Panama)83.0
East and Central Asia (e.g., China, Japan, Uzbekistan)41.5
Eastern Europe (e.g., Hungary, Poland, Russia)103.7
North America (e.g., Canada, United States)7026.2
Pacific/Oceania (e.g., Australia, Papua New Guinea, Fiji)51.9
South America (e.g., Brazil, Chile, Colombia)5520.6
South and Southeast Asia (e.g., India, Indonesia, Singapore)83.0
Sub-Saharan Africa (e.g., Kenya, Nigeria, South Africa)186.7
West Asia/Middle East (e.g., Iran, Israel, Saudi Arabia)93.4
Western Europe (e.g., Greece, Sweden, United Kingdom)6223.2
Prefer not to disclose186.7
Source: Authors’ Own Creation.
Table 3. Interviewees Information.
Table 3. Interviewees Information.
IDYear in PositionJob PositionsIndustry
16Sales Tech DirectorTechnology
212IT ManagerRetail
319Head of IT for BrazilPharmaceutical
41Cybersecurity ArchitectureFinance
525IT ManagerHealth
65Chief of Inf. Security and Fraud PreventionFinance
71Regional CISO for Latin AmericaFood
822Executive DirectorTechnology
92Chief Technology OfficerTechnology
1019IT Project LeaderTechnology
115PMO ConsultantTechnology
1215PMO & Quality ManagerManufacturing
139Head of Professional ServicesTechnology
1410Senior Project ManagerManufacturing
1510Chief Information Security OfficerFinance
1610Project Manager of Software DevelopmentManufacturing
1720Senior PM ManagerTechnology
1812IT ManagerHealth
191Global Head of Information Security & IT RiskFinance
2027Information Security ConsultantTelecommunication
217CEOTechnology
2217Executive DirectorTechnology
23 *1Information Security ManagerFinance
242Senior Information SecurityTechnology
256Cloud Security EngineerRetail
265Cybersecurity Risk Management Lead PartnerTechnology
272IT & Cyber Risk Officer for Latin AmericaFinance
Note. * Interviewee #23 sent answers by email. Source: Authors’ Own Creation.
Table 4. Reliability, Convergent Validity, and Discriminant Validity (Fornell-Larcker Criterion and Correlations.
Table 4. Reliability, Convergent Validity, and Discriminant Validity (Fornell-Larcker Criterion and Correlations.
ConstructCronbach’s αCRAVE12345
1. Information Security Culture0.8950.9270.7600.872
2. Information Security Governance0.7460.8540.6610.3480.813
3. Implementation ZT Controls0.7680.8520.5910.4860.3420.769
4. Investment ZT Security0.8790.9250.8050.4070.3370.3390.897
5. Strategic Commitment to Zero Trust0.9090.9360.7860.3680.3170.4450.3570.887
Note: Diagonal elements (in bold) represent the square root of Fornell-Larcker criterion. Off-diagonal elements are Pearson correlation coefficients among constructs (All p < 0.05). Legend: CR (composite reliability); AVE (average variance extracted). Source: Authors’ Own Creation.
Table 5. HTMT ratios.
Table 5. HTMT ratios.
Latent Variables12345
1. Information Security Culture-
2. Information Security Governance0.807
3. Implementation ZT Controls0.8280.861
4. Investment ZT Security0.6840.8840.777
5. Strategic Commitment to Zero Trust0.7400.8420.7720.857
6. Information Security Culture x Strategic Commitment to Zero Trust0.6360.5740.5390.3670.428
Source: Authors’ Own Creation.
Table 6. Structural-model results: path coefficients, t-values, and significance levels.
Table 6. Structural-model results: path coefficients, t-values, and significance levels.
HypoPathCoef.t-Valuep-ValueInterpretation
H1Information Security Culture → Implementation of ZT Controls0.3855.7360.000Strong direct effect; security culture directly supports implementation.
H1aInformation Security Culture → Strategic Commitment to ZT0.2335.5270.001Strong direct effect; security culture directly supports strategy.
H2Investment in ZT Security → Strategic Commitment to ZT0.71518.9530.000Very strong relationship; investment strongly shapes strategic alignment.
H2aInvestment in ZT Security → Implementation of ZT Controls0.2773.1210.002Direct positive effect; investment improves implementation.
H3Implementation of ZT Controls → Information Security Governance0.74221.5450.000Very strong effect; implementation is crucial for governance.
H4Strategic Commitment to Zero Trust → Implementation of ZT Controls0.1101.2190.223Not significant; strategy alone does not predict implementation.
H5Information Security Culture → Implementation of ZT Controls → Information Security Governance0.2865.4110.000Significant mediation path; implementation mediates culture and governance.
H6Investment in ZT Security → Implementation of ZT Controls → Information Security Governance0.2062.9900.003Investment has a strong direct impact on governance outcomes.
H7Information Security Culture x Strategic Commitment to ZT → Implementation of ZT Controls-0.0751.7430.081Marginal effect; interaction may suppress strategy effect under high culture.
Note: Bootstrapping performed with 5000 subsamples (two-tailed, α = 0.05). Confidence intervals are bias-corrected. Source: Authors’ Own Creation.
Table 7. Summary of Findings and Implications.
Table 7. Summary of Findings and Implications.
