Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks

Younis Ahmed Al-Mohammedi; Ahmed S. Tarkh; Hamzah N. Al-Jumaili; Nedhal Aziz Mahdi

doi:10.12688/f1000research.175421.2

Home Browse Cybersecurity Awareness as a Mediating Variable in the Relationship...

ALL Metrics

-

Views

-

Downloads

Get PDF

Get XML

Export

▬

✚

Research Article

Revised

Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks

[version 2; peer review: 1 approved, 2 approved with reservations]

Younis Ahmed Al-Mohammedi¹, Ahmed S. Tarkh¹, Hamzah N. Al-Jumaili ², Nedhal Aziz Mahdi³

PUBLISHED 05 May 2026

Author details Author details

¹ College of Management and Economics - Department of Accounting, University of Fallujah, Al-Fallujah, Al Anbar Governorate, 31002, Iraq
² Internal Audit and Control Department, University of Fallujah, Al-Fallujah, Al Anbar Governorate, 31002, Iraq
³ College of Administration and Economics, Gilgamesh University, Baghdad, Baghdad, Iraq, 10045, Iraq

Younis Ahmed Al-Mohammedi
Roles: Project Administration, Writing – Review & Editing

Ahmed S. Tarkh
Roles: Conceptualization, Resources, Writing – Original Draft Preparation

Hamzah N. Al-Jumaili
Roles: Data Curation, Formal Analysis

Nedhal Aziz Mahdi
Roles: Formal Analysis, Methodology, Software, Writing – Review & Editing

OPEN PEER REVIEW

REVIEWER STATUS

This article is included in the Fallujah Multidisciplinary Science and Innovation gateway.

This article is included in the Cybersecurity collection.

Abstract

Research Objective

This research aims to study the relationship between internal control and accounting information security, while exploring the role of cybersecurity awareness as a mediating variable that can contribute to strengthening this relationship.

Research Significance

This research gains its significance from bridging the knowledge gap in accounting literature concerning the integration of internal control systems with information security in the face of cyber challenges.

Research Methodology and Tools

Considering the nature of the problem and the research objectives, this study follows the steps of the descriptive-analytical method. The aim is to determine the role of cybersecurity awareness as a mediating variable in strengthening the relationship between internal control systems and accounting information security. This includes analyzing data and information related to enhancing the importance of cybersecurity awareness in the local environment, both theoretically and empirically. The analysis was conducted through a survey examining the relationship between internal control systems and accounting information security, mediated by cybersecurity awareness among employees at different administrative levels in the banks included in the study sample. The PLS Smart software was used to process and analyze data. The research found that internal control systems are closely linked to the security of accounting information, with the mediating factor being cybersecurity awareness. This finding indicates a positive and significant relationship. This demonstrates the crucial and positive role of control in protecting data when cybersecurity awareness is raised.

Recommendations

The researchers recommend that banks adopt best practices for information security protection and implement strong and clear policies and procedures for cybersecurity awareness.

Keywords

Cybersecurity awareness, internal control, accounting information security, Iraqi government banks.

Corresponding author: Hamzah N. Al-Jumaili

Competing interests: No competing interests were disclosed.

Grant information: The author(s) declared that no grants were involved in supporting this work.

Copyright: © 2026 Ahmed Al-Mohammedi Y et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: Ahmed Al-Mohammedi Y, S. Tarkh A, N. Al-Jumaili H and Aziz Mahdi N. Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks [version 2; peer review: 1 approved, 2 approved with reservations]. F1000Research 2026, 15:294 (https://doi.org/10.12688/f1000research.175421.2) First published: 18 Feb 2026, 15:294 (https://doi.org/10.12688/f1000research.175421.1) Latest published: 05 May 2026, 15:294 (https://doi.org/10.12688/f1000research.175421.2)

Revised Amendments from Version 1

Summary of Changes
We are pleased to submit the revised version of our manuscript. In response to the reviewers’ comments, we have implemented several significant revisions to enhance the clarity, rigor, and academic quality of the study. The primary changes are summarized below:
R² Interpretation and Causal Language: We have corrected the interpretation of the $R^2$ values in Section 5.1 to accurately reflect the variance explained by the model. Furthermore, we have thoroughly reviewed the manuscript to replace all causal language with associational terminology, ensuring better alignment with our cross-sectional research design.
Demographic Data and Table Structure: We have revised Table 1 and the associated text to remove all gender-related demographic claims, as our research focus does not categorize the sample by gender. Additionally, we have resolved the duplicate heading error in Table 9 to ensure clarity and professional presentation.
Methodological Transparency: We have addressed the reviewers’ concerns regarding common-method bias. While we utilized procedural remedies (e.g., respondent anonymity) during data collection, we have now explicitly acknowledged the absence of a dedicated statistical test for common-method bias as a limitation.
Limitations Section: We have added a dedicated "Limitations" section to the manuscript. This section provides a transparent discussion of the sample size, the single-institution, two-branch scope, the cross-sectional design, and potential self-report bias.
Supplementary Materials: To ensure full transparency and reproducibility, we have embedded the complete questionnaire instrument as a Supplementary Appendix.
Data Availability and Language: We have updated the Zenodo data availability statement to match our actual deposit title and conducted a comprehensive professional English language edit to improve the overall flow and academic tone.
We believe these revisions fully address the reviewers' concerns and have significantly strengthened the manuscript. We thank the reviewers for their constructive feedback.

To read any peer review reports and author responses for this article, follow the "read" links in the Open Peer Review table.

1. Introduction

Information systems, evidence bases, and communication systems have become the main vein of the world of knowledge, industry, finance, business and other sectors, and the security of information and accounting data. Also, its protection from increasing cyber threats has become crucial considering the digital transformations and a significant expansion in the use of accounting information systems, which can lead to substantial losses if ignored. Security, which justifies the need to understand the factors that enhance the effectiveness of ICS by providing adequate data protection. Despite the Department’s keenness and efforts to implement ICS systems (ICS), the increasing cyberattacks and exploitation of technical gaps have shown a gap in the AIS necessitating the extent for which cybersecurity awareness has an effect on strengthening the relationship between ICS and data security, contributing to designing and developing more effective data security policies in organizations.

In this context, cybersecurity awareness has gained special importance. It is considered a variable that may contribute to strengthening the ICS relationship with AIS, through its active role in enabling employees in banking institutions to identify risks and adopt policies that are understood in accordance with sound security practices. The research relies on data collection by designing a questionnaire addressed to the specialized staff and analyzing it to reveal the relationship between the study variables, in a way that contributes to providing scientific and practical recommendations to enhance the AIS from the risks and security gaps in the contemporary environment.

1.1 Research problem

The use of public networks such as the Internet is one of the main trends of banking institutions in recent times, which has caused a qualitative leap in the financial and banking services, but it is hardly without discomforts. These institutions have confirmed that the benefits and services that come to them because of the use of the Internet include many risks represented in the growing incidence of financial fraud cases because of the weakness and absence of effective standards and principles that can be relied on for the verification of the identity of customers and customers. Also, they have a steady increase in the Cases of privacy violation in electronic financial and banking operations because these processes involve multiple stages of repeated collection and transmission of information and data. For the foregoing, banking institutions should attach great importance to the AIS to ensure the protection of information from internal and external threats and risks, protecting and maintain confidentiality and privacy from the expected risks because of the spread of hacking and hacking methods and tools on public networks, and to counter and combat information attacks activities.

ICS are important tools enhancing the security of the information that organizations rely on in the face of the threats they are exposed to. Also, the effectiveness of these systems is not enough to face various threats unless their employees have sufficient cybersecurity awareness.

The ICS relationship with AIS has emerged, while exploring the role of cybersecurity awareness as an intermediate variable that can contribute to strengthening this relationship. According to the literature, employees in organizations are the weakest link in the AIS system, even in the presence of effective ICS unless their employees have sufficient awareness and knowledge of cybersecurity risks and methods, protection and prevention. Hence, the main problem of the research emerges, which is represented in the following question:

How are cybersecurity awareness and internal control systems (ICS) associated with the protection of accounting information systems (AIS) among employees of banking institutions in Anbar province? This main question includes:

1. How big is cybersecurity awareness among employees of government banks in Anbar province?
2. How effective is the ICS applied in these banks?
3. How efficient is the AIS in these banks?
4. What does cybersecurity awareness relate to AIS among employees of these banks?
5. What is the relationship between ICS and AIS?
6. Does cybersecurity awareness contribute to enhancing the effectiveness of the ICS to protect the AIS?
7. What is the complementary role of both cybersecurity awareness and ICS in protecting AIS?

1.2 The study importance

The study is important because of its effective contribution to bridging the knowledge gap in the accounting literature related to the integration of ICS with information security considering cyber challenges. It highlights the role of cybersecurity awareness as an intermediate variable, an aspect that has rarely been addressed in previous studies in the government context. The research also provides a theoretical framework that can be used in future studies dealing with cybersecurity in the public sector. The research also addresses a real problem facing government banking institutions, namely the weak protection of accounting information because of weak control or the absence of security culture. It helps decision-makers design effective control and awareness policies to protect financial data from cyber threats.

1.3 Research objectives

Considering the nature of the problem that the researchers seek to address the main aspects of it to show the role played by cybersecurity awareness as an intermediate variable in the ICS relationship to AIS, the following secondary objectives emerge from this main goal:

1. Identifying the level of cybersecurity awareness among employees of bank branches of Al-Rashid Bank in the cities of Fallujah and Ramadi.
2. Measuring the ICS effectiveness in those banks.
3. Assess AIS in these banks.
4. Analyze the cybersecurity awareness relation to AIS among employees of these banks.
5. Study the ICS relationship with AIS.
6. Reveal the extent to which cybersecurity awareness contributes to enhancing the effectiveness of the ICS to protect the AIS.
7. Identify the complementary role of both cybersecurity awareness and ICS in protecting the AIS among employees in banking institutions in the study sample.

2. Second topic/Theoretical aspect of the research

2.1 First: Components and elements of the ICS system

“ICS is designing activities and procedures by the board, management and employees of an entity”. It aims to provide a reasonable degree of certainty as to gain the organization’s aims related to asset protection and operational efficiency, the preparation and accuracy of reports, and compliance with the relevant laws and regulations through the procedures and policies adopted for this purpose (COSO, 2013).

According to Abdullah (2007, 229), ICS is the organizational plan, means of coordination and measures designed by the bank’s management to protect its assets, controlling and auditing accounting data, ensuring its accuracy and reliability, raising productivity efficiency, and encouraging employees for the adherence to the set management policies.

According to Ryabov (2021), the ICS is an integrated system that includes organizational plans designed by the economic unit, which implicitly includes the methods to protect its assets, test the accuracy of its data. It improves its operations and encourages adherence to the administrative policies set by it.

So, ICS ensures that banking institutions gain their strategic aims by carrying out their financial and operational operations efficiently and effectively, in addition to contributing to preserving the resources available to the economic unit from damage, loss, misuse and other non-ideal conditions that may occur and affect those units.

In order for the ICS to be effective, it should be strengthened by a set of elements and elements, including but not limited to the existence of a flexible and clear organizational plan that is clearly understood and applied, and the bank’s accounting system has to be sound, clear and simple to ensure effective ICS at all stages of the banking business, by making the accounting cycle and ways of documenting it clear. It must also be ensured that tasks should be distributed and segregated among employees to reduce the likelihood of intentional and unintentional deviations and irregularities affecting financial reporting. It is essential to select qualified and experienced staff, especially those in charge of the ICS system, to ensure that performance is controlled. Also, all levels of staff from top to bottom are obliged to follow the set goals and plans, and to avoid deviations at all levels. Thus, mechanisms should be put in place to address deviations if they occur by checking them and acting Corrective Appropriateness (Qourin et al., 2019).

Banks in government institutions must provide protection against any type of cyber-attacks that they are expected to face during the implementation of their operations, so they are in dire need of cybersecurity (Goutam & Verman: 2015) involving functions related to the management of cyber risks related to the cyber environment. It also aims to provide the optimal basic requirements and in accordance with the standards and practices set for this purpose, whether those related to the confidentiality of information or those related to ensuring the integrity and integrity of information for reducing cyber risks to technological and information assets for all organizations, whether the threats are exposed to them are internal or external.

