knowledge were more aware of cyber hazards. This awareness was connected to the amount of protection methods and measures used to protect their devices. As such, it is not just the amount of device usage; it is more the level of awareness that determines their attempts to reduce the chances of cyber-attack.
5. Discussion
Research results show that internet users are aware of the term “cyber security”. Therefore, respondents know that using the internet may expose them to multiple threats: violation of privacy, loss of money or data, damage to devices, surveillance of themselves or any organization to which they belong, etc. However, we also found a discrepancy between respondent attitude and behaviors. As with previous studies (e.g. Imgraben et al.48; Rek and Milanovski49), we found that respondents take only basic and insufficient action such as using strong password protection and installing antivirus software. Only a minority engage in more sophisticated protection activities that require a deeper knowledge of cyber security, such as avoiding using an open free network, performing computer security audits, or avoiding using public computers. Since these activities are no costlier, the reason for this discrepancy remains unknown. While previous studies suggested that people avoid engaging in extensive cyber-attack precautions (e.g. Rek and Milanovski49), we suggest that respondent cyber knowledge may explain this gap.
Our findings show that respondents with more computer science knowledge (recognition) had a higher positive connection to cyber security awareness. However, specialization in computer science is not an option available to most people. Still, we found that even partial attendance in a cyber security program (d_attendance) or learning about cyber security during formal education (Edu_awareness) was positively connected to level of cyber awareness. Since this connection was found after controlling for respondent country of residence and gender, it highlights the significant role of educational cyber security programs to enlarge cyber-attack awareness.
On the other hand, no connection was found between degree of awareness and the information that the subjects agreed to share on the internet as well as security-related activities when finishing work on the computer. This gap can be explained through the Theory of Planned Behavior (TPB) (Fishbein and Ajzen50). TPB claims that intention is the best predictor of any planned behavior. Therefore, if threats to computer security are taken seriously, then it is more likely that motivation will be found to institute appropriate protective measures. Even so, behavior is also affected by elements such as the amount of self-efficacy and controllability. As such, perception of situations as subject to control due to individual knowledge increases motivation to act. Thus, we found that respondents with more cyber security knowledge take more steps to prevent attacks, especially when defense tools are simple and familiar to internet users. When an action demands higher specialized knowledge, this connection was found to be more complicated. People may be aware of a hazard and want to protect their devices but feel insecure about the appropriate measures, and this can reduce motivation to explore additional options. Indeed, we found that knowledge of cyber and Internet usage was connected to protection activities through the mediation of cyber security awareness. These results highlight the important role of cyber security programs to motivate users to take proactive behaviors.
We also found a connection between awareness, knowledge, and behaviors and the country of the respondent.2 Turkish respondents viewed cyber security as very risky and threatening. showed less concern, as did Poles. These findings can be attributed to cultural differences. is known as a cyber security innovation leader (Tabansky51) tend to “outsource” their cyber security concerns to service providers and organizations, confident in their technological sophistication to ensure a safe internet environment. This may explain why were the least cautious information sharers and lowest in cyber threat avoidance. Indeed, Tabansky51 describes as a country that continuously strives to develop cyberspace solutions. is one of the top five global superpower nations as ranked by the National Cyber Initiative (Sabilion et al.52). It can be reasonably claimed that many citizens in these countries are under the mistaken impression that they have sufficient knowledge or defense tools to counter cyber risks. In fact, they tend to be less actively involved in daily mitigation of privacy and data and information leaks. In countries with less cyber security development, such as Turkey, cyber security awareness is more linked to the individual implementation of cyber protective behaviors. One explanation for the differences between Turkey and the other countries can be attributed to variations in questionnaire language. As noted, the Turkish participants filled out the questionnaire in their native language, while all other subjects used an English version. This difference may have produced biases in response, especially if the non-Turkish students lack full reading comprehension in English. However, all non-Turkish university students comprising our sample are required to possess high-level English language proficiency, and this discrepancy can only explain part of the differences and should not be regarded as their main source.
Even so, Turkey is well advised to develop its training programs in this field. Future comparative research should focus on senior management cyber security habits in the four evaluated countries. Thus, we claim that the more a developed country (i.e., with substantial GDP value) invests resources in cyber tools (such as), the more its efforts should be directed to educating and increasing awareness. While mediation was found between (one type of) knowledge, awareness, and protection, we feel that there are other factors that can explain why people do not protect their devices with more defenses. Using TPB (Fishbein and Ajzen50), more research should explore the effects of psychological factors, such as self-efficacy and national-cultural values (Hofstede53; Klein and Shtudiner54) on internet user behaviors. Organizations should also take more active as well as protective steps, in parallel with educational programs, such as configuration of cyber defense tools with organizational architecture to increase the level of cyber security awareness among their employees. Further studies should focus on capturing how behaviors of organizations affect employee cyber security awareness. The urgency to reduce employee and individual cyber risks has only increased. As such, senior managers should build practical training workshops and study programs with cyber awareness courses in order to:
a. Increase employee and student knowledge related to cyber security attacks;
b. Cultivate new attitudes toward cyber risk and responsibility for maintaining organizational data;
c. Translate awareness into action by decreasing human factors resulting in cyber security vulnerabilities; and
d. Develop new rules informing best cyber practices.
Future research should also focus on all aspects of this call to action.
6. Conclusions and future work
The study elaborates on the literature related to cyber security awareness, knowledge, and behavior. To our knowledge, its novelty rests on it being the first to explore the factors relating to and level of cyber security skills among individuals in various countries with differing GDP values. Moreover, the study implicates level of cyber hazard knowledge and exposure to risk to specific user traits (gender, age, degree of using IT, etc.), concluding that specific training programs should be developed by educational and academic institutions. Since this is an initial study, we focused on a comparative approach to evaluating cultural differences in cyber security awareness, knowledge, and behaviors. However, future studies should isolate the roots of lack of cyber hazard awareness.
Our research contributions may be classified into the following categories:
● Elaboration on existing knowledge of cyber security awareness, knowledge, and behavior among individuals from different countries;
● Economic need to invest in cyber security technology in developed countries with high GDP values (such as), since much of the population lacks the necessary tools and knowledge to protect against cyber hazards. Even so, it is important to also invest in cyber training to change the perception of cyber hazards.
● Global need for comparative analysis derived from lack of cyber security knowledge across cultures. Therefore, training programs should be developed with an international orientation, based on individual behavior rather than local and cultural expressions.
It is important to point out that this study has some limitations that should be taken into consideration. The limitation of this study lies mainly with the type of respondents. The sample size was based on students mainly from the social sciences, who studied business IT or economics. To improve the study’s robustness, it is recommended to use a wider sample size, one that is not considered a convenient sample and spans various disciplines. Another criticism can be derived from the measurement of the variables. We used face validity in constructing the questionnaire, relying on a team of experts to develop our survey tool. However, since this is one of the few studies to measure cyber security awareness, knowledge, and behavior, the questionnaire should be retested to strengthen its reliability and validity. Future studies should develop specific instruments to measure cyber security awareness and knowledge55.