Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.