Computers & Security 118 (2022) 102732

Contents lists available at ScienceDirect

Computers & Security

journal homepage: www.elsevier.com/locate/cose

The self-assessed information security skills of the Finnish population:

A regression analysis
Maiju Kyytsönen∗, Jonna Ikonen, Anna-Mari Aalto, Tuulikki Vehko
Finnish Institute for Health and Welfare, P.O. Box 30, Helsinki FI-00271, Finland

a r t i c l e i n f o a b s t r a c t

Article history: Instead of traditional services, citizens are increasingly being offered e-services, which require informa-
Received 29 November 2021 tion security skills. However, the majority of research on information security skills has been conducted
Revised 1 March 2022
in homogenous groups of people. The purpose of this study was to describe self-assessed information
Accepted 16 April 2022
security skills of the population of Finland and factors associated with the skills. A population survey
Available online 20 April 2022
covering inhabitants aged 20 and upwards was conducted from September 2020 to February 2021. The
Keywords: cross-sectional dataset was weighted (n = 6023) to ensure it represented the population. Descriptive
Information security statistics were used to establish an initial understanding. Then a regression analysis was conducted to
Cybersecurity identify the variables that were associated with information security skills. The results demonstrate that
Data protection 78% of the respondents assessed their information security skills as good. There was a strong positive
Data privacy association between Internet skills and information security skills. Other factors that demonstrated a sta-
Skills
tistically significant association were age, level of education, financial situation, e-service use, information
Logistic regression analysis
Population survey
security concerns, functional health deficits, and major depression. Even though the majority of people
were confident in their information security skills in the online environment, there was evidence of a
skills gap that affected people in all age groups, more often senior citizens. The findings of this study
increase our understanding of information security skills at the population level. The results can be used
to identify groups who are not confident in their information security skills and for designing safer e-
services and education or guidelines on information security.
© 2022 The Authors. Published by Elsevier Ltd.
This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)

Introduction destruction, or damage (European Parliament and Council of Eu-

Digital services, both public and private, have spread across dif-
ferent sectors. For example, in Finland the Internet is often used
for bank services (87% of the population), sending, or checking
emails (87%) and reading news (85%) (Official Statistics of Fin-
land, 2020). Additionally, healthcare providers are increasingly of-
fering e-services instead of traditional services. In 2020 as much
as 64 percent of the population had used Finland’s national medi-
cal record service for the citizens (My Kanta Pages) and every fifth
had met a healthcare or social welfare professional online during
the past 12 months (Kyytsönen et al., 2021). The use of these e-
services generates data, which calls for confidentiality, integrity,
and availability of the generated data. The European Union’s Gen-
eral Data Protection Regulation demands that data is processed in a
lawful, fair, and transparent manner and that it is protected from
unauthorized and unlawful processing as well as accidental loss,
∗
Corresponding author.
E-mail address: maiju.kyytsonen@thl.fi (M. Kyytsönen).
ropean Union, 2016). Unfortunately, not all e- services fulfil these
requirements. For example, a mobile health app analysis revealed
that a large proportion of the analyzed apps failed to protect the
users’ sensitive health information from inappropriate usage, pro-
cessing, or disclosure to third parties (Papapgeorgiou et al., 2018).
These shortcomings stress the importance of e-service users eval-
uating the service provider’s trustworthiness and whether to share
personal information on the platform.
Information security has been defined as protection of informa-
tion assets against threats and vulnerabilities (von Solms & van
Niekerk, 2013). Horne et al. (2016) have further suggested that
information security is the act of people consciously or subcon-
sciously creating resources from information and applying con-
trols to avoid facing threats. The protective measures tailored to
individual or organizational needs are a key element in securing
sustainable information resources (Horne et al., 2016). The con-
cept of information security is not essentially related to infor-
mation and communication technology (von Solms & van Niek-
erk, 2013), but in practice it is commonly used in Internet research

