Part:2 _ Cyber Security Awareness, Knowledge and Behavior: A Comparative Study

created Mar 22nd 2022, 09:28 by MuathNasr


The term cyber security awareness was already defined by Shaw et al.29(p. 93) as follows: “[The] degree of understanding of users about the importance of information security and their responsibilities and acts to exercise sufficient levels of information security control to protect the organization’s data and networks”. They noted widespread lack of awareness of cyber risks, extending to app usage and information delivery on social networks and internet web pages. Importantly, they pointed out that hackers (individual or collective) tend to seek out the most vulnerable users, i.e. those deficient in information and network security awareness. Hackers are proficient at exploiting both software bugs and security gaps unintentionally created by users themselves.
Since the human factor has already been shown to be the main cause of cyber breaches, ever more cyber awareness training programs are offered by academic institutions and private companies, with the aim of increasing individual cybercrime awareness (Dodge30; Kumaraguru et al.31; Shaw et al.29). However, increasing levels of awareness can only transpire if cyber awareness itself is fully understood, a thesis already made in 2015 by Letho: “[While] the world grows more connected through the cyber world, the most efficient plan to increase cyber security awareness is the improvement of the know-how of the citizens and actors of the economic life and public administration. This improvement could be effective if the reasons for the lack of cyber security awareness could be understood” (Letho28(p. 180)). However, in the last five years, a growing body of research has focused on individual cyber security awareness. For example, McCormac et al.26 pointed out a linear relationship between age and information security awareness, one that improves with increase in age. Another study by McCormac et al.25 among 1,048 Australian employees showed a relationship between resilience, job stress and information security awareness (ISA), finding that when employees can cope or adapt to job stress, their awareness of cyber security hazards increases, and hence the organization’s resilience is improved. Research by Hadlington32 found that employed people in large organizations tend to develop higher awareness of cyber risks, which may be explained by improved budgetary resources and organizational enforcement policies. As with Hadlington32, Pendley33 also focused on improving cyber security awareness among managerial or administrative staff, emphasizing adhering to cyber regulations and guidelines as well as establishing security policies. Nevertheless, lack of cyber awareness is still a serious global problem.
Organizations and educational institutions must develop adequate training programs, with the first step a comparative evaluation of level of awareness across different countries.
2.3. Cyber security knowledge
Increasingly, individuals are in actuality dependent on internet technologies for their day-to-day tasks. Ease of use has facilitated participation in cyber-related activities on a mass scale. However, knowledge of existing tools needed for protection against cyber threats is correspondingly lagging (Furnell et al.34; Abawajy and Kim35; Abawajy5). As Abawajy (Abawajy and Kim35, Abawajy5) noted, even basic level cyber security awareness may not translate into sufficient or appropriate cyber security protection knowledge to mitigate cyber risks and hazards. As such, he suggested increasing cyber security knowledge through cyber security training programs using theoretical lectures and simulators to provide exposure to cyber security protection tools. These would focus on operational, usage, and process aspects of improving user knowledge translating into effective cyber security mitigation behavior. For example, the “Phishing Simulator” is a popular training resource, designed as an effective training process to increase awareness of suspicious e-mails sent by hackers. Such e-mails often contain malicious software (“malware”) resulting in illicit data leakage (Abawajy and Kim35; Abawajy5). The simulator is also suitable for trainers, exposing them to practical protection tools to mitigate phishing e-mails and internet links and guiding them in how to attain optimal levels of protection against cyber security threats.
In a study conducted by Reid16, the influence of a cyber security awareness campaign for school youth, along with their existing knowledge related to cyber security hazards, was measured. He found that campaigns have a positive impact on improving cyber hazard awareness and knowledge. A later study, conducted by Cain et al.36, explored “Cyber Hygiene” (i.e. level of cyber knowledge) in 268 computer and device users ranging in age from 18 to 55+. The survey focused on how they maintain system health and online security tools such as firewalls and anti-virus software, and was carried out using Amazon Mechanical Turk (MTurk) (https://www.mturk.com), a crowdsourcing marketplace. MTurk allows businesses (i.e. “requesters”) to allocate tasks to remote “crowdworkers”, a potentially rich source of data collection. They found that self-identified experts had less cyber hygiene knowledge than self-identified non-experts. This surprising finding could be attributed to the latter being more dependent and relying on external guidelines, hence investing greater efforts in acquiring the necessary cyber security knowledge for their tasks.
2.4. Cyber security protection behaviors
Recognizing the severe cost of cyber hazards, research has increasingly focused on the measures taken and behaviors exhibited by netizens to protect their devices (e.g. Safa et al.37). However, most recent studies related to cyber protection behavior look at very narrow aspects of cyber security behavior. For example, Safa et al.37 surveyed level of compliance with security policies among 416 employees in 4 Malaysian companies. They found that employee attachment to the firm does not have a significant influence on their attitude to adopt a desired cyber security compliance behavior. McCormac et al.26 looked at whether employee information behavior is correlated with personality traits such as conscientiousness, agreeableness, emotional stability, and risk taking. They showed that a small significant gender difference exists related to phishing e-mails, such that women were found to be more susceptible than men. Another study by McCormac et al.25,38 aimed at exploring the relationship between employee resilience and job stress and cyber. They used a sample of 1,048 working Australians, reporting that higher levels of cyber threat resilience translated into significantly better ability, knowledge, attitude, and behavior in cyber mitigation processes. Similarly, participants who reported lower levels of job stress also were found to exhibit significantly better attitude, knowledge, and behavior in mitigation of cyber hazards. Hadlington32 focused on the relationship between risky employee cyber security behavior and individual (such as age and attitude) and organizational factors in protective cyber security activities. Risky behaviors included sharing personal passwords, downloading illegal content, infringing copyright, and ignoring recommended software updates. Their findings associated these risky behaviors with employee self-feeling, defined as the feeling that cyber security is not a primary concern in their place of employment.
In fact, Hadlington and Parsons39 had already shown that employees who feel protected in their workplace tend to neglect cyber security behavior. This finding was confirmed by Tischler et al.40, who found that, in general, employees tend to decouple their responsibility to install and operate cyber protection tools from their job, instead transferring it to senior management. As noted, Cain et al.36 tested levels of so-called cyber hygiene, and found that self-identified experts exhibited less secure behaviors than self-identified non-experts. In addition, they found that older users engaged in more secure cyber behaviors than younger ones. Surprisingly, they found no differences in individual response behavior between experienced and inexperienced users: being attacked by cyber malware for the first time or more than once did not change their response to a cyber attack. They also did not detect any individual effect in the importance of cyber training programs. However, they noted that future studies could shed light on the impact of effective cyber training programs, which may encourage younger users to behave more securely when confronted with a cyber security incident.
These training programs were evaluated by Dodge30, who noted that the number of phishing scam victims dropped after students were exposed to “staged” phishing attacks. McCrohan et al.41 evaluated training programs aimed to improve the knowledge and awareness of potential cyber security hazards among users. They focused on cyber security aspects of password protection awareness and ability to secure computers pre- and post-cyber security training. They highlighted the critical role of cyber education/training, emphasizing appropriate security practices to improve day-to-day online behavior. Following this study, Eminağaoğlu et al.42 showed that awareness campaigns can play a positive role in reducing cyber risk behavior. The authors found that the level of exposure to and practice in training programs pushed students to use complex passwords. They suggested that providing security awareness training courses can comprehensively influence attitudes to information security management. Similarly, Abawajy5 divided cyber security training into three categories: online, contextual, and embedded training. He concluded that a combination of delivery methods (such as text-based, game-based, and video-based) should determine the training type.
