Exploring the Challenges and Issues in Adopting Cybersecurity in Saudi Smart Cities: Conceptualization of the Cybersecurity-Based UTAUT Model

This study aims to explore the challenges and issues in adopting cybersecurity practices in smart Saudi cities and to develop and validate a newly developed cybersecurity-based unified theory of acceptance and use of technology 3 (UTAUT3) model. The study has a twofold purpose. First, it identified the key challenges and issues in adopting smart cities in Saudi smart cities. Second, it developed a technology-based model to adopt cybersecurity practices in Saudi smart cities. Two surveys were conducted to achieve these objectives. The first survey identified challenges and gaps in adopting cybersecurity practices in smart cities, revealing concerns about weak cybersecurity platforms, privacy breaches, and the impact of IT infrastructure advancements on Saudi culture (N = 554: common public). The second survey focused on developing and validating a cybersecurity-based UTAUT3 model (N = 108: IT professionals), emphasizing nine factors: performance expectancy, effort expectancy, social influence, facilitating conditions, safety, resiliency, availability, confidentiality, and integrity of cybersecurity. The model’s validity and reliability were assessed, demonstrating its potential for understanding user behavior and adoption patterns in smart cities. The study findings provide valuable insights into the factors influencing the adoption of cybersecurity measures in smart Saudi cities, highlighting the need for targeted strategies, effective awareness programs, and collaboration between stakeholders to promote a secure and resilient digital environment. Future research may focus on refining the model, extending its applicability to other regions or countries, and investigating the impact of emerging technologies and evolving cyber threats on user behavior and cybersecurity practices.


Introduction
Smart cities are emerging as an innovative solution to the challenges urban areas face in the 21st century. They integrate digital technology, data, and connectivity to improve the quality of life for citizens and foster sustainable development [1]. In recent years, various countries have strongly committed to implementing smart city initiatives, with ambitious projects to create intelligent urban environments [2]. Developing smart cities is becoming a top priority as these countries strive to diversify their economies and reduce dependency on traditional industries. However, implementing these innovative urban environments raises critical concerns related to cybersecurity, given the increased connectivity and reliance on digital infrastructure [3]. As the potential for future possibilities attracts people from various parts of the country and the world, the rapid population growth in these smart cities has highlighted significant security concerns and increased the informal economy [4]. Ensuring the safety and security of citizens, infrastructure, and data in smart cities remains a pressing issue that needs to be addressed to fully realize the potential benefits of these innovative urban environments.
1. To identify the challenges and issues in adopting cybersecurity and safety practices by IT professionals and the common public in smart Saudi cities.
2. To explore the economic, social, and cultural factors/challenges that make the cybersecurity framework practicable in smart Saudi cities.
3. To conceptualize a cybersecurity-based UTAUT3 model in smart Saudi cities.

Technological Challenges and Issues
Poor information and communication technology (ICT) infrastructure and security concerns hamper the adoption of e-government in Saudi Arabia. Hosam and Ahmad [12] assert that the lack of ICT infrastructure is a predominant issue. Additionally, there is a need for Saudi Arabia to develop standardized policies and regulations to oversee the use of ICT services. These changes will assist both the government and citizens in delivering services [12]. Privacy and security concerns are another major technical challenge affecting the implementation of cybersecurity in Saudi Arabia. A study by Alshehri and Drew [13] notes that most Saudi Arabians are concerned that using an e-government platform to share personal information, such as names and ID numbers, could expose them to cybersecurity risks. The citizens are afraid that online platforms do not have adequate security to prevent hackers from accessing their data. Regrettably, the concern over the lack of security in e-government systems has created an unwillingness among Saudi Arabians to embrace e-services [13]. Hosam and Ahmad [12] claim that international privacy and security concerns are the leading issues among citizens when using e-government platforms. Thus, the government needs to enhance public awareness of how citizens should safeguard their data and privacy by building cybersecurity practices when using the Internet [12].

Organizational Challenges and Issues
Lack of qualified ICT experts, lack of training, resistance to change, inadequate ICT policies, and lack of collaboration between Saudi Arabian agencies are also responsible for the slow adoption of cybersecurity. Alshehri and Drew [13] claim that in Saudi Arabia, most IT experts have moved from the public sector to the private sector since government jobs pay lower wages compared to corporate jobs. The transition has deprived the public sector of experts who could have helped implement cybersecurity programs [13]. According to Hossam et al. [14], the new phenomenon experiences resistance because people fear the unknown. Since setting cybersecurity in smart cities is an emerging technological revolution in Saudi Arabia, it requires establishing an appropriate framework [12]. For any new government program to succeed, it should receive support from all agencies. Alshehri and Drew [13] claim that Saudi Arabia has experienced slow adoption of cybersecurity measures because of a lack of collaboration between government agencies in promoting their implementation. None of the Saudi Arabian agencies wishes to share their data with other organizations. The country could realize numerous benefits if all the agencies could share their information on cybersecurity practices [13]. These challenges and issues also include:

Lack of Trust
Certain distinctions exist between cybersecurity in Saudi Arabia and the United States. Alotaibi et al. [15] noted that perceived trustworthiness has a positive and major impact on behavioral intention to use m-government services [16]. This observation suggests that most participants in this research trust such applications and their merits since the government has deployed them. This result is consistent with the principle that when trust in the Internet and government is enhanced, the intention to use cybersecurity practices increases. In addition, security may not be a problem for most individuals who adopt security applications since they have been utilizing the Internet for a long time and are well familiar with security and privacy concerns. Privacy issues do not affect the purchase intentions of cloud computing services in the United States [15]. Moreover, they should deliver services through secure applications to motivate users to embrace these technologies [15].
In view of cybercrimes, related regulations in Saudi Arabia are influenced more by Islamic and social principles, as well as local cultural contexts [16]. These laws include the penalties for the different crimes and the fines that the religion considers consistent with the values it practices. During investigations, Saudi Arabia's Communication and IT Commission provides the required technical support to the established security body to assist with the examination of diverse cybercrimes. However, in the United States, the Federal Bureau of Investigation is responsible for investigating such offenses, in line with the Constitution.

Lack of Awareness and Training Developments
In the Middle East region, security awareness of information, particularly among undergraduates, scholarly researchers, and staff, has been examined to determine their degree of knowledge of information systems [17]. In a study, the researchers note that a lack of scholarship on information system principles is the main impediment to cybersecurity awareness. Several suggestions to minimize the severity of this situation were formulated, namely reinforcing awareness and training initiatives as well as embracing safety measures across learning institutions to promote data security.
Various factors necessitate an examination of cybersecurity in cybersecurity practices. In the view of Saudi Arabia, the e-government paradigm of administrative systems is a relatively new idea, originating in the 1980s. In government contexts, the execution of technology in providing diversified offerings is a costly plan that demands economic practicality. An effective model within which the electorate can access different services is necessary and must be protected to promote social welfare [15]. Given e-government implementation in the country, significant advantages, such as the adoption of digital technologies and a minimization in the cost of public service, have been evident. Saudi Arabia is a nation that maintains a positive outlook on the international stage with the goal of securing varied economic interests [17].
An assessment of Saudi Arabians indicates that their cybersecurity awareness level is considerably low. This situation can be attributed to the nature of the national culture. Additionally, while Saudi citizens exhibit a clear understanding of information technology (IT), their knowledge of cybersecurity risks and the government's role in facilitating information safety across the Internet is quite limited. Therefore, state agencies should create awareness of these issues through training initiatives in learning institutions.

Impacts of Culture
American social customs are broad, coupled with distinct values based on diverse populations and ethnic backgrounds [17]. This convergence means that one religion cannot form the basis for governing the penalties for people found guilty of cybercrime offenses; therefore, a challenge in managing the practice appears [18]. In addition, variations exist in the level of jail time for similar crimes in Saudi Arabia and the United States. Besides, phishing is the most dominant social engineering method in recent times. It entails stealing users' credit card numbers and login details to access their private data. This form of cyberattack accounted for 77% of all social engineering attacks in Saudi Arabia's educational sector in 2017. These attacks can be implemented through the Internet and social media.
Social harmony and human connections are major priorities among Asians. Efficiency and time management, on the other hand, are critical values for Westerners. Such cultural factors have a clear implication for cybersecurity.

Shortage of Local Expertise
In Saudi Arabia, a lack of IT professionals to guide the execution of e-government in their entities is clear [18]. A primary factor for such a lack is the transfer of IT expertise from the public sector to the private sector since government salaries are relatively low [17]. Further, a lack of IT personnel at all levels, including programmers and professional managers, is evident. Consequently, the training of existing employees, especially in the public sector, is vital to advance the adoption of any novel technology. On the other hand, a significant proportion of Saudi Arabia's population lacks the requisite IT competency needed to advance smart cities [17]. Therefore, this situation demands dependence on expatriates to assist in the management of distinct elements of the smart city initiative.
Finally, the study proposes the following assumptions to explore the challenges and issues of adopting cybersecurity practices in smart Saudi cities:
P1. The lack of trust related to cyberinfrastructure issues, services from governments or companies, cyber threat attacks, and a cyber-based economy limit cybersecurity framework adoption in Saudi Arabia.
P2. The lack of developments related to a shortage of cyber awareness programs and a lack of trained personnel limit cybersecurity framework adoption in Saudi Arabia.
P3. Cultural influences, including using social apps, influence Saudi Arabia's adoption of cybersecurity awareness methods.
P4. The lack of IT professionals in the public sector (a shortage of local expertise) limits the implementation of cybersecurity frameworks in Saudi Arabia.
After a careful literature review, the study identified the key challenges for citizens, governments, and organizations in services, mobility, and standards and protocols. Moreover, the study also identified the smart city factors (i.e., privacy, security, and risk) that need proper laws and regulations, wellbeing and quality of life, and governance. Therefore, the study divided all stakeholders (citizens, government, and organizations) into three main factors, including trust, operational and transitional, technological and sustainability challenges. Based on this information, the study also develops a conceptual framework (Figure 1) based on the following proposed propositions:
P1. The lack of trust related to cyberinfrastructure issues, services from governments or companies, cyber threat attacks, and a cyber-based economy limit cybersecurity framework adoption in Saudi Arabia.
P2. The lack of developments related to a shortage of cyber awareness programs and a lack of trained personnel limit cybersecurity framework adoption in Saudi Arabia.
P3. Cultural influences, including using social apps, influence Saudi Arabia's adoption of cybersecurity awareness methods.
P4. The lack of IT professionals in the public sector (a shortage of local expertise) limits the implementation of cybersecurity frameworks in Saudi Arabia.

Research Design
This study adopts a quantitative research method to validate and test the survey items of cybersecurity practices in smart Saudi cities. Quantitative research is focused on collecting and analyzing statistical data, which is suitable for investigating factors in producing repeatable outcomes and generalizing findings [19,20]. Quantitative research is a predominant method due to its objectivity, generalizability, and replicability, as it relies on systematic procedures and numerical data for analysis [21]. Statistical techniques are employed to draw objective conclusions, make inferences about the population, and enhance the rigor and precision of the research. While quantitative research has limitations, such as the potential for overlooking qualitative nuances, its structured and statistical nature makes it accessible and efficient for data collection and analysis. According to the study of cybersecurity in smart cities, the quantitative method has been recommended in previous research [21] to test the assumptions. For this study, a survey-based cross-sectional approach was used to analyze relationships between various factors and the implications of the results for the research approach [19]. Therefore, the study used a survey questionnaire to develop a list of questions about exploring challenges and issues in adopting cybersecurity practices in smart Saudi cities.

Data Collection Procedure
The study adopted a survey questionnaire technique to collect data. The study collected data from the common public, targeting 710 citizens. The common public was the subject of a survey questionnaire that was distributed in order to collect data. Respondents completed a web-based online survey (Google Forms) on an online platform made available to Saudi citizens living in Saudi Arabia. In order to determine the cybersecurity challenges and issues in smart Saudi cities and the potential benefits they may provide, a literature review was conducted, and a survey questionnaire was created for this research. The survey questionnaire contained only questions that were straightforward, to the point, free of ambiguity, and simple to read. A list of research questions has been developed from an extensive literature review. When the questions were extracted, they were reviewed and proofread by two professors from universities and two IT experts in the same field (cybersecurity). The questionnaire comprised 36 questions identified from reviewing the literature (see Appendix A). A five-point Likert scale was used to measure the items to reduce the possibility of measurement errors and the mental strain placed on the participants [22].
The participants in this research were the public in information technology and cybersecurity (including web designers, software engineers, and programmers). Since Arabic is Saudi Arabia's primary language, but the questionnaire survey was initially written in English, it was necessary to have it translated into Arabic before it could be sent to the common public. Therefore, the study used both versions of the survey questionnaire to allow the common public to respond clearly. According to Sekaran [23], it is vitally important to select a language for the questionnaire that is clear, straightforward, and written at a level that respondents can comprehend. In this particular investigation, the researcher utilized the strategy of back translation. Back translation has recently become increasingly popular for academic translated versions and expert studies.
The designed questionnaire is improved through a process to reduce the number of errors caused by the creation of the questionnaire and ensure that the content is accurate [24]. The study surveyed the public (N = 710) in Saudi Arabia, but only 554 surveys were fully answered, so the study used only completed survey questionnaires. The study surveyed the public to determine the challenges and issues in adopting cybersecurity practices in smart Saudi cities. This strategy elaborates on the responses to the challenges, barriers, and needs of adopting cybersecurity in smart cities in Saudi Arabia. Finally, the study surveyed the public by taking 554 survey responses from two smart cities (for example, Neom and Riyadh) in Saudi Arabia. The researcher used the list of questions to test the assumptions/propositions of the research (see Appendix A).

Data Analysis
The study used the Statistical Package for the Social Sciences (SPSS) 21 to analyze the pre-testing survey data [25]. First, the study calculated descriptive statistics for the demographic characteristics of the respondents. The study also calculated the correlation coefficient [26] among the variables of the pre-testing survey questionnaire. The study also tested the survey questions in order to find the challenges and issues in adopting cybersecurity practices in smart Saudi cities.

Descriptive Statistics (Public Survey)
In Table 1, the descriptive statistics showed that there are 62.8% (348) males and 37.2% (206) females. Moreover, 18.6% (103) of the respondents were from the public sector, 53.6% (297) of the respondents were from the private sector, 2.3% (13) of the respondents were unemployed, 9.2% (51) of the respondents were housewives, construction employees, teachers, medical doctors, or military men, 9.6% (53) of the respondents were students, and 6.7% (37) of the respondents were from free businesses. Additionally, 33% (183) of the respondents were using fast internet, 48.2% (267) of the respondents were using medium-speed internet, 15% (83) of the respondents were using low internet, and only 3.8% (21) of the respondents were using very fast speed internet.

Correlation Analysis
The strength and degree of the linear links between two sets of variables are evaluated using correlation coefficients. Therefore, the study used correlation analysis to check the relationship between the variables. Table 2 describes the correlation analysis of the factors related to the Internet and cybersecurity. The results showed that internet services are positively and strongly associated with the latest technologies (r = 0.406 **) and increased cybersecurity issues (r = 0.122 **). In addition, it was also observed that cybersecurity issues are significantly and positively related to the development of the latest technology (r = 0.092 *) and electronic services information (r = 0.099 *). At the same time, no significant relationship was observed between electronic services and cybersecurity scams (r = −0.071), and the relationship was negative. Finally, the highest correlation coefficient was found between internet services and the latest internet technology. This is attributed to the notion that if there is the latest internet technology, the use of internet services will increase automatically.
Note: * Correlation is significant at the 0.05 level (2-tailed).

Lack of Trust
The survey results indicate that there needs to be more trust in cyber infrastructure and the digital economy in Saudi Arabia (Table 3). A majority of respondents believe that the country has weak cybersecurity platforms, and they need more confidence in the nation's capacity to design and deploy smart cities. Despite this, many participants acknowledge the country's shift towards a digital economy. The respondents display awareness of various IT issues, such as social media scams, bank fraud, and fake advertisements. Concerns about external threats, fake accounts, information leakage, hacking, and improper cybersecurity systems are prevalent. Most participants have experienced medium or slow internet speeds, and many have faced security or privacy breaches. Furthermore, the majority of respondents admit to sharing their personal information online without reading the website's privacy policy. These findings suggest that cybersecurity and digital infrastructure improvements are crucial to increasing trust and confidence in Saudi Arabia's technological advancements.
The majority of Saudi citizens surveyed believe it is essential to be aware of cyber threats, with 74% strongly agreeing and 20.2% agreeing. A considerable percentage (40%) of respondents have already participated in a cybersecurity community awareness program, demonstrating an overall interest in the topic. Furthermore, an overwhelming majority (97.09%) expressed interest in promoting a cyber-awareness program within the community, should the government provide incentives. Regarding participating in training, a higher proportion of respondents (62.68%) are willing to pay a small fee for the course, as opposed to 37.3% who would prefer not to pay.
In conclusion, the findings indicate that Saudi citizens are highly aware of the importance of cyber threats and demonstrate a significant willingness to participate in and promote cybersecurity awareness programs, with a majority also being open to paying for relevant training courses.
Most participants recognize the importance of cyber threat awareness, indicating a successful initial stage of cybersecurity education and potential readiness for more in-depth knowledge. Despite the recognized importance of awareness, participation in cybersecurity community awareness programs could be much higher. This highlights a gap between understanding the importance of cyber awareness and taking active steps to increase it. Most participants would be interested in promoting cyber-awareness programs if the government provided incentives. This reveals a significant opportunity for government agencies to boost cybersecurity education through incentivized initiatives.
Participants' willingness to pay for a course indicates a market for paid cybersecurity education. However, only some interested people are willing to pay, suggesting that affordable or free training options might be necessary to reach a wider audience. While most interested participants are eager to invest financially in their cybersecurity education, many uninterested participants would not pay for such a course. This suggests that financial commitment may deter some individuals, necessitating additional strategies to engage this group, such as demonstrating the practical benefits of such training (Table 4).
The survey results indicate that a significant proportion of respondents believe that advancements in IT infrastructure will impact Saudi culture, with 14.3% strongly agreeing and 32.4% agreeing on this issue (Table 5). However, a notable percentage (40%) remain neutral, while 6.7% disagree and 4.8% strongly disagree. In terms of social apps affecting Saudi culture, Snapchat (51.4%) and Twitter (32.4%) are identified as the two most influential apps, with WhatsApp (14.3%) coming in third place and no respondents selecting Instagram or other apps. In conclusion, most respondents believe that advancements in IT infrastructure and the use of social apps, notably Snapchat and Twitter, have the potential to affect Saudi culture. However, a considerable portion remains neutral on the topic.

Shortage of Local Expertise
The survey results reveal that only a small percentage (11.4%) of respondents have the technical ability to perform network-wide deep-packet inspections (Table 6). In comparison, a more significant portion (41%) do not have this capability, and 45% are uncertain. There is a generally positive outlook regarding job satisfaction and the potential of public and governmental agencies to match private sectors shortly, with 36.2% strongly agreeing and 36.2% agreeing with the statement. However, 19% of respondents remain neutral, while 3.8% disagree, and 2.9% strongly disagree. In conclusion, although the technical ability to perform deep-packet inspections is limited among the respondents, there is optimism that public and governmental agencies can match private sectors shortly.

Conceptualization of the Cybersecurity-Based UTAUT Model
After identifying the challenges and gaps in the survey, it is shown that other economic, cultural, and social factors are related to behavioral intention and actual use of behavior. The literature review showed that economic, cultural, and social factors significantly contribute to behavioral intention and the actual behavior of using smart city technologies. The study identified several factors from the literature studies and tested the results. The factors for each antecedent are termed economic factors, i.e., privacy design (safety), cyber threat intelligence and analysis platform (resiliency); social factors, i.e., digital trust (confidentiality), cyber responses and resilience (availability); and cultural factors, i.e., cyber competencies and awareness program (integrity).
The study used the unified theory of acceptance and use of technology (UTAUT) as the basis to develop a cybersecurity-based UTAUT3 model in smart Saudi cities. Popova and Zagulova [27] used UTAUT models to predict cybersecurity behaviors and intentions in a study of the smart city of Riga, Latvia. The study findings showed that all factors of the UTAUT model (i.e., performance expectancy, effort expectancy, social influence, and facilitating conditions) significantly contributed to the behavioral intention and actual use of behavior in adopting smart city technologies. However, they claimed that UTAUT factors might not predict adopting smart city technologies due to the underdeveloped culture. Kuberkar and Singhal [28] conducted a study by testing the behaviors of passengers toward smart city transport technologies. The study stated that performance expectancy, effort expectancy, social influence, facilitating conditions, trust, and anthropomorphism affect behavioral intention and actual use of behavior in adopting smart city transport technologies. Meanwhile, Van Zoonen [29] recognized security and privacy as contributing factors in the smart city awareness campaign model, in which privacy and security variables are connected to applying the appropriate realm of the smart city.
In this context, some of the issues include developing resilience in information security; increasing awareness of privacy risks; growing the security and integrity of online content, thereby encouraging greater use of information systems [30]; generating policy standards for cybersecurity based on global best practice; constructing resilient information systems; and increasing concern regarding security risks [17]. Alzahrani [31] conducted a study claiming that cybersecurity's availability, confidentiality, and integrity are linked to cybersecurity trust and culture. It is helpful to increase the safety of critical systems and cyber resilience capability, conduct research and training, and market cybersecurity remedies, products, or services when government organizations and commercial sectors engage. Therefore, Alzahrani [31] stated that data availability, confidentiality, and integrity should be enhanced to cover the lack of system development and IT experts. On the other hand, Alhalafi and Veeraraghavan [32] proposed recommendations for Saudi Arabia to implement a cybersecurity framework for smart cities. They claimed that smart cities require a model of cybersecurity that will safeguard their integrity and guide the reaction to possible assaults and hazards [32]. Based on the study's findings and evidence in the literature, the study develops a cybersecurity-based UTAUT3 model in smart Saudi cities (see Figure 2):

Data Collection Procedure
The questionnaire was developed based on the findings of the previous survey conducted in smart Saudi cities. It was administered through an online platform, which details the study's objectives and provides the contact information of the researcher and the supervisory team. The cover page, designed to inform respondents of the objectives and significance of this research, explained the objectives of the survey and gave directions for completing the questionnaire. The questionnaire was designed to validate the conceptual framework in smart Saudi cities using the nine factors of the UTAUT3 model (performance expectancy, effort expectancy, social influence, facilitating conditions, safety, resiliency, availability, confidentiality, and integrity of cybersecurity). The questionnaire is divided into two distinct sections. Respondents' demographic data were gathered in the first section. The second section consisted of the UTAUT3 factors and items used to validate the cybersecurity-based UTAUT3 model. To test the validity and reliability of the survey questionnaire, the researcher sent it to five scientists who are currently pursuing their doctoral degrees and have substantial expertise in cybersecurity and e-applications, in addition to having a solid understanding of Arabic, which is also their native language. The questionnaire was written in English and Arabic. The feedback from the doctoral students recommended minor alterations to the wording, splitting up a few questions, and changing the order in which they were asked. Their feedback was incorporated into the revision of the draft questionnaire, and the completed survey instrument was then presented to them and received their approval.
Finally, a second survey consisting of 108 IT professionals was carried out for the purpose of validating the conceptual model.

Measurement Scales
This study's assessment constructs and items were derived from previous research (see Appendix B). Four performance expectancy items, three effort expectancy items, three social influence items, and three facilitating conditions items were gathered from earlier studies and modified for this investigation [33,34]. Based on Arpaci and Sevinc's [35] research, the study adapted the following cybersecurity factors: four safety items, three resilience items, three secrecy items, three availability items, and four integrity items. Additionally, the research adjusted three items of behavioral intention and three items of actual use behavior from past studies to facilitate data comparison [33,34]. A Likert scale was employed for the measurement scales, with levels ranging from 1 (strongly disagree) to 5 (strongly agree). McDaniel and Gates [36] argue that a Likert scale is practical when the research measures participants' attitudes towards various factors.

Data Analysis
This stage of the survey questionnaire was conducted to develop and validate the factors of the UTAUT3 cybersecurity framework in smart Saudi cities. The study used SmartPLS version 3.3.3 for this purpose, applying the first step of the algorithm technique to assess the measurement model. Guidelines established by previous researchers [37,38] were followed to assess and test the conceptual framework developed in this research.

Demographic Information
The demographic information of the pre-test shows that 50% (54) of the respondents were from the IT sector, 19.4% (21) of the respondents from the education sector, only 7.4% (8) from the construction sector, and 23.1% (25) of the respondents from the food sector. The study also reported that 71.3% (77) of the respondents were male and 28.7% (28.7) were female. Meanwhile, the study reported that 15.7% (17)

Convergent Validity and Reliability
The convergent validity and reliability of the measurement scales can be assessed using the threshold values established in the literature [39–41]. Convergent validity is demonstrated when all factor loadings are greater than 0.7 [41] and the average variance extracted (AVE) is greater than 0.5 [42]. Reliability is established when both Cronbach's alpha and composite reliability (CR) values are greater than 0.7 [39,40]. The study ran an algorithm with 5000 sub-samples and found that two items of facilitating conditions (FC1 = 0.446, FC2 = 0.508), one item of safety (SAFE4 = 0.626), one item of confidentiality (CON1 = 0.638), and one item of availability (AVAI2 = 0.655) have factor loadings below 0.7, so they were deleted from the model. After these deletions, all measurement scales show satisfactory convergent validity and reliability, as all factor loadings are above the 0.7 threshold, and AVE values for each scale exceed 0.5 (Table 7). Moreover, Cronbach's alpha and CR values are greater than 0.7 for all scales, indicating high internal consistency and reliability (Table 7).

Discriminant Validity
Cross-loadings are the correlation coefficients between the items and the factors, and they are used to evaluate the discriminant validity of the measurement scales [39]. Discriminant validity is established when the items load higher on their respective factors than on others [43]. A common rule of thumb is that the difference between the item's loading on its own factor and its highest loading on other factors should be at least 0.1 [43]. The findings showed that most items have a higher loading on their respective factors (diagonal elements in bold) than on other factors (off-diagonal elements). This suggests a reasonable level of discriminant validity for most of the items in this study (see Appendix C).
Another part of discriminant validity is testing the Fornell-Larcker [44] criterion. The Fornell-Larcker criterion is an approach used to assess discriminant validity, which is the degree to which a construct is distinct from other constructs [44]. This criterion is fulfilled when the square root of a construct's average variance extracted (AVE) is greater than the correlations between that construct and all other constructs in the model. In Table 8, the diagonal values (in bold) represent the square root of AVEs for each construct, while the off-diagonal values represent the correlations between the constructs. Based on the Fornell-Larcker criterion, it can be concluded that discriminant validity is established for most of the constructs as the square root of the AVE for each construct is higher than its correlations with other constructs.

R-square (R²) measures the proportion of variance in the dependent variable that the independent variables can explain in a multiple regression model. It is a commonly used statistic to evaluate the goodness of fit of a model. R-square values range from 0 to 1, with higher values indicating a better fit between the model and the data [39]. In the given study, the R² values for the two dependent variables, behavioral intention of adopting cybersecurity in smart cities and use behavior of adopting cybersecurity in smart cities, are 0.567 and 0.537, respectively. These values suggest that the nine factors in the model explained 56.7% of the variance in behavioral intention and 53.7% of the variance in user behavior.
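The item screening, AVE and CR thresholds from the convergent validity section and the Fornell-Larcker check described above can be reproduced from outer loadings and construct correlations. The following Python code is an added example, not the study's SmartPLS output; it uses the standard AVE and composite reliability formulas for standardized loadings, and apart from the three deleted-item loadings quoted from the text (SAFE4, CON1, AVAI2), all loadings and correlations are constructed for illustration.

```python
import math

# Thresholds stated in the text: loading > 0.7, AVE > 0.5, CR > 0.7.
LOADING_MIN, AVE_MIN, CR_MIN = 0.7, 0.5, 0.7

# Standardized outer loadings. SAFE4, CON1 and AVAI2 are the values the paper
# reports as deleted; every other number is constructed for illustration.
LOADINGS = {
    "SAFE": {"SAFE1": 0.81, "SAFE2": 0.84, "SAFE3": 0.79, "SAFE4": 0.626},
    "CON": {"CON1": 0.638, "CON2": 0.85, "CON3": 0.83},
    "AVAI": {"AVAI1": 0.82, "AVAI2": 0.655, "AVAI3": 0.80},
}
# Constructed inter-construct correlations (not the paper's Table 8).
CORR = {("SAFE", "CON"): 0.55, ("SAFE", "AVAI"): 0.48, ("CON", "AVAI"): 0.61}


def screen_items(items):
    """Return (kept, dropped) item names using the 0.7 loading threshold."""
    kept = {name: l for name, l in items.items() if l > LOADING_MIN}
    return kept, sorted(set(items) - set(kept))


def ave(loadings):
    """Average variance extracted: mean of the squared loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def composite_reliability(loadings):
    """CR = (sum l)^2 / ((sum l)^2 + sum(1 - l^2))."""
    total = sum(loadings) ** 2
    error = sum(1 - l * l for l in loadings)
    return total / (total + error)


def assess(model):
    """Screen items, then compute AVE, CR and pass/fail per construct."""
    report = {}
    for construct, items in model.items():
        kept, dropped = screen_items(items)
        a, cr = ave(kept.values()), composite_reliability(kept.values())
        report[construct] = {"dropped": dropped, "ave": a, "cr": cr,
                             "ok": a > AVE_MIN and cr > CR_MIN}
    return report


def fornell_larcker_violations(report, corr):
    """Pairs whose correlation is not below sqrt(AVE) of both constructs."""
    bad = []
    for (a, b), r in corr.items():
        limit = min(math.sqrt(report[a]["ave"]), math.sqrt(report[b]["ave"]))
        if abs(r) >= limit:
            bad.append((a, b))
    return bad


if __name__ == "__main__":
    rep = assess(LOADINGS)
    for name, row in rep.items():
        print(name, row["dropped"], round(row["ave"], 3), round(row["cr"], 3))
    print("Fornell-Larcker violations:", fornell_larcker_violations(rep, CORR))
```

Raising any constructed correlation above the smaller square-root AVE of its pair makes `fornell_larcker_violations` report that pair, which is the failure case the criterion is meant to catch.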

Discussion and Conclusions
The existing literature and studies underscore the significant influence of economic, cultural, and social factors on the behavioral intention and actual use of smart city technologies. Applying the unified theory of acceptance and use of technology (UTAUT) to cybersecurity contexts, particularly in smart cities, has yielded significant findings concerning performance expectancy, effort expectancy, social influence, and facilitating conditions. However, gaps in cultural development and specific factors such as privacy, security, trust, and anthropomorphism were also identified as critical aspects of technology adoption. Emphasizing the need for resilient information systems and raising awareness of privacy and security risks are pivotal steps toward strengthening smart city infrastructure. Therefore, factors including data availability, confidentiality, and integrity are addressed to mitigate the dearth of system development and IT expertise. Consequently, developing and implementing a comprehensive cybersecurity framework is paramount to safeguarding the integrity of smart cities, providing guidance for responding to potential threats, and promoting a robust and secure digital environment. After that, this study examines the widespread phenomenon of testing the behavioral intentions in adopting cybersecurity awareness programs in two cities in Saudi Arabia (i.e., Riyadh and Neom). The study conducted two surveys. The first survey was carried out to explore the challenges and issues in adopting cybersecurity practices in smart Saudi cities. The second survey was carried out to develop and validate the conceptual cybersecurity-based UTAUT3 model. In the first phase, the study targeted 554 respondents (common public). In the second phase, the study targeted 108 IT professionals because they provided the most authentic responses to validate a new model in smart Saudi cities.
The survey results reveal several key insights about trust in cyberinfrastructure and the digital economy in Saudi Arabia. First, there is a widespread perception of weak cybersecurity platforms and a need for more confidence in the country's ability to design and deploy smart cities. Second, respondents are highly aware of various IT issues and have experienced security or privacy breaches. Third, Saudi citizens understand the importance of cyber threats and express a strong interest in participating in cybersecurity awareness programs. Furthermore, most respondents believe that advancements in IT infrastructure and social apps, notably Snapchat and Twitter, have the potential to impact Saudi culture. However, a considerable portion of respondents remains neutral on this issue. While technical abilities such as deep-packet inspections are limited among the respondents, there is optimism that public and governmental agencies can match the private sector shortly.
The study results emphasize the importance of economic, cultural, and social factors in shaping behavioral intention and actual use of smart city technologies. Key factors identified include privacy design, cyber threat intelligence, digital trust, cyber responses, resilience, and cyber competencies and awareness programs. Moreover, the R² values of 0.567 and 0.537 for behavioral intention and user behavior, respectively, indicate that the nine factors (performance expectancy, effort expectancy, social influence, facilitating conditions, safety, resiliency, confidentiality, availability, and integrity of cybersecurity) in the cybersecurity-based UTAUT3 model explain a significant proportion of the variance in these two dependent variables. This suggests that a comprehensive approach addressing economic, social, and cultural factors is crucial for increasing trust in cyberinfrastructure and promoting the adoption of cybersecurity measures in smart cities within Saudi Arabia.
Combining the two surveys' findings, the study concludes by emphasizing the interconnectedness of public perception, technical abilities, and the role of economic, social, and cultural factors in influencing the adoption of cybersecurity measures in Saudi Arabia's transition to a digital economy and smart cities. Additionally, the results highlight the need for effective government policies, incentives, and awareness programs to enhance the overall trust and confidence in the country's cyber infrastructure and digital advancements. The findings of the study presented cybersecurity aspects and factors, including the actual use of behavior, availability, behavioral intention, confidentiality, effort expectancy, facilitating conditions, integrity, performance expectancy, resiliency, safety, and social influence in the context of smart cities. These were each measured with several items, which resulted in factor loadings ranging from 0.746 to 0.888, indicating a high level of validity and reliability. Moreover, all constructs scored above 0.6 in average variance extracted (AVE), implying good convergent validity. Furthermore, all constructs' Cronbach alpha and composite reliability values were above the acceptable 0.7 thresholds, indicating high reliability and internal consistency. The correlation matrix noted that all the constructs were significantly correlated with each other, ranging from 0.317 to 0.733, with the diagonal showing the square root of AVE, illustrating adequate discriminant validity. This indicates that the constructs are related yet distinct from each other, thereby supporting the validity and reliability of the scales used in measuring these constructs. These measurements could be instrumental in shaping cybersecurity policy and best practices in the context of smart cities.

Practical Implications
The practical implications of this study, which focuses on developing and applying a cybersecurity-based UTAUT3 model in smart Saudi cities, are manifold. Implementing this model can lead to several changes in cybersecurity practices, including the following:

1. Enhanced understanding of user adoption factors: The UTAUT3 model provides a comprehensive framework for understanding the factors influencing the adoption of cybersecurity measures in smart cities. By identifying key economic, social, and cultural factors, policymakers and city planners can develop targeted strategies to increase trust and confidence in cyberinfrastructure and promote the adoption of advanced security measures.

2. Improved cybersecurity awareness programs: The UTAUT3 model emphasizes the importance of cyber competencies and awareness programs in shaping users' behavioral intentions and actual use of cybersecurity measures. By designing and implementing effective cybersecurity awareness campaigns, government agencies can equip citizens with the necessary knowledge and skills to identify, prevent, and respond to cyber threats.

3. Informed policy development: Understanding the factors influencing the adoption of cybersecurity measures in smart cities can help policymakers develop informed strategies that address economic, social, and cultural barriers. This may include providing incentives for participating in cyber-awareness programs, supporting training and education initiatives, and fostering public-private partnerships to improve cyberinfrastructure.

4. Strengthened cybersecurity practices: By addressing the concerns and needs of users, as identified in the UTAUT3 model, smart cities can design and deploy robust cybersecurity platforms that address privacy, resiliency, confidentiality, availability, and integrity. This will result in a more secure digital environment, fostering trust and confidence among citizens.

5. Promoting digital trust and collaboration: By addressing the concerns and needs of users in smart cities, the UTAUT3 model can help build digital trust among citizens, businesses, and government agencies. This will encourage greater collaboration in developing and maintaining cybersecurity practices, ultimately leading to more secure and resilient smart cities.

6. Preserving cultural values: The UTAUT3 model considers the potential impact of IT infrastructure advancements on Saudi culture. By considering these cultural factors, policymakers and city planners can ensure that cybersecurity practices align with societal values and contribute positively to the overall development of smart cities.

Limitations and Future Directions
While the study provides valuable insights into the factors influencing cybersecurity practices in smart Saudi cities, it has some limitations. The sample size and demographic distribution of respondents may only represent part of the population, potentially limiting the generalizability of the findings. The most significant limitation of the study is that it developed and validated the cybersecurity-based UTAUT3 model but did not examine the effect of all nine factors on behavioral intentions and actual use of behavior in adopting cybersecurity practices; a future study should consider this aspect to investigate the impacts. Furthermore, the study focuses solely on Saudi Arabia, and the results may not directly apply to other countries or regions with different cultural, economic, and social contexts. Future research could address these limitations by employing more extensive and diverse samples and conducting comparative studies across multiple regions or countries. Additionally, researchers could explore the long-term effects of implementing the UTAUT3 model on the overall security and resilience of smart cities, examine the role of emerging technologies such as artificial intelligence and blockchain in enhancing cybersecurity, and investigate the impact of evolving cyber threats on user behavior and adoption patterns.

Author Contributions: N.A. and P.V. contributed to Saudi smart cities to identify the challenges and issues in adopting cybersecurity practices. All authors have read and agreed to the published version of the manuscript.

Funding: This research received no external funding.

Data Availability Statement: Study data cannot be shared due to ethical considerations.