Text Practice Mode
Part:1 _ Cyber Security Awareness, Knowledge and Behavior: A Comparative Study
created Mar 22nd 2022, 09:26 by MuathNasr
2
1485 words
8 completed
0
Rating visible after 3 or more votes
00:00
Cyber-attacks represent a potential threat to information security. As rates of data usage and internet consumption continue to increase, cyber awareness turned to be increasingly urgent. This study focuses on the relationships between cyber security awareness, knowledge and behavior with protection tools among individuals in general and across four countries: Slovenia, Poland and Turkey in particular. Results show that internet users possess adequate cyber threat awareness but apply only minimal protective measures usually relatively common and simple ones. The study findings also show that higher cyber knowledge is connected to the level of cyber awareness, beyond the differences in respondent country or gender. In addition, awareness is also connected to protection tools, but not to information they were willing to disclose. Lastly, findings exhibit differences between the explored countries that affect the interaction between awareness, knowledge, and behaviors. Results, implica- tions, and recommendations for effective based cyber security training programs are presented and discussed.
Information Technology has dramatically increased in the past decade, with massive global rates of internet consump- tion by individuals and organizations ranging from acade- mia and government to industrial sectors (Aloul1; Jalali et al.2; Lee et al.3). During the last decade, information technology such as mobile devices and digital applications have transformed daily life, facilitating diverse lifestyles in many areas. The ease of technology usage as well as the increased demand for online connectivity (in education, retail, tourism, and even autonomous vehicles) has expanded opportunities for internet usage on a global scale. Indeed, some of these uses include reading digital newspapers, surfing the web, utilizing search engines to find desired content, assisting recommender systems in the form of decision support tools, and using social media to name only a few. Nevertheless, while internet consump- tion buttressed by information technology improvements increases dramatically (Maurseth4), many netizens (i.e., people who use the internet) still lack sufficient awareness of various internet threats (also defined as “cyber hazards”). In fact, they often fail to possess the minimum required knowledge to protect their computing devices. In worst- case scenarios, individuals suffer from a total lack cyber hazard awareness. Hence, their readiness to utilize protec- tive cyber security measures is non-existent. When not carried out by governments, cyber hazards are the work of “bad hackers” (otherwise known as “black hats”), who act on their own or within an organized crim- inal group to commit cyber crime. In both cases, their intention is to engage in cyber-crime in any of its various forms, ranging from violation of individual privacy to iden- tity theft and credit card fraud. Cyber-criminals use mal- icious software and hacking tools to sabotage computers, mobile devices, and communication network infrastructure, including5 cyber security protection tool disruption (Abawajy ). While protective tools are generally installed on computers and in infrastructure, studies show that they do not completely mitigate cyber security breaches (Furnell et al.6; Parsons et al.7; Schultz.8) This is because the weakest link in the cyber security chain remains human error (Anwar et al.9; Herath and Rao10; Schneier.11) Organizations have come to recognize that behaviors deriv- ing from the human factor are responsible for cyber secur- ity flaws and may pose a liability for information security (Sasse and Flechais.12)
The behavioral contribution to unintentional cyber breaches was highlighted by IBM’s Global Technology Services as one of the most critical issues to be addressed by security controls and best practices guidelines. In fact, there has been an increased recent focus on the role of individual behavior in cyber hazard mitigation. However, the understanding of how individuals differ in their aware- ness, knowledge, and cyber security behavior when con- fronted with versatile cyber hazards is still quite limited. Moreover, to the best of our knowledge, no research has yet to compare and evaluate these three components across countries. Therefore, the aim of this study is to evaluate differences in cyber hazard awareness, knowledge and cyber hazard protection behaviors between four countries Slovenia, Turkey, Poland and. As such, the compara- tive study was carried out in these four countries character- ized by varying GDP and GDP per capita: two economically more developed (and Slovenia) and two economically less developed (Poland and Turkey) countries, since there are many authors claiming that economic development and cybersecurity and therefore cyber awareness are mutually dependent (Kshetri13, Vasiu and Vasiu14). GDP and GDP per capita are among the most common indicators used to track the health of a nation’s economy. According to the Worldbank,15 in 2018 was ranked 22nd in GDP per capita (41,614 USD), with Slovenia in 32nd place (26,234 USD). The GDP per capita of Poland is lower (15,424 USD and GDP per capita ranking of 52), while Turkey is lower still (9,311 USD and GDP per capita ranking of 67). As far as we know, no study comparative has focused on the relative cyber security awareness, knowledge and behavior differences between these four countries.
Our research objectives are divided into two categories: First, building a theoretical framework to be used in con- structing cyber security training programs. This framework is based on the factors that impact the level of cyber security awareness, knowledge, and behavior, which were evaluated according to the following research questions (from general to specific):
(1) What is the level of cyber security awareness among netizens?
(2) Which types of behavior do netizens adopt to prevent cyber hazards?
(3) Is there any difference in cyber security awareness and behavior among netizens of different countries that diverge in their GDP values?