https://doi.org/10.1016/j.cose.2022.102732
0167-4048/© 2022 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al.
(Kruger & Kearney, 2006; Pattinson et al., 2015; Öğütçü et al., 2016;
McCormac et al., 2017; Jaeger & Eckhardt, 2021).
In the context of cybercrime, different stakeholders can have
various crime-related roles as human related factors are hyper-
connected, occurring through diverse interactions in both the phys-
ical and cyber environment (Islam et al., 2019). According to X-
Force Threat Intelligence Index, healthcare sector was the seventh
most attacked industry in 2020, rising three places from 2019
(Singleton, 2021). In the healthcare sector, cyber threats have been
divided into three categories, which are attacks exploiting IT infras-
tructure vulnerabilities, ransomware attacks and attacks exploiting
human vulnerability (Nifakos et al., 2021). Consequently, the real-
ization of safe e-services requires safe design and maintenance of
the services, but also information security skills (ISS) from the ser-
vice users.
A systematic review in the domain of healthcare recognized re-
sisting social engineering attacks as a key element in securing pa-
tient information (Nifakos et al., 2021). One form of social engi-
neering attack is phishing, where efforts are made to manipulate
a person to disclose personal information, for example via email
(Jaeger & Eckhardt, 2021). Trust is an important factor of infor-
mation security (Henshel et al., 2015), which should especially be
considered in the context of healthcare e-service use. The review
underlined the importance of providing standardized cybersecu-
rity training to healthcare professionals, but also drew attention to
social media platforms, where personal data is sometimes shared
without sufficient reflection and necessary privacy settings making
social media users vulnerable to cyberattacks (Nifakos et al., 2021).
Background
Information security behavior
Data protection is generally valued by the public (Noor, 2020;
Pleger et al., 2021) whereas collection, usage and sharing of per-
sonal information online are seen as problematic (Boerman et al.,
2018). For example, targeted advertising based on personal in-
formation has been described as creepy (Hinds et al., 2020) and
breaches of data protection as disturbing (Noor, 2020). Less than
five per cent of people use the Internet in a carefree way and
do not have many privacy concerns (Kruikemeier et al., 2020).
Yet some studies suggest that perceived susceptibility to online
privacy threats does not significantly influence protective behav-
ior (Boerman et al., 2018) or use of social media (Baruh et al.,
2017). On average, online privacy is protected rarely or occasion-
ally (Boerman et al., 2018).
Valuing data privacy yet acting in a way which does not ensure
it, is called the privacy paradox (Gerber et al., 2018). According to a
literature review, higher privacy concerns were able to explain 17%
of taking privacy protective measures (Baruh et al., 2017). There
is also evidence that risk-averse and cautious people adapt their
behavior more often to protect their data privacy (Baruh et al.,
2017; van Bavel et al., 2019; Kruikemeier et al., 2020) and have
a higher level of information security awareness (McCormac et al.,
2017). Being aware of contextual clues has also previously been ob-
served to correlate with successfully identifying a phishing web-
site (Egelman et al., 2016). Reasons for behaving in an ostensibly
conflicting manner may be due to the observed benefits outweigh-
ing the risks (Kokolakis, 2017; Gerber et al., 2018) or because the
available measures are not believed to be effective (Boerman et al.,
2018).
Information security skills and factors associated with the skills
The data privacy regulations are centred on individual privacy
literacy and self-management (Baruh & Popescu, 2017). Yet major-
2
Computers & Security 118 (2022) 102732
ity of people believe that companies control the use of their per-
sonal information (Pleger et al., 2021) and many lack the necessary