Wolden et al. (2015) believed that cybersecurity goals are achieved through key axes for maintaining information security:

1- Technology: This axis includes all the tools and techniques used to protect programs from potential cyber threats, such as using protection software to support and enhance the security of electronic systems against cyber threats.
2- Organizations and Individuals: This axis includes all entities and individuals using information and electronic systems, as information security requires collective cooperation by all members of the organization.
3- Activities and Operations: This theme includes the methods used by government banks in employing personnel and technologies that limit or prevent cyberattacks. Through it, the ICS relationship to cybersecurity is manifested.

According to Bozkus & Caliyurt (2018), ICS and cybersecurity determine banking environment, as institutions in general, and banks in particular, have depended on electronic technologies and applications in using their various activities and processes. This increased adoption has led to their high exposure to breaches and security. An ICS is also essential to a cybersecurity strategy to verify the availability of security and protection in the system contributing to identifying vulnerabilities in systems and applications by estimating security risks, discovering vulnerabilities and flaws in system settings. It ensures that these vulnerabilities are addressed appropriately. In addition, it detects cyber-attacks to determine whether the system has been compromised or has been exposed to previous breaches and attacks and an ICS to analyze system logs and identify any unauthorized intrusions or exploits.

The ICS also contributes to raising awareness and self-security among bank employees, as it highlights existing security vulnerabilities and identifies the necessary actions to avoid them and minimize their effects. This, in turn, enhances the ability of employees to monitor, detect, and prevent cyber threats (Stevens et al., 2020).

The ICS is one of the essential measures that contribute to enhancing cybersecurity in banking operations, by helping to detect and protect sensitive data and financial and personal information of customers within the bank, by monitoring security threats and cyber breaches through systems monitoring and data analysis. It also contributes to assessing the implementation of security policies and procedures and ensuring their compliance with relevant local and international standards and legislation.

Furthermore, the ICS ensures the Bank’s compliance with cybersecurity regulations by examining various records and reports, especially those related to the implementation of Cloud ERP Systems, where it plays a key role in identifying weaknesses in the system and recommending the required corrective actions This will enhance the cybersecurity of the bank, which helps in making the appropriate decisions within the specified timings to support and enhance the security of banking operations (Huseynov et al., 2020; Shamsuddin et al., 2018).

2.2 Second: The concept, benefits and motivations of spreading the culture of cybersecurity awareness

Cybersecurity is a critical factor in ensuring the integrity of cloud ERP systems and protecting them from multiple cyber threats, through the development of security procedures and policies (Jamm’e and Alash, 2021). The adoption of specialized protection systems, and the implementation of various technologies are directly related to encryption and advanced protection, and periodic updates (Ben Alqama and Saahi, 2019). Other requirements are also required related to strengthening collaborative relationships between technical service providers, government entities, security institutions, and banks to reduce cyber risks and ensure the security of accounting data. It also emphasizes promoting and raising awareness among users of the need to follow appropriate security measures to protect their financial and personal data, and to provide bank employees with the elements of competence and technical knowledge in the field of information technology to enhance and improve cybersecurity (Despotović et al., 2023).

As the online world becomes more interconnected, enhancing cybersecurity awareness has become a necessity for every user, cybersecurity awareness is the cornerstone of having the right defenses against increasingly complex and pervasive cyber threats (George, George, & Baskar, 2023). People armed with information security awareness understand the importance of data security Whatever their nature, including financial, personal, and corporate data. They are also less likely to fall victim to fraud or inadvertent innuendo and disclosure of important information about the organization.

Having cybersecurity awareness helps to identify potential risks such as malware, phishing, and social engineering fraud early (Sharma & Thapa, 2023). Conscious behavior also plays a pivotal role in early detection of risks and timely preventive measures, which significantly enhances the overall cybersecurity posture.

Cybersecurity practices represent the preventive and proactive methods adopted to protect the unit’s assets, focusing on identifying expected risks and potential threats and seeking to minimize their effects (Stransact, n.d.).

This approach is essential to counter complex threats to organizations, emphasize the confidentiality of information, and enhance organizational resilience in the face of the ever-changing environment of cyber threats. Effective cybersecurity practices enable organizations and individuals to remain vigilant and always ready for the purpose of making strategic and critical decisions as well as adopting measures that reduce the risk of cyber-attacks. The magnitude of the growing cyber risks and threats (Thakur, 2024; Efijemue et al., n.d).

The main objective of promoting cybersecurity awareness and practice in organizations is to train other employees in its importance and to consolidate the organization’s commitment to protecting sensitive information among its employees. The growth and increase in cybersecurity awareness enhances employees’ skills and provides them with the knowledge necessary to address security challenges, including the initiation phase of incident response processes, followed by communication with relevant parties. This is followed by the process of promoting and supporting recovery efforts (Al-Hawamleh, 2024).

The importance of training employees on cybersecurity awareness in banking institutions cannot be underestimated. In a world where cyber risks and threats are constantly growing in complexity and pervasive, it is imperative that organizations equip their employees with the knowledge and skills necessary to recognize and respond to anticipated risks. This training aims to empower years in organizations to become a firewall against cyberattacks, protecting both their interests and customers’ trust in them.

The benefits of cybersecurity awareness training are not limited to just preventing data breaches and attacks but extend beyond that. Those who are informed and vigilant can foster and spread a culture of security awareness within the organization. Those who can understand potential risks and have sufficient qualifications to follow best practices have a greater ability to make sound decisions when dealing with sensitive information. They organization’s devices, reducing potential accidents and limiting anticipated losses, legal liabilities and reputational damage.

The need to train employees on cybersecurity awareness has become even greater as companies embrace digital transformation and implement remote work policies, as employees access the organization’s data and systems from multiple locations and devices, the cybercriminals’ attack space expands. Well-designed training programs can enhance the knowledge of employees of organizations about the specific risks of remote work. Providing them with all the necessary knowledge to secure their networks and home devices effectively and efficiently.

Cybersecurity awareness training is an initiative-taking and necessary investment for organizations that aim to protect their digital assets and maintain their competitive advantage in today’s era. By equipping employees with the knowledge and skills that help identify and respond to cyber threats, organizations can reduce or reduce the likelihood of successful fraudulent attacks and protect their resources and maintain their reputation in the competitive market.

2.3 Third: The concept and relationship between AIS and cybersecurity awareness

A study submitted by (ASIF, 2023) for information security refers to the strategic methods and techniques used by the organization aimed at protecting and securing confidential information from unauthorized access by hackers who engage in activities of criminal nature online or carry out acts of sabotage or illegal weakening. Also, information security can be described as practices aimed at Enhance information security and stand up to unauthorized access.

As information is one of the key assets of organizations, it requires the concerted efforts of all through the participation of diverse groups of stakeholders such as ICT experts, information security professionals, management, staff, and office managers who are the lifeblood and custodians of information in the organization.

Lack of awareness of cyber risks and required security practices is a major factor that leads to vulnerabilities. Hence, ongoing security awareness training plays a big role in educating workers about common and potential risks such as phishing and social engineering attacks, resulting in a reduced likelihood of occurrence Human errors that lead to security breaches (Andersson, Bjursell, & Palm, 2023).

While organizations invest significant resources in advanced tools and technologies that enhance cybersecurity, they alone are not enough to provide comprehensive protection against threats. Workers are often the weakest link in the information security chain and may fall victim to social engineering tact ICS, opening malicious mail attachments, or disclosing and publishing Unintentionally sensitive information. Therefore, it is essential to add to their security strategies that organizations prioritize cybersecurity awareness training.

As detailed above, security risks cannot be eliminated even with the use and adoption of control and preventive measures and procedures, but they can be significantly reduced and scaled down through the creation and updating of targeted plans for the purpose of responding to incidents and confronting breaches or data leaks quickly and effectively.

In the context of cybersecurity awareness and information security, there is an integral relationship between them in organizational processes and activities. The more attention employees pay to cybersecurity and its practices, the safer the organization’s environment becomes. In turn, a culture of cybersecurity awareness can be promoted and disseminated through effective information security processes. Therefore, there is a mutually beneficial relationship between the awareness and practices of office managers in the field of cybersecurity and information security, where they contribute These measures promote a culture of cybersecurity awareness, while workers’ interest in cybersecurity promotes building a safer work environment. Therefore, the two years should have a firm awareness of cybersecurity considering the escalating risks and threats of cybercrime and the digital transformation that the contemporary environment is witnessing, with the aim of protecting sensitive data in organizations.

3. Methodology

3.1 Literature review and hypothesis development

1. Internal Control and Accounting Information Security

Mishra and Dhillon (2008) aimed to show the role of ICS in the effectiveness of AIS in general. The study provided a theoretical framework for the basic objectives and means of ICS in the light of AIS Evidence were gathered through in-depth interviews with 52 IT managers that included questions about their assessment of ICS. The study identified 68 objectives, organized into 25 groups, the findings of which serve as a basis for providing more theoretical frameworks in the field of information security governance. The objectives also help define initiatives and policies related to governance.

Al-Sorihi et al. (2025) examined and tested ICS as a mediating variable between IT risks and AIS in telecommunications companies in the Arab Republic. To achieve study aim, the comprehensive survey method was used using the questionnaire as a data collection tool, and 356 questionnaires were distributed, of which 218 questionnaires were used to analyze the data. It was concluded that information technology risks have a negative effect on the AIS systems by 47.6% before the mediation of internal control, and that technology risks have a negative impact on the AIS systems after ICS mediation by 25.3%, where part of the impact is transmitted through internal control. Constantly updating them, paying attention to integrity, confidentiality, and information, keeping pace with technological developments, and effectively monitoring the implementation of the security policy contributes to raising the information security level and reducing the negative impact of information technology risks.

Abdel-Jaber (2013) identified the validity of ICS procedures in Jordanian industrial companies by the electronic accounting information systems in the reduction of their information security risks. In addition, the obstacles impact this effectiveness by the identification of three types of risks that threaten the AIS systems, such as network hacking risks, social engineering risks, and malware risks. For the achievement of the study objectives, a questionnaire was given to the study sample consisting of thirty industrial companies operating in the Hashemite Kingdom of Jordan using accounting information systems. For the data analysis, the statistical methods represented by arithmetic averages, standard deviations, Kruskal Wallace test, Mann and Wintney test, and the test was used. The ICS procedures provided information security in Jordanian industrial companies through its prevention, detection, and correction, the researcher recommended the need for the department to carry out ICS activities on information security through the provision of qualified cadres, and motivating employees’ industrial companies for obtaining relevant professional certificates.

Based on the results of previous studies, the following hypothesis was developed:

H1:

There is no statistically significant effect of internal control on accounting information security in government banks in Anbar Governorate.

2. Internal Control and Cybersecurity Awareness

Mohamed (2024) shed light on the role played by SAIs in evaluating information systems and cybersecurity, with a focus on the challenges facing audit institutions and their importance in enhancing governance and transparency. The researcher adopted the inductive analytical method, where a theoretical framework was presented for the evaluation of information systems and cybersecurity. The study found out importance for a comprehensive understanding of the basic concepts of information systems control and cybersecurity and the identification of the main objectives of information technology audit. The study also found that strengthening control aspects of information systems and cybersecurity not only contributes to achieving transparency and efficiency but also contributes to enhancing trust between the public and institutions making sure the business continuity and protection of the sensitive data from cyber-attacks.

Mansour (2021) Showed that cybersecurity is important through its effect on ICS and the economic unit value by the adoption of the Information Technology Governance Framework, (COBIT5). The descriptive-analytical approach was used in the data collection along with a questionnaire that included a set of questions divided into eight axes that reflect the research requirements, using Google Forms, and Steven’s equation. Thompson was adopted in determining the size of the sample (98 auditors and accountants) working in higher education and scientific research. There was and general agreement on the relationship between the dimensions and requirements of cybersecurity on the modern frameworks of ICS COBIT5 and the value of economic unity. There was a need for the economic unit to adopt effective means of continuous evaluation of ICS to maintain information security by adopting COBIT5 by integrating procedures and characteristic ICS according to modern frameworks for avoiding the means of penetrating electronic systems and manipulating their information.