The second objective of this study is to provide practical recommendations on how to improve the quality of cyber training programs based on the theoretical framework findings.
The rest of this paper is organized as follows: In Section 2, we present the literature review, while in Section 3 we outline the study methodology. Section 4 details the results, followed by a discussion of implications and recommendations in Section 5. Finally, in Section 6, conclusions and suggestions for future work are offered.
2. Theoretical background
2.1. The impact of internet and cyber on society
The internet has revolutionized how people access data and utilize various applications for modern day-to-day tasks. Reid and Van Niekerk16(p. 178) noted the huge impact of the internet on daily life: “In our technology and information-infused world, cyberspace is an integral part of the modern-day society. In both personal and professional contexts, cyberspace is a highly effective tool in, and enabler of, most people’s daily digitally transposed activities.17,18,19” However, Coppers20 noted the rising impact of information security breaches on the economy, resulting in information loss estimated at $2.5 million per year (Coppers20) As noted, this loss can be only partly mitigated by protective tools since their function- ality in most cases is controlled by individuals (Furnell et al.6; McCormac et al.21; Parsons et al.22; Schultz8)
Individual cyber engagement, in general, and with cyber protection tools in particular, has motivated both academic scholars and practitioners to focus on individual attitudes and behaviors concerning cyber threats (Schneier23; Shropshire et al.24). An instructive example was given by Sasse and Flechais12 who emphasized the existing gap between facto and ex post facto mitigation activities conducted by employees in cases of cyber security breach due to lack of sufficient engagement with cyber security protection tools. Other stu- dies evaluated level of individual resilience with cyber security awareness as a cause of job stress (McCormac et al.25). In addition, the relationship between individual personality and level of cyber security risk propensity has been researched (McCormac et al.26). Yet the relationships between individual cyber security awareness, knowledge and behavior have never been studied in cross-country comparison. In fact, the com- parative approach is considered by important stakeholders to be crucial for the creation of intervention programs (McCormac et al.26).
2.2. Cyber security hazard awareness
The internet has revolutionized managing life tasks, enabling connections with new people through social networks and opening new economic horizons for transactions via mobile devices both for individuals and organizations, including radi- cal change in the higher education system and teaching meth- ods (Aloul1; Lee et al.3; Saadatdoost et al.27). Even so, many people still face information security risks from a vast array of threats. These threats range from simple to catastrophic attacks. The first may consist of primitive spam e-mails, while the second may involve organized cyber-crime groups that use malicious software to steal, corrupt, and destroy data on a significant scale (Letho28). A major factor in information security risk is level of individual cyber security awareness, which can be usefully described as low, medium, or high. Low awareness behaviors include not paying attention or neglect- ing security alerts, provided in most cases automatically by applications, such as when accessing free open networks (such as Wi-Fi) with mobile devices and laptops. A medium aware- ness level may be characterized by negligence expressed in improper technology operation. Finally, high awareness involves knowledge of cyber threats and capable actions taken in their prevention.
Information Technology has dramatically increased in the past decade, with massive global rates of internet consump- tion by individuals and organizations ranging from acade- mia and government to industrial sectors (Aloul1; Jalali et al.2; Lee et al.3). During the last decade, information technology such as mobile devices and digital applications have transformed daily life, facilitating diverse lifestyles in many areas. The ease of technology usage as well as the increased demand for online connectivity (in education, retail, tourism, and even autonomous vehicles) has expanded opportunities for internet usage on a global scale. Indeed, some of these uses include reading digital newspapers, surfing the web, utilizing search engines to find desired content, assisting recommender systems in the form of decision support tools, and using social media to name only a few. Nevertheless, while internet consump- tion buttressed by information technology improvements increases dramatically (Maurseth4), many netizens (i.e., people who use the internet) still lack sufficient awareness of various internet threats (also defined as “cyber hazards”). In fact, they often fail to possess the minimum required knowledge to protect their computing devices. In worst- case scenarios, individuals suffer from a total lack cyber hazard awareness. Hence, their readiness to utilize protec- tive cyber security measures is non-existent. When not carried out by governments, cyber hazards are the work of “bad hackers” (otherwise known as “black hats”), who act on their own or within an organized crim- inal group to commit cyber crime. In both cases, their intention is to engage in cyber-crime in any of its various forms, ranging from violation of individual privacy to iden- tity theft and credit card fraud. Cyber-criminals use mal- icious software and hacking tools to sabotage computers, mobile devices, and communication network infrastructure, including5 cyber security protection tool disruption (Abawajy ). While protective tools are generally installed on computers and in infrastructure, studies show that they do not completely mitigate cyber security breaches (Furnell et al.6; Parsons et al.7; Schultz.8) This is because the weakest link in the cyber security chain remains human error (Anwar et al.9; Herath and Rao10; Schneier.11) Organizations have come to recognize that behaviors deriv- ing from the human factor are responsible for cyber secur- ity flaws and may pose a liability for information security (Sasse and Flechais.12)