skills to execute data protection measures (Baruh & Popescu, 2017).
For example, 34% of respondents in an online study did not know
if they had used private mode in their browser and 18% had never
refrained from visiting a website (Boerman et al., 2018). In Fin-
land, 40% of smartphone users had not changed their application
settings to restrict access to personal data (Official Statistics of
Finland, 2020). Many social media users were also not aware of
how their data is being collected and used or that their social
network affects algorithms of targeted advertising (Hinds et al.,
2020). Social media users’ perceptions of risk have been shown
to be highest in the subarea of information sharing. Precautions
are most often taken regarding phone number and email address,
but at the same time over tenth of the participants were unaware
whether they had protected the information (van Schaik et al.,
2018).
Privacy behavior has been shown to strongly correlate with In-
ternet skills (Büchi et al., 2017) and familiarity with computers if
the end-user is aware of a potential threat (Pattinson et al., 2012).
Basic computer skills have also been recognized to contribute to
ISS (Rajivan et al., 2017). All in all, measuring skills related to
information security in digital environments has been argued to
be hard, e.g. because of uneven skills profiles (Giboney et al.,
2016). An experimental study on phishing emails observed that
when participants were informed about the study theme, they per-
formed better compared to participants who were not informed.
The study further demonstrated that the personality traits of ex-
traversion and openness were associated with better performance
among not-informed participants. (Pattinson et al., 2012.)
Both security behavior and privacy concerns are affected by
the country of origin (van Bavel et al., 2019; Pleger et al., 2021).
However, the effects of gender on information security awareness
are inconsistent (Boerman et al., 2018; McCormac et al., 2017;
Gerber et al., 2018; Gratian et al., 2018). A higher confidence level
seems to decrease caution, when assessing if an email is legiti-
mate or phishing (Canfield et al., 2016). A high education level in-
creases information security awareness (Ögütçü et al., 2016) and a
low education level seems to negatively correlate with privacy be-
havior (Boerman et al., 2018). Prior studies on Internet use have
shown that a higher income level leads to better Internet accessi-
bility (Hargittai et al., 2019; Ojo et al., 2019).
Some behavioral studies suggest that older people navigate
more safely online (van Bavel et al., 2019; Pattinson et al., 2015)
and are more aware of information security (McCormac et al.,
2017), while one study presented no significant correlation be-
tween age and privacy behavior (Boerman et al., 2018). A study on
students’ online behavior concluded that students act in a riskier
way, which is explained on one hand by young people using tech-
nology more often and on the other hand by their lack of negative
experiences due to their younger age (Ögütçü et al., 2016). A con-
nection between experience with phishing and information secu-
rity awareness has been established (Jaeger & Eckhardt, 2021).
Information security research
Even though digital citizenship requires ISS (Masur, 2020), little
is known about ISS at the population level. Previous research has
targeted narrow groups (Kruger & Kearney, 2006; Pattinson et al.,
2015; Ögütçü et al., 2016; McCormac et al., 2017; Gratian et al.,
2018; Hinds et al., 2020), for example participants have been re-
cruited from a university (Gratian et al., 2018; Hinds et al., 2020) or
employment has been set an inclusion criterion (McCormac et al.,
2017). Other studies have been conducted online or certain
online activities have been mandatory in order to participate
(Smit et al., 2014; Pattinson et al., 2015; McCormac et al., 2017;
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al. Computers & Security 118 (2022) 102732