Based on the results of previous studies, the following hypothesis was developed:

H2:

There is no statistically significant effect of internal control on cybersecurity awareness in government banks in Anbar Governorate.

3. Internal control, cybersecurity awareness, and accounting information security

Al-Qusayr (2024) designed and developed an information technology governance model to reduce cyber risks and enhance the AIS in Libyan public institutions. The researcher followed the descriptive-analytical approach by reviewing previous studies, reports, models, best practices and related literature, and the study reached a conclusion that the most important pillars of the proposed model were: governance, the Information Technology Governance Committee and its mechanisms, and the independence of the internal auditor, with an emphasis on risk management, active and continuous control, transparency and accountability.

Based on the results of previous studies, the following hypothesis was developed:

H3:

There is no statistically significant effect of cybersecurity awareness on accounting information security in government banks in Anbar Governorate.

H4:

There is no statistically significant effect of internal control on accounting information security when cybersecurity awareness is present as a mediating variable.

3.2 Informed consent

All survey participants were adults of sound mind and legal capacity; no minors were included. They are employees in various administrative positions at Al-Rasheed Bank and provided their voluntary verbal consent before participating. This was due to the nature of the study, the limited risks involved, and the fact that the research procedures did not pertain to health or medical issues. The participants’ social and cultural context was also taken into consideration. They were informed of the study’s purpose and nature and assured that their responses did not include personal information or any statements related to racial discrimination. Instead, they provided data related to cybersecurity, the protection of accounting information, and internal controls.

3.3 Ethical considerations

The information contained in this research is complete and accurate and does not violate internationally recognized laws and ethics, as approved by the Research Ethics Committee at the University of Fallujah. This research has received approval from the Research Ethics Committee of the College of Administration and Economics at the University of Fallujah, under number [UOF.HUM.2025.001].

3.4 Population and sampling procedure

The research included a community represented by the government banking sector (Rashid Bank), where a sample was chosen from this community represented by employees and workers in the departments related to the nature of the studied variables, especially the accounts and financial affairs departments and the departments related to information security in this bank in its branches in the cities of Fallujah and Ramadi.

3.4.1 Sample Description and Demographic Characteristics

The characteristics of the sample covered by this study include Age, Academic qualification, Scientific specialization, Job title, and Years of experience. Table 1 shows the detailed distribution of the demographic characteristics of the participants. The results of the descriptive analysis of the demographic characteristics of the research sample of 50 individuals show that the sample is characterized by young professionals with high academic qualifications. The sample was concentrated in the age group of 35 years or younger, and 80% of them hold a bachelor’s or master’s degree. There is also a very high concentration of financial and administrative specializations, with 40% of the sample majoring in accounting and 16% in business administration. In terms of experience, the sample exhibits a good balance between intermediate and advanced experience, with 46% of the sample having between 15 and 20 years of experience, and 24% having between 16 and 20 years of experience, creating a good balance between new and experienced talent. Job titles show great diversity, with a good distribution between technical and administrative positions, and a large “other” category comprising 42% of the sample.

Table 1. Demographic characteristics of the sample.

Variable	Category	Category number of individuals	Percentage (%)
Age	30 years younger	10	20%
	31-35 years	15	30%
	36-40 years	9	18%
	41-45 years	9	18%
	46-50 years	6	12%
	Over 50 years	1	2%
Academic qualification	Bachelor’s	24	48%
	Higher Diploma	3	6%
	Master’s	16	32%
	Doctorate	4	8%
	Other (specify)	3	6%
Scientific specialization	Accounting	20	40%
	Business Administration	8	16%
	Economics	2	4%
	Public Administration	2	4%
	Financial and Banking Studies	9	18%
	Other (specify)	9	18%
Job title	Department Manager	10	20%
	Auditor	8	16%
	Accountant	11	22%
	Other (specify)	21	42%
Years of experience	Under 5 years	15	30%
	6-10 years	10	20%
	11-15 years	13	26%
	16-20 years	8	16%
	Over 20 years	4	8%
Total		50

3.5 Developing the study tool

The research tool is based on a set of variables that represent the conceptual framework of the research. The research tool includes three main variables: The first variable is the independent variable, which represents internal control, which was measured through five main indicators: the control environment; control activities; follow-up; risk assessment; information and communication. This variable includes (25 items). The second variable is the dependent variable, which represents accounting information security. It was measured as a standardized variable, including (8 items). The third variable is the mediating variable, which is cybersecurity awareness. It was also measured as a standardized variable, through (8 items). Details of the variables, their dimensions, and the number of paragraphs is presented in Table 2.

Table 2. Research variables.

Variable type	Variable	Abbreviation	Dimensions/Components	No. of paragraphs
Independent Variable	Internal Control	IC	Control Environment (CE)	5
			Control Activities (CA)	5
			Monitoring (MON)	5
			Risk Assessment (RA)	5
			Information and Communication (IC)	5
Dependent Variable	Accounting Information Security	AIS	(As a unified concept)	8
Mediating Variable	Cybersecurity Awareness	CAW	(As a unified concept)	8

3.6 Data collection procedures

The research relied on a questionnaire as the primary means of collecting data related to the research variables. The questionnaires were distributed directly to a group of officials and employees specializing in internal control and cybersecurity, employees working on accounting data processing, and financial report preparers at the Rashid Bank in its two branches in Fallujah and Anbar. The aim was to ensure that the respondents were aware of the nature and accuracy of the questions. A total of 50 questionnaires were distributed, all of which were returned, reflecting a high degree of seriousness and cooperation from the participants. The process of distributing and retrieving the questionnaires took a month and a half, including filtering and organizing the data until it was ready for statistical analysis.

3.7 Analytical framework (Quantitative)

To test and discuss hypotheses and evaluate the relationship between variables, quantitative analysis was used, relying on the statistical software SmartPLS, which specializes in structural equation modeling (SEM). This modeling is typically used to explain multiple statistical relationships simultaneously through visualization and model validation. Complex models can be easily discussed using this technique. It is an extension of traditional linear modeling techniques, such as multiple regression analysis and analysis of variance (ANOVA), which are essential requirements for learning structural equation modeling. This modeling adopts a confirmatory approach rather than an exploratory approach. Thus, we will model the impact of internal control on accounting information security, both directly and indirectly through cybersecurity awareness.

3.8 Model specifications

The mathematical model was designed to measure the effect of the independent variable, internal control (IC), on the dependent variable, accounting information security (AIS). An intermediate variable, cybersecurity awareness, was also introduced to examine whether this awareness conveys (or mediates) the effect of internal control on information security. For modeling purposes, internal control is a multidimensional variable consisting of its five components (control environment, control activities, monitoring, risk assessment, and information and communication), while the other variables include multiple indicators that serve as the basis for measuring these variables.

To ensure the accuracy of the results and obtain reliable confidence intervals, the model was first tested using the PLS-SEM algorithm. The purpose is to verify the model’s reliability and validity. Bootstrapping will then be used as the primary analysis tool within the structural equation modeling program.

The structural structure of the mathematical model can be seen in Figure 1.

Figure 1. Conceptual model.

Below is the estimation of the mathematical model based on the structured hypothetical relationships, which will be statistically examined:

(1)

AIS = a_{0} + β_{1} IC + ε

(2)

CAW = a_{0} + β_{2} IC + ε

(3)

AIS = a_{0} + β_{1} IC + β_{3} CAW + ε

4-Evaluation of the mathematical model (Reliability and internal consistency)

To evaluate reliability and internal consistency, the Loadings test, Cronbach’s alpha coefficient and composite reliability rho_c were used. The results showed that the reliability and internal consistency analysis of the mathematical model adopted in the research showed that the measurement tools were characterized by a very high level of reliability and validity, indicating the quality of the statistical design and the integrity and validity of the data for statistical analysis. The results shown in Table 3 related to the Cronbach’s alpha test showed that the reliability values exceeded the acceptable statistical limit of (0.70) for all variables, ranging between (0.886-0.928). This indicates a high degree of internal consistency between the items of each variable, and that all items measure the same dimension with a high degree of accuracy and consistency. The results of the composite reliability test also confirmed very high values, exceeding (0.90) for all variables, which confirms that the indicators used measure and interpret the latent dimensions in a stable and consistent manner. The results of the weighted average variance (AVE) showed that all values were greater than 0.50, which is the minimum statistically acceptable value. This confirms that the model has convergent validity, meaning that the items can explain most of the variance occurring in the latent variables. This confirms that the model accurately measures what it is supposed to measure; and P-values reached 0.000, which is a strong indication that the correlation coefficients between the items and the latent variables are real and not the result of statistical chance (see Table 3).

Table 3. Reliability and internal consistency.

	Cronbach’s alpha	Composite reliability (rho_a)	Composite reliability (rho_c)	Average variance extracted (AVE)
AIS	0.925	0.932	0.939	0.658
CAW	0.886	0.891	0.910	0.560
Internal control	0.928	0.931	0.946	0.778

The results of the outer loadings test show that all items related to the study variables had positive and significant loadings, exceeding the standard value level of 0.70 (see Table 4). This indicates that each item of the variables is associated with the variable to which it belongs. Furthermore, items with loadings slightly lower than this level are still acceptable due to their high statistical significance. Thus, it can be concluded that the proposed model possesses a high degree of stability and validity, and that the research measurement tools used meet the statistical quality requirements required by partial structural equation models (PLS-SEM). These results confirm the possibility of relying on current research data to test causal relationships between variables with high confidence, giving the model explanatory power and high scientific credibility. See Figure 2 To test the discriminator validity of the study model, the Heterotrait-Monotrait Ratio (HTMT) was used. The results of the discriminator validity test showed that all values fall within the statistically acceptable levels (see Table 5). All variable results fall between (0.839-0.871), which is less than the recommended maximum (0.90). These statistics confirm that each variable in the model is distinct from the other variables, meaning that there is a clear distinction between the measured concepts and no overlap between them. The results also showed that the confidence interval (2.5% - 97.5%) for all relationships did not exceed the critical value (1.00), which enhances the discriminator validity of the model and confirms that each dimension measures a different and specific aspect of the phenomenon studied. Thus, the discriminator validity of the latent model is well achieved.

Table 4. Outer loadings results.

	AIS	CAW	Internal control
CA			0.907
CE			0.907
IC			0.892
MON			0.881
RA			0.821
ais1	0.794
ais2	0.857
ais3	0.749
ais4	0.720
ais5	0.864
ais6	0.836
ais7	0.843
ais8	0.813
caw1		0.695
caw2		0.792
caw3		0.805
caw4		0.810
caw5		0.682
caw6		0.852
caw7		0.646
caw8		0.679

Figure 2. Outer loading and R² in PLS-SEM algorithm.

Table 5. Discriminant validity (Heterotrait-Monotrait Ratio -HTMT).

	Original sample (O)	Sample mean (M)	Bias	2.5%	97.5%
CAW<-> AIS	0.850	0.866	0.015	0.655	0.998
Internal control <-> AIS	0.839	0.844	0.005	0.738	0.908
Internal control <-> CAW	0.871	0.871	0.000	0.743	0.943

5- Evaluation of the structural model

5-1 Coefficient of determination and explanatory power of the model (R2)

The results of the adjusted R² indicate that the explanatory power of the developed model is large and solid, as it explains a large proportion of the variance in the dependent variable (see Table 6). The adjusted R² value for the AIS variable reached 0.676, meaning that approximately 68% of the variation in AIS in the studied government banks can be explained by the internal control variable and CAW variable. Similarly, for the CAW variable, the adjusted R² value reached 0.624, meaning that the model explains approximately 62% of the variance in the cyber awareness variable due to internal control. The above results indicate a high explanatory power and demonstrate the effectiveness of the independent variables in explaining the variance in the accounting information systems in the studied government banks. The T-statistics results also showed values of 7.445 and 8.991, with a significance level of P = 0.000. These values confirm that the relationships between the variables are truly statistically significant and are not caused by chance. This indicates that the model has very good explanatory power, and that the variables used represent realistic and influential interactions within the theoretical framework of the research, which enhances the strength and stability of the results (see Figure 2).

