Integrating Information Security Culture and Protection Motivation to Enhance Compliance with Information Security Policies in Banking: Evidence from PLS-SEM and fsQCA

Information security culture (ISC) is critical for fostering employees' compliance with security policies, yet consensus on ISC criteria remains limited. This study proposes a comprehensive ISC model, analyzing its direct relationships with Protection Motivation Theory (PMT) factors and their collective impact on compliance intentions in Yemen's banking sector. Data from 210 bank employees, analyzed using PLS-SEM and fsQCA, demonstrate that ISC significantly influences perceived self-efficacy (PSE), response efficacy (PRE), response cost (PRC), vulnerability (PV), and severity (PSF). PSE, PRE, and PSF notably drive compliance intentions, while PRC and PV show no significant effect. The findings highlight ISC's role in shaping security behaviors and emphasize PSE as a key motivator. This study advances ISC theory by integrating organizational culture with PMT, offering practical insights for banks in developing countries to strengthen compliance through targeted cultural and motivational interventions.