Boerman et al., 2018; van Schaik et al., 2018; van Bavel et al., Table 1
Demographic profile of the respondents (digi-module).
2019; Hinds et al., 2020; Kruikemeier et al., 2020; Pleger et al.,
2021). 95% confidence
In Finland 19% of the population feel that they need help in interval
using healthcare and social welfare e-services (Kyytsönen et al., Respondent group % lower upper
2021). At the same time, ISS need to be updated regularly. There- Sex (n = 6,034)
fore, it can be argued that ISS are essential for a broad group, and male 46 44.0 47.8
it is important to conduct research which acknowledges that. This female 54 52.2 56.0
study aims to research ISS that can protect Internet users form cy- Age (n = 6,034)
20–54 55 52.9 56.5
bercrimes, for example hacking, phishing or scams. The object is
55–74 32 30.9 34.1
to describe the level of self-assessed ISS in Finland and to identify >74 13 12.1 13.5
the variables that are associated with the skills. Education level (n = 5,874)
low 42 40.1 44.0
middle 32 30.1 33.6
high 26 24.5 27.8
Materials and methods Employment status (n = 5,967)
working 47 45.3 49.2
The study was conducted as part of The National FinSote Sur- retired (incl. part-time pension) 35 33.6 36.8
vey, which was carried out by the Finnish Institute for Health unemployed or laid off 5 4.4 6.5
other 12 10.8 13.8
and Welfare from September 2020 to February 2021. The sur-
E-service use (n = 6,034)
vey covered health, well-being and service use among the Finnish independently 81 80.1 82.5
adult population aged 20 to 99. The data was collected by a self- with aid/ someone else uses it on their behalf 6 5.1 6.5
administered mail and online questionnaire that was available in does not use 13 11.9 14.0
Finnish, English, Swedish and Russian.
The cross-sectional main FinSote survey was sent to a repre-
sentative sample (n = 61,600) and an additional digi-module for a Age (register data), sex (register data), length of education, In-
sub sample (n = 13,200). The digi-module contained more detailed ternet skills and information security concerns were included in
questions about the necessary skills in navigating in digital envi- the analysis as they have been identified as potential predictors
ronments and the use of e-services in social welfare and healthcare of ISS (Ögütçü et al., 2016; Baruh et al., 2017; Büchi et al., 2017;
sectors. The sampling method was a stratified random sampling Gerber et al., 2018; Boerman et al., 2018; van Bavel et al., 2019;
design with 22 strata, one for every wellbeing services county in Kruikemeier et al., 2020). The use of the Internet for e-services
Finland. In every wellbeing services county, the sample size was was also analyzed to establish the skills’ usefulness. Financial dif-
280 0 (20 0 0 in age group 20–74-year-olds and 800 in age group ficulties were examined based on prior studies on Internet use
over 75-year-olds). In the digi-module the sample size was 600 in (Hargittai et al., 2019; Ojo et al., 2019). Two variables were selected
every wellbeing services county (400 in age group 20–74-year-olds so that the study could better acknowledge the heterogenous user
and 200 in age group over 75-year-olds) (Parikka et al., 2021). The group of e-services, especially eHealth services. The first variable
main survey was answered by 28,199 respondents and the addi- was major depression, which has previously been shown to asso-
tional digi-module by 6034 respondents corresponding to response ciate with subjective cognition (Srisurapanont et al., 2017; Serra-
rates of 46.4 and 46.5%, respectively. Over-coverage, e.g. invited re- Blasco et al., 2019). The second variable was ‘functional health
spondent had died, has been removed from these response rates. deficit’, which was added to the model since Internet use has been
The dependent variable and internet skills statements were asked reported rarer among people with health conditions (Wang et al.,
in the digi-module, while all other variables were included in the 2011) and since severe disease has been shown to affect a person’s
main survey. ability to use eHealth technology (Witry et al., 2018). Background
It has been recommended to measure ISS with perception- information of the respondents included age in years, sex, em-
based actions (Rajivan et al., 2017) and security behavior with ployment status, education and use of the Internet for e-services
questions that are appropriate for the respondents (Becker et al., (Table 1).
2017). The dependent variable consisted of two statements con- The education level (low, middle, high) variable was based
structed for the survey, where the respondents were asked to as- on the question “How many years altogether have you attended
sess their ISS: (1) I can recognize risks related to information secu- school or studied full time? Including primary and comprehensive
rity (e.g., using the same password in several places) and (2) I can school. ____ years.” The respondents were first divided into 10-year
recognize attempts at fraud (e.g., unexpected emails about winning age groups by gender. After this, terciles of years of education were
the lottery or attempts to collect money disguised as investment calculated in each group and the educational level was defined us-
advice). The used examples were formulated based on typical sit- ing those terciles as cut points. A sum variable measuring financial
uations that internet users come across. A five-point Likert-scale difficulties was constructed from three statements, where at least
was used (completely agree, somewhat agree, neither agree nor one option was selected: have you within the past 12 months ever
disagree, somewhat disagree, and strongly disagree). Before includ- feared that you will run out of food before you can get money to
ing the statements in the survey, they were evaluated by two infor- buy more, been unable to buy medicines or not visited a doctor
mation security experts and 14 research experts as well as seven because you did not have any money (yes/no).
citizens aged 29–88. The generic Internet skills were measured using six validated
Since past studies have concentrated on selected groups or nar- Internet skill statements (completely agree–strongly disagree) pro-
row sections of information security, for example ISS at a uni- posed by van Deursen and others (2016). Two of the statements
versity, the study opted for a more open approach, which has were converted from negative to positive based on feedback from
also been recommended for the study theme (Lebek et al., 2014; the pilot study (n = 7). The statements of ISS and Internet skills
Jeong et al., 2019; Islam et al., 2019). In consequence, the selection formed two sum variables. ISS were considered good if the respon-
of independent variables for this study aimed to recognize possible dent agreed with the two statements. The Internet skill sum vari-
groups that view their ISS level as poor and need help in navigat- able was constructed by summing up the six Internet skill state-
ing digital environments. ments (a 5-point Likert scale) and dividing them by six. If the score