Table 6. Coefficient of determination R2 adjusted.

	R-square	R-square adjusted	T statistics (\|O/STDEV\|)	P values
AIS	0.689	0.676	7.445	0.000
CAW	0.632	0.624	8.991	0.000

To test multicollinearity between independent variables, we relied on the results of Collinearity Statistics (VIF) (see Table 7). The VIF value for both the CAW path to AIS and the Internal Control path to AIS was approximately 2.716, which is well below the critical threshold of 5. These results indicate that each variable independently predicts the interpretation of the dependent variable, without significantly affecting the other. The relationship between internal control and cyber awareness showed a VIF value of 1.000, which is completely ideal and indicates the absence of any linear correlation between them. These results indicate that the model enjoys a high degree of independence between the explanatory (independent) variables, and that the estimated causal relationships reflect the true effects of the variables without bias resulting from statistical interference, enhancing the reliability of the estimates and the quality of the results of the structural model.

Table 7. Inner model collinearity statistics (VIF).

	Original sample (O)	Sample mean (M)	2.5%	97.5%
CAW -> AIS	2.716	2.920	1.982	4.230
Internal control -> AIS	2.716	2.920	1.982	4.230
Internal control -> CAW	1.000	1.000	1.000	1.000

5-2 Hypothesis testing (Path analysis)

In hypothesis testing, bootstrapping was used, which is the second step in model analysis using the PLS-SEM method. It is used to test the significance of paths and causal relationships between variables in the internal model. Bootstrapping was performed with a power of 5,000 samples to estimate the standard error and extract statistical values (T-values and P-values) that determine the significance of the hypothesized relationships between variables and determine the significance and strength of the relationship using paths between the studied variables.

The results of the statistical analysis presented in Tables 8-10 and Figure 3 showed that all the hypothesized relationships in the statistical model achieved significant significance at the level of (0.05), which reflects the strength of the internal model and its predictive validity. When presenting the detailed results shown in Table (9) related to the direct impact between the variables, these results indicate the presence of a direct and significant positive impact of the internal control variable (IC) on accounting information security (AIS), as the original sample value reached (O = 0.786) with a high t-statistic value (T = 19.001) and a probability value (P = 0.000), which indicates that the internal control variable associated with significantly to enhancing accounting information security within government banks in Anbar Governorate. These results do not support hypothesis (H1), which states that there is no impact of internal control on accounting information security. The results also showed that internal control also has a statistically significant, positive effect at a confidence level of less than 0.005 on cybersecurity awareness (CAW), with an effect value of (O = 0.795, T = 18.447, P = 0.000). This indicates that activating internal control elements contributes to raising the level of awareness and commitment to cybersecurity among employees of the banks under study. This result does not support hypothesis (H2), which states that internal control has no effect on cybersecurity awareness. With the same result, the results showed that awareness of cybersecurity affects the security of accounting information. The results of Table 9 showed that the relationship is positive and statistically significant according to the values (O = 0.438, T = 2.206, P = 0.027). These results confirm that increasing awareness of cybersecurity associated with to improving the protection of accounting systems from potential threats and breaches in the banks under study. These results do not support hypothesis (H3), which states that there is no effect of awareness of cybersecurity on the security of accounting information. The results, as shown in Table 10, regarding the indirect effect, also showed that cybersecurity awareness plays a statistically significant mediating role in the relationship between internal control and accounting information security. The indirect effect value was (O = 0.348, T = 2.105, P = 0.035), indicating that part of the impact of internal control on accounting information security is transmitted through the level of cybersecurity awareness. This result does not support Hypothesis (H4), which states that cybersecurity awareness has no effect on the relationship between internal control and accounting information security.

Table 8. Total direct effect.

	Original sample (O)	Sample mean (M)	Standard deviation (STDEV)	T statistics (\|O/STDEV\|)	P values
Internal control -> AIS	0.348	0.384	0.165	2.105	0.035

Table 9. Indirect effects including CAW as mediator

	Original sample (O)	Sample mean (M)	Standard deviation (STDEV)	T statistics (\|O/STDEV\|)	P values
CAW-> AIS	0.438	0.478	0.199	2.206	0.027
Internal control -> AIS	0.786	0.797	0.041	19.001	0.008
Internal control -> CAW	0.795	0.802	0.043	18.447	0.000

Table 10. Specific indirect effect.

	Original sample (O)	Sample mean (M)	Standard deviation (STDEV)	T statistics (\|O/STDEV\|)	P values
Internal control -> CAW -> AIS	0.348	0.384	0.165	2.105	0.035

Figure 3. Direct and indirect effects results.

The previous results related to the mediating relationship are confirmed in Table 8, where it was shown that the estimated value of the total indirect effect of internal control on accounting information security was statistically significant and positive, reinforcing the hypothesis that cybersecurity awareness is a key factor in the hypothesized model and has a positive effect.

In conclusion, it can be concluded that the structural model shown in Figure 3 has proven highly efficient in explaining the impact relationships between the studied variables. The high values of T and low P indicate that the relationships between the studied variables in the model are not a coincidence, but rather reflect a logical and practical connection between internal control (IC), cybersecurity awareness (CAW), and accounting information security (AIS), in line with modern theoretical trends that confirm that creating a strong internal control environment and raising the level of cybersecurity awareness together help in enhancing the security of accounting information in the studied banking institutions. (See the summary of the hypothesis testing, Table 11).

Table 11. Hypothesis testing summary.

Hyp.	Statement	Path tested	Result	Conclusion
H1	There is no statistically significant effect of internal control on accounting information security in government banks in Anbar Governorate.	IC → AIS (Direct Effect)	β = 0.786, T = 19.00, p = 0.008 (significant)	Rejected
H2	There is no statistically significant effect of internal control on cybersecurity awareness in government banks in Anbar Governorate.	IC → CAW	β = 0.795, T = 18.447, p = 0.000	Rejected
H3	There is no statistically significant effect of cybersecurity awareness on accounting information security in government banks in Anbar Governorate.	CAW → AIS	β = 0.438, T = 2.206, p = 0.027	Rejected
H4	There is no statistically significant effect of internal control on accounting information security when cybersecurity awareness is present as a mediating variable.	IC → CAW → AIS (Indirect Effect)	Indirect effect = 0.348, T = 2.105, p = 0.035 (Significant positive mediation)	Rejected

6. Discussion of results

The results of the statistical analysis showed that the internal control environment in the banks under study enjoys a good level of implementation, as senior management demonstrated a clear interest in control reports and the principle of individual and collective responsibility for control. It also became clear that financial and administrative reports are effectively used as a control tool to help improve performance and identify deviations, reflecting organizational awareness of the importance of control activities in supporting the stability of banking operations. The results also showed that accounting information security is one of the most important elements of accounting system efficiency, as the bank is committed to keeping data confidential, restricting access rights, and maintaining backup copies. This enhances management’s confidence in the accuracy of information and decision-making. Regarding cybersecurity awareness, it was found that employees have a good understanding of the nature of cyber risks and the need to adhere to security measures, such as changing passwords, not sharing them, and examining the sources of emails. However, the results indicated a need for further training courses to enhance the efficiency of employees in this field. In general, the results revealed a complementary relationship between the internal control environment, information security, and cybersecurity awareness, with each contributing to the enhancement of the other. The stronger and more effective the internal control environment, the greater the ability to protect data and information. As employees’ cybersecurity awareness increases, the effectiveness of this control increases, and the quality of the accounting system improves.

7. Study limitations

In the interest of transparency, we acknowledge several limitations of this study. First, the study employed a cross-sectional design, which restricted our ability to infer causation. Consequently, the results reflect only correlational relationships without indicating the direction of causal effects. Second, the study comprises a single institution and two branches, which may affect the generalizability of the findings to other research communities. Third, the study data relied on self-reported perceptions and did not test for common methodological bias, despite corrective measures implemented to ensure participant anonymity. Finally, the sample size limitations suggest the need for larger sample sizes in future research on the same topic to validate the findings and ensure their generalizability.

8. Conclusion and recommendation

In conclusion, this research, which examined the relationship between the internal control environment, accounting information security, and cybersecurity awareness in banks, sought to clarify the vital role played by effective control systems in enhancing information security and ensuring the integrity of financial and accounting procedures. This topic is particularly important considering the accelerating digital transformation taking place in the banking sector and the accompanying cyber risks that require institutional readiness and high professional awareness among employees.

The research reached a set of important findings that summarize the essence of the objectives achieved. The results of the statistical analysis showed that the internal control environment in the banks studied enjoys an acceptable level of organization and effectiveness, and that senior management pays clear attention to audit reports and the application of the principles of segregation of duties and responsibilities, which positively impacts the stability of internal operations. It also revealed that accounting information security represents a fundamental pillar of the accounting system, as banks implement precise procedures to protect data and its confidentiality and continuously update their security systems. Regarding cybersecurity awareness, the results showed that employees are aware of the importance of protecting electronic systems, despite the need for further training and awareness to address the rapid developments in this field.

Based on these results, it can be said that the research clearly answered the question posed at the outset: to determine the extent to which the internal control environment, information security, and cybersecurity awareness impact the efficiency of the accounting system and the protection of its data. The results demonstrated a complementary relationship between these dimensions, with each contributing to the support of the other. This confirms that effective information protection can only be achieved through a robust control system and an institutional culture based on awareness and responsibility. From the above, several conclusions and recommendations can be drawn, the most important of which is that a strong control system represents the cornerstone of information security, and that developing the technological infrastructure is not sufficient unless accompanied by high human and professional awareness. Therefore, it is recommended to strengthen the role of internal audit units and update their policies periodically. It is also recommended to intensify training programs that enhance employees’ awareness of cyber risks, in addition to encouraging cooperation between audit, risk, and information technology departments to ensure integrated protection of financial systems.

Data availability statement

Underlying data

Repository Name: [Study data entitled: Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks] available at https://doi.org/10.5281/zenodo.18100387 (Al-Mohammedi et al., 2025)

The project contains the following Underlying data:

- [Questionnaire Form.doc] (This file contains a questionnaire list designed using a five-point Likert scale, including variables, indicators, and items).
- [data.xlsx] (This file contains the raw data used in the statistical analysis, which was collected from the target study sample.)

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).

