“…Furthermore, we argue that employees' information security behaviour is a bidimensional construct that is composed of 2 behavioural dimensions, namely, in‐role and extra‐role behaviour, which have been considered in previous studies (eg, Guo, 2013; Hsu, Shih, Hung, & Lowry, ). Although academic research should strive to investigate employees' actual behaviour, certain obstacles in real‐life organizational settings can make this undertaking impossible, thereby providing justification for assessing behavioural intentions as approximations of actual behaviour (D'Arcy & Lowry, ; Hu et al, ; Lowry et al, ; Mehri & Ahluwalia, ; Vroom & Von Solms, ). It is commonly argued that the relationship between behavioural intention and actual behaviour is grounded in the theory of planned behaviour by Ajzen () (eg, Anderson & Agarwal, ; Siponen & Vance, ) and several researchers demonstrated a strong correspondence between the 2 constructs (D'Arcy & Lowry, ; Herath et al, ; Li, Sarathy, Zhang, & Luo, ; Webb & Sheeran, ).…”