3
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al. Computers & Security 118 (2022) 102732

Fig. 1. Percentage of respondents by age group whose self-assessed information se- Fig. 2. Percentage of respondents in different age groups grouped according to their
curity skills are good (n = 6023) and 95% confidence intervals of the estimates. attitude towards information security concerns and 95% confidence intervals of the
estimates.

Table 2
was two or less, the skill level was considered good (1= completely Wald tests for the multiple logistic regression analysis of self-assessed infor-
agree, 5 = strongly disagree). All missing values in the skill state- mation security skills.
ments were coded as disagree based on assumptions made from P-value (Wald P-value (Wald
the data and to avoid producing overly optimistic results. The sum test), Model 1 test), Model 2
variables’ reliability was tested with a Cronbach’s alpha test. The Age in years <0.001 <0.001
score of the ISS was 0.90 and the Internet skills 0.96. Since a score Sex 0.604 -
of 0.70 or more was considered acceptable, the analyzed values in- Education level <0.001 0.001
dicated a high level of internal consistency (Taber, 2018). Employment status 0.232 -
Self-assessed financial situation 0.031 0.040
Information security concerns were asked using a five-point
Internet skills <0.001 <0.001
Likert scale (completely agree–strongly disagree) as follows: I Information security concerns 0.037 0.047
am concerned about information security when it comes to my Use of e-services <0.001 <0.001
personal details. Respondents were asked about their functional Functional health deficit 0.003 0.006
health deficits in one question: Are you limited because of a health Major depression (MHI-5) 0.034 0.035