References

Abdel-Jaber YK: The Effectiveness of Control Procedures in Providing Electronic Information Security in Jordanian Industrial Companies. Jordan: Middle East University, Faculty of Business, Department of Accounting and Finance; 2013. Unpublished Master’s Thesis.
Abdullah KA: Auditing from a Theoretical and Practical Perspective. 2007; Amman: Dar Wael for Publishing and Distribution.
Al-Hawamleh A: Cyber resilience framework: Strengthening defenses and enhancing continuity in business security. International Journal of Computing and Digital Systems. 2024; 15(1): 1315–1331.
Al-Mohammedi YA, Tarkh AS, Al-Jumaili HN, et al.: Data from the study sample titled –Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks. [Data set]. Zenodo. 2025. Publisher Full Text
Al-Qusayr IM: Information Technology Governance to Reduce Cyber Risks and Enhance AIS in Libyan Public Institutions – A Proposed Model. Journal of Academic Research (Administrative and Financial Sciences). 2024; 2(28): 10.
Al-Sorihi SAA, Alrubaidi MA, Al-Hemya NHA: The Mediating Role of Security Controls between Information-technology Risks and the AIS Systems: A Field Study in Telecommunication Companies Operating in the Republic of Yemen. Jordan Journal of Business Administration. 2025; 21(1): 2025. Publisher Full Text
Andersson I, Bjursell L, Palm I: Hack the human: A qualitative research study exploring the human factor and social engineering awareness in cybersecurity and risk management among Swedish organisations.2023.
Asif S: What is information security? principles, types.2023. Reference Source
Ben Alqama M, Saahi Y: The role of financial technology in supporting financial and banking sectors. Al Ijtihad Journal of Legal and Economic Studies. 2019; 7(3): 85–107.
Bozkus Kahyaoglu S, Caliyurt K: Cyber security assurance process from the internal audit perspective. Manag. Audit. J. 2018; 33(4): 360–376.
Committee of Sponsoring Organizations of the Treadway (COSO): Internal control—Integrated framework (Framework and appendices). 2013.
Despotović A, Parmaković A, Miljković M: Cybercrime and Cyber Security in Fintech. Digital Transformation of the Financial Industry: Approaches and Applications. Cham: Springer International Publishing; 2023; pp. 255–272.
George AS, George AH, Baskar T: Digitally immune systems: building robust defences in the age of cyber threats. Partners Universal International Innovation Journal. 2023; 1(4): 155–172.
Goutam RK, Verman DK: Top five cyber frauds. Int. J. Comput. Appl. 2015; 119(7): 23–25.
Huseynov T, Mammadova U, Aliyev E, et al.: The impact of the transition to electronic audit on accounting behavior. Economic and Social Development: Book of Proceedings. 2020; 4: 378–384.
Jamm’e M, Alash A: The role of financial technology in promoting Islamic finance. Al Ibtida Journal, University of Blida. 2021; 11(1): 454–467.
Mansour AM: The Impact of Cybersecurity on ICS and its Reflection on Economic Unity - An Exploratory Study of the Opinions of a Sample of Auditors and Accountants in the Ministry of Higher Education and Scientific Research. Journal of Management and Economics in Al-Qadisiyah. 2021; 46(127): 238.
Mishra S, Dhillon G: Defining ICS objectives for information systems security: A value focused assessment. European Conference on Information Systems. 2008.
Mohamed M: Cyber Information Systems Audit - A Case Study of Cyber Information Systems Audit of the National Electricity and Gas Corporation. The Fourteenth Scientific Research Competition of the Arab Organization of Supreme Audit Institutions; 2024.
Qourin HQ, Al-Siddiq AB, Qaidwan, et al.: The role of ICS in mitigating banking risks: A case study of accredited banks in Algeria (with reference to international models). Academy for Social and Human Studies. 2019; 12(1): 35–45.
Ryabov OV: Organising Issues of Operative System of ICS in Banking Sector. USA: Consulting company Ucom; 2021.
Shamsuddin A, Adam MA, Adnan SA, et al.: The effectiveness of internal audit function in managing cyber security in Malaysia’s banking institutions. International Journal of Industrial Management. 2018; 8(4).
Sharma R, Thapa S: Cybersecurity awareness, education, and behavioral change: strategies for promoting secure online practices among end users. Eigenpub Review of Science and Technology. 2023; 7(1): 224–238.
Stevens R, Dykstra J, Everette WK, et al.: Compliance Cautions: Investigating Security Issues Associated with US Digital-Security Standards. NDSS; 2020, February.
Stransact: Safeguarding data assets: A proactive approach to mitigate evolving cybersecurity risks.n.d. Reference Source
Thakur M: Cybersecurity threats and countermeasures in digital age. Journal of Applied Science and Education (JASE). 2024: 1–20.
Wolden M, Valverde R, Talla M: The effectiveness of COBIT 5 information security framework for reducing cyber-attacks on supply chain management system. IFAC- Papers Online. 2015; 48(3): 1846–7852.

Comments on this article Comments (0)

Version 2

VERSION 2 PUBLISHED 18 Feb 2026

Author details Author details

¹ College of Management and Economics - Department of Accounting, University of Fallujah, Al-Fallujah, Al Anbar Governorate, 31002, Iraq
² Internal Audit and Control Department, University of Fallujah, Al-Fallujah, Al Anbar Governorate, 31002, Iraq
³ College of Administration and Economics, Gilgamesh University, Baghdad, Baghdad, Iraq, 10045, Iraq

Younis Ahmed Al-Mohammedi
Roles: Project Administration, Writing – Review & Editing

Ahmed S. Tarkh
Roles: Conceptualization, Resources, Writing – Original Draft Preparation

Hamzah N. Al-Jumaili
Roles: Data Curation, Formal Analysis

Nedhal Aziz Mahdi
Roles: Formal Analysis, Methodology, Software, Writing – Review & Editing

Competing interests

No competing interests were disclosed.

Grant information

The author(s) declared that no grants were involved in supporting this work.

Article Versions (2)

version 2

Revised

Published: 05 May 2026, 15:294

https://doi.org/10.12688/f1000research.175421.2

version 1

Published: 18 Feb 2026, 15:294

https://doi.org/10.12688/f1000research.175421.1

Copyright

© 2026 Ahmed Al-Mohammedi Y et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

0

SEE MORE DETAILS

CITE

how to cite this article

Ahmed Al-Mohammedi Y, S. Tarkh A, N. Al-Jumaili H and Aziz Mahdi N. Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks [version 2; peer review: 1 approved, 2 approved with reservations]. F1000Research 2026, 15:294 (https://doi.org/10.12688/f1000research.175421.2)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Current Reviewer Status: ?

Key to Reviewer Statuses VIEW HIDE

ApprovedThe paper is scientifically sound in its current form and only minor, if any, improvements are suggested

Approved with reservations A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit.

Not approvedFundamental flaws in the paper seriously undermine the findings and conclusions

Version 2

VERSION 2

PUBLISHED 05 May 2026

Revised

Views

4

Reviewer Report 13 May 2026

Hassan Rehan, Purdue University, West Lafayette, Indiana, USA

Approved with Reservations

https://doi.org/10.5256/f1000research.199164.r481832

I have reviewed Version 2 of this manuscript and the authors' response to prior reviewer comments. The revisions address several procedural concerns adequately. However, substantive methodological issues remain that affect the validity of the findings.

What has ... Continue reading

I have reviewed Version 2 of this manuscript and the authors' response to prior reviewer comments. The revisions address several procedural concerns adequately. However, substantive methodological issues remain that affect the validity of the findings.

What has been adequately addressed:
The R² interpretation has been corrected and causal language replaced with associational terminology throughout. The limitations section now transparently acknowledges the cross-sectional design, single-institution scope, sample size constraints, and absence of a dedicated common method bias test. The questionnaire has been embedded as a supplementary appendix. The Zenodo data availability statement has been updated. These are meaningful improvements to the manuscript's transparency.

Remaining concerns:
The sample size of 50 respondents from two branches of a single institution remains a fundamental limitation for PLS-SEM analysis. While the authors acknowledge this in the limitations section, the discussion and conclusion sections still present the findings with a degree of confidence that is not warranted by a sample of this size from a single bank. PLS-SEM with 50 observations and a model of this complexity produces unstable path coefficient estimates. The bootstrapping procedure with 5,000 samples does not compensate for an inadequate original sample — it only resamples what exists. The authors should more explicitly temper their discussion language to reflect this constraint, particularly in Section 6 where findings are discussed as if they reflect general banking sector behavior in Anbar Governorate.

The common method bias issue has been acknowledged as a limitation but not addressed analytically. Given that all three variables — ICS, CAW, and AIS — were measured from the same respondents in a single survey administration, common method variance is a plausible alternative explanation for the observed associations. The authors state procedural remedies were used but acknowledge no statistical test was performed. At minimum, a Harman single-factor test should be reported, or the authors should more explicitly caveat that observed path coefficients may be inflated by common method variance.

The HTMT values reported (0.839–0.871) are below the 0.90 threshold but are notably high, approaching the boundary. With a sample of 50, discriminant validity conclusions should be stated cautiously. The manuscript does not acknowledge this proximity to the threshold.

Recommendation:
The revision represents a genuine improvement over Version 1. The core research question is relevant and the analytical approach is appropriate in principle. However, the discussion section needs further tempering to reflect the sample size and common method bias limitations more consistently. Subject to those revisions, I would approve with reservations.

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Machine Learning, Artificial Intelligence, Cloud Computing, Data Engineering, Data Analytics, Deep Learning, Big Data Systems, Distributed Computing, AI-driven Security Systems, Intelligent Data Processing

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Views

8

Reviewer Report 07 May 2026

Mostafa Rahmany, Buckinghamshire New University, High Wycombe, England, UK

Approved with Reservations

https://doi.org/10.5256/f1000research.199164.r481833

Constructive assessment:
This revised version is improved and addresses several of the main concerns raised in the earlier reviews. In particular, the manuscript now includes a limitations section, the data-availability wording has been corrected, the demographic gender mismatch has ... Continue reading

Constructive assessment:
This revised version is improved and addresses several of the main concerns raised in the earlier reviews. In particular, the manuscript now includes a limitations section, the data-availability wording has been corrected, the demographic gender mismatch has been removed, and the authors state that the questionnaire instrument has been added as supplementary material. These changes improve transparency and make the paper stronger than version 1. The study remains relevant and potentially useful, and the overall PLS-SEM framework is still acceptable for the research question. However, I do not think the manuscript has fully reached the standard for an unrestricted approval yet, because several important issues remain unresolved.

The paper still overstates its scope. The title and several parts of the abstract and conclusion continue to frame the findings as applying to “Iraqi State Banks,” while the actual sample is limited to 50 respondents from two branches of a single bank. The conclusions should therefore remain more tightly tied to the sampled setting.
Despite the stated revision, causal wording still appears throughout the manuscript. Terms such as “effect,” “impact,” “contributes,” “enhancing,” and similar formulations are still used repeatedly in ways that go beyond what a cross-sectional self-report design can support. The language should be made consistently associational throughout.
Some reporting inconsistencies are still present and should be corrected before full approval. For example, Table 8 is labeled as a “Total direct effect,” but the reported values correspond to the indirect effect and match Table 10. Table 9 is titled as indirect effects, yet it contains the direct paths. There is also still inconsistency between the demographic narrative and Table 1, especially in the discussion of years of experience. In addition, the abbreviation “IC” is still used both for the overall internal control construct and for the “information and communication” dimension, which remains confusing.
The English is improved compared with the earlier version, but the manuscript still contains awkward phrasing, grammatical problems, and unclear sentences in several sections. The article is readable, but it still needs another careful language edit.

Overall, I think the manuscript has academic merit and has clearly improved after revision, but the remaining issues are still substantive enough that I recommend Approved with Reservations, not full approval.

In Summary:
The paper continues to make a useful, context-specific contribution with competent analytics and open data practices. However, the incomplete response to my first review points (especially language, scope over-generalization, table errors, and missing questionnaire embedding) means it is not yet ready for full indexing. With the targeted revisions listed above, it would become acceptable.
Questions

Is the work clearly and accurately presented and does it cite the current literature?
Partly (Improved overall, but some wording and reporting inconsistencies remain).
Is the study design appropriate and does the work have academic merit?
Yes (The design fits the research question and has academic merit).
Are sufficient details of methods and analysis provided to allow replication by others?
Partly (Methods and data are provided, but some details are still not fully clear).
If applicable, is the statistical analysis and its interpretation appropriate?
Partly (The method is suitable, but some interpretation and table presentation remain confusing.).
Are all the source data underlying the results available to ensure full reproducibility?
Yes (The raw data and questionnaire are reported as available in the repository).
Are the conclusions drawn adequately supported by the results?
Partly (Supported within the sample, but still somewhat broader than the data justify).
Approval status:
Approved with Reservations

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Cybersecurity, AI & ML, Network Infrastructure, Network Security, Information Technology, Oil & Gas Industry Management, Oil & Gas Cybersecurity, AI Security, Healthcare Security, Healthcare Cybersecurity Framework,

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Version 1

VERSION 1

PUBLISHED 18 Feb 2026

Views

8

Reviewer Report 15 Apr 2026

Hassan Rehan, Purdue University, West Lafayette, Indiana, USA

Approved with Reservations

https://doi.org/10.5256/f1000research.193402.r473915

This study examines cybersecurity awareness as a mediating variable in the relationship between internal control systems (ICS) and accounting information security (AIS) in Iraqi government banks, using PLS-SEM with bootstrapping on a sample of 50 employees from two branches of ... Continue reading

This study examines cybersecurity awareness as a mediating variable in the relationship between internal control systems (ICS) and accounting information security (AIS) in Iraqi government banks, using PLS-SEM with bootstrapping on a sample of 50 employees from two branches of Al-Rashid Bank in Fallujah and Ramadi. The research question is well-motivated and contextually relevant — the integration of internal control with information security in Arab public-sector banking remains underexplored, and cybersecurity awareness as a mediator is a theoretically defensible and practically meaningful construct to investigate. The conceptual model is grounded in COSO (2013) and supported by a coherent body of literature. The analytical execution — measurement model evaluation, structural model testing, and mediation analysis via specific indirect effects — follows accepted PLS-SEM conventions and is transparently reported. Open deposit of the raw dataset and questionnaire on Zenodo is commendable and enhances reproducibility.