HypoFindings of the Quantitative StudyFindings of the Qualitative Study
H1Strong direct effect (β = 0.385, p < 0.001). Security culture is a key predictor of implementation success.Interviewees repeatedly emphasized cultural resistance as a barrier and cultural alignment as an enabler. ID1 stated, “the cultural impact… is the main impact you have within any security principle.” ID22 noted, “Cultural aspects are extremely important from the point of view of trust.” These insights confirm that shared values and behaviors significantly influence implementation outcomes.
H1aStrong direct effect (β = 0.233, p < 0.001). A culture of security supports the development of ZT-oriented strategies.Strategic decisions were reported as heavily influenced by cultural norms. ID24 noted alignment with the company’s business model was essential for decision-making. ID6 stated, “you must have a strategy aimed at implementing Zero Trust…” These views indicate that culture plays a foundational role in shaping security strategy.
H2Very strong effect (β = 0.715, p < 0.001). Investment is a key driver of strategic commitment to ZT.Respondents emphasized that meaningful investment, especially in architecture and training, drives strategic thinking. ID20 explained, “investment in architecture is essential,” and ID12 mentioned, “there are several trainings… to work with data security.” This affirms that investments directly inform strategic readiness.
H2aPositive direct effect (β = 0.277, p = 0.002). Financial investment improves ZT implementation.Multiple interviewees cited high costs and resource constraints as both a barrier and a catalyst for implementation. ID1 stated, “security is not cheap, never was and never will be,” while ID15 said, “we spent six months planning Zero Trust…” These remarks highlight the vital role of budgeting and planning in execution.
H3Very strong effect (β = 0.742, p < 0.001). ZT implementation is central to improved governance and compliance.Governance enhancements through ZT were confirmed qualitatively. ID12 noted, “from the moment you apply an information security policy, you start working with encrypted data…” and ID19 added, “we needed to tighten controls for compliance…” These examples underscore ZT’s regulatory and policy impact.
H4Not significant (β = 0.110, p = 0.223). Strategy alone does not predict implementation.Interview data supports this result. Participants highlighted gaps between planning and practice. ID17 said, “it is not a turn of the key… it is a gradual process,” and ID19 mentioned delays in seeing the value of ZT, “it takes a long time to perceive added value.” This suggests that strategy needs operational and cultural support to succeed.
H5Significant mediation effect (β = 0.286, p < 0.001). Implementation mediates the impact of culture on governance.Interviews support this indirect effect. ID5 emphasized the role of trained professionals in both awareness and governance execution. ID27 explained how “information security teams… need to understand the concept.” Culture sets the stage, but implementation operationalizes governance.
H6Significant mediation (β = 0.206, p = 0.003). Investment drives governance through implementation.This relationship is mirrored in quotes emphasizing structured investment and planning. ID15 spoke of a six-month ZT planning phase, and ID17 noted that good planning and budgeting “helps to defend Zero Trust.” Investment supports both strategic commitment and technical outcomes that reinforce governance.
H7Marginal moderation (β = −0.075, p = 0.081). Culture may suppress the effect of strategy when misaligned.Interviewees described culture as a double-edged factor. While some noted its enabling effect (ID8, ID22), others warned of resistance, especially in less mature environments (ID1, ID17). These insights align with the moderation result: strong culture may either enhance or obstruct strategy, depending on alignment and context.
Source: Authors’ Own Creation.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Pigola, A.; Meirelles, F.d.S. Zero Trust in Practice: A Mixed-Methods Study Under the TOE Framework. J. Cybersecur. Priv. 2025, 5, 99. https://doi.org/10.3390/jcp5040099

AMA Style

Pigola A, Meirelles FdS. Zero Trust in Practice: A Mixed-Methods Study Under the TOE Framework. Journal of Cybersecurity and Privacy. 2025; 5(4):99. https://doi.org/10.3390/jcp5040099

Chicago/Turabian Style

Pigola, Angélica, and Fernando de Souza Meirelles. 2025. "Zero Trust in Practice: A Mixed-Methods Study Under the TOE Framework" Journal of Cybersecurity and Privacy 5, no. 4: 99. https://doi.org/10.3390/jcp5040099

APA Style

Pigola, A., & Meirelles, F. d. S. (2025). Zero Trust in Practice: A Mixed-Methods Study Under the TOE Framework. Journal of Cybersecurity and Privacy, 5(4), 99. https://doi.org/10.3390/jcp5040099

Article Metrics

Back to TopTop