The behavioral contribution to unintentional cyber breaches was highlighted by IBM’s Global Technology Services as one of the most critical issues to be addressed by security controls and best practices guidelines. In fact, there has been an increased recent focus on the role of individual behavior in cyber hazard mitigation. However, the understanding of how individuals differ in their aware- ness, knowledge, and cyber security behavior when con- fronted with versatile cyber hazards is still quite limited. Moreover, to the best of our knowledge, no research has yet to compare and evaluate these three components across countries. Therefore, the aim of this study is to evaluate differences in cyber hazard awareness, knowledge and cyber hazard protection behaviors between four countries Slovenia, Turkey, Poland and. As such, the compara- tive study was carried out in these four countries character- ized by varying GDP and GDP per capita: two economically more developed (and Slovenia) and two economically less developed (Poland and Turkey) countries, since there are many authors claiming that economic development and cybersecurity and therefore cyber awareness are mutually dependent (Kshetri13, Vasiu and Vasiu14). GDP and GDP per capita are among the most common indicators used to track the health of a nation’s economy. According to the Worldbank,15 in 2018 was ranked 22nd in GDP per capita (41,614 USD), with Slovenia in 32nd place (26,234 USD). The GDP per capita of Poland is lower (15,424 USD and GDP per capita ranking of 52), while Turkey is lower still (9,311 USD and GDP per capita ranking of 67). As far as we know, no study comparative has focused on the relative cyber security awareness, knowledge and behavior differences between these four countries.
Our research objectives are divided into two categories: First, building a theoretical framework to be used in con- structing cyber security training programs. This framework is based on the factors that impact the level of cyber security awareness, knowledge, and behavior, which were evaluated according to the following research questions (from general to specific):
(1) What is the level of cyber security awareness among netizens?
(2) Which types of behavior do netizens adopt to prevent cyber hazards?
(3) Is there any difference in cyber security awareness and behavior among netizens of different countries that diverge in their GDP values?
The second objective of this study is to provide practical recommendations on how to improve the quality of cyber training programs based on the theoretical framework findings.
The rest of this paper is organized as follows: In Section 2, we present the literature review, while in Section 3 we outline the study methodology. Section 4 details the results, followed by a discussion of implications and recommendations in Section 5. Finally, in Section 6, conclusions and suggestions for future work are offered.
2. Theoretical background
2.1. The impact of internet and cyber on society
The internet has revolutionized how people access data and utilize various applications for modern day-to-day tasks. Reid and Van Niekerk16(p. 178) noted the huge impact of the internet on daily life: “In our technology and information-infused world, cyberspace is an integral part of the modern-day society. In both personal and professional contexts, cyberspace is a highly effective tool in, and enabler of, most people’s daily digitally transposed activities.17,18,19” However, Coppers20 noted the rising impact of information security breaches on the economy, resulting in information loss estimated at $2.5 million per year (Coppers20) As noted, this loss can be only partly mitigated by protective tools since their function- ality in most cases is controlled by individuals (Furnell et al.6; McCormac et al.21; Parsons et al.22; Schultz8)
Individual cyber engagement, in general, and with cyber protection tools in particular, has motivated both academic scholars and practitioners to focus on individual attitudes and behaviors concerning cyber threats (Schneier23; Shropshire et al.24). An instructive example was given by Sasse and Flechais12 who emphasized the existing gap between facto and ex post facto mitigation activities conducted by employees in cases of cyber security breach due to lack of sufficient engagement with cyber security protection tools. Other stu- dies evaluated level of individual resilience with cyber security awareness as a cause of job stress (McCormac et al.25). In addition, the relationship between individual personality and level of cyber security risk propensity has been researched (McCormac et al.26). Yet the relationships between individual cyber security awareness, knowledge and behavior have never been studied in cross-country comparison. In fact, the com- parative approach is considered by important stakeholders to be crucial for the creation of intervention programs (McCormac et al.26).
2.2. Cyber security hazard awareness
The internet has revolutionized managing life tasks, enabling connections with new people through social networks and opening new economic horizons for transactions via mobile devices both for individuals and organizations, including radi- cal change in the higher education system and teaching meth- ods (Aloul1; Lee et al.3; Saadatdoost et al.27). Even so, many people still face information security risks from a vast array of threats. These threats range from simple to catastrophic attacks. The first may consist of primitive spam e-mails, while the second may involve organized cyber-crime groups that use malicious software to steal, corrupt, and destroy data on a significant scale (Letho28). A major factor in information security risk is level of individual cyber security awareness, which can be usefully described as low, medium, or high. Low awareness behaviors include not paying attention or neglect- ing security alerts, provided in most cases automatically by applications, such as when accessing free open networks (such as Wi-Fi) with mobile devices and laptops. A medium aware- ness level may be characterized by negligence expressed in improper technology operation. Finally, high awareness involves knowledge of cyber threats and capable actions taken in their prevention.
saving score / loading statistics ...