Presentation and literature
The manuscript contains persistent grammatical errors, awkward sentence constructions, and redundant passages throughout the introduction, literature review, and discussion sections. Several sentences are incomplete or shift register mid-paragraph. The R² interpretation in Section 5.1 is inverted — the text states that 68% of variation "in internal control" is explained by "the AIS variable," when the correct reading is that AIS variance is explained by internal control. This error in direction of interpretation recurs for the CAW model and must be corrected. The literature coverage is adequate for the topic and includes recent work, though several references lack full citation details and one source is listed only as "n.d." without a retrieval date.

Study design and technical soundness
The PLS-SEM mediation design is appropriate for the research objectives. The measurement model demonstrates acceptable reliability (Cronbach's α 0.886–0.928, composite reliability >0.90, AVE >0.50 for all constructs) and discriminant validity (HTMT values 0.839–0.871, all below the 0.90 threshold). Outer loadings are all statistically significant and the majority exceed 0.70, with four items (caw1, caw5, caw7, caw8) falling slightly below this threshold but remaining statistically meaningful. VIF values confirm the absence of problematic multicollinearity. Bootstrapping with 5,000 samples is appropriate for indirect effect estimation.

Replication details
The questionnaire items are not reproduced in the manuscript body, only referenced via Zenodo. While the Zenodo deposit makes them accessible, embedding the full instrument as a supplementary appendix would substantially improve transparency and immediate replicability. The demographic table (Table 1) omits a gender column despite the text explicitly stating that most respondents are male — this must be corrected either by adding the column or removing the claim.

Statistical interpretation
Path analysis results are correctly reported and interpreted. All four hypotheses are rejected at p < 0.05, supporting positive direct effects of IC on AIS (β = 0.786, T = 19.001) and on CAW (β = 0.795, T = 18.447), a positive effect of CAW on AIS (β = 0.438, T = 2.206), and a significant indirect effect through the mediator (β = 0.348, T = 2.105, p = 0.035). One reporting error requires correction: Tables 8 and 9 both carry the heading "Total indirect effect" — Table 9 should be headed "Direct effects" to reflect its content accurately.

Source data
Raw data and the questionnaire are openly deposited on Zenodo. The data availability statement contains a mismatch — it describes the deposit as concerning "Industrial Control Systems and Management Information Systems" while the actual Zenodo record uses "ICS and AIS." This must be corrected for consistency.

Support for conclusions
The core finding — that cybersecurity awareness partially mediates the relationship between internal control and accounting information security — is statistically supported within the study's scope. However, the manuscript draws conclusions about "Iraqi State Banks" and "government banks in Anbar Governorate" that substantially exceed what a convenience sample of 50 respondents from two branches of a single institution can credibly support. The title, abstract, and conclusion sections must be revised to accurately reflect the narrow institutional scope of the sample. Common-method bias is a legitimate concern in a single-source, self-report survey design and has not been tested — at minimum, a Harman's single-factor test or full collinearity VIF assessment should be reported and the limitation acknowledged explicitly. The high path coefficients (β = 0.786–0.795) combined with the small sample also warrant a caution regarding potential overfitting. Throughout the manuscript, causal language — "contributes to," "enhances," "leads to" — should be tempered to associational language consistent with the cross-sectional design.

Required changes before approval:
The R² directional interpretation in Section 5.1 must be corrected. The gender column must be added to Table 1 or the demographic claim removed. The duplicate table heading ("Total indirect effect" on both Tables 8 and 9) must be corrected. The data availability statement Zenodo description must be corrected to match the actual deposit title. The title, abstract, and conclusions must be revised to reflect the single-institution, two-branch scope of the sample. Causal language throughout must be softened to associational. A common-method bias test should be conducted and reported, or its absence explicitly justified and acknowledged as a limitation. A dedicated limitations section should be added covering sample size, single-institution scope, cross-sectional design, self-report bias, and the absence of common-method bias testing. The full questionnaire instrument should be embedded as a supplementary appendix. Professional English language editing is required throughout.

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Machine Learning, Artificial Intelligence, Cloud Computing, Data Engineering, Data Analytics, Deep Learning, Big Data Systems, Distributed Computing, AI-driven Security Systems, Intelligent Data Processing

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Views

20

Reviewer Report 10 Apr 2026

Mostafa Rahmany, Buckinghamshire New University, High Wycombe, England, UK

Approved with Reservations

https://doi.org/10.5256/f1000research.193402.r473923

Constructive assessment:
This is a timely and relevant study that addresses an important gap in the accounting and cybersecurity literature, particularly in the under-researched context of Iraqi government banks. The authors correctly identify cybersecurity awareness as a potential mediator ... Continue reading

Constructive assessment:
This is a timely and relevant study that addresses an important gap in the accounting and cybersecurity literature, particularly in the under-researched context of Iraqi government banks. The authors correctly identify cybersecurity awareness as a potential mediator between internal control systems (ICS) and accounting information security (AIS). They develop a clear conceptual model based on COSO and relevant literature, derive four testable hypotheses, and apply PLS-SEM appropriately to test direct and indirect effects. The measurement model shows strong reliability (Cronbach’s α 0.886–0.928, composite reliability >0.90, AVE >0.50) and discriminant validity (HTMT <0.90). Path coefficients are large and statistically significant, supporting the rejection of all null hypotheses and demonstrating a positive mediating role for cybersecurity awareness. Open sharing of the raw dataset and questionnaire on Zenodo is a major strength and promotes reproducibility.

However, several limitations require attention before the work can be considered fully robust for indexing:

1. Sample size and generalizability (major concern): The study uses N=50 respondents from only two branches of a single institution (Al-Rashid Bank in Fallujah and Ramadi). This is a convenience sample that cannot credibly support conclusions about “Iraqi State Banks” or even “government banks in Anbar Governorate.” While PLS-SEM can function with small samples, the explanatory power claims (R² ≈ 0.68 for AIS) and very high path coefficients (β = 0.786–0.795) warrant caution regarding statistical power, overfitting, and common-method bias (not tested).

2. Language and presentation: The manuscript contains numerous grammatical errors, awkward phrasing, sentence fragments, and repetitions that reduce clarity and readability (especially in the introduction, literature review, and discussion). Professional English editing is essential.

3. Minor technical and reporting issues:
   3.1 Demographic Table 1 description mentions “most of the sample members are male,” yet the table does not include a gender column.
   3.2 Table 8 and Table 9 both carry the heading “Total indirect effect” (copy-paste error).
   3.3 The data-availability statement incorrectly describes the Zenodo deposit as concerning “Industrial Control Systems and Management Information Systems.” The actual Zenodo title correctly uses “ICS and AIS” (matching the article). This mismatch must be corrected.
   3.4 Questionnaire items are not reproduced in the manuscript (only referenced to the Zenodo file), which slightly hinders immediate replication.
   3.5 Causal language (“contribute to,” “enhancing,” “positive role”) should be tempered to “associated with” or “predicts” given the cross-sectional, self-report design.

4. Limitations section: Currently minimal. A fuller discussion of sample limitations, self-report bias, single-institution scope, and cross-sectional nature is needed.

Aspects I have not been able to assess: I did not download and re-run the raw .xlsx file from Zenodo to independently verify every bootstrap result or check for data-entry anomalies (though the reported statistics appear internally consistent and the deposit is openly accessible).

5. Recommendations to authors
5.1 Undertake a full professional language edit.
5.2 Explicitly acknowledge sample limitations and revise title/abstract/conclusions to reflect the narrow scope (e.g., “in selected branches of Al-Rashid Bank, Anbar Governorate”).
5.3 Correct the Zenodo reference and, ideally, embed the full questionnaire items (or a supplementary file) in the next version.
5.4 Expand the limitations and future-research sections.
5.5 Consider testing for common-method bias (e.g., Harman’s single-factor test or full collinearity VIF).
Add a brief practical implications subsection for Iraqi banking regulators or internal-audit units.
These revisions are feasible and would substantially strengthen the paper.

6. Answers to mandatory reviewer questions (Research Article)

1-Is the work clearly and accurately presented, and does it cite the current literature?
Partly. The literature is relevant and up to date, but language/grammar issues and the Zenodo title mismatch reduce clarity and accuracy.

2. Is the study design appropriate and is the work technically sound?
Yes (the PLS-SEM mediation design and execution are technically sound), but the extremely narrow convenience sample limits academic merit and generalizability.

3. Are sufficient details of methods and analysis provided to allow replication by others?
Partly, while mostly (full dataset and questionnaire are openly available; PLS-SEM parameters are reported in detail), but embedding the questionnaire items would improve transparency.
4- If applicable, is the statistical analysis and its interpretation appropriate?
Yes. Standard PLS-SEM procedures were followed and correctly interpreted.
5- Are all the source data underlying the results available to ensure full reproducibility?
Yes (via the Zenodo repository).

6-Are the conclusions drawn adequately supported by the results?
Partly, within the study’s narrow scope, however, the authors over-generalize beyond the sampled branches.

Approval status:
Approved with reservations

In Summary:
The paper makes a useful, context-specific contribution and the analytical work is competently executed, but the small/single-bank sample, language problems, and minor reporting inaccuracies prevent full approval in its current form. With the recommended revisions, it would be suitable for indexing.

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Cybersecurity, AI & ML, Network Infrastructure, Network Security, Information Technology, Oil & Gas Industry Management, Oil & Gas Cybersecurity, AI Security, Healthcare Security, Healthcare Cybersecurity Framework,

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Views

5

Reviewer Report 23 Mar 2026

Muthana R. Jasim, College of Administration and Economics - Department of Accounting, Tikrit University, Tikrit, Saladin Governorate, Iraq

Approved

https://doi.org/10.5256/f1000research.193402.r465406

The manuscript addresses an important and timely topic—the role of cybersecurity awareness as a mediator between internal control systems and accounting information security in public banks—and uses PLS-SEM to test theoretically sensible hypotheses. Strengths include a clear theoretical framing, transparent ... Continue reading

The manuscript addresses an important and timely topic—the role of cybersecurity awareness as a mediator between internal control systems and accounting information security in public banks—and uses PLS-SEM to test theoretically sensible hypotheses. Strengths include a clear theoretical framing, transparent reporting of reliability/validity measures, and open sharing of the underlying dataset. However, the study’s generalizability and causal inference are limited by the small and convenience-based sample (N=50 from two branches of a single bank). I recommend the authors temper causal language, more explicitly discuss limitations related to sample size and potential self-report bias and include the survey instrument items in a manuscript appendix (or cite the Zenodo file directly). Overall, the paper makes a useful contribution but would benefit from these clarifications before indexing.

Is the work clearly and accurately presented and does it cite the current literature?

Yes
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Yes
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Partly
Are the conclusions drawn adequately supported by the results?

Yes

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Financial AccountantInternational Financial Reporting Standards

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard.

CITE

Report a concern

Respond or Comment

Comments on this article Comments (0)

Version 2

VERSION 2 PUBLISHED 18 Feb 2026

Open Peer Review

Reviewer Status

Reviewer Reports

	Invited Reviewers
	1	2	3
Version 2 (revision) 05 May 26		read	read
Version 1 18 Feb 26	read	read	read

Muthana R. Jasim, Tikrit University, Tikrit, Iraq
Mostafa Rahmany, Buckinghamshire New University, High Wycombe, UK
Hassan Rehan, Purdue University, West Lafayette, USA

Comments on this article

All Comments(0)

Add a comment

Sign up for content alerts

Browse by related subjects

Back to all reports

Reviewer Report

4 Views

13 May 2026 | for Version 2

Hassan Rehan, Purdue University, West Lafayette, Indiana, USA

4 Views Cite this report Responses(0)

Approved With Reservations

I have reviewed Version 2 of this manuscript and the authors' response to prior reviewer comments. The revisions address several procedural concerns adequately. However, substantive methodological issues remain that affect the validity of the findings.