problem in activities people usually do (severely limited/limited

but not severely/not limited at all)? Experiencing symptoms of
82.2–84.6%) and risks related to information security (80%, CI 79.1–
major depression was measured using the five-question Mental
81.8%). There was no statistically significant difference between
Health Inventory (MHI-5), which has been successfully used to
men and women (adjusted f-test p = 0.278). Those who assessed
identify people with depressive symptoms. People who received 52
their ISS as good, had studied on average for 14.4 years (CI 14.3–
points or more were considered to showcase symptoms of major
14.6), while those who assessed their skills as poor had on average
depression. (Yamazaki et al., 2005; Cuijpers et al., 2009.)
studied 11.1 years (CI 10.8–11.4).
To enhance the population representation of the collected Fin-
The older age groups assessed their ISS to be systemati-
Sote data, weights (age, sex, marital status, education, residential
cally poorer than those of a younger age group (adjusted f-test
area, and language) were used in the analyses. An inverse probabil-
p = <0.001) (Fig. 1). 90% (CI 89.5–91.4%) of those who reported
ity weighting (IPW) method was selected to account the effects of
good ISS had good Internet skills, while 20% (CI 16.5–23.0%) of
missing data. The model was selected using Bayesian information
those who did not have good ISS, had good Internet skills.
criterion. The associations of independent variables with ISS were
Being concerned about information security when using e-
first examined in a univariate analysis using an adjusted f-test,
services varied between different age groups (adjusted f-test
which is an adaption of Chi-Square-statistics meant for analyzing
p = <0.001). Those aged 20–54 seemed to be less concerned when
differences between groups with statistical weights. Next, a mul-
compared to older age groups (Fig. 2). The same phenomenon was
tiple binary logistic regression analysis was employed to examine
present among those with good ISS: 41% (CI 37.8–45.2%) of over
the relationship of independent variables accounting for all signifi-
74-year-olds and 40% (CI 37.0–42.9%) of 55–74-year-olds with good
cant independent variables simultaneously. First, multiple indepen-
ISS experienced information security concerns, while the percent-
dent variables were added to the model. Then the variables were
age was 30 (CI 27.3–33.3%) in the age group 20–54 (adjusted f-test
reduced to achieve a model with optimal explanatory power using
p = <0.001).
a Wald test. A variance inflation factor (VIF) was used to measure
The logistic regression analysis was done in two phases. In the
the multicollinearity of the variables. The values were between
first model a Wald test indicated that sex and employment status
1.13–1.88. A value of 1 would have indicated no multicollinearity,
were not statistically significant factors for ISS (Table 2). Therefore,
but values lower than five were still acceptable (Daoud, 2017). The
another regression model was constructed without the variables
results were presented as odds ratios (OR) and their 95% confi-
(Tables 2 and 3).
dence intervals (CI). The data was processed in IBM SPSS Statistics
The logistic regression analysis indicated that age in years, ed-
27 (Table 1, Figs. 1 and 2) and R 3.6.3 and the survey 4.0 package
ucation level, financial difficulties, good Internet skills, having no
(logistic regression analysis).
information security concerns, not using e-services independently,
suffering from functional health deficits and experiencing severe
Results symptoms of depression were associated with self-assessed ISS
(Table 3). ISS were most strongly associated with having good In-
The respondents’ sociodemographic profile is presented in ternet skills. A high education level was also positively associated
Table 1. with ISS. Negative associations were found between ISS and age,
The majority (78%, CI 76.9–79.7%) of the respondents thought experiencing financial difficulties, not using e-services indepen-
they were both capable of recognizing attempts at fraud (83%, CI dently, or altogether, suffering from functional health deficits and

4
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al. Computers & Security 118 (2022) 102732

Table 3
Odds ratios and their 95% confidence intervals for determinants of information security skills (logistic regression analysis) and VIF-values for
the variables (Model 2).

OR 95% CI p-value VIF

Lower Upper

Age in years 1.87

Continuous variable 0.98 0.97 0.99 <0.001
Education group 1.23
Low ref∗
Middle 1.29 0.97 1.73 0.083
High 1.86 1.36 2.56 <0.001
Financial difficulties 1.30
Yes 0.64 0.42 0.98 0.040
No ref∗
Good Internet skills 1.88
Yes 12.69 9.06 17.77 <0.001
No ref∗
Information security concerns 1.64
Completely agree ref∗
Somewhat agree 1.33 0.88 2.01 0.170
Neither agree nor disagree 0.86 0.56 1.32 0.488
Somewhat disagree 1.18 0.7 1.99 0.535
Completely disagree 1.45 0.92 2.27 0.106
Use of e-services 1.57
Yes, independently ref∗
Yes, with help or someone 0.64 0.45 0.91 0.013
else uses them for me
No 0.44 0.32 0.61 <0.001
Functional health deficit 1.13
Yes 0.69 0.53 0.9 0.006
No ref∗
Major depression (MHI-5) 1.28
Yes 0.63 0.41 0.97 0.035
No ref∗
∗
reference category

