Research Report
I declare that this dissertation was composed by myself and that the work
contained therein is my own except where explicitly stated otherwise in the
text, and that this work has not been submitted for any other degree or
professional qualification except as specified.
Contents
ABSTRACT ... 1
CHAPTER ONE ... 4
INTRODUCTION ... 4
1.1 Statement of the problem ... 12
1.2 Research questions ... 13
1.3 Significance of the study ... 13
Chapter Two ... 14
2.1. The impact of internet and cyber on society ... 14
CHAPTER THREE ... 20
3. Research methodology ... 20
3.1. Subjects ... 20
3.2.1. Awareness ... 21
3.2.2. Knowledge ... 21
3.2.2.1. Threats ... 21
3.2.2.2. Education awareness ... 21
3.2.2.3. Familiarity ... 22
3.2.3. Behavioral aspects ... 22
3.2.4. Characteristics of the sample ... 23
3.3. Procedure ... 23
Chapter Four ... 23
4. Analysis and Findings ... 23
4.1. Connection between cyber knowledge and awareness ... 24
CHAPTER FIVE ... 25
Summary of findings ... 25
Conclusion ... 25
Recommendations ... 25
Suggestions for further research ... 25
References ... 25
Appendix ... 25
5. Discussion ... 27
6. Conclusions and future work ... 31
CHAPTER ONE
INTRODUCTION
1. Background
Cybersecurity is important because it protects all categories of data from theft and
damage. This includes sensitive data, personally identifiable information (PII), protected
health information (PHI), personal information, intellectual property, and
governmental and industry information systems.
Without a cybersecurity program, your organization cannot defend itself against data
breach campaigns, making it an irresistible target for cybercriminals.
Both inherent risk and residual risk are increasing, driven by global connectivity and the usage
of cloud services, like Amazon Web Services, to store sensitive data and personal
information. Widespread poor configuration of cloud services, paired with increasingly
sophisticated cyber criminals, means the risk that your organization suffers a
successful cyber-attack or data breach is on the rise.
Gone are the days of simple firewalls and antivirus software being your sole security
measures. Business leaders can no longer leave information security to cybersecurity
professionals.
Cyber threats can come from any level of your organization. You must educate your
staff about simple social engineering scams like phishing and more sophisticated
cybersecurity attacks like ransomware attacks (think WannaCry) or other malware designed
to steal intellectual property or personal data.
GDPR and other laws mean that cybersecurity is no longer something businesses of
any size can ignore. Security incidents regularly affect businesses of all sizes and often
make the front page causing irreversible reputational damage to the companies
involved.
If you are not yet worried about cybersecurity, you should be.
What is Cybersecurity?
Cybersecurity is the state or process of protecting and recovering computer systems,
networks, devices, and programs from any type of cyber-attack. Cyber-attacks are an
increasingly sophisticated and evolving danger to your sensitive data, as attackers
employ new methods powered by social engineering and artificial intelligence to
circumvent traditional security controls.
The fact of the matter is the world is increasingly reliant on technology and this
reliance will continue as we introduce the next generation of smart Internet-enabled
devices that have access to our networks via Bluetooth and Wi-Fi.
The Importance of Cybersecurity
Cybersecurity's importance is on the rise. Fundamentally, our society is more
technologically reliant than ever before and there is no sign that this trend will slow.
Data leaks that could result in identity theft are now publicly posted on social media
accounts. Sensitive information like social security numbers, credit card information
and bank account details are now stored in cloud storage services like Dropbox or
Google Drive.
The fact of the matter is whether you are an individual, small business or large
multinational, you rely on computer systems every day. Pair this with the rise in cloud
services, poor cloud service security, smartphones and the Internet of Things (IoT) and we
have a myriad of cybersecurity threats that didn't exist a few decades ago. We need to
understand the difference between cybersecurity and information security, even though the
skillsets are becoming more similar.
Governments around the world are bringing more attention to cybercrimes. GDPR is a
great example. It has increased the reputational damage of data breaches by forcing
all organizations that operate in the EU to:
Communicate data breaches
Appoint a data-protection officer
Require user consent to process information
Anonymize data for privacy
The trend towards public disclosure is not limited to Europe. It also affects Tanzania, as
most businesses are now connected to the internet while conducting their
business. With the rising use of the internet comes the need for cyber security
awareness among small enterprises, so that they know how to protect against cyberattacks.
This has driven standards boards like the National Institute of Standards and
Technology (NIST) to release frameworks to help organizations understand their
security risks, improve cybersecurity measures and prevent cyber-attacks.
Social engineering remains the easiest form of cyber-attack with ransomware,
phishing, and spyware being the easiest form of entry. Third-party and fourth-party
vendors who process your data and have poor cybersecurity practices are another
common attack vector, making vendor risk management and third-party risk
management all the more important.
According to the Ninth Annual Cost of Cybercrime Study from Accenture and the
Ponemon Institute, the average cost of cybercrime for an organization has increased by
$1.4 million over the last year to $13.0 million and the average number of data
breaches rose by 11 percent to 145. Information risk management has never been
more important.
Data breaches can involve financial information like credit card numbers or bank
account details, protected health information (PHI), personally identifiable information
(PII), trade secrets, intellectual property and other targets of industrial espionage.
Other terms for data breaches include unintentional information disclosure, data leak,
cloud leak, information leakage or a data spill.
Other factors driving the growth in cybercrime include:
The distributed nature of the Internet
The ability for cybercriminals to attack targets outside their jurisdiction
making policing extremely difficult
Increasing profitability and ease of commerce on the dark web
The proliferation of mobile devices and the Internet of Things.
Economic costs: Theft of intellectual property, corporate information, disruption in trading and the cost
of repairing damaged systems
Reputational cost: Loss of consumer trust, loss of current and future customers to competitors and poor
media coverage
Regulatory costs: GDPR and other data breach laws mean that your organization could suffer from
regulatory fines or sanctions as a result of cybercrimes
All businesses, regardless of size, must ensure all staff understand cybersecurity
threats and how to mitigate them. This should include regular training and a
framework to work with that aims to reduce the risk of data leaks or data breaches.
Given the nature of cybercrime and how difficult it can be to detect, it is difficult to
understand the direct and indirect costs of many security breaches. This doesn't mean
the reputational damage of even a small data breach or other security event is not
large. If anything, consumers expect increasingly sophisticated cybersecurity
measures as time goes on.
In recent years Tanzania has seen an increasing number of internet users. This
drastic increase in internet users can be accompanied by a large number of
cyberattacks. Small scale enterprises in Tanzania may therefore also become victims of
cyberattacks if no better measures are taken to create awareness among
these business owners. By March 2021 the number of internet users had reached 29.1
million; the table below shows the growth of internet users in Tanzania.
Figure 1: Estimate internet users in Tanzania
Source: (TCRA)
The internet usage statistics above show 27.9 million users as of September 2020;
most recently the number of internet users has increased drastically to 29.1
million by March 2021. With this huge growth of internet users there is also a greater chance
for an attacker to strike without the user’s awareness. Cyber security awareness is
needed for small scale enterprises; in order to prevent online attacks, employees
need to have knowledge about cyber security. The responsibility of keeping enterprises
safe lies with the owner as well as other stakeholders. Government and private agencies
need to cooperate to provide education about the impact of unsafe usage of the internet.
Small scale enterprises (SSEs) are the engine of the national economy and represent over half
of all employees in the private sector; it should be noted that SSEs contribute
significantly to the economy and comprise the majority of the businesses
and internet users in the country. Their importance to the development of this
nation therefore cannot be understated or ignored, nor discussed without consideration of the
information systems they rely on and the measures that are in place to protect those systems.
That is why the Tanzania Computer Emergency Response Team (TZ-CERT), which is
mandated to raise awareness and enhance technical capacity in the
area of cybersecurity, conducted training for some organizations. Between 27th July
and 18th September 2020, TZ-CERT carried out a
cybersecurity awareness program in nine (9) public institutions, namely: Tanzania
Investment Centre (TIC), Tanzania Airport Authority (TAA), National Housing
Corporation (NHC), Land and Transport Regulatory Authority (LATRA), Tanzania
National Park Authority (TANAPA), Tanzania Commission of Universities (TCU),
National Social Security Fund (NSSF), Public Service Social Security Fund (PSSSF)
and National Audit Office of Tanzania (NAOT), geared to sensitize employees to safe and
acceptable behavior in the use of emails.
Although the government and other organizations responsible for cyber security
awareness provision are trying to provide education to government agencies and
private companies, many small scale enterprises still do not have such awareness in
protecting their systems from being attacked.
Malware
Malware means malicious software. One of the most common cyber threats, malware
is software that a cybercriminal or hacker has created to disrupt or damage a
legitimate user’s computer. Often spread via an unsolicited email attachment or
legitimate-looking download, malware may be used by cybercriminals to make money
or in politically motivated cyber-attacks.
There are a number of different types of malware, including:
Virus: A self-replicating program that attaches itself to a clean file and
spreads throughout a computer system, infecting files with malicious code.
Trojans: A type of malware that is disguised as legitimate software.
Cybercriminals trick users into uploading Trojans onto their computer
where they cause damage or collect data.
Spyware: A program that secretly records what a user does, so that
cybercriminals can make use of this information. For example, spyware
could capture credit card details.
Ransomware: Malware which locks down a user’s files and data, with the
threat of erasing it unless a ransom is paid.
Adware: Advertising software which can be used to spread malware.
Botnets: Networks of malware infected computers which cybercriminals use
to perform tasks online without the user’s permission.
SQL injection
An SQL (structured query language) injection is a type of cyber-attack used to take
control of and steal data from a database. Cybercriminals exploit vulnerabilities in
data-driven applications to insert malicious code into a database via a malicious SQL
statement. This gives them access to the sensitive information contained in the
database.
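As an added illustration (not part of the dissertation), the query pattern the paragraph describes, where user input is concatenated into the SQL text, is shown beside its parameterized fix; the customer table and all names in it are constructed for the demonstration:

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the dissertation).
CUSTOMERS = [
    (1, "amina", "amina@example.test", "ACCT-0001"),
    (2, "baraka", "baraka@example.test", "ACCT-0002"),
    (3, "chiku", "chiku@example.test", "ACCT-0003"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER PRIMARY KEY, username TEXT, email TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The flaw the text describes: user input is glued into the SQL text itself.

    A quote character in the input ends the string literal early, so the rest of
    the input is parsed as SQL and changes what the statement does.
    """
    sql = (
        "SELECT username, email, account FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterized query.

    The statement text is fixed; the driver hands the value to the database engine
    separately, so the input is only ever compared as a username, never parsed as SQL.
    """
    sql = "SELECT username, email, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run the same input through both versions and report how many rows each returns."""
    conn = make_db()
    try:
        try:
            vulnerable = len(lookup_vulnerable(conn, username))
        except sqlite3.Error:
            # An apostrophe in honest input already breaks the concatenated statement;
            # SQL syntax errors in application logs are an early warning sign of this bug.
            vulnerable = "error"
        return {
            "vulnerable_rows": vulnerable,
            "safe_rows": len(lookup_safe(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A real customer name behaves the same either way.
    print(compare("amina"))          # {'vulnerable_rows': 1, 'safe_rows': 1}
    # The textbook tautology makes the WHERE clause always true, but only in the
    # vulnerable version; the parameterized one simply finds no such username.
    print(compare("x' OR '1'='1"))   # {'vulnerable_rows': 3, 'safe_rows': 0}
    # A legitimate name containing a quote errors out in the vulnerable version.
    print(compare("d'souza"))        # {'vulnerable_rows': 'error', 'safe_rows': 0}
```

Restricting the application's database account to read-only access on the tables it needs limits what a successful injection can reach even before the query is fixed.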
Phishing
Phishing is when cybercriminals target victims with emails that appear to be from a
legitimate company asking for sensitive information. Phishing attacks are often used
to dupe people into handing over credit card data and other personal information.
Man-in-the-middle attack
A man-in-the-middle attack is a type of cyber threat where a cybercriminal intercepts
communication between two individuals in order to steal data. For example, on an
unsecure Wi-Fi network, an attacker could intercept data being passed between the
victim’s device and the network.
Denial-of-service attack
A denial-of-service attack is where cybercriminals prevent a computer system from
fulfilling legitimate requests by overwhelming the networks and servers with traffic.
This renders the system unusable, preventing an organization from carrying out vital
functions.
The number of cyber-attacks and data breaches in recent years is staggering and
it's easy to produce a laundry list of household-name companies that have
been affected.
Here are a few examples:
Equifax
The Equifax cybercrime identity theft event affected approximately 145.5 million U.S.
consumers along with 400,000-44 million British residents and 19,000 Canadian
residents. Equifax shares dropped 13% in early trading the day after the breach and
numerous lawsuits were filed against Equifax as a result of the breach. Not to mention
the reputational damage that Equifax suffered. On July 22 2019, Equifax agreed to a
settlement with the FTC which included a $300 million fund for victim compensation,
$175m for states and territories in the agreement and $100 million in fines.
eBay
Between February and March 2014, eBay was the victim of a breach of encrypted
passwords, which resulted in asking all of its 145 million users to reset their
password. Attackers used a small set of employee credentials to access this trove of
user data. The stolen information included encrypted passwords and other personal
information, including names, e-mail addresses, physical addresses, phone numbers
and dates of birth. The breach was disclosed in May 2014, after a month-long
investigation by eBay.
Adult Friend Finder
In October 2016, hackers collected 20 years of data on six databases that included
names, email addresses and passwords for The Friend Finder Network. The Friend
Finder Network includes websites like Adult Friend Finder, Penthouse.com,
Cams.com, iCams.com and Stripshow.com. Most of the passwords were protected only
by the weak SHA-1 hashing algorithm, which meant that 99% of them had been
cracked by the time LeakedSource.com published its analysis of the entire data set on
November 14.
Yahoo
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised
1 billion accounts. In this instance, security questions and answers were also
compromised, increasing the risk of identity theft. The breach was first reported by
Yahoo on December 14, 2016, and forced all affected users to change passwords, and
to reenter any unencrypted security questions and answers to make them encrypted
in the future. However, by October of 2017, Yahoo changed the estimate to 3 billion
user accounts. An investigation revealed that users' passwords in clear text, payment
card data and bank information were not stolen. Nonetheless, this remains one of the
largest data breaches of this type in history.
While these are a few examples of high profile data breaches, it's important to
remember that there are even more that never made it to the front page.
The impact of cyber-attacks on small enterprises
A cyberattack can drastically impact your business. In fact, 60% of small businesses
that fall victim to an attack shut down within six months after the breach. While that
may be the most devastating result of the attack, there are other consequences that
your business could experience, including the following:
Financial losses from theft of banking information
Financial losses from disruption of business
High costs to rid your network of threats
Damage to your reputation after telling customers their information was
compromised.
Because of the impact of cyber-attacks on enterprises explained above, I came up with this
research to determine the awareness of cyber security among small scale
enterprises.
Organizations have come to recognize that behaviors deriving from the human factor
are responsible for cyber security flaws and may pose a liability for information
security (Sasse and Flechais12).
The behavioral contribution to unintentional cyber breaches was highlighted by IBM’s
Global Technology Services as one of the most critical issues to be addressed by
security controls and best practices guidelines. In fact, there has been an increased
recent focus on the role of individual behavior in cyber hazard mitigation. However,
the understanding of how individuals differ in their awareness, knowledge, and cyber
security behavior when confronted with versatile cyber hazards is still quite limited.
Moreover, to the best of our knowledge, no research has yet compared and evaluated
these three components across small scale enterprises. Therefore, the aim of this
study is to evaluate differences in cyber security awareness, knowledge and cyber
hazard protection behaviors in SEs. Tanzania is ranked 110 on the networked readiness
index in 2020 in a global information technology report on ICT for sustainability. As
far as we know, no comparative study has focused on the relative cyber security
awareness, knowledge and behavior differences between these four countries.
The research objectives are divided into two categories:
First, building a theoretical framework to be used in constructing cyber security
training programs. This framework is based on the factors that impact the level of
cyber security awareness, knowledge, and behavior, which were evaluated according
to the following research questions (from general to specific):
operations. These categories of actors could be interested, and thus have an
understanding of cyber security and that being online introduces vulnerability.
The significance of proper IS security for an organization is proportional to the
organization’s dependence on information. An organization’s IS security affects not
only the organization itself, but also its external parties (Von Solms, 2017). Not only do
shared information systems and infrastructures require an accepted level of security,
but the organizations themselves must also be considered secure enough to act in
these ‘e-arenas’. An analogy is traffic safety; it is not enough to build safe roads, we
must also have shared traffic rules and safe cars (von Solms, 2017).
Chapter Two
2. Literature review
2.1. The impact of internet and cyber on society
The internet has revolutionized how people access data and utilize various
applications for modern day-to-day tasks. Reid and Van Niekerk16 (p. 178)
noted the huge impact of the internet on daily life: “In our technology and
information-infused world, cyberspace is an integral part of the modern-day
society. In both personal and professional contexts, cyberspace is a highly
effective tool in, and enabler of, most people’s daily digitally transposed
activities.17, 18, 19” However, Coppers20 noted the rising impact of
information security breaches on the economy, resulting in information loss
estimated at ~ $2.5 million per year (Coppers20). As noted, this loss can be only
partly mitigated by protective tools since their functionality in most cases is
controlled by individuals (Furnell et al.6; McCormac et al.21; Parsons et al.22;
Schultz8).
Individual cyber engagement, in general, and with cyber protection tools in
particular, has motivated both academic scholars and practitioners to focus on
individual attitudes and behaviors concerning cyber threats (Schneier23;
Shropshire et al.24). An instructive example was given by Sasse and Flechais12
who emphasized the existing gap between facto and ex post facto mitigation
activities conducted by employees in cases of cyber security breach due to lack
of sufficient engagement with cyber security protection tools. Other studies
evaluated level of individual resilience with cyber security awareness as a
cause of job stress (McCormac et al.25). In addition, the relationship between
individual personality and level of cyber security risk propensity has been
researched (McCormac et al.26). Yet the relationships between individual cyber
security awareness, knowledge and behavior have never been studied in cross-
country comparison. In fact, the comparative approach is considered by
important stakeholders to be crucial for the creation of intervention programs
(McCormac et al.26).
2.2. Cyber security hazard awareness
The internet has revolutionized managing life tasks, enabling connections with
new people through social networks and opening new economic horizons for
transactions via mobile devices both for individuals and organizations,
including radical change in the higher education system and teaching methods
(Aloul1; Lee et al.3; Saadat doost et al.27). Even so, many people still face
information security risks from a vast array of threats. These threats range
from simple to catastrophic attacks. The first may consist of primitive spam e-
mails, while the second may involve organized cyber-crime groups that use
malicious software to steal, corrupt, and destroy data on a significant scale
(Letho28). A major factor in information security risk is level of individual cyber
security awareness, which can be usefully described as low, medium, or high.
Low awareness behaviors include not paying attention or neglecting security
alerts, provided in most cases automatically by applications, such as when
accessing free open networks (such as Wi-Fi) with mobile devices and laptops.
A medium awareness level may be characterized by negligence expressed in
improper technology operation. Finally, high awareness involves knowledge of
cyber threats and capable actions taken in their prevention.
The term cyber security awareness was already defined by Shaw et al.29 (p. 93)
as follows: “[The] degree of understanding of users about the importance of
information security and their responsibilities and acts to exercise sufficient
levels of information security control to protect the organization’s data and
networks”. They noted widespread lack of awareness of cyber risks, extending
to app usage and information delivery on social networks and internet web
pages. Importantly, they pointed out that hackers (individual or collective) tend
to seek out the most vulnerable users, i.e. those deficient in information and
network security awareness. Hackers are proficient at exploiting both software
bugs and security gaps unintentionally created by users themselves.
Since the human factor has already been shown to be the main cause of cyber
breaches, ever more cyber awareness training programs are offered by
academic institutions and private companies, with the aim of increasing
individual cybercrime awareness (Dodge30; Kumaraguru et al.31; Shaw et
al.29).
However, increasing levels of awareness can only transpire if cyber awareness
itself is fully understood, a thesis already made in 2015 by Letho: “[While] the
world grows more connected through the cyber world, the most efficient plan to
increase cyber security awareness is the improvement of the know-how of the
citizens and actors of the economic life and public administration. This
improvement could be effective if the reasons for the lack of cyber security
awareness could be understood” (Letho28, p. 180). However, in the last five
years, a growing body of research has focused on individual cyber security
awareness. For example, McCormac et al.26 pointed out a linear relationship
between age and information security awareness, one that improves with
increase in age. Another study by McCormac et al.25 among 1,048 Australian
employees showed a relationship between resilience, job stress and information
security awareness (ISA), finding that when employees can cope or adapt to job
stress, their awareness to cyber security hazards increases, and hence the
organization’s resilience is improved. Research by Hadlington32 found that
employed people in large organizations tend to develop higher awareness of
cyber risks, which may be explained by improved budgetary resources and
organizational enforcement policies. As with Hadlington32, Pendley33 also
focused on improving cyber security awareness among managerial or
administrative staff, emphasizing adhering to cyber regulations and guidelines
as well as establishing security policies. Nevertheless, lack of cyber awareness
is still a serious global problem. Organizations and educational institutions
must develop adequate training programs, with the first step a comparative
evaluation of level of awareness across different enterprises.
2.3. Cyber security knowledge
Increasingly, individuals are in actuality dependent on internet technologies for
their day-to-day tasks. Ease of use has facilitated participation in cyber-related
activities on a mass scale. However, knowledge of existing tools needed for
protection against cyber threats is correspondingly lagging (Furnell et al.34;
Abawajy and Kim35; Abawajy5). As Abawajy (Abawajy and Kim35, Abawajy5)
noted, even basic level cyber security awareness may not translate into
sufficient or appropriate cyber security protection knowledge to mitigate cyber
risks and hazards. As such, he suggested increasing cyber security knowledge
through cyber security training programs using theoretical lectures and
simulators to provide exposure to cyber security protection tools. These would
focus on operational, usage, and process aspects of improving user knowledge
translating into effective cyber security mitigation behavior. For example, the
“Phishing Simulator” is a popular training resource, designed as an effective
training process to increase awareness of suspicious e-mails sent by hackers.
Such e-mails often contain malicious software (“malware”) resulting in illicit
data leakage (Abawajy and Kim35; Abawajy5). The simulator is also suitable for
trainers, exposing them to practical protection tools to mitigate phishing e-
mails and internet links and guiding them in how to attain optimal levels of
protection against cyber security threats.
In a study conducted by Reid16, the influence of a cyber-security awareness
campaign for school youth, along with their existing knowledge related to cyber
security hazards, was measured. He found that campaigns have a positive
impact on improving cyber hazard awareness and knowledge. A later study,
conducted by Cain et al.36, explored “Cyber Hygiene” (i.e. level of cyber
knowledge) in 268 computer and device users ranging in age from 18 to 55+.
The survey focused on how they maintain system health and online security
tools such as firewalls and anti-virus software, and was carried out using
Amazon Mechanical Turk (MTurk) (https://www.mturk.com), a crowdsourcing
marketplace.
MTurk allows businesses (i.e. “requesters”) to allocate tasks to remote
“crowdworkers”, a potentially rich source of data collection. They found that
self-identified experts had less cyber hygiene knowledge than self-identified
non-experts. This surprising finding could be attributed to the latter being
more dependent and relying on external guidelines, hence investing greater
efforts in acquiring the necessary cyber security knowledge for their tasks.
2.4. Cyber security protection behaviors
Recognizing the severe cost of cyber hazards, research has increasingly focused
on the measures taken and behaviors exhibited by netizens to protect their
devices (e.g. Safa et al.37).
However, most recent studies related to cyber protection behavior look at very
narrow aspects of cyber security behavior. For example, Safa et al.37 surveyed
level of compliance with security polices among 416 employees in 4 Malaysian
companies. They found that employee attachment to the firm does not have a
significant influence on their attitude to adopt a desired cyber security
compliance behavior. McCormac et al.26 looked at whether employee
information behavior is correlated with personality traits such as
conscientiousness, agreeableness, emotional stability, and risk taking. They
showed that a small significant gender difference exists related to phishing e-
mails, such that women were found to be more susceptible than men. Another
study by McCormac et al.25,38 aimed at exploring the relationship between
employee resilience, job stress, and cyber security behavior. They used a sample of 1,048
working Australians, reporting that higher levels of cyber threat resilience
translated into significantly better ability, knowledge, attitude, and behavior in
cyber mitigation processes. Similarly, participants who reported lower levels of
job stress were also found to exhibit significantly better attitude, knowledge,
and behavior in mitigation of cyber hazards. Hadlington32 focused on the
relationship between risky employee cyber security behavior and individual
(such as age and attitude) and organizational factors in protective cyber
security activities. Risky behaviors included sharing personal passwords,
downloading illegal content, infringing copyright, and ignoring recommended
software updates. The findings associated these risky behaviors with
employee self-feeling, defined as the feeling that cyber security is not a primary
concern in their place of employment.
In fact, Hadlington and Parsons39 had already shown that employees who feel
protected in their workplace tend to neglect cyber security behavior. This
finding was confirmed by Tischler et al.40, who found that, in general,
employees tend to decouple their responsibility to install and operate cyber
protection tools from their job, instead transferring it to senior management. As
noted, Cain et al.36 tested levels of so-called cyber hygiene, and found that
self-identified experts exhibited less secure behaviors than self-identified
non-experts. In addition, they found that older users engaged in more secure cyber
behaviors than younger ones. Surprisingly, they found no difference in
response behavior between experienced and inexperienced users: being
attacked by malware for the first time or repeatedly did not change
their response to a cyber-attack.
They also did not detect any individual effect on the importance of cyber
training programs. However, they noted that future studies could shed light on
the impact of effective cyber training programs, which may encourage younger
users to behave more securely when confronted with a cyber-security incident.
These training programs were evaluated by Dodge30, who noted that the
number of phishing scam victims dropped after students were exposed to
“staged” phishing attacks. McCrohan et al.41 evaluated training programs aimed
at improving the knowledge and awareness of potential cyber security hazards
among users. They focused on the cyber security aspects of password protection
awareness and the ability to secure computers pre- and post-cyber security
training. They highlighted the critical role of cyber education/training,
emphasizing appropriate security practices to improve day-to-day online
behavior. Following this study, Eminağaoğlu et al.42 showed that awareness
campaigns can play a positive role in reducing cyber risk behavior. The authors
found that the level of exposure to and practice in training programs pushed
students to use complex passwords. They suggested that providing security
awareness training courses can comprehensively influence attitudes to
information security management. Similarly, Abawajy5 divided cyber security
training into three categories: online, contextual, and embedded training. He
concluded that a combination of delivery methods (such as text-based,
game-based, and video-based) should determine the training type. Following
Abawajy5, Pawlowski et al.43 recommended that cyber security training
courses should be treated as problem-centered, utilizing case studies that are
tailored to student levels of awareness. Alternatively, Son et al.44 suggested a
different cyber security teaching approach: integration of security labs with the
curriculum in three forms – (1) pure virtual, (2) traditional physical, and (3)
hybrid. They concluded that security labs should be an essential part of the
curriculum, although they suggested that the deployment model should be
based on individual institutional requirements. Indeed, Harris and Patten45
developed a cyber-security taxonomy that allows moving security issues from
higher-level courses to lower and intermediate ones. Recently, Bong-Hyun et
al.46 emphasized the importance of developing internet-based cyber training
programs in higher education institutions, offered and distributed via e-mail
and mobile devices, with formal or informal training sessions and presentation
types (Shtudiner et al.47). Even so, the literature tends to be characterized by
calls for more research to address insufficient knowledge of the relationships
between individual awareness, knowledge, and self-reported behavior in cyber
mitigation processes and the use of protection tools. Such studies should then
help facilitate the development of substantive individual cyber security
training programs.
As such, the purpose of this research is to provide a theoretical and practical
solution to the global lack of cyber security awareness, knowledge, and behavior,
highlighting the need for cyber security training programs in educational and
academic institutions to generate improved individual cyber security outcomes.
Our hypotheses are thus the following:
H1: Cyber security knowledge is positively connected to cyber awareness.
H2: The company an employee works for will moderate the connection between
cyber knowledge and cyber security awareness.
H3: Employees with higher cyber security awareness will engage in more cyber
protection behaviors.
H4: Cyber security awareness will serve as a mediator between cyber
knowledge and cyber protection, i.e., individuals with greater cyber knowledge
will be more aware of potential cyber hazards and, therefore, exhibit more
cyber protection behavior than individuals who lack the needed levels of
awareness or knowledge.
To the best of our knowledge, this is the first study to compare internet user
behaviors and level of cyber security awareness and knowledge in the four
selected countries based on their GDP differences. It is important to note that
the research was conducted on a student sample. Even so, the study findings
may stimulate follow-up research on the effectiveness of cyber security training
programs in similar countries with a wider sample of respondents.
The study model is provided in Figure 1.
Figure 1. Study model: Cyber Knowledge → Cyber Awareness (H1) → Cyber
Protection Behavior (H3); H4 denotes the mediated path from knowledge to
protection via awareness, and H2 the moderating effect of the employee's
working company on the knowledge–awareness link.
CHAPTER THREE
3. Research methodology
3.1. Subjects
A paper-based survey was distributed to employees of PLV Digital Investment
Ltd and Zan Fast Ferries. In each company, the subjects were located through
convenience sampling, with the assistance of the relevant department in the
company. Since different disciplines require varying levels of cyber knowledge,
we chose to focus on Management and/or Business Administration departments
as a baseline for our comparison.
3.2. Instruments
To provide a theoretical framework, we developed a questionnaire that included
several questions aimed at testing the subjects' overall familiarity with cyber
security issues as well as, specifically, their level of awareness of cyber security
risks. To develop the questionnaire, we used face validity. As such, the
measurements were developed by a research team, most of whom are experts
in cyber education. The researcher formulated several questions to capture the
level of cyber awareness and cyber hazard awareness, the behaviors exhibited
when confronted with cyber threats and the knowledge regarding cyber, in
general, and cyber-attack, in particular. After deleting redundant questions,
the questionnaire was delivered to the subjects. The type of cyber security
defense activity used by the subjects was also explored. This ranged from participating
in cyber security training programs to more focused cyber behaviors such as
installing specific cyber security defense tools. Each respondent was also asked
to report their previous cyber knowledge, internet usage, and cyber security
behavior.
Classification was based on three criteria: (1) level of cyber security awareness
(Awareness), (2) knowledge of cyber security and threats (Knowledge), and (3)
attempts to prevent cyber-attack (Behavior).
3.2.1. Awareness
Awareness was measured with the question: “To what degree are you familiar
with the term cyber security?” The item was on a scale of 4 degrees, with 1 – no
knowledge to 4 – very good knowledge.
3.2.2. Knowledge
We measured respondent knowledge of several aspects of cyber security, cyber
threats, and general cyber knowledge as follows:
3.2.2.1. Threats.
Threats were measured by presenting respondents with different cyber security
scenarios and asking them to rate the degree of threat. Threat types included
loss of data, loss of money, blocked access to information, etc. We
measured the answers on a Likert scale that ranged from 1 – strongly disagree
to 5 – strongly agree. We also measured the total amount of threats (“threats”)
by calculating the mean score of the different items. Therefore, the higher the
total score, the higher the amount of threats that the respondents estimated
during a cyber-attack.
3.2.2.2. Education awareness.
We measured the level of respondent education awareness (“edu_awareness”) by
asking the extent to which their current education influenced their
cyber-security awareness. This was ranked on a Likert scale, ranging from 1 –
definitely not affected to 5 – strongly affected. We also measured whether
employees had attended IT security training (“IT_past”) on a three-level scale
(1-yes, 2-no, 3-I’m not sure). We transformed this variable into a dummy
variable based on attendance (“d_attendance”), with 1 – attended cyber security
course or program and 0 – other. We asked respondents about their desire to
attend an IT security training program to improve cyber security awareness
(“IT_future”) on a Likert scale that ranged from 1 – definitely not to 5 –
definitely yes. We measured knowledge by asking if respondents know the
difference between the http and https protocols (“Recognition”) on a binary scale (1-
yes, 0-no). Lastly, we measured respondent knowledge of different programs
and applications such as text editors, spreadsheets, social media, etc. The
answers were rated on a Likert scale from 1 – no skill to 5 – very high skills. We
also measured the total mean score for the different items (“computer
knowledge”).
Higher results indicated that respondents possess more skills using computer
programs and applications.
3.2.2.3. Familiarity.
To measure familiarity, respondents were asked to evaluate their knowledge of
cyber security issues based on a series of different items. These included
internet sources, university courses, IT journals, etc. Respondents had to
report if they have (1) or do not have (0) sufficient knowledge of each item. We
also measured total amount of familiarity (“familiarity”) by summing responses.
Therefore, the higher the result, the higher the amount of respondent
familiarity with cyber security knowledge.
3.2.3. Behavioral aspects
Several questions measured the means used by the respondents to prevent
cyber-attack situations. For the first behavioral variable, we presented the
respondents with different types of personal information and measured their
readiness to provide each item if asked for it by a digital media outlet.
Items included information regarding: home address, age, e-mail password, etc.
Each question was measured on a categorical scale (1-yes, 0-no). We calculated
the total information provided (“provide”) by summing the score of the different
types of information. Therefore, the higher the score, the higher the respondent
level of agreement to reveal information on the internet.
In the second behavioral variable, we showed the respondents different means,
tools, or applications (e.g. a strong password or spam protection) and asked them
whether they use each instrument to avoid cyberattack on a categorical scale
(1-yes, 0-no). We calculated the total protection (“protection”) by summing the
score of the different types of instruments.
Therefore, the higher the score, the higher the level of respondent protection of
their computer from cyberattack. The researcher also asked a directed question
regarding their knowledge in case of cyberattack (“behavioral”) on a scale from
1 – definitely no to 5 – definitely yes. Since the question measured lack of
knowledge of how to behave, its direction was negative. The higher the
response, the less knowledge they possessed in the event of a cyber-attack.
Another behavioral variable measured whether using cyber products and
services made respondents feel as if their knowledge of cyber-attacks was
forced on them or acquired by choice (“Choice”). The question was measured on
a Likert scale that ranged from 1 – definitely by coercion to 5 – definitely by
choice.
To measure how respondents protect their devices, the researcher asked them to
list the length of a standard account password (e-mail, social media, etc.)
(“Length”) and whether they use the same password (“password”) for different
portals, systems, and applications on a categorical scale (1-yes, 0-no). We also
asked respondents to describe their behaviors when finishing up work on their
computer. Presented with individual activities such as shutting down or
locking their computer, they were requested to confirm if they engaged in (1) or
did not engage in (0) these behaviors. We measured a total score for each
respondent such that the higher the results, the more the subjects ensured
their computer was safe (“finish”).
3.2.4. Characteristics of the sample
The researcher measured gender (male – 1, female – 0), level of education
(1 – no academic background to 6 – PhD level), type of study (1 – IT, 0 –
Computer Science) and company (1 – PLV, 2 – Zan Fast Ferries, 3 – Simba Net,
4 – Cats Net).
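As an added illustration of how the section 3.2 composites are scored and how the H4 mediation model (knowledge → awareness → protection) can be tested, the following Python is not the study's own analysis code. The respondent records are constructed, the variable labels ("protection", "familiarity", "provide", "finish", "d_attendance", "computer knowledge", "behavioral") follow the text, and the function names (score_respondent, mediation, ols_two, run_example), the four-item skill list, and the reverse-coding of the negatively directed "behavioral" item are this example's assumptions. The mediation test is the standard product-of-coefficients approach with ordinary least squares; the text does not state which estimator the study used.

```python
"""Scoring the section 3.2 survey composites and testing the H4 mediation path
(knowledge -> awareness -> protection) by ordinary least squares.  Added example,
not the study's analysis code: respondents are constructed; reverse-coding the
negatively directed "behavioral" item is this example's assumption."""
from statistics import mean

# Constructed respondents (not study data).  Binary items use 1 = yes / 0 = no;
# "tools" has 11 entries to mirror the 11 protection options in the text.
RESPONDENTS = [
    {"skills": [5, 5, 4, 4], "awareness": 4, "it_past": 1, "behavioral": 2,
     "tools": [1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1], "familiar": [1, 1, 1, 0],
     "provide": [0, 0, 0, 1], "finish": [1, 1]},
    {"skills": [3, 3, 2, 2], "awareness": 2, "it_past": 2, "behavioral": 4,
     "tools": [1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0], "familiar": [1, 0, 0, 0],
     "provide": [1, 1, 0, 1], "finish": [0, 1]},
    {"skills": [4, 4, 4, 3], "awareness": 3, "it_past": 3, "behavioral": 3,
     "tools": [1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0], "familiar": [1, 1, 0, 0],
     "provide": [0, 1, 0, 1], "finish": [1, 0]},
    {"skills": [5, 4, 5, 5], "awareness": 4, "it_past": 1, "behavioral": 1,
     "tools": [1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1], "familiar": [1, 1, 1, 1],
     "provide": [0, 0, 0, 0], "finish": [1, 1]},
    {"skills": [2, 2, 1, 2], "awareness": 1, "it_past": 2, "behavioral": 5,
     "tools": [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0], "familiar": [0, 0, 0, 0],
     "provide": [1, 1, 1, 1], "finish": [0, 0]},
]

def composite_sum(items):
    """Total of 1/0 items: the "protection", "familiarity", "provide", "finish" scores."""
    if any(v not in (0, 1) for v in items):
        raise ValueError("binary items must be coded 1 (yes) or 0 (no)")
    return sum(items)

def composite_mean(items, low=1, high=5):
    """Mean of Likert items: the "threats" and "computer knowledge" scores."""
    if any(not low <= v <= high for v in items):
        raise ValueError(f"Likert items must lie within {low}..{high}")
    return mean(items)

def dummy_attendance(it_past):
    """IT_past (1 yes, 2 no, 3 not sure) collapsed to d_attendance (1 attended, 0 other)."""
    if it_past not in (1, 2, 3):
        raise ValueError("IT_past must be 1, 2 or 3")
    return 1 if it_past == 1 else 0

def reverse_code(score, low=1, high=5):
    """Flip the negatively directed "behavioral" item so that higher = more knowledge."""
    return low + high - score

def score_respondent(r):
    """Derive the section 3.2 composites from one raw record."""
    return {"computer_knowledge": composite_mean(r["skills"]),
            "awareness": r["awareness"],
            "protection": composite_sum(r["tools"]),
            "familiarity": composite_sum(r["familiar"]),
            "provide": composite_sum(r["provide"]),
            "finish": composite_sum(r["finish"]),
            "d_attendance": dummy_attendance(r["it_past"]),
            "behavioral_knowledge": reverse_code(r["behavioral"])}

def ols_slope(x, y):
    """Slope of y regressed on x (intercept included)."""
    mx, my = mean(x), mean(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    return sum((xi - mx) * (yi - my) for xi, yi in zip(x, y)) / sxx

def ols_two(x1, x2, y):
    """Slopes (b1, b2) of y on x1 and x2 with intercept, solving (X'X) b = X'y."""
    cols = [[1.0] * len(y), [float(v) for v in x1], [float(v) for v in x2]]
    a = [[sum(p * q for p, q in zip(cols[i], cols[j])) for j in range(3)]
         + [sum(p * yi for p, yi in zip(cols[i], y))] for i in range(3)]
    for c in range(3):  # Gaussian elimination with partial pivoting
        p = max(range(c, 3), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        if abs(a[c][c]) < 1e-12:
            raise ValueError("collinear predictors: mediation paths not identifiable")
        for r in range(c + 1, 3):
            f = a[r][c] / a[c][c]
            a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    b = [0.0, 0.0, 0.0]
    for i in (2, 1, 0):  # back substitution
        b[i] = (a[i][3] - sum(a[i][j] * b[j] for j in range(i + 1, 3))) / a[i][i]
    return b[1], b[2]

def mediation(x, m, y):
    """Product-of-coefficients mediation: a = m on x, b = y on m given x,
    direct c' = y on x given m, total c = y on x; with OLS, a*b == c - c'."""
    a = ols_slope(x, m)
    b, direct = ols_two(m, x, y)
    total = ols_slope(x, y)
    return {"a": a, "b": b, "direct": direct, "total": total, "indirect": a * b,
            "proportion_mediated": a * b / total if total else float("nan")}

def run_example():
    """Score the constructed sample and test knowledge -> awareness -> protection."""
    scored = [score_respondent(r) for r in RESPONDENTS]
    return mediation([s["computer_knowledge"] for s in scored],
                     [s["awareness"] for s in scored],
                     [s["protection"] for s in scored])
```

With OLS and an intercept in every equation, the total effect decomposes exactly into direct plus indirect (c = c' + a·b), so `run_example()` can be checked against that identity regardless of the sample; the value of "proportion_mediated" is what a partial-mediation claim such as the one made later for H4 rests on. A real analysis would add bootstrap or Sobel standard errors for the indirect effect, which this example omits.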
3.3. Procedure
The questionnaire was uploaded to the internet for the respondents from the
four tested countries. The authors distributed the site link to the respondents
in class during the academic year of 2017. The questionnaire was in English.
Chapter Four
In parallel with high cyberattack awareness, respondents avoid disclosure of sensitive
information on the web, especially e-mail passwords (4%), ID number (2%), home
address (5%), social network login (1%), and phone number (3.6%). Their only
readiness was to provide their age (7%). Other positive respondent cyber security
habits include using strong password (85%), installing antivirus software (75%),
regular data backup (61%), frequent password changes, and updating software
(approximately 56%). On the other hand, only 45% used spam protection, 35%
avoided using a public computer, and just 15% performed computer security audits.
When asked about the means they use to protect their devices against 11 threat
options, respondents used five protection tools on average. About 56% of respondents
used the same password for different applications and usages, with an average password
length of six characters. Lastly, only two protection behaviors were conducted at the
end of usage: logging off all programs (51%) and shutting down the computer (66%).
Therefore, respondent behavior indicated a discrepancy between awareness and
amount of activities used to protect themselves from cyberattacks.
This gap may be attributed to participant knowledge. Based on self-evaluation of skills
and knowledge, the results indicated that respondents reported having sufficient
knowledge (25%) especially of e-mail (89%), computer applications (97%), web
browsers (98%), smartphone (99.4%), and social networks (75%). They felt less secure
about web page development (30%), application development environments (44%),
network architecture (7.7%), and computer architecture (5.90%). Judging their
knowledge of IT security, most respondents never attended an IT security training
program in the past (around 66%), but were willing to participate in this kind of
training in the future (98%). Even so, we need to treat this readiness with caution,
since results may suggest a social desirability bias.
That is, respondents may feel more obligated to participate in future training after
having a host of cyber threats pointed out to them. Indeed, when asked about their
behaviors, only 11% reported taking part in cyber security courses.
CHAPTER FIVE
Summary of findings
Conclusion
Recommendations
References
Appendix
The study shows that some questionnaire respondents protect their computers
from cyberattacks.
Figure 3: The interaction between computer knowledge in Zan Fast Ferries and
level of awareness.
These results thus support our last hypothesis, that awareness (partially)
mediates the connection between knowledge and cyber protection behaviors.
That is, subjects with more device usage knowledge were more aware of cyber
hazards. This awareness was connected to amount of protection methods and
measures used to protect their devices. As such, it is not just the amount of
device usage; it is more the level of awareness that determines their attempts to
reduce the chances of cyber-attack.
Chapter Five
5. Discussion
Research results show that internet users are aware of the term “cyber
security”. Therefore, respondents know that using the internet may expose
them to multiple threats: violation of privacy, loss of money or data, damage to
devices, surveillance of themselves or any organization to which they belong,
etc. However, we also found a discrepancy between respondent attitude and
behaviors. As with previous studies (e.g. Imgraben et al.48; Rek and
Milanovski49), we found that respondents take only basic and insufficient
action such as using strong password protection and installing antivirus
software. Only a minority engage in more sophisticated protection activities
that require a deeper knowledge of cyber security, such as avoiding using an
open free network, performing computer security audits, or avoiding using
public computers. Since these activities are no costlier, the reason for this
discrepancy remains unknown. While previous studies suggested that people
avoid engaging in extensive cyber-attack precautions (e.g. Rek and
Milanovski49), we suggest that respondent cyber knowledge may explain this
gap.
activities when finishing work on the computer. This gap can be explained
through the Theory of Planned Behavior (TPB) (Fishbein and Ajzen50). TPB
claims that intention is the best predictor of any planned behavior. Therefore, if
threats to computer security are taken seriously, then it is more likely that
motivation will be found to institute appropriate protective measures. Even so,
behavior is also affected by elements such as the amount of self-efficacy and
controllability. As such, perception of situations as subject to control due to
individual knowledge increases motivation to act. Thus, we found that
respondents with more cyber security knowledge take more steps to prevent
attacks, especially when defense tools are simple and familiar to internet users.
When an action demands higher specialized knowledge, this connection was
found to be more complicated. People may be aware of a hazard and want to
protect their devices but feel insecure about the appropriate measures, and
this can reduce motivation to explore additional options. Indeed, we found that
knowledge of cyber and Internet usage was connected to protection activities
through the mediation of cyber security awareness. These results highlight the
important role of cyber security programs to motivate users to take proactive
behaviors. The researcher also found a connection between awareness, knowledge,
and behaviors and the country of the respondent.2 Turkish respondents viewed
cyber security as very risky and threatening. Take Israel as an example, a
country confident in its ability to fight cyber-crime.
Israelis showed less concern, as did Poles. These findings can be attributed to
cultural differences. Israel is known as a cyber-security innovation leader
(Tabansky51). Israelis tend to “outsource” their cyber security concerns to
service providers and organizations, confident in their technological
sophistication to ensure a safe internet environment. This may explain why
Israelis were the least cautious information sharers and lowest in cyber threat
avoidance. Indeed, Tabansky51 describes Israel as a country that continuously
strives to develop cyberspace solutions. Israel is one of the top five global
superpower nations as ranked by the National Cyber Initiative (Sabilion et
al.52). It can be reasonably claimed that many citizens in these countries are
under the mistaken impression that they have sufficient knowledge or defense
tools to counter cyber risks. In fact, they tend to be less actively involved in
daily mitigation of privacy and data and information leaks. In countries with
less cyber security development, such as Turkey, cyber security awareness is
more linked to the individual implementation of cyber protective behaviors.
One explanation for the differences between PLV and the other companies can
be attributed to variations in questionnaire language. As noted, the PLV
participants filled out the questionnaire already familiar with the phenomenon,
since they serve as IT support, while all other subjects work in different businesses.
This difference may have produced biases in response, especially if the non-IT
experts lack full reading comprehension of technology. However, all non-PLV
employees and customers comprising our sample are required to possess
high-level knowledge proficiency, and this discrepancy can only explain part of
the differences and should not be regarded as their main source. Even so, PLV
is well advised to develop its training programs in this field. Future
comparative research should focus on senior management cyber security
habits in the two evaluated companies. Thus, we claim that the more a
developed company (i.e., with substantial GDP value) invests resources in
cyber tools (such as PLV), the more its efforts should be directed to educating
and increasing awareness. While mediation was found between (one type of)
knowledge, awareness, and protection, we feel that there are other factors that
can explain why people do not protect their devices with more defenses. Using
TPB (Fishbein and Ajzen50), more research should explore the effects of
psychological factors, such as self-efficacy and national-cultural values
(Hofstede53; Klein and Shtudiner54) on internet user behaviors.
awareness among their employees. Further studies should focus on capturing
how behaviors of organizations affect employee cyber security awareness.
The urgency to reduce employee and individual cyber risks has only increased.
As such, senior managers should build practical training workshops and study
programs with cyber awareness courses in order to:
b. Cultivate new attitudes toward cyber risk and responsibility for maintaining
organizational data;
d. Develop new rules informing best cyber practices. Future research should
also focus on all aspects of this call to action.
Chapter Six
It is important to point out that this study has some limitations that should be
taken into consideration. The limitation of this study lies mainly with the type
of respondents. The sample size was based on Small Scale Enterprises mainly
from Dar es Salaam, which deal with IT support solutions. To improve the
study’s robustness, it is recommended to use a wider sample size, one that is
not a convenience sample and spans various disciplines.
Another criticism can be derived from the measurement of the variables. The
researcher used face validity in constructing the questionnaire, relying on a
team of experts to develop our survey tool. However, since this is one of the few
studies to measure cyber security awareness, knowledge, and behavior, the
questionnaire should be retested to strengthen its reliability and validity.
Future studies should develop specific instruments to measure cyber security
awareness and knowledge55. Although we measured this variable using a
single-item scale, multi-item scales were found to exhibit higher reliability.
Even so, some researchers have suggested that if a single-item question can
elicit valuable information, its simplicity can benefit its
reliability and validity, even at the expense of extensive detail (Bowling56). Still,
more comprehensive instruments to assess cyber security awareness are
desirable.
In sum, our current reality is in many ways a cyber one. The internet is deeply
embedded in our daily life, and our dependency on connected mobile devices
seems likely to only increase. Yet with growing dependency comes elevated risk
of cyber-attack victimization. Future work should focus on exploring how
specific training programs based on our study findings improve levels of cyber
knowledge, awareness and skill-based behaviors.
References
Abawajy J. User preference of cyber security awareness delivery methods.
Behav Inf Technol. 2014;33(3):237–48. doi:10.1080/0144929X.2012.708787.
Sasse MA, Flechais I. Usable security: why do we need it? How do we get it?
O’Reilly. 2005. http://discovery.ucl.ac.uk/20345.
Aloul FA. The need for effective information security awareness. J Adv Inf
Technol. 2012;3(3):176–83. doi:10.4304/jait.3.3.176-183.
Lee KG, Chong CW, Ramayah T. Website characteristics and web users’
satisfaction in a higher learning institution. Int J Manage Educ.
2017;11(3):266–83. doi:10.1504/IJMIE.2017.084926.
Schneier B. Secrets and lies: digital security in a networked world. Indianapolis
(IN): Wiley Publishing, Inc; 2000.