What has been adequately addressed:
The R² interpretation has been corrected and causal language replaced with associational terminology throughout. The limitations section now transparently acknowledges the cross-sectional design, single-institution scope, sample size constraints, and absence of a dedicated common method bias test. The questionnaire has been embedded as a supplementary appendix. The Zenodo data availability statement has been updated. These are meaningful improvements to the manuscript's transparency.

Remaining concerns:
The sample size of 50 respondents from two branches of a single institution remains a fundamental limitation for PLS-SEM analysis. While the authors acknowledge this in the limitations section, the discussion and conclusion sections still present the findings with a degree of confidence that is not warranted by a sample of this size from a single bank. PLS-SEM with 50 observations and a model of this complexity produces unstable path coefficient estimates. The bootstrapping procedure with 5,000 samples does not compensate for an inadequate original sample — it only resamples what exists. The authors should more explicitly temper their discussion language to reflect this constraint, particularly in Section 6 where findings are discussed as if they reflect general banking sector behavior in Anbar Governorate.

The common method bias issue has been acknowledged as a limitation but not addressed analytically. Given that all three variables — ICS, CAW, and AIS — were measured from the same respondents in a single survey administration, common method variance is a plausible alternative explanation for the observed associations. The authors state procedural remedies were used but acknowledge no statistical test was performed. At minimum, a Harman single-factor test should be reported, or the authors should more explicitly caveat that observed path coefficients may be inflated by common method variance.

The HTMT values reported (0.839–0.871) are below the 0.90 threshold but are notably high, approaching the boundary. With a sample of 50, discriminant validity conclusions should be stated cautiously. The manuscript does not acknowledge this proximity to the threshold.

Recommendation:
The revision represents a genuine improvement over Version 1. The core research question is relevant and the analytical approach is appropriate in principle. However, the discussion section needs further tempering to reflect the sample size and common method bias limitations more consistently. Subject to those revisions, I would approve with reservations.

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Machine Learning, Artificial Intelligence, Cloud Computing, Data Engineering, Data Analytics, Deep Learning, Big Data Systems, Distributed Computing, AI-driven Security Systems, Intelligent Data Processing

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

Respond to this report

Responses (0)

Back to all reports

Reviewer Report

8 Views

07 May 2026 | for Version 2

Mostafa Rahmany, Buckinghamshire New University, High Wycombe, England, UK

8 Views Cite this report Responses(0)

Approved With Reservations

Constructive assessment:
This revised version is improved and addresses several of the main concerns raised in the earlier reviews. In particular, the manuscript now includes a limitations section, the data-availability wording has been corrected, the demographic gender mismatch has been removed, and the authors state that the questionnaire instrument has been added as supplementary material. These changes improve transparency and make the paper stronger than version 1. The study remains relevant and potentially useful, and the overall PLS-SEM framework is still acceptable for the research question. However, I do not think the manuscript has fully reached the standard for an unrestricted approval yet, because several important issues remain unresolved.

The paper still overstates its scope. The title and several parts of the abstract and conclusion continue to frame the findings as applying to “Iraqi State Banks,” while the actual sample is limited to 50 respondents from two branches of a single bank. The conclusions should therefore remain more tightly tied to the sampled setting.
Despite the stated revision, causal wording still appears throughout the manuscript. Terms such as “effect,” “impact,” “contributes,” “enhancing,” and similar formulations are still used repeatedly in ways that go beyond what a cross-sectional self-report design can support. The language should be made consistently associational throughout.
Some reporting inconsistencies are still present and should be corrected before full approval. For example, Table 8 is labeled as a “Total direct effect,” but the reported values correspond to the indirect effect and match Table 10. Table 9 is titled as indirect effects, yet it contains the direct paths. There is also still inconsistency between the demographic narrative and Table 1, especially in the discussion of years of experience. In addition, the abbreviation “IC” is still used both for the overall internal control construct and for the “information and communication” dimension, which remains confusing.
The English is improved compared with the earlier version, but the manuscript still contains awkward phrasing, grammatical problems, and unclear sentences in several sections. The article is readable, but it still needs another careful language edit.

Overall, I think the manuscript has academic merit and has clearly improved after revision, but the remaining issues are still substantive enough that I recommend Approved with Reservations, not full approval.

In Summary:
The paper continues to make a useful, context-specific contribution with competent analytics and open data practices. However, the incomplete response to my first review points (especially language, scope over-generalization, table errors, and missing questionnaire embedding) means it is not yet ready for full indexing. With the targeted revisions listed above, it would become acceptable.
Questions

Is the work clearly and accurately presented and does it cite the current literature?
Partly (Improved overall, but some wording and reporting inconsistencies remain).
Is the study design appropriate and does the work have academic merit?
Yes (The design fits the research question and has academic merit).
Are sufficient details of methods and analysis provided to allow replication by others?
Partly (Methods and data are provided, but some details are still not fully clear).
If applicable, is the statistical analysis and its interpretation appropriate?
Partly (The method is suitable, but some interpretation and table presentation remain confusing.).
Are all the source data underlying the results available to ensure full reproducibility?
Yes (The raw data and questionnaire are reported as available in the repository).
Are the conclusions drawn adequately supported by the results?
Partly (Supported within the sample, but still somewhat broader than the data justify).
Approval status:
Approved with Reservations

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Cybersecurity, AI & ML, Network Infrastructure, Network Security, Information Technology, Oil & Gas Industry Management, Oil & Gas Cybersecurity, AI Security, Healthcare Security, Healthcare Cybersecurity Framework,

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

Respond to this report

Responses (0)

Back to all reports

Reviewer Report

8 Views

15 Apr 2026 | for Version 1

Hassan Rehan, Purdue University, West Lafayette, Indiana, USA

8 Views Cite this report Responses(0)

Approved With Reservations

This study examines cybersecurity awareness as a mediating variable in the relationship between internal control systems (ICS) and accounting information security (AIS) in Iraqi government banks, using PLS-SEM with bootstrapping on a sample of 50 employees from two branches of Al-Rashid Bank in Fallujah and Ramadi. The research question is well-motivated and contextually relevant — the integration of internal control with information security in Arab public-sector banking remains underexplored, and cybersecurity awareness as a mediator is a theoretically defensible and practically meaningful construct to investigate. The conceptual model is grounded in COSO (2013) and supported by a coherent body of literature. The analytical execution — measurement model evaluation, structural model testing, and mediation analysis via specific indirect effects — follows accepted PLS-SEM conventions and is transparently reported. Open deposit of the raw dataset and questionnaire on Zenodo is commendable and enhances reproducibility.

Presentation and literature
The manuscript contains persistent grammatical errors, awkward sentence constructions, and redundant passages throughout the introduction, literature review, and discussion sections. Several sentences are incomplete or shift register mid-paragraph. The R² interpretation in Section 5.1 is inverted — the text states that 68% of variation "in internal control" is explained by "the AIS variable," when the correct reading is that AIS variance is explained by internal control. This error in direction of interpretation recurs for the CAW model and must be corrected. The literature coverage is adequate for the topic and includes recent work, though several references lack full citation details and one source is listed only as "n.d." without a retrieval date.

Study design and technical soundness
The PLS-SEM mediation design is appropriate for the research objectives. The measurement model demonstrates acceptable reliability (Cronbach's α 0.886–0.928, composite reliability >0.90, AVE >0.50 for all constructs) and discriminant validity (HTMT values 0.839–0.871, all below the 0.90 threshold). Outer loadings are all statistically significant and the majority exceed 0.70, with four items (caw1, caw5, caw7, caw8) falling slightly below this threshold but remaining statistically meaningful. VIF values confirm the absence of problematic multicollinearity. Bootstrapping with 5,000 samples is appropriate for indirect effect estimation.

Replication details
The questionnaire items are not reproduced in the manuscript body, only referenced via Zenodo. While the Zenodo deposit makes them accessible, embedding the full instrument as a supplementary appendix would substantially improve transparency and immediate replicability. The demographic table (Table 1) omits a gender column despite the text explicitly stating that most respondents are male — this must be corrected either by adding the column or removing the claim.

Statistical interpretation
Path analysis results are correctly reported and interpreted. All four hypotheses are rejected at p < 0.05, supporting positive direct effects of IC on AIS (β = 0.786, T = 19.001) and on CAW (β = 0.795, T = 18.447), a positive effect of CAW on AIS (β = 0.438, T = 2.206), and a significant indirect effect through the mediator (β = 0.348, T = 2.105, p = 0.035). One reporting error requires correction: Tables 8 and 9 both carry the heading "Total indirect effect" — Table 9 should be headed "Direct effects" to reflect its content accurately.

Source data
Raw data and the questionnaire are openly deposited on Zenodo. The data availability statement contains a mismatch — it describes the deposit as concerning "Industrial Control Systems and Management Information Systems" while the actual Zenodo record uses "ICS and AIS." This must be corrected for consistency.

Support for conclusions
The core finding — that cybersecurity awareness partially mediates the relationship between internal control and accounting information security — is statistically supported within the study's scope. However, the manuscript draws conclusions about "Iraqi State Banks" and "government banks in Anbar Governorate" that substantially exceed what a convenience sample of 50 respondents from two branches of a single institution can credibly support. The title, abstract, and conclusion sections must be revised to accurately reflect the narrow institutional scope of the sample. Common-method bias is a legitimate concern in a single-source, self-report survey design and has not been tested — at minimum, a Harman's single-factor test or full collinearity VIF assessment should be reported and the limitation acknowledged explicitly. The high path coefficients (β = 0.786–0.795) combined with the small sample also warrant a caution regarding potential overfitting. Throughout the manuscript, causal language — "contributes to," "enhances," "leads to" — should be tempered to associational language consistent with the cross-sectional design.

Required changes before approval:
The R² directional interpretation in Section 5.1 must be corrected. The gender column must be added to Table 1 or the demographic claim removed. The duplicate table heading ("Total indirect effect" on both Tables 8 and 9) must be corrected. The data availability statement Zenodo description must be corrected to match the actual deposit title. The title, abstract, and conclusions must be revised to reflect the single-institution, two-branch scope of the sample. Causal language throughout must be softened to associational. A common-method bias test should be conducted and reported, or its absence explicitly justified and acknowledged as a limitation. A dedicated limitations section should be added covering sample size, single-institution scope, cross-sectional design, self-report bias, and the absence of common-method bias testing. The full questionnaire instrument should be embedded as a supplementary appendix. Professional English language editing is required throughout.

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Machine Learning, Artificial Intelligence, Cloud Computing, Data Engineering, Data Analytics, Deep Learning, Big Data Systems, Distributed Computing, AI-driven Security Systems, Intelligent Data Processing

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

Respond to this report

Responses (0)

Back to all reports

Reviewer Report

20 Views

10 Apr 2026 | for Version 1

Mostafa Rahmany, Buckinghamshire New University, High Wycombe, England, UK

20 Views Cite this report Responses(0)

Approved With Reservations

Constructive assessment:
This is a timely and relevant study that addresses an important gap in the accounting and cybersecurity literature, particularly in the under-researched context of Iraqi government banks. The authors correctly identify cybersecurity awareness as a potential mediator between internal control systems (ICS) and accounting information security (AIS). They develop a clear conceptual model based on COSO and relevant literature, derive four testable hypotheses, and apply PLS-SEM appropriately to test direct and indirect effects. The measurement model shows strong reliability (Cronbach’s α 0.886–0.928, composite reliability >0.90, AVE >0.50) and discriminant validity (HTMT <0.90). Path coefficients are large and statistically significant, supporting the rejection of all null hypotheses and demonstrating a positive mediating role for cybersecurity awareness. Open sharing of the raw dataset and questionnaire on Zenodo is a major strength and promotes reproducibility.

However, several limitations require attention before the work can be considered fully robust for indexing:

1. Sample size and generalizability (major concern): The study uses N=50 respondents from only two branches of a single institution (Al-Rashid Bank in Fallujah and Ramadi). This is a convenience sample that cannot credibly support conclusions about “Iraqi State Banks” or even “government banks in Anbar Governorate.” While PLS-SEM can function with small samples, the explanatory power claims (R² ≈ 0.68 for AIS) and very high path coefficients (β = 0.786–0.795) warrant caution regarding statistical power, overfitting, and common-method bias (not tested).

