
Unique Academy

Research Report

Student name: SHABAN ABDUL


Student Reg. No: BD31826/S0596/0039/2004
Project Research Name: An Assessment of Cyber Security
Awareness to Small Scale Enterprises

Submission date: July 2, 2021


ABSTRACT

Cyber-attacks represent a potential threat to information security. As rates of data usage and internet consumption continue to increase, cyber awareness has become increasingly urgent. This study focuses on the relationships between cyber security awareness, knowledge and behavior with protection tools among individuals in general and across two companies: PLV Digital Investment and Zan Fast Ferries in particular.
Results show that internet users possess adequate cyber threat awareness but apply only minimal protective measures, usually relatively common and simple ones. The study findings also show that higher cyber knowledge is connected to the level of cyber awareness, beyond the differences in respondent country or gender. In addition, awareness is also connected to protection tools, but not to information they were willing to disclose. Lastly, findings exhibit differences between the explored companies that affect the interaction between awareness, knowledge, and behaviors. Results, implications, and recommendations for effective cyber security training programs are presented and discussed.

Declaration

I declare that this dissertation was composed by myself and that the work
contained therein is my own except where explicitly stated otherwise in the
text, and that this work has not been submitted for any other degree or
professional qualification except as specified.

Date: July 2, 2021 ………………………


Shaban Abdul

Contents
ABSTRACT
CHAPTER ONE
INTRODUCTION
1.1 Statement of the problem
1.2 Research questions
1.3 Significance of the study
Chapter Two
2.1. The impact of internet and cyber on society
CHAPTER THREE
3. Research methodology
3.1. Subjects
3.2.1. Awareness
3.2.2. Knowledge
3.2.2.1. Threats
3.2.2.2. Education awareness
3.2.2.3. Familiarity
3.2.3. Behavioral aspects
3.2.4. Characteristics of the sample
3.3. Procedure
Chapter Four
4. Analysis and Findings
4.1. Connection between cyber knowledge and awareness
CHAPTER FIVE
Summary of findings
Conclusion
Recommendations
Suggestions for further research
References
Appendix
5. Discussion
6. Conclusions and future work

CHAPTER ONE
INTRODUCTION
1. Background
Cybersecurity is important because it protects all categories of data from theft and
damage. This includes sensitive data, personally identifiable information (PII), protected
health information (PHI), personal information, intellectual property, data, and
governmental and industry information systems. 
Without a cybersecurity program, your organization cannot defend itself against data
breach campaigns, making it an irresistible target for cybercriminals.

Both inherent risk and residual risk are increasing, driven by global connectivity and usage
of cloud services, like Amazon Web Services, to store sensitive data and personal
information. Widespread poor configuration of cloud services paired with increasingly
sophisticated cyber criminals means the risk that your organization suffers from a
successful cyber-attack or data breach is on the rise.

Gone are the days of simple firewalls and antivirus software being your sole security
measures. Business leaders can no longer leave information security to cybersecurity
professionals. 
Cyber threats can come from any level of your organization. You must educate your
staff about simple social engineering scams like phishing and more sophisticated
cybersecurity attacks like ransomware attacks (think WannaCry) or other malware designed
to steal intellectual property or personal data.
GDPR and other laws mean that cybersecurity is no longer something businesses of
any size can ignore. Security incidents regularly affect businesses of all sizes and often
make the front page causing irreversible reputational damage to the companies
involved.
If you are not yet worried about cybersecurity, you should be.

What is Cybersecurity?
Cybersecurity is the state or process of protecting and recovering computer systems,
networks, devices, and programs from any type of cyber-attack. Cyber-attacks are an
increasingly sophisticated and evolving danger to your sensitive data, as attackers
employ new methods powered by social engineering and artificial intelligence to
circumvent traditional security controls. 
The fact of the matter is the world is increasingly reliant on technology and this
reliance will continue as we introduce the next generation of smart Internet-enabled
devices that have access to our networks via Bluetooth and Wi-Fi. 

The Importance of Cybersecurity
Cybersecurity's importance is on the rise. Fundamentally, our society is more
technologically reliant than ever before and there is no sign that this trend will slow.
Data leaks that could result in identity theft are now publicly posted on social media
accounts. Sensitive information like social security numbers, credit card information
and bank account details are now stored in cloud storage services like Dropbox or
Google Drive.
The fact of the matter is whether you are an individual, small business or large
multinational, you rely on computer systems every day. Pair this with the rise in cloud
services, poor cloud service security, smartphones and the Internet of Things (IoT) and we
have a myriad of cybersecurity threats that didn't exist a few decades ago. We need to
understand the difference between cybersecurity and information security, even though the
skillsets are becoming more similar.
Governments around the world are bringing more attention to cybercrimes. GDPR is a great example. It has increased the reputational damage of data breaches by forcing all organizations that operate in the EU to:
• Communicate data breaches
• Appoint a data-protection officer
• Require user consent to process information
• Anonymize data for privacy
The trend towards public disclosure is not limited to Europe. It also affects Tanzania, as most businesses are now connected to the internet while conducting their business. With the rising use of the internet comes the need for cyber security awareness among small enterprises so that they know how to protect themselves against cyberattacks.
This has driven standards boards like the National Institute of Standards and
Technology (NIST) to release frameworks to help organizations understand their
security risks, improve cybersecurity measures and prevent cyber-attacks.

Why is Cybercrime Increasing?


Information theft is the most expensive and fastest growing segment of cybercrime, largely driven by the increasing exposure of identity information to the web via cloud services. But it is not the only target. Industrial controls that manage power grids and other infrastructure can be disrupted or destroyed. And identity theft isn't the only goal; cyber-attacks may aim to compromise data integrity (destroy or change data) to breed distrust in an organization or government.
Cybercriminals are becoming more sophisticated, changing what they target, how they
affect organizations and their methods of attack for different security systems.

Social engineering remains the easiest form of cyber-attack with ransomware,
phishing, and spyware being the easiest form of entry. Third-party and fourth-party
vendors who process your data and have poor cybersecurity practices are another
common attack vector, making vendor risk management and third-party risk
management all the more important.

According to the Ninth Annual Cost of Cybercrime Study from Accenture and the
Ponemon Institute, the average cost of cybercrime for an organization has increased by
$1.4 million over the last year to $13.0 million and the average number of data
breaches rose by 11 percent to 145. Information risk management has never been
more important.
Data breaches can involve financial information like credit card numbers or bank
account details, protected health information (PHI), personally identifiable information
(PII), trade secrets, intellectual property and other targets of industrial espionage.
Other terms for data breaches include unintentional information disclosure, data leak,
cloud leak, information leakage or a data spill.
Other factors driving the growth in cybercrime include:
• The distributed nature of the Internet
• The ability for cybercriminals to attack targets outside their jurisdiction, making policing extremely difficult
• Increasing profitability and ease of commerce on the dark web
• The proliferation of mobile devices and the Internet of Things.

What is the Impact of Cybercrime?


A lack of focus on cybersecurity can damage your business in a range of ways, including:

Economic costs
Theft of intellectual property, corporate information, disruption in trading and the cost of repairing damaged systems

Reputational cost
Loss of consumer trust, loss of current and future customers to competitors and poor media coverage

Regulatory costs
GDPR and other data breach laws mean that your organization could suffer from regulatory fines or sanctions as a result of cybercrimes

All businesses, regardless of size, must ensure all staff understand cybersecurity threats and how to mitigate them. This should include regular training and a framework to work with that aims to reduce the risk of data leaks or data breaches.

Given the nature of cybercrime and how difficult it can be to detect, it is difficult to
understand the direct and indirect costs of many security breaches. This doesn't mean
the reputational damage of even a small data breach or other security event is not
large. If anything, consumers expect increasingly sophisticated cybersecurity
measures as time goes on.

How to Protect your Organization against Cybercrime

There are three simple steps you can take to increase security and reduce the risk of cybercrime:
1. Educate all levels of your organization about the risks of social engineering and common social engineering scams like phishing emails and typosquatting.
2. Invest in tools that limit information loss, monitor your third-party risk and fourth-party vendor risk and continuously scan for data exposure and leaked credentials.
3. Use technology to reduce costs, like automatically sending out vendor assessment questionnaires as part of an overall cyber security risk assessment strategy.
Companies should no longer be asking why is cybersecurity important, but how can I
ensure my organization's cybersecurity practices are sufficient to comply with GDPR
and other regulation and to protect my business against sophisticated cyber-attacks.
Cyber threats aren't just a problem for big corporations and governments; small
businesses can be targets too. Research suggests that 22% of small businesses have
been the targets of cyberattacks. Approximately 11 percent of these occurred in the
last year, according to a study conducted by the Better Business Bureau.

In recent years Tanzania has seen an increase in the number of internet users. This drastic increase in internet users can be accompanied by a large number of cyberattacks. Small scale enterprises in Tanzania may therefore also become victims of cyberattacks if no measures are taken to create awareness among these business owners. By March 2021 the number of internet users reached 29.1 million; the table below shows the growth of internet users in Tanzania.
Figure 1: Estimate internet users in Tanzania

Source: (TCRA)
The internet usage statistics above show 27.9 million users as of September 2020; most recently the number of internet users has increased drastically, up to 29.1 million by March 2021. With this huge growth in internet users there is also a great chance for an attacker to attack without the user’s awareness. Cyber security awareness is needed for small scale enterprises; in order to prevent online attacks, employees need to have knowledge about cyber security. The responsibility of keeping enterprises safe lies with the owner as well as other stakeholders. Government and private agencies need to cooperate to provide education about the impact of unsafe usage of the internet.
Small scale enterprises (SSEs) are the engine of the national economy and represent over half of all employees in the private sector, so it should be noted that SSEs contribute significantly to the economy and comprise the majority of the businesses and internet users in the country. Their importance to the development of this nation therefore cannot be understated or ignored, nor discussed without consideration of the information systems and the measures that are in place to protect these systems.
That is why Tanzania, through the Tanzania Computer Emergency Response Team (TZ-CERT), which is mandated to raise awareness and enhance technical capacity in the area of cybersecurity, conducted training for some of its organizations. Between 27th July and 18th September 2020, TZ-CERT carried out a cybersecurity awareness program in nine (9) public institutions, namely: Tanzania Investment Centre (TIC), Tanzania Airport Authority (TAA), National Housing Corporation (NHC), Land and Transport Regulatory Authority (LATRA), Tanzania National Park Authority (TANAPA), Tanzania Commission of Universities (TCU), National Social Security Fund (NSSF), Public Service Social Security Fund (PSSSF) and National Audit Office of Tanzania (NAOT), geared to sensitize safe and acceptable employees’ behavior on the use of emails.
Although government and other organizations responsible for cyber security awareness provision are trying to provide education to government agencies and private companies, many small scale enterprises still don’t have such awareness in protecting their systems from being attacked.

Types of cyber threats


The threats countered by cyber-security are three-fold:
1. Cybercrime includes single actors or groups targeting systems for financial gain or
to cause disruption.
2. Cyber-attack often involves politically motivated information gathering.
3. Cyberterrorism is intended to undermine electronic systems to cause panic or fear.
So, how do malicious actors gain control of computer systems? Here are some
common methods used to threaten cyber-security:

Malware
Malware means malicious software. One of the most common cyber threats, malware
is software that a cybercriminal or hacker has created to disrupt or damage a
legitimate user’s computer. Often spread via an unsolicited email attachment or
legitimate-looking download, malware may be used by cybercriminals to make money
or in politically motivated cyber-attacks.
There are a number of different types of malware, including:
• Virus: A self-replicating program that attaches itself to a clean file and spreads throughout a computer system, infecting files with malicious code.
• Trojans: A type of malware that is disguised as legitimate software. Cybercriminals trick users into uploading Trojans onto their computer, where they cause damage or collect data.
• Spyware: A program that secretly records what a user does, so that cybercriminals can make use of this information. For example, spyware could capture credit card details.
• Ransomware: Malware which locks down a user’s files and data, with the threat of erasing it unless a ransom is paid.
• Adware: Advertising software which can be used to spread malware.
• Botnets: Networks of malware-infected computers which cybercriminals use to perform tasks online without the user’s permission.

SQL injection
An SQL (Structured Query Language) injection is a type of cyber-attack used to take control of and steal data from a database. Cybercriminals exploit vulnerabilities in data-driven applications to insert malicious code into a database via a malicious SQL statement. This gives them access to the sensitive information contained in the database.
Phishing
Phishing is when cybercriminals target victims with emails that appear to be from a
legitimate company asking for sensitive information. Phishing attacks are often used
to dupe people into handing over credit card data and other personal information.
Man-in-the-middle attack
A man-in-the-middle attack is a type of cyber threat where a cybercriminal intercepts communication between two individuals in order to steal data. For example, on an unsecure Wi-Fi network, an attacker could intercept data being passed between the victim’s device and the network.
Denial-of-service attack
A denial-of-service attack is where cybercriminals prevent a computer system from
fulfilling legitimate requests by overwhelming the networks and servers with traffic.
This renders the system unusable, preventing an organization from carrying out vital
functions.

The scale of cyber threats


The global cyber threat continues to evolve at a rapid pace, with a rising number of
data breaches each year. A report by Risk Based Security revealed that a shocking 7.9
billion records have been exposed by data breaches in the first nine months of 2019
alone. This figure is more than double (112%) the number of records exposed in the
same period in 2018.
With the scale of the cyber threat set to continue to rise, the International Data
Corporation predicts that worldwide spending on cyber-security solutions will reach a
massive $133.7 billion by 2022. Governments across the globe have responded to the
rising cyber threat with guidance to help organizations implement effective cyber-
security practices.
In the U.S., the National Institute of Standards and Technology (NIST) has created a
cyber-security framework. To combat the proliferation of malicious code and aid in
early detection, the framework recommends continuous, real-time monitoring of all
electronic resources.
Medical services, retailers and public entities experienced the most breaches, with
malicious criminals responsible for most incidents. Some of these sectors are more
appealing to cybercriminals because they collect financial and medical data, but all
businesses that use networks can be targeted for customer data, corporate espionage,
or customer attacks.
Examples of Damages to Companies Affected by Cyber Attacks and Data Breaches

The number of cyber-attacks and data breaches in recent years is staggering, and it's easy to produce a laundry list of companies who are household names that have been affected.
Here are a few examples:
Equifax
The Equifax cybercrime identity theft event affected approximately 145.5 million U.S.
consumers along with 400,000-44 million British residents and 19,000 Canadian
residents. Equifax shares dropped 13% in early trading the day after the breach and
numerous lawsuits were filed against Equifax as a result of the breach. Not to mention
the reputational damage that Equifax suffered. On July 22 2019, Equifax agreed to a
settlement with the FTC which included a $300 million fund for victim compensation,
$175m for states and territories in the agreement and $100 million in fines.
eBay
Between February and March 2014, eBay was the victim of a breach of encrypted
passwords, which resulted in asking all of its 145 million users to reset their
password. Attackers used a small set of employee credentials to access this trove of
user data. The stolen information included encrypted passwords and other personal
information, including names, e-mail addresses, physical addresses, phone numbers
and dates of birth. The breach was disclosed in May 2014, after a month-long
investigation by eBay.
Adult Friend Finder
In October 2016, hackers collected 20 years of data on six databases that included
names, email addresses and passwords for The Friend Finder Network. The Friend
Finder Network includes websites like Adult Friend Finder, Penthouse.com,
Cams.com, iCams.com and Stripshow.com. Most of the passwords were protected only
by the weak SHA-1 hashing algorithm, which meant that 99% of them had been
cracked by the time LeakedSource.com published its analysis of the entire data set on
November 14.
Yahoo
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised
1 billion accounts. In this instance, security questions and answers were also
compromised, increasing the risk of identity theft. The breach was first reported by
Yahoo on December 14, 2016, and forced all affected users to change passwords, and
to reenter any unencrypted security questions and answers to make them encrypted
in the future. However, by October of 2017, Yahoo changed the estimate to 3 billion
user accounts. An investigation revealed that users' passwords in clear text, payment
card data and bank information were not stolen. Nonetheless, this remains one of the
largest data breaches of this type in history.
While these are a few examples of high profile data breaches, it's important to
remember that there are even more that never made it to the front page. 

The impact of cyber-attack to small enterprises
A cyberattack can drastically impact your business. In fact, 60% of small businesses
that fall victim to an attack shut down within six months after the breach. While that
may be the most devastating result of the attack, there are other consequences that
your business could experience, including the following:
• Financial losses from theft of banking information
• Financial losses from disruption of business
• High costs to rid your network of threats
• Damage to your reputation after telling customers their information was compromised.
Because of the explained impact of cyber-attacks on enterprises, I came up with this research to determine the awareness of cyber security among small scale enterprises.

1.1 Statement of the problem


Information Technology has dramatically increased in the past decade, with massive global rates of internet consumption by individuals and organizations ranging from academia and government to industrial sectors (Aloul [1]; Jalali et al. [2]; Lee et al. [3]). During the last decade, information technology such as mobile devices and digital applications have transformed daily life, facilitating diverse lifestyles in many areas. The ease of technology usage as well as the increased demand for online connectivity (in education, retail, tourism, and even autonomous vehicles) has expanded opportunities for internet usage on a global scale. Indeed, some of these uses include reading digital newspapers, surfing the web, utilizing search engines to find desired content, assisting recommender systems in the form of decision support tools, and using social media, to name only a few. Nevertheless, while internet consumption buttressed by information technology improvements increases dramatically (Maurseth [4]), many citizens (i.e., people who use the internet) still lack sufficient awareness of various internet threats (also defined as “cyber hazards”). In fact, they often fail to possess the minimum required knowledge to protect their computing devices. In worst case scenarios, individuals suffer from a total lack of cyber hazard awareness. Hence, their readiness to utilize protective cyber security measures is non-existent.
When not carried out by governments, cyber hazards are the work of “bad hackers” (otherwise known as “black hats”), who act on their own or within an organized criminal group to commit cyber-crime. In both cases, their intention is to engage in cyber-crime in any of its various forms, ranging from violation of individual privacy to identity theft and credit card fraud. Cyber-criminals use malicious software and hacking tools to sabotage computers, mobile devices, and communication network infrastructure, including cyber security protection tool disruption (Abawajy [5]). While protective tools are generally installed on computers and in infrastructure, studies show that they do not completely mitigate cyber security breaches (Furnell et al. [6]; Parsons et al. [7]; Schultz [8]). This is because the weakest link in the cyber security chain remains human error (Anwar et al. [9]; Herath and Rao [10]; Schneier [11]).

Organizations have come to recognize that behaviors deriving from the human factor are responsible for cyber security flaws and may pose a liability for information security (Sasse and Flechais [12]).
The behavioral contribution to unintentional cyber breaches was highlighted by IBM’s Global Technology Services as one of the most critical issues to be addressed by security controls and best practices guidelines. In fact, there has been an increased recent focus on the role of individual behavior in cyber hazard mitigation. However, the understanding of how individuals differ in their awareness, knowledge, and cyber security behavior when confronted with versatile cyber hazards is still quite limited. Moreover, to the best of our knowledge, no research has yet compared and evaluated these three components across small scale enterprises. Therefore, the aim of this study is to evaluate differences in cyber security awareness, knowledge and cyber hazard protection behaviors across SEs. Tanzania is ranked 110 on the networked readiness index in 2020 in a global information technology report on ICT for sustainability. As far as we know, no comparative study has focused on the relative cyber security awareness, knowledge and behavior differences between these four countries.
The research objectives are divided into two categories:
First, building a theoretical framework to be used in constructing cyber security
training programs. This framework is based on the factors that impact the level of
cyber security awareness, knowledge, and behavior, which were evaluated according
to the following research questions (from general to specific):

1.2 Research questions


(1) What is the level of cyber security awareness among employees in SE’s?
(2) Which types of behavior do SE’s adopt to prevent cyber hazards?
(3) Is there any difference in cyber security awareness and behavior among employees of different companies that diverge in their business value?

The second objective of this study is to provide practical recommendations on how to improve the quality of cyber training programs based on the theoretical framework findings.
The rest of this paper is organized as follows: In Section 2, we present the literature
review, while in Section 3 we outline the study methodology. Section 4 details the
results, followed by a discussion of implications and recommendations in Section 5.
Finally, in Section 6, conclusions and suggestions for future work are offered.

1.3 Significance of the study


On top of being a requirement for the fulfillment of the bachelor degree in information security, this study aimed to assess awareness and to contribute to the general pool of knowledge on information systems security. It more specifically targeted Dar es Salaam internet users, IT technicians and IT managers in both public and private institutions where ICT is a strategic tool in enabling core business operations. These categories of actors could be interested, and thus have an understanding of cyber security and of the fact that being online introduces vulnerability.
The significance of proper IS security for an organization is proportional to the organization’s dependence on information. An organization’s IS security affects not only the organization itself, but also its external parties (Von Solms, 2017). Not only do shared information systems and infrastructures require an accepted level of security, but the organizations themselves must also be considered secure enough to act in these ‘e-arenas’. An analogy is traffic safety; it is not enough to build safe roads, we must also have shared traffic rules and safe cars (Von Solms, 2017).

Chapter Two
2. Literature review
2.1. The impact of internet and cyber on society
The internet has revolutionized how people access data and utilize various applications for modern day-to-day tasks. Reid and Van Niekerk [16] (p. 178) noted the huge impact of the internet on daily life: “In our technology and information-infused world, cyberspace is an integral part of the modern-day society. In both personal and professional contexts, cyberspace is a highly effective tool in, and enabler of, most people’s daily digitally transposed activities [17, 18, 19].” However, Coppers [20] noted the rising impact of information security breaches on the economy, resulting in information loss estimated at ~$2.5 million per year (Coppers [20]). As noted, this loss can be only partly mitigated by protective tools since their functionality in most cases is controlled by individuals (Furnell et al. [6]; McCormac et al. [21]; Parsons et al. [22]; Schultz [8]).
Individual cyber engagement, in general, and with cyber protection tools in
particular, has motivated both academic scholars and practitioners to focus on
individual attitudes and behaviors concerning cyber threats (Schneier23;
Shropshire et al.24). An instructive example was given by Sasse and Flechais12
who emphasized the existing gap between facto and ex post facto mitigation
activities conducted by employees in cases of cyber security breach due to lack
of sufficient engagement with cyber security protection tools. Other studies
evaluated level of individual resilience with cyber security awareness as a
cause of job stress (McCormac et al.25). In addition, the relationship between
individual personality and level of cyber security risk propensity has been
researched (McCormac et al.26). Yet the relationships between individual cyber
security awareness, knowledge and behavior have never been studied in cross-
country comparison. In fact, the comparative approach is considered by
important stakeholders to be crucial for the creation of intervention programs
(McCormac et al.26).
2.2. Cyber security hazard awareness
The internet has revolutionized managing life tasks, enabling connections with
new people through social networks and opening new economic horizons for
transactions via mobile devices both for individuals and organizations,
including radical change in the higher education system and teaching methods
(Aloul1; Lee et al.3; Saadat doost et al.27). Even so, many people still face
information security risks from a vast array of threats. These threats range
from simple to catastrophic attacks. The first may consist of primitive spam e-
mails, while the second may involve organized cyber-crime groups that use
malicious software to steal, corrupt, and destroy data on a significant scale
(Letho28). A major factor in information security risk is level of individual cyber
security awareness, which can be usefully described as low, medium, or high.
Low awareness behaviors include not paying attention or neglecting security
alerts, provided in most cases automatically by applications, such as when
accessing free open networks (such as Wi-Fi) with mobile devices and laptops.
A medium awareness level may be characterized by negligence expressed in
improper technology operation. Finally, high awareness involves knowledge of
cyber threats and capable actions taken in their prevention.
The term cyber security awareness was already defined by Shaw et al.29 (p. 93)
as follows: “[The] degree of understanding of users about the importance of
information security and their responsibilities and acts to exercise sufficient
levels of information security control to protect the organization’s data and
networks”. They noted widespread lack of awareness of cyber risks, extending
to app usage and information delivery on social networks and internet web
pages. Importantly, they pointed out that hackers (individual or collective) tend
to seek out the most vulnerable users, i.e. those deficient in information and
network security awareness. Hackers are proficient at exploiting both software
bugs and security gaps unintentionally created by users themselves.
Since the human factor has already been shown to be the main cause of cyber
breaches, ever more cyber awareness training programs are offered by
academic institutions and private companies, with the aim of increasing
individual cybercrime awareness (Dodge30; Kumaraguru et al.31; Shaw et
al.29).
However, increasing levels of awareness can only transpire if cyber awareness
itself is fully understood, a thesis already made in 2015 by Letho: “[While] the
world grows more connected through the cyber world, the most efficient plan to
increase cyber security awareness is the improvement of the know-how of the
citizens and actors of the economic life and public administration. This
improvement could be effective if the reasons for the lack of cyber security
awareness could be understood” (Letho28 (p. 180)). However, in the last five
years, a growing body of research has focused on individual cyber security
awareness. For example, McCormac et al.26 pointed out a linear relationship
between age and information security awareness, one that improves with
increase in age. Another study by McCormac et al.25 among 1,048 Australian
employees showed a relationship between resilience, job stress and information
security awareness (ISA), finding that when employees can cope or adapt to job
stress, their awareness to cyber security hazards increases, and hence the
organization’s resilience is improved. Research by Hadlington32 found that
employed people in large organizations tend to develop higher awareness of
cyber risks, which may be explained by improved budgetary resources and
organizational enforcement policies. As with Hadlington32, Pendley33 also
focused on improving cyber security awareness among managerial or
administrative staff, emphasizing adhering to cyber regulations and guidelines
as well as establishing security policies. Nevertheless, lack of cyber awareness
is still a serious global problem. Organizations and educational institutions
must develop adequate training programs, with the first step a comparative
evaluation of level of awareness across different enterprises.
2.3. Cyber security knowledge
Increasingly, individuals are in actuality dependent on internet technologies for
their day-to-day tasks. Ease of use has facilitated participation in cyber-related
activities on a mass scale. However, knowledge of existing tools needed for
protection against cyber threats is correspondingly lagging (Furnell et al.34;
Abawajy and Kim35; Abawajy5). As Abawajy (Abawajy and Kim35, Abawajy5)
noted, even basic level cyber security awareness may not translate into
sufficient or appropriate cyber security protection knowledge to mitigate cyber
risks and hazards. As such, he suggested increasing cyber security knowledge
through cyber security training programs using theoretical lectures and
simulators to provide exposure to cyber security protection tools. These would
focus on operational, usage, and process aspects of improving user knowledge
translating into effective cyber security mitigation behavior. For example, the
“Phishing Simulator” is a popular training resource, designed as an effective
training process to increase awareness of suspicious e-mails sent by hackers.
Such e-mails often contain malicious software (“malware”) resulting in illicit
data leakage (Abawajy and Kim35; Abawajy5). The simulator is also suitable for
trainers, exposing them to practical protection tools to mitigate phishing e-
mails and internet links and guiding them in how to attain optimal levels of
protection against cyber security threats.
In a study conducted by Reid16, the influence of a cyber-security awareness
campaign for school youth, along with their existing knowledge related to cyber
security hazards, was measured. He found that campaigns have a positive
impact on improving cyber hazard awareness and knowledge. A later study,
conducted by Cain et al.36, explored “Cyber Hygiene” (i.e. level of cyber
knowledge) in 268 computer and device users ranging in age from 18 to 55+.
The survey focused on how they maintain system health and online security
tools such as firewalls and anti-virus software, and was carried out using
Amazon Mechanical Turk (MTurk) (https://www.mturk.com), a crowdsourcing
marketplace.
MTurk allows businesses (i.e. “requesters”) to allocate tasks to remote
“crowdworkers”, a potentially rich source of data collection. They found that
self-identified experts had less cyber hygiene knowledge than self-identified
non-experts. This surprising finding could be attributed to the latter being
more dependent and relying on external guidelines, hence investing greater
efforts in acquiring the necessary cyber security knowledge for their tasks.
2.4. Cyber security protection behaviors
Recognizing the severe cost of cyber hazards, research has increasingly focused
on the measures taken and behaviors exhibited by netizens to protect their
devices (e.g. Safa et al.37).
However, most recent studies related to cyber protection behavior look at very
narrow aspects of cyber security behavior. For example, Safa et al.37 surveyed
level of compliance with security policies among 416 employees in 4 Malaysian
companies. They found that employee attachment to the firm does not have a
significant influence on their attitude to adopt a desired cyber security
compliance behavior. McCormac et al.26 looked at whether employee
information behavior is correlated with personality traits such as
conscientiousness, agreeableness, emotional stability, and risk taking. They
showed that a small significant gender difference exists related to phishing e-
mails, such that women were found to be more susceptible than men. Another
study by McCormac et al.25,38 aimed at exploring the relationship between
employee resilience and job stress and cyber. They used a sample of 1,048
working Australians, reporting that higher levels of cyber threat resilience
translated into significantly better ability, knowledge, attitude, and behavior in
cyber mitigation processes. Similarly, participants who reported lower levels of
job stress also were found to exhibit significantly better attitude, knowledge,
and behavior in mitigation of cyber hazards. Hadlington32 focused on the
relationship between risky employee cyber security behavior and individual
(such as age and attitude) and organizational factors in protective cyber
security activities. Risky behaviors included sharing personal passwords,
downloading illegal content, infringing copyright, and ignoring recommended
software updates. Their findings associated these risky behaviors with
employee self-feeling, defined as the feeling that cyber security is not a primary
concern in their place of employment.
In fact, Hadlington and Parsons39 had already shown that employees who feel
protected in their workplace tend to neglect cyber security behavior. This
finding was confirmed by Tischler et al.40, who found that, in general,
employees tend to decouple their responsibility to install and operate cyber
protection tools from their job, instead transferring it to senior management. As
noted, Cain et al.36 tested levels of so-called cyber hygiene, and found that
self-identified experts exhibited less secure behaviors than self-identified
non-experts. In addition, they found that older users engaged in more secure cyber
behaviors than younger ones. Surprisingly, they found no differences in
response behavior between experienced and inexperienced users: being
attacked by cyber malware for the first time or more than once did not change
their response to a cyber-attack.
They also did not detect any individual effect in the importance of cyber
training programs. However, they noted that future studies could shed light on
the impact of effective cyber training programs, which may encourage younger
users to behave more securely when confronted with a cyber-security incident.
These training programs were evaluated by Dodge30, who noted that the
number of phishing scam victims dropped after students were exposed to
“stage” phishing attacks. McCrohan et al.41 evaluated training programs aimed
to improve the knowledge and awareness of potential cyber security hazards
among users. They focused on cyber security aspects of password protection
awareness and ability to secure computers pre- and post-cyber security
training. They highlighted the critical role of cyber education/training,
emphasizing appropriate security practices to improve day-to-day online
behavior. Following this study, Eminağaoğlu et al.42 showed that awareness
campaigns can play a positive role in reducing cyber risk behavior. The authors
found that the level of exposure to and practice in training programs pushed
students to use complex passwords. They suggested that providing security
awareness training courses can comprehensively influence attitudes to
information security management. Similarly, Abawajy5 divided cyber security
training into three categories: online, contextual, and embedded training. He
concluded that a combination of delivery methods (such as text-based, game-
based, and video based) should determine the training type. Following
Abawajy5, Pawlowski et al.43 recommended that cyber security training
courses should be treated as problem-centered, utilizing case studies that are
tailored to student levels of awareness. Alternatively, Son et al.44 suggested a
different cyber security teaching approach: integration of security labs with the
curriculum in three forms – (1) pure virtual, (2) traditional physical, and (3)
hybrid. They concluded that security labs should be an essential part of the
curriculum, although they suggested that the deployment model should be
based on individual institutional requirements. Indeed, Harris and Patten45
developed a cyber-security taxonomy that allows moving security issues from
higher-level courses to lower and intermediate ones. Recently, Bong-Hyun et
al.46 emphasized the importance of developing internet-based cyber training
programs in higher education institutions, offered and distributed by e-mail
and mobile devices with formal or informal training sessions and presentation
types (Shtudiner et al.47). Even so, the literature tends to be characterized by
calls for more research to address insufficient knowledge of the relationships
between individual awareness, knowledge, and self-reported behavior in cyber
mitigation processes and use of protection tools. These studies should then
help facilitate the development of substantive individual cyber security
training programs.
As such, the purpose of this research is to provide a theoretical and practical
solution to global lack of cyber security awareness, knowledge, and behavior,
highlighting the need for cyber security training programs in educational and
academic institutions to generate improved individual cyber security outcomes.
Our hypotheses are thus the following:
H1: Cyber security knowledge is positively connected to cyber awareness.
H2: The employee working company will moderate the connection between
cyber knowledge and cyber security awareness.
H3: Employees with higher cyber security awareness will engage in more cyber
protection behaviors.
H4: Cyber security awareness will serve as a mediator between cyber
knowledge and cyber protection, i.e., individuals with greater cyber knowledge
will be more aware of potential cyber hazards and, therefore, exhibit more
cyber protection behavior than individuals who lack the needed levels of
awareness or knowledge.
To the best of our knowledge, this is the first study to compare internet user
behaviors and level of cyber security awareness and knowledge in the four
selected countries based on their GDP differences. It is important to note that
the research was conducted on a student sample. Even so, the study findings
may stimulate follow-up research on the effectiveness of cyber security training
programs in similar countries with a wider sample of respondents.
The study model is provided in Figure 1.

[Figure 1: diagram with the boxes Employee working company, Cyber Knowledge,
Cyber Awareness and Cyber Protection Behavior, and paths labelled H1 to H4.]

Figure 1. Study hypothesized model.

CHAPTER THREE

3. Research methodology
3.1. Subjects
A paper-based survey was distributed to employees of PLV Digital Investment
Ltd and Zan Fast Ferries. In each company, the subjects were located through
convenience sampling, with the assistance of the relevant department in the
company. Since different disciplines require varying levels of cyber knowledge,
we have chosen to focus on Management and/or Business
Administration departments as a baseline for our comparison.
3.2. Instruments
To provide a theoretical framework, we developed a questionnaire that included
several questions aimed to test global familiarity of the subjects with cyber
security issues as well as, specifically, level of awareness of cyber security
risks. To develop the questionnaire, we used face validity. As such, the
measurements were developed by a research team, most of whom are experts
in cyber education. The researcher formulated several questions to capture the
level of cyber awareness and cyber hazard awareness, the behaviors exhibited
when confronted with cyber threats and the knowledge regarding cyber, in
general, and cyber-attack, in particular. After deleting redundant questions,
the questionnaire was delivered to the subjects. The type of cyber security
defense activity used by the subjects was also explored. This ranged from participating
in cyber security training programs to more focused cyber behaviors such as
installing specific cyber security defense tools. Each respondent was also asked
to report their previous cyber knowledge, internet usage, and cyber security
behavior.
Classification was based on three criteria: (1) level of cyber security awareness
(Awareness), (2) knowledge of cyber security and threats (Knowledge), and (3)
attempts to prevent cyber-attack (Behavior).
3.2.1. Awareness
Awareness was measured with the question: “To what degree are you familiar
with the term cyber security?” The item used a 4-point scale, from 1 – no
knowledge to 4 – very good knowledge.
3.2.2. Knowledge
We measured respondent knowledge of several aspects of cyber security, cyber
threats, and general cyber knowledge as follows:
3.2.2.1. Threats.
Threats were measured by presenting respondents with different cyber security
scenarios and asking them to rate the degree of threat. Threat types included
loss of data, loss of money, blocking access to information, etc. We
measured the answers on a Likert scale that ranged from 1 – strongly disagree
to 5 – strongly agree. We also measured the total amount of threats (“threats”)
by calculating the mean score of the different items. Therefore, the higher the
total score, the higher the amount of threats that the respondents estimated
during a cyber-attack.
3.2.2.2. Education awareness.
We measured level of respondent education awareness (“edu_awareness”) by
asking the extent to which their current education influenced their cyber-
security awareness. This was ranked on a Likert scale, ranging from 1 –
definitely not affected to 5 – strongly affected. We also measured whether
employees had attended IT security training (“IT_past”) on a three-level scale
(1-yes, 2-no, 3-I’m not sure). We transformed this variable into a dummy
variable based on attendance (“d_attendance”), with 1 – attended cyber security
course or program and 0 – other. We asked respondents about their desire to
attend an IT security training program to improve cyber security awareness
(“IT_future”) on a Likert scale that ranged from 1 – definitely not to 5 –
definitely yes. We measured knowledge by asking if respondents know the
difference between http and https protocol (“Recognition”) on a binary scale (1-
yes, 0-no). Lastly, we measured respondent knowledge of different programs
and applications such as text editor, spreadsheets, social media, etc. The
answers were given on a Likert scale from 1 – no skill to 5 – very high skills. We
also measured the total mean score for the different items (“computer
knowledge”).
Higher results indicated that respondents possess more skills using computer
programs and applications.
3.2.2.3. Familiarity.
To measure familiarity, respondents were asked to evaluate their knowledge of
cyber security issues based on a series of different items. These included
internet sources, university courses, IT journals, etc. Respondents had to
report if they have (1) or do not have (0) sufficient knowledge of each item. We
also measured total amount of familiarity (“familiarity”) by summing responses.
Therefore, the higher the result, the higher the amount of respondent
familiarity with cyber security knowledge.
3.2.3. Behavioral aspects
Several questions measured the means used by the respondents to prevent
cyber-attack situations. For the first behavioral variables, we presented the
respondents with different information and measured their readiness to provide
the information if they were asked by a digital media outlet.
Items included information regarding: home address, age, e-mail password, etc.
Each question was measured on a categorical scale (1-yes, 0-no). We calculated
the total information provided (“provide”) by summing the score of the different
types of information. Therefore, the higher the score, the higher the respondent
level of agreement to reveal information on the internet.
In the second behavioral variable, we showed the respondents different means,
tools, or applications (e.g. strong password or spam protection) and asked them
whether they use this instrument to avoid cyberattack on a categorical scale
(1-yes, 0-no). We calculated the total protection (“protection”) by summing the
score of the different types of instruments.
Therefore, the higher the score, the higher the level of respondent protection of
their computer from cyberattack. The researcher also asked a directed question
regarding their knowledge in case of cyberattack (“behavioral”) on a scale from
1 – definitely no to 5 – definitely yes. Since the question measured lack of
knowledge of how to behave, its direction was negative. The higher the
response, the less knowledge they possessed in the event of a cyber-attack.
Another behavioral variable measured whether using cyber products and
services made respondents feel as if their knowledge of cyber-attacks was
forced on them or acquired by choice (“Choice”). The question was measured on
a Likert scale that ranged from 1 – definitely by coercion to 5 – definitely by
choice.
To measure how respondents protect their devices, the researcher asked them to
list the length of a standard account password (e-mail, social media, etc.)
(“Length”) and whether they use the same password (“password”) for different
portals, systems, and applications on a categorical scale (1-yes, 0-no). We also
asked respondents to describe their behaviors when finishing up work on their
computer. Presented with individual activities such as shutting down or
locking their computer, they were requested to confirm if they engaged in (1) or
did not engage in (0) these behaviors. We measured a total score for each
respondent such that the higher the results, the more the subjects ensured
their computer was safe (“finish”).
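The scoring rules of section 3.2 applied to one respondent, as an added Python example that is not part of the original report: the composite variable names follow the text, while the item keys inside each group, the `computer_knowledge` spelling, the 128-character bound on `Length` and the sample answers are assumptions constructed for illustration.

```python
"""Score one questionnaire response into the composite variables of section 3.2.

Composite names (threats, d_attendance, familiarity, provide, protection,
finish, ...) follow the report; the item keys inside each group and the
sample answers are constructed for illustration.
"""


def _in_range(name, value, low, high):
    """Return value if it is an integer in [low, high]; reject anything else."""
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name}: {value!r} is not an integer in {low}..{high}")
    return value


def _likert_mean(name, items):
    """Mean of a non-empty group of 1-5 Likert items."""
    if not items:
        raise ValueError(f"{name}: no items answered")
    return sum(_in_range(f"{name}.{k}", v, 1, 5) for k, v in items.items()) / len(items)


def _binary_sum(name, items):
    """Count of 1-yes answers in a group of 0/1 items."""
    return sum(_in_range(f"{name}.{k}", v, 0, 1) for k, v in items.items())


def score_response(raw):
    """Turn one respondent's raw answers into the variables used in the analysis."""
    it_past = _in_range("IT_past", raw["IT_past"], 1, 3)  # 1-yes, 2-no, 3-I'm not sure
    return {
        "awareness": _in_range("awareness", raw["awareness"], 1, 4),
        "threats": _likert_mean("threats", raw["threat_items"]),
        "edu_awareness": _in_range("edu_awareness", raw["edu_awareness"], 1, 5),
        "d_attendance": 1 if it_past == 1 else 0,  # "no" and "not sure" both map to 0
        "IT_future": _in_range("IT_future", raw["IT_future"], 1, 5),
        "Recognition": _in_range("Recognition", raw["Recognition"], 0, 1),
        "computer_knowledge": _likert_mean("computer_knowledge", raw["skill_items"]),
        "familiarity": _binary_sum("familiarity", raw["familiarity_items"]),
        "provide": _binary_sum("provide", raw["provide_items"]),
        "protection": _binary_sum("protection", raw["protection_items"]),
        # Negatively keyed: a higher value means less knowledge of how to react.
        "behavioral": _in_range("behavioral", raw["behavioral"], 1, 5),
        "Choice": _in_range("Choice", raw["Choice"], 1, 5),
        # The upper bound of 128 characters is an assumption, used only to catch typos.
        "Length": _in_range("Length", raw["Length"], 0, 128),
        "password": _in_range("password", raw["password"], 0, 1),  # 1 = same password reused
        "finish": _binary_sum("finish", raw["finish_items"]),
    }


# Constructed sample response (not data from the study).
SAMPLE_RESPONSE = {
    "awareness": 3,
    "threat_items": {"loss_of_data": 5, "loss_of_money": 4,
                     "blocked_access": 2, "privacy_violation": 5},
    "edu_awareness": 4,
    "IT_past": 3,
    "IT_future": 5,
    "Recognition": 1,
    "skill_items": {"text_editor": 5, "spreadsheets": 4, "social_media": 3},
    "familiarity_items": {"internet_sources": 1, "university_courses": 0, "it_journals": 1},
    "provide_items": {"home_address": 0, "age": 1, "email_password": 0},
    "protection_items": {"strong_password": 1, "spam_protection": 0,
                         "antivirus": 1, "data_backup": 1},
    "behavioral": 4,
    "Choice": 2,
    "Length": 6,
    "password": 1,
    "finish_items": {"log_off_programs": 1, "shut_down": 1, "lock_computer": 0},
}

if __name__ == "__main__":
    for variable, value in score_response(SAMPLE_RESPONSE).items():
        print(f"{variable:18} {value}")
```

Out-of-range or non-integer answers raise `ValueError` instead of being silently averaged into a composite.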
3.2.4. Characteristics of the sample
The researcher measured gender (male – 1, female – 0), level of education
(1 – no academic background to 6 – PhD level), type of study (1 – IT, 0 –
Computer Science) and company (1 – PLV, 2 – Zan Fast Ferries, 3 – Simba Net,
4 – Cats Net).
3.3. Procedure
The questionnaire was uploaded to the internet for the respondents from the
four tested countries. The authors distributed the site link to the respondents
in class during the academic year of 2017. The questionnaire was in English.

Chapter Four

4. Analysis and Findings


Descriptive analysis was initially conducted to capture level of awareness, knowledge,
and behaviors toward cyberattacks. The results of the means and standard deviation
scores for the total companies and each company individually are presented in
Appendix B. The results from the total respondent answers indicated high familiarity
with the term “cyber-security” – either through the internet (81%), social media (60%),
conversations with friends and traditional media (45%), classes at the university
(29%), IT journals (21%), and/or scientific journals (15%). Only 9% reported having
personal experience with cyber-attacks. Respondents also agreed that cyber-attacks
could cause damage in multiple arenas. Their main cyber-attack concerns were
violation of privacy (98%), loss of data (93%), spying on private citizens (85%), loss of
money (99%), spying on organizations (60%), and potential role in terror attacks (35%),
among others. On the other hand, they did not feel that cyber-attacks block access to
information (5%).

In parallel with high cyberattack awareness, respondents avoid disclosure of sensitive
information on the web, especially e-mail passwords (4%), ID number (2%), home
address (5%), social network login (1%), and phone number (3.6%). The only item
they showed some readiness to provide was their age (7%). Other positive respondent
cyber security habits include using a strong password (85%), installing antivirus software (75%),
regular data backup (61%), frequent password changes, and updating software
(approximately 56%). On the other hand, only 45% used spam protection, 35%
avoided using a public computer, and just 15% performed computer security audits.
When asked about the means they use to protect their instrument from 11 threat
options, respondents used five protection tools on average. About 56% of respondents
used the same password for different applications and usages, with average password
length of six characters. Lastly, only two protection behaviors were conducted at the
end of usage: logging off all programs (51%) and shutting off the computer (66%).
Therefore, respondent behavior indicated a discrepancy between awareness and
amount of activities used to protect themselves from cyberattacks.
This gap may be attributed to participant knowledge. Based on self-evaluation of skills
and knowledge, the results indicated that respondents reported having sufficient
knowledge (25%) especially of e-mail (89%), computer applications (97%), web
browsers (98%), smartphone (99.4%), and social networks (75%). They felt less secure
about web page development (30%), application development environments (44%),
network architecture (7.7%), and computer architecture (5.90%). Judging their
knowledge of IT security, most respondents never attended an IT security training
program in the past (around 66%), but were willing to participate in this kind of
training in the future (98%). Even so, we need to treat this readiness with caution,
since results may suggest a social desirability bias.
That is, respondents may feel more obligated to participate in future training after
having a host of cyber threats pointed out to them. Indeed, when asked about their
behaviors, only 11% reported taking part in cyber security courses.

4.1. Connection between cyber knowledge and awareness


The connection between previous cyber knowledge and level of cyber security
awareness was analyzed controlling for respondent country of residence and gender.
Three steps were applied in the multiple hierarchical regression.

CHAPTER FIVE

Summary of findings

Conclusion

Recommendations

Suggestions for further research

References

Appendix

Questionnaire

Figure 2. The interaction between cyber recognition in PLV Digital Investment
Ltd and level of awareness.
Therefore, the results suggest that knowledge of the cyber world and security
problems is associated with more awareness of the phenomenon of cyber-
attacks, supporting the first hypothesis.
Lastly, the researcher tested if awareness also served as a mediator between
knowledge and protection. Based on Baron and Kenny’s model (1986), a
connection was found between respondent cyber knowledge and protection
variables. The first step of the regression analysis shows that knowledge was
positively connected to protection.

The study shows that some questionnaire respondents protect their computers
from cyberattacks.

Figure 3. The interaction between computer knowledge in Zan Fast Ferries and
level of awareness.

These results thus support our last hypothesis, that awareness (partially)
mediates the connection between knowledge and cyber protection behaviors.
That is, subjects with more device usage knowledge were more aware of cyber
hazards. This awareness was connected to amount of protection methods and
measures used to protect their devices. As such, it is not just the amount of
device usage; it is more the level of awareness that determines their attempts to
reduce the chances of cyber-attack.
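The mediation test referred to above, as an added Python example that is not the study's own analysis or data: it runs the three Baron and Kenny regressions (knowledge to protection, knowledge to awareness, then both predictors together) on eight constructed respondents. The helper names `ols` and `baron_kenny` and all values are assumptions, and only coefficient sizes are compared, without significance tests.

```python
"""Baron and Kenny (1986) mediation steps with ordinary least squares.

Pure-Python sketch on constructed data. It compares coefficient sizes only;
a real analysis also tests each coefficient for statistical significance.
"""


def ols(y, *predictors):
    """Return [intercept, b1, b2, ...] by solving the normal equations."""
    n = len(y)
    cols = [[1.0] * n] + [[float(v) for v in p] for p in predictors]
    k = len(cols)
    # Augmented matrix [X'X | X'y].
    a = [[sum(ci[r] * cj[r] for r in range(n)) for cj in cols]
         + [sum(ci[r] * y[r] for r in range(n))] for ci in cols]
    for i in range(k):  # Gauss-Jordan elimination with partial pivoting
        pivot = max(range(i, k), key=lambda r: abs(a[r][i]))
        if abs(a[pivot][i]) < 1e-12:
            raise ValueError("predictors are collinear")
        a[i], a[pivot] = a[pivot], a[i]
        for r in range(k):
            if r != i:
                f = a[r][i] / a[i][i]
                a[r] = [x - f * z for x, z in zip(a[r], a[i])]
    return [a[i][k] / a[i][i] for i in range(k)]


def baron_kenny(x, m, y, tol=1e-9):
    """Run the three regressions for predictor x, mediator m and outcome y."""
    c = ols(y, x)[1]              # step 1: total effect of x on y
    a = ols(m, x)[1]              # step 2: effect of x on the mediator
    _, c_prime, b = ols(y, x, m)  # step 3: y on x and m together
    if abs(c) < tol or abs(a) < tol or abs(b) < tol:
        kind = "none"             # one of the required paths is absent
    elif abs(c_prime) < tol:
        kind = "full"             # x has no direct effect once m is included
    elif abs(c_prime) < abs(c):
        kind = "partial"          # direct effect shrinks but remains
    else:
        kind = "none"
    return {"c": c, "a": a, "b": b, "c_prime": c_prime,
            "indirect": a * b, "mediation": kind}


# Constructed respondents (not data from the study).
KNOWLEDGE = [1, 3, 1, 3, 1, 3, 1, 3]      # computer knowledge score
AWARENESS = [3, 4, 1, 2, 3, 4, 1, 2]      # awareness item, 1-4
PROTECTION = [8, 11, 4, 7, 6, 9, 2, 5]    # number of protection tools used

if __name__ == "__main__":
    result = baron_kenny(KNOWLEDGE, AWARENESS, PROTECTION)
    for name, value in result.items():
        print(f"{name:10} {value}")
```

On this constructed sample the direct effect of knowledge (0.5) is smaller than its total effect (1.5), which is the coefficient pattern labelled partial mediation.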

Chapter Five

5. Discussion
Research results show that internet users are aware of the term “cyber
security”. Therefore, respondents know that using the internet may expose
them to multiple threats: violation of privacy, loss of money or data, damage to
devices, surveillance of themselves or any organization to which they belong,
etc. However, we also found a discrepancy between respondent attitude and
behaviors. As with previous studies (e.g. Imgraben et al.48; Rek and
Milanovski49), we found that respondents take only basic and insufficient
action such as using strong password protection and installing antivirus
software. Only a minority engage in more sophisticated protection activities
that require a deeper knowledge of cyber security, such as avoiding using an
open free network, performing computer security audits, or avoiding using
public computers. Since these activities are no costlier, the reason for this
discrepancy remains unknown. While previous studies suggested that people
avoid engaging in extensive cyber-attack precautions (e.g. Rek and
Milanovski49), we suggest that respondent cyber knowledge may explain this
gap.

The researcher’s findings show that respondents with more computer science
knowledge (recognition) had a higher positive connection to cyber security
awareness. However, specialization in computer science is not an option
available to most people. Still, we found that even partial attendance in a
cyber-security program (d_attendance) or learning about cyber security during
formal education (edu_awareness) was positively connected to level of cyber
awareness. Since this connection was found after controlling for respondent
country of residence and gender, it highlights the significant role of educational
cyber security programs to enlarge cyber-attack awareness. On the other hand,
no connection was found between degree of awareness and the information
that the subjects agreed to share on the internet as well as security-related
activities when finishing work on the computer. This gap can be explained
through the Theory of Planned Behavior (TPB) (Fishbein and Ajzen50). TPB
claims that intention is the best predictor of any planned behavior. Therefore, if
threats to computer security are taken seriously, then it is more likely that
motivation will be found to institute appropriate protective measures. Even so,
behavior is also affected by elements such as the amount of self-efficacy and
controllability. As such, perception of situations as subject to control due to
individual knowledge increases motivation to act. Thus, we found that
respondents with more cyber security knowledge take more steps to prevent
attacks, especially when defense tools are simple and familiar to internet users.
When an action demands higher specialized knowledge, this connection was
found to be more complicated. People may be aware of a hazard and want to
protect their devices but feel insecure about the appropriate measures, and
this can reduce motivation to explore additional options. Indeed, we found that
knowledge of cyber and Internet usage was connected to protection activities
through the mediation of cyber security awareness. These results highlight the
important role of cyber security programs to motivate users to take proactive
behaviors. The researcher also found a connection between awareness, knowledge,
and behaviors and the country of the respondent.2 Turkish respondents viewed
cyber security as very risky and threatening. Take, for example, Israel, a
country that is confident in fighting cyber-crimes.

Israelis showed less concern, as did Poles. These findings can be attributed to
cultural differences. Israel is known as a cyber-security innovation leader
(Tabansky51). Israelis tend to “outsource” their cyber security concerns to
service providers and organizations, confident in their technological
sophistication to ensure a safe internet environment. This may explain why
Israelis were the least cautious information sharers and lowest in cyber threat
avoidance. Indeed, Tabansky51 describes Israel as a country that continuously
strives to develop cyberspace solutions. Israel is one of the top five global
superpower nations as ranked by the National Cyber Initiative (Sabilion et
al.52). It can be reasonably claimed that many citizens in these countries are
under the mistaken impression that they have sufficient knowledge or defense
tools to counter cyber risks. In fact, they tend to be less actively involved in
daily mitigation of privacy and data and information leaks. In countries with
less cyber security development, such as Turkey, cyber security awareness is
more linked to the individual implementation of cyber protective behaviors.
One explanation for the differences between PLV and the other companies can
be attributed to variations in questionnaire language. As noted, the PLV
participants filled out the questionnaire with knowledge of the phenomenon because
they serve as IT support, while all other subjects are in different businesses.
This difference may have produced biases in response, especially if the non-IT
experts lack full reading comprehension in technology. However, all non-PLV
employees and customers comprising our sample are required to possess
high-level knowledge proficiency, and this discrepancy can only explain part of
the differences and should not be regarded as their main source. Even so, PLV
is well advised to develop its training programs in this field. Future
comparative research should focus on senior management cyber security
habits in the two evaluated companies. Thus, we claim that the more a
developed company (i.e., with substantial GDP value) invests resources in
cyber tools (such as PLV), the more its efforts should be directed to educating
and increasing awareness. While mediation was found between (one type of)
knowledge, awareness, and protection, we feel that there are other factors that
can explain why people do not protect their devices with more defenses. Using
TPB (Fishbein and Ajzen [50]), more research should explore the effects of
psychological factors, such as self-efficacy and national-cultural values
(Hofstede [53]; Klein and Shtudiner [54]) on internet user behaviors.

Organizations should also take more active as well as protective steps, in
parallel with educational programs, such as configuration of cyber defense
tools with organizational architecture to increase the level of cyber security
awareness among their employees. Further studies should focus on capturing
how behaviors of organizations affect employee cyber security awareness.

The urgency to reduce employee and individual cyber risks has only increased.
As such, senior managers should build practical training workshops and study
programs with cyber awareness courses in order to:

a. Increase employee and student knowledge related to cyber security attacks;

b. Cultivate new attitudes toward cyber risk and responsibility for maintaining
organizational data;

c. Translate awareness into action by decreasing human factors resulting in
cyber security vulnerabilities; and

d. Develop new rules informing best cyber practices.

Future research should also focus on all aspects of this call to action.

Chapter Six

6. Conclusions and future work


This study elaborates on the literature related to cyber security awareness,
knowledge, and behavior. To our knowledge, its novelty rests on it being the
first to explore the factors relating to and level of cyber security skills among
individuals in various countries with differing GDP values. Moreover, the study
links the level of cyber hazard knowledge and exposure to risk to specific user
traits (gender, age, degree of using IT, etc.), concluding that specific training
programs should be developed by educational and academic institutions. Since
this is an initial study, we focused on a comparative approach to evaluating
cultural differences in cyber-security awareness, knowledge, and behaviors.
However, future studies should isolate the roots of lack of cyber hazard
awareness.

The research contributions may be classified into the following categories:

• Elaboration on existing knowledge of cyber security awareness,
knowledge, and behavior among individuals from different countries;
• Economic need to invest in cyber security technology in developed
countries with high GDP values since much of the population lacks the
necessary tools and knowledge to protect against cyber hazards. Even so,
it is important to also invest in cyber training to change the perception of
cyber hazards.
• Global need for comparative analysis derived from lack of cyber security
knowledge across cultures. Therefore, training programs should be
developed with an international orientation, based on individual behavior
rather than local and cultural expressions.

It is important to point out that this study has some limitations that should be
taken into consideration. The limitation of this study lies mainly with the type
of respondents. The sample size was based on Small Scale Enterprises mainly
from Dar es Salaam, which deal with IT support solutions. To improve the
study’s robustness, it is recommended to use a wider sample, one that is
not considered a convenience sample and spans various disciplines.

Another criticism can be derived from the measurement of the variables. The
researcher used face validity in constructing the questionnaire, relying on a
team of experts to develop our survey tool. However, since this is one of the few
studies to measure cyber security awareness, knowledge, and behavior, the
questionnaire should be retested to strengthen its reliability and validity.
Future studies should develop specific instruments to measure cyber security
awareness and knowledge [55]. Although we measured this variable using a
single-item scale, multi-item scales were found to exhibit higher reliability.
Even so, some researchers have suggested that if a single-item question can
elicit valuable information, its advantage of simplicity can confer on its
reliability and validity, even at the expense of extensive detail (Bowling [56]). Still,
more comprehensive instruments to assess cyber security awareness are
desirable.

Moreover, this type of study should be conducted in additional companies that
differ in their GDP values, with the results compared to the current research.

In sum, our current reality is in many ways a cyber one. The internet is deeply
embedded in our daily life, and our dependency on connected mobile devices
seems likely to only increase. Yet with growing dependency comes elevated risk
of cyber-attack victimization. Future work should focus on exploring how
specific training programs based on our study findings improve levels of cyber
knowledge, awareness and skill-based behaviors.

References

Abawajy J. User preference of cyber security awareness delivery methods.
Behav Inf Technol. 2014;33(3):237–48. doi:10.1080/0144929X.2012.708787.

Schultz E. From the editor-in-chief: the human factor in security.
Comput Secur. 2005;24(6):425–26. doi:10.1016/j.cose.2005.07.002.

Anwar M, He W, Ash I, Yuan X, Li L, Xu L. Gender difference and employees’
cybersecurity behaviors. Comput Human Behav. 2017;69:437–43.
doi:10.1016/j.chb.2016.12.040.

Herath T, Rao HR. Protection motivation and deterrence: a framework for
security policy compliance in organisations. Eur J Inf Syst. 2009;18(2):106–25.
doi:10.1057/ejis.2009.6.

Schneier B. Hacking the business climate for network security. Computer.
2004;37(4):87–89. doi:10.1109/MC.2004.1297316.

Sasse MA, Flechais I. Usable security: why do we need it? How do we get it?
O’Reilly. 2005. http://discovery.ucl.ac.uk/20345.

Kshetri N. Cybersecurity and development. Markets Globalization Dev Rev.
2016;1:2. doi:10.23860/MGDR-2016-01-02-03.

Maurseth PB. The effect of the Internet on economic growth: counter-evidence
from cross-country panel data. Econ Lett. 2018;172:74–77.
doi:10.1016/j.econlet.2018.08.034.

Aloul FA. The need for effective information security awareness. J Adv Inf
Technol. 2012;3(3):176–83. doi:10.4304/jait.3.3.176-183.

Jalali MS, Siegel M, Madnick S. Decision-making and biases in cybersecurity
capability development: evidence from a simulation game experiment. J
Strategic Inf Syst. 2019;28(1):66–82. doi:10.1016/j.jsis.2018.09.003.

Lee KG, Chong CW, Ramayah T. Website characteristics and web users’
satisfaction in a higher learning institution. Int J Manage Educ.
2017;11(3):266–83. doi:10.1504/IJMIE.2017.084926.

WorldBank Data. 2019. https://data.worldbank.org/indicator/NY.GDP.PCAP.CD.

Reid R, Van Niekerk J. Decoding audience interpretations of awareness
campaign messages. Inf Comput Secur. 2016;24(2):177–93.
doi:10.1108/ICS-01-2016-0003.

Klimburg A, editor. National cyber security framework manual. NATO
Cooperative Cyber Defense Center of Excellence. 2012.
doi:10.1094/PDIS-11-11-0999-PDN.

Siponen MT. Five dimensions of information security awareness. SIGCAS
Comput Soc. 2001;31(2):24–29. doi:10.1145/503345.503348.

De Lange M, von Solms R. An e-safety educational framework in South Africa.
Proceedings of the Southern Africa Telecommunication Networks and
Applications Conference (SATNAC); 2012 Sep. doi:10.1094/PDIS-11-11-0999-PDN.

Coopers P. Turnaround and transformation in cybersecurity. Key Findings
Global State Inf Secur Surv. 2015;2016.

McCormac A, Parsons K, Butavicius M. Preventing and profiling malicious
insider attacks (No. DSTO-TR-2697). Defence Science and Technology
Organisation Edinburgh (Australia) Command Control Communications and
Intelligence Division. 2012. doi:10.1094/PDIS-11-11-0999-PDN.

Parsons K, McCormac A, Butavicius M, Ferguson L. Human factors and information
security: individual, culture and security environment. DSTO Technical Report
(DSTO-TR2484). 2010 Oct.

Schneier B. Secrets and lies: digital security in a networked world. Indianapolis
(IB): Wiley Publishing, Inc; 2000.

Shropshire J, Warkentin M, Johnston A, Schmidt M. Personality and IT
security: an application of the five-factor model. AMCIS 2006 Proceedings;
2006 Dec 31, Acapulco, Mexico. p. 415.

McCormac A, Calic D, Parsons K, Butavicius M, Pattinson M, Lillie M. The
effect of resilience and job stress on information security awareness. Inf
Comput Secur. 2018 Jul 9;26(3):277–89. doi:10.1108/ICS-03-2018-0032.

McCormac A, Zwaans T, Parsons K, Calic D, Butavicius M, Pattinson M.
Individual differences and information security awareness. Comput Human
Behav. 2017;69:151–56. doi:10.1016/j.chb.2016.11.065.

Saadatdoost R, Sim AT, Jafarkarimi H, Mei Hee J. Exploring MOOC from
education and Information Systems perspectives: a short literature review.
Educ Rev. 2015;67(4):505–18. doi:10.1080/00131911.2015.1058748.