experiencing severe symptoms of depression. Even though the neg-
ative association between age and ISS may seem minor, age does
play a significant role, since each year makes the association more
considerable. Views on experiencing information security concerns
produced conflicting associations, but the most substantial associ-
ation was a positive association between ISS and not having any
information security concerns at all.
Discussion
The aim of the study was to describe the level of self-assessed
ISS in the Finnish general population aged 20 years and upwards
and to identify the variables that are associated with the skills. The
results demonstrated that the majority of the Finnish population
were confident in their ISS, which is in line with the assessment
that Finland is a leading country when it comes to digitalization
(European Commission, 2020). The level of self-assessed ISS seems
to decrease systematically with age. However, the regression anal-
ysis shed a different light on the matter as it indicated that ISS
were most strongly associated with good Internet skills, whereas
age demonstrated a more moderate association.
This work contributed to the research of information security
in the areas of demographics, security concerns, state of health,
and e-service use. Previously, Internet skills, computer skills and
familiarity with computers have been demonstrated to be associ-
ated with privacy protective behavior (Büchi et al, 2017; Pattison
et al., 2012) and ISS (Rajivan et al., 2017). These finding are in line
with our results and a prior study that demonstrated that being
aware of contextual clues, which calls for experience, can help in
detecting a phishing website (Egelman et al., 2016). Prior studies
have described age as a significant factor for information security
behavior and awareness, but the studies have not included Inter-
net skills in their analyses (McCormac et al., 2017; Pattinson et al.,
2015; van Bavel et al., 2019). Measuring Internet skills on top
of age can outline the fact that all age groups include skilled
users.
Other factors that were positively associated with ISS were a
high level of education and having no information security con-
cerns. A high education level has been shown to associate posi-
tively with ISS previously (Ögütçü et al., 2016). It is possible that
highly educated people receive guidance on working in online en-
vironments more often compared to those with a low education
level. Completely disagreeing with being concerned about data se-
curity was positively associated with ISS. On the other hand, some-
what agreeing with having information security concerns was also
positively associated with ISS, which demonstrates that the under-
lying elements behind the associations are more complex than first
appears. A prior systematic review has concluded that privacy con-
cerns are above all explained by situational factors and the web-
site’s reputation (Gerber et al., 2018), which were beyond the scope
of this study but might explain the results to some extent.
Negative associations were discovered between ISS and finan-
cial difficulties, not using e-services independently, suffering from
functional health deficits and experiencing severe symptoms of de-
pression. Financial difficulties have previously been shown to af-
fect Internet use due to less accessibility (Hargittai et al., 2019;
Ojo et al., 2019), which could also be the foundational reason for
the negative association between ISS and financial difficulties. The
negative association between ISS and not using e-services indepen-
dently, or at all, could indicate that the individuals have a lesser
need for ISS. On the other hand, ISS have previously been shown
to reduce risks of privacy loss (Büchi et al., 2017), which outlines
the importance of ISS even for infrequent users of e-services.
Interesting findings included the independent negative associa-
tions between ISS and suffering from functional health deficits and
experiencing severe symptoms of depression. A severe disease has
earlier been shown to affect technology use (Witry et al., 2018). It
has also been suggested that clinical depression predicts subjective

