Aloha, Kristina2024-06-062024-06-062022https://hdl.handle.net/2440/141121This item is only available electronically.Background: Cyber security incidents pose a major threat to organisations and are only increasing in sophistication to threaten their money, data, and reputation. Reporting cyber security incidents and providing organisations with information about their true nature, type, and volume, is an important strategy to inform risk-based decisions. Despite the importance of reporting cyber security incidents, little research has addressed what motivates people to do this. Aim: To investigate the factors that influence employees to report cyber security incidents using the Theory of Planned Behaviour as a theoretical framework. Method: Survey data was collected from a sample of 549 working Australian adults. Personal and organisational demographics were gathered, in addition to data using the Cyber Security Incident Reporting Inventory (CSIRI) – a Theory of Planned Behaviour survey designed for this project to look at organisational cyber security incident reporting. Results: It was found that attitude towards reporting, subjective norms, and perceived behavioural control each significantly predicted intention-to-report cyber security incidents. Perceived behavioural control also significantly predicted actual cyber security incident reporting behaviour. Participants were also significantly more likely to intend on reporting cyber security incidents if they were managers, identified cyber security as being either primary or related to their job, and if their organisation had a cyber security policy, regardless of whether it was formal or informal. Interestingly, the results showed that intention-to-report cyber security incidents did not predict actual cyber security incident reporting behaviour, suggesting that there may be other factors related to the cyber security context that mediated this relationship. Conclusion: The present study makes a unique contribution to science by investigating the factors that influence employees’ to report cyber security incidents using an estabished theoretical framework. Theoretically, the results of this study validate the application of the Theory of Planned Behaviour to the cyber security incident reporting context. Practically, these findings can be applied in organisations to inform the development of strategies that increase employees’ cyber security incident reporting behaviour, such as introducing cyber security policies, as well as targeted training and development opportunities. Applying the findings can ultimately safeguard organisations from cyber-attacks, minimise the extent of damage, and prevent similar attacks from re-occurring. Keywords: Cyber security, cyber security incident reporting, organisational incident reporting, Theory of Planned BehaviourMasters; Psychology; OHFThesis