2. Language and presentation: The manuscript contains numerous grammatical errors, awkward phrasing, sentence fragments, and repetitions that reduce clarity and readability (especially in the introduction, literature review, and discussion). Professional English editing is essential.

3. Minor technical and reporting issues:
   3.1 Demographic Table 1 description mentions “most of the sample members are male,” yet the table does not include a gender column.
   3.2 Table 8 and Table 9 both carry the heading “Total indirect effect” (copy-paste error).
   3.3 The data-availability statement incorrectly describes the Zenodo deposit as concerning “Industrial Control Systems and Management Information Systems.” The actual Zenodo title correctly uses “ICS and AIS” (matching the article). This mismatch must be corrected.
   3.4 Questionnaire items are not reproduced in the manuscript (only referenced to the Zenodo file), which slightly hinders immediate replication.
   3.5 Causal language (“contribute to,” “enhancing,” “positive role”) should be tempered to “associated with” or “predicts” given the cross-sectional, self-report design.

4. Limitations section: Currently minimal. A fuller discussion of sample limitations, self-report bias, single-institution scope, and cross-sectional nature is needed.

Aspects I have not been able to assess: I did not download and re-run the raw .xlsx file from Zenodo to independently verify every bootstrap result or check for data-entry anomalies (though the reported statistics appear internally consistent and the deposit is openly accessible).

5. Recommendations to authors
5.1 Undertake a full professional language edit.
5.2 Explicitly acknowledge sample limitations and revise title/abstract/conclusions to reflect the narrow scope (e.g., “in selected branches of Al-Rashid Bank, Anbar Governorate”).
5.3 Correct the Zenodo reference and, ideally, embed the full questionnaire items (or a supplementary file) in the next version.
5.4 Expand the limitations and future-research sections.
5.5 Consider testing for common-method bias (e.g., Harman’s single-factor test or full collinearity VIF).
Add a brief practical implications subsection for Iraqi banking regulators or internal-audit units.
These revisions are feasible and would substantially strengthen the paper.

6. Answers to mandatory reviewer questions (Research Article)

1-Is the work clearly and accurately presented, and does it cite the current literature?
Partly. The literature is relevant and up to date, but language/grammar issues and the Zenodo title mismatch reduce clarity and accuracy.

2. Is the study design appropriate and is the work technically sound?
Yes (the PLS-SEM mediation design and execution are technically sound), but the extremely narrow convenience sample limits academic merit and generalizability.

3. Are sufficient details of methods and analysis provided to allow replication by others?
Partly, while mostly (full dataset and questionnaire are openly available; PLS-SEM parameters are reported in detail), but embedding the questionnaire items would improve transparency.
4- If applicable, is the statistical analysis and its interpretation appropriate?
Yes. Standard PLS-SEM procedures were followed and correctly interpreted.
5- Are all the source data underlying the results available to ensure full reproducibility?
Yes (via the Zenodo repository).

6-Are the conclusions drawn adequately supported by the results?
Partly, within the study’s narrow scope, however, the authors over-generalize beyond the sampled branches.

Approval status:
Approved with reservations

In Summary:
The paper makes a useful, context-specific contribution and the analytical work is competently executed, but the small/single-bank sample, language problems, and minor reporting inaccuracies prevent full approval in its current form. With the recommended revisions, it would be suitable for indexing.

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Cybersecurity, AI & ML, Network Infrastructure, Network Security, Information Technology, Oil & Gas Industry Management, Oil & Gas Cybersecurity, AI Security, Healthcare Security, Healthcare Cybersecurity Framework,

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

Respond to this report

Responses (0)

Back to all reports

Reviewer Report

5 Views

23 Mar 2026 | for Version 1

Muthana R. Jasim, College of Administration and Economics - Department of Accounting, Tikrit University, Tikrit, Saladin Governorate, Iraq

5 Views Cite this report Responses(0)

Approved

The manuscript addresses an important and timely topic—the role of cybersecurity awareness as a mediator between internal control systems and accounting information security in public banks—and uses PLS-SEM to test theoretically sensible hypotheses. Strengths include a clear theoretical framing, transparent reporting of reliability/validity measures, and open sharing of the underlying dataset. However, the study’s generalizability and causal inference are limited by the small and convenience-based sample (N=50 from two branches of a single bank). I recommend the authors temper causal language, more explicitly discuss limitations related to sample size and potential self-report bias and include the survey instrument items in a manuscript appendix (or cite the Zenodo file directly). Overall, the paper makes a useful contribution but would benefit from these clarifications before indexing.

Is the work clearly and accurately presented and does it cite the current literature?

Yes
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Yes
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Partly
Are the conclusions drawn adequately supported by the results?

Yes

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Financial AccountantInternational Financial Reporting Standards

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard.

Respond to this report

Responses (0)

[1] Abdel-Jaber YK: The Effectiveness of Control Procedures in Providing Electronic Information Security in Jordanian Industrial Companies. Jordan: Middle East University, Faculty of Business, Department of Accounting and Finance; 2013. Unpublished Master’s Thesis.

[2] Abdullah KA: Auditing from a Theoretical and Practical Perspective. 2007; Amman: Dar Wael for Publishing and Distribution.

[3] Al-Hawamleh A: Cyber resilience framework: Strengthening defenses and enhancing continuity in business security. International Journal of Computing and Digital Systems. 2024; 15(1): 1315–1331.

[4] Al-Mohammedi YA, Tarkh AS, Al-Jumaili HN, et al.: Data from the study sample titled –Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks. [Data set]. Zenodo. 2025. Publisher Full Text

[5] Al-Qusayr IM: Information Technology Governance to Reduce Cyber Risks and Enhance AIS in Libyan Public Institutions – A Proposed Model. Journal of Academic Research (Administrative and Financial Sciences). 2024; 2(28): 10.

[6] Al-Sorihi SAA, Alrubaidi MA, Al-Hemya NHA: The Mediating Role of Security Controls between Information-technology Risks and the AIS Systems: A Field Study in Telecommunication Companies Operating in the Republic of Yemen. Jordan Journal of Business Administration. 2025; 21(1): 2025. Publisher Full Text

[7] Andersson I, Bjursell L, Palm I: Hack the human: A qualitative research study exploring the human factor and social engineering awareness in cybersecurity and risk management among Swedish organisations.2023.

[8] Asif S: What is information security? principles, types.2023. Reference Source

[9] Ben Alqama M, Saahi Y: The role of financial technology in supporting financial and banking sectors. Al Ijtihad Journal of Legal and Economic Studies. 2019; 7(3): 85–107.

[10] Bozkus Kahyaoglu S, Caliyurt K: Cyber security assurance process from the internal audit perspective. Manag. Audit. J. 2018; 33(4): 360–376.

[11] Committee of Sponsoring Organizations of the Treadway (COSO): Internal control—Integrated framework (Framework and appendices). 2013.

[12] Despotović A, Parmaković A, Miljković M: Cybercrime and Cyber Security in Fintech. Digital Transformation of the Financial Industry: Approaches and Applications. Cham: Springer International Publishing; 2023; pp. 255–272.

[13] George AS, George AH, Baskar T: Digitally immune systems: building robust defences in the age of cyber threats. Partners Universal International Innovation Journal. 2023; 1(4): 155–172.

[14] Goutam RK, Verman DK: Top five cyber frauds. Int. J. Comput. Appl. 2015; 119(7): 23–25.

[15] Huseynov T, Mammadova U, Aliyev E, et al.: The impact of the transition to electronic audit on accounting behavior. Economic and Social Development: Book of Proceedings. 2020; 4: 378–384.

[16] Jamm’e M, Alash A: The role of financial technology in promoting Islamic finance. Al Ibtida Journal, University of Blida. 2021; 11(1): 454–467.

[17] Mansour AM: The Impact of Cybersecurity on ICS and its Reflection on Economic Unity - An Exploratory Study of the Opinions of a Sample of Auditors and Accountants in the Ministry of Higher Education and Scientific Research. Journal of Management and Economics in Al-Qadisiyah. 2021; 46(127): 238.

[18] Mishra S, Dhillon G: Defining ICS objectives for information systems security: A value focused assessment. European Conference on Information Systems. 2008.

[19] Mohamed M: Cyber Information Systems Audit - A Case Study of Cyber Information Systems Audit of the National Electricity and Gas Corporation. The Fourteenth Scientific Research Competition of the Arab Organization of Supreme Audit Institutions; 2024.

[20] Qourin HQ, Al-Siddiq AB, Qaidwan, et al.: The role of ICS in mitigating banking risks: A case study of accredited banks in Algeria (with reference to international models). Academy for Social and Human Studies. 2019; 12(1): 35–45.

[21] Ryabov OV: Organising Issues of Operative System of ICS in Banking Sector. USA: Consulting company Ucom; 2021.

[22] Shamsuddin A, Adam MA, Adnan SA, et al.: The effectiveness of internal audit function in managing cyber security in Malaysia’s banking institutions. International Journal of Industrial Management. 2018; 8(4).

[23] Sharma R, Thapa S: Cybersecurity awareness, education, and behavioral change: strategies for promoting secure online practices among end users. Eigenpub Review of Science and Technology. 2023; 7(1): 224–238.

[24] Stevens R, Dykstra J, Everette WK, et al.: Compliance Cautions: Investigating Security Issues Associated with US Digital-Security Standards. NDSS; 2020, February.

[25] Stransact: Safeguarding data assets: A proactive approach to mitigate evolving cybersecurity risks.n.d. Reference Source

[26] Thakur M: Cybersecurity threats and countermeasures in digital age. Journal of Applied Science and Education (JASE). 2024: 1–20.

[27] Wolden M, Valverde R, Talla M: The effectiveness of COBIT 5 information security framework for reducing cyber-attacks on supply chain management system. IFAC- Papers Online. 2015; 48(3): 1846–7852.

Cybersecurity Awareness as a Mediating Variable in the Relationship between ICS and AIS in Iraqi State Banks

Abstract

Research Objective

Research Significance

Research Methodology and Tools

Recommendations

Keywords

Revised Amendments from Version 1

1. Introduction

1.1 Research problem

1.2 The study importance

1.3 Research objectives

2. Second topic/Theoretical aspect of the research

2.1 First: Components and elements of the ICS system

2.2 Second: The concept, benefits and motivations of spreading the culture of cybersecurity awareness

2.3 Third: The concept and relationship between AIS and cybersecurity awareness

3. Methodology

3.1 Literature review and hypothesis development

H1:

H2:

H3:

H4:

3.2 Informed consent

3.3 Ethical considerations

3.4 Population and sampling procedure

Table 1. Demographic characteristics of the sample.

3.5 Developing the study tool

Table 2. Research variables.

3.6 Data collection procedures

3.7 Analytical framework (Quantitative)

3.8 Model specifications

Figure 1. Conceptual model.

(1)

(2)

(3)

4-Evaluation of the mathematical model (Reliability and internal consistency)

Table 3. Reliability and internal consistency.

Table 4. Outer loadings results.

Figure 2. Outer loading and R2 in PLS-SEM algorithm.

Table 5. Discriminant validity (Heterotrait-Monotrait Ratio -HTMT).

5- Evaluation of the structural model

5-1 Coefficient of determination and explanatory power of the model (R2)

Table 6. Coefficient of determination R2 adjusted.

Table 7. Inner model collinearity statistics (VIF).

5-2 Hypothesis testing (Path analysis)

Table 8. Total direct effect.

Table 9. Indirect effects including CAW as mediator

Table 10. Specific indirect effect.

Figure 3. Direct and indirect effects results.

Table 11. Hypothesis testing summary.

6. Discussion of results

7. Study limitations

8. Conclusion and recommendation

Data availability statement

Underlying data

References

Comments on this article Comments (0)

Open Peer Review

Comments on this article Comments (0)

Open Peer Review

Reviewer Status

Reviewer Reports

Comments on this article

Browse by related subjects

Competing Interests Policy

Stay Updated

Figure 2. Outer loading and R² in PLS-SEM algorithm.