5
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al.
cognitive dysfunction, which does not however correlate with ob-
jective dysfunction (Srisurapanont et al., 2017; Serra-Blasco et al.,
2019). Additionally, it has previously been observed that higher
confidence levels may lead to inclination towards treating emails
as legitimate (Canfield et al., 2016). Therefore, it is possible that
a severe depression does not affect information security behavior
negatively but causes depressed people to assess their skills from
a more negative standpoint. However, this study cannot answer
whether the association would have been found even if ISS had
been measured objectively. The in-depth understanding of the as-
sociation would require a more detailed research frame.
The relevance of sex as a predictor has previously produced
conflicting results (Boerman et al., 2018; McCormac et al., 2017;
Gerber et al., 2018; Gratian et al., 2018). In this study, it was
not a statistically significant factor for ISS, which might be re-
lated to the relatively good state of gender equality in the study
country (ranked second in a country comparison of 156 coun-
tries) (World Economic Forum, 2021). The employment status was
another statistically insignificant variable. Older adults have been
shown to benefit from social support when it comes to digi-
tal skills. The support is often received from family members
(Tsai et al., 2017) and therefore, the absence of social support from
the workplace might not be a decisive factor for pensioners.
Corresponding to previous findings (McCormac et al., 2017), the
older age groups (55–74 and >74) seemed to be concerned about
information security more often when compared to 20–54-year-
olds. Moreover, it has previously been observed that fear, caused
by perceived phishing, provokes motivation for protective behav-
ior (Jaeger & Eckhardt, 2021). In this light, the lack of informa-
tion security concerns especially in the age group of 20–54-year-
olds is alarming. The lack of information security concerns associ-
ated positively with good ISS, of which both were more common
among 20–54-year-olds. This might indicate that having confidence
in one’s own ISS dispels the concerns that one might have over in-
formation security.
Many have already suggested that providing education on data
protection could improve citizens’ standing (Pleger et al., 2021;
Masur, 2020; Gerber et al., 2018). Since attitudes play a part in ac-
tual behavior (Ajzen, 1991) and because younger people especially
seemed to experience less information security concerns, provid-
ing education on information security for the younger population
appears appropriate. Additionally, trust is a crucial factor in ISS
(Henshel et al., 2015) and as the older age groups (55–74 and 75–
99) seem on average to have more information security concerns
and a lower level of ISS, also they should be offered support for
enhancing their ISS. Otherwise, poor skills could act as a barrier for
e-service use. The educational interventions should include help in
assessing one’s own abilities to detect cyber-attacks and in under-
standing the consequences of the attacks (Pattinson et al., 2012).
Ideally citizens should not be the target of security breaches,
and they should have a greater self-determination over their per-
sonal information (Masur, 2020). At the same time, it has been de-
tected that most people do not protect their online privacy very
actively (Boerman et al., 2018; Official Statistics of Finland, 2020),
which might partially be due to the fact that for a regular internet
user, the necessary information security measures are not always
evident (Wash et al., 2017; van Schaik et al., 2018; Boerman et al.,
2018; Hinds et al., 2020). As one solution, well-designed security
warnings and coping messages have been offered, since they have
been shown to improve protective behavior (Pattinson et al., 2012;
Gerber et al., 2018; Boerman et al., 2018; van Bavel et al., 2019;
Jaeger & Eckhardt, 2021). Since the majority of the Finnish popu-
lation are confident in their ISS, introducing motivational functions
could help people to advance from just the observation of informa-
tion security threats to taking (pro)active measures to strengthen
information security.
6
Computers & Security 118 (2022) 102732
The study had both strengths and limitations. Because the study
sample was a national survey covering a wide array of topics, it
was not possible to measure ISS with more than two statements.
It was also decided to measure the skills using subjective self-
evaluation, instead of studying past behavior, for example. Even
though there is scepticism towards self-evaluation, it has been sug-
gested that self-reported security behavior can be accurate espe-
cially on more salient measures taken, e.g. installing an ad-blocker
versus making sure it is running in the background (Wash et al.,
2017). The constructed statements underwent a multifaceted ap-
praisal, which enhances their relevance. Afterwards, the internal
consistency of the instrument was established with a Cronbach’s
Alpha test.
The study sample represented Finland’s population and possi-
ble deviations in the data caused by non-respondents were further
corrected with weights. However, other factors, not accounted in
the survey, may have affected to the decision not to participate in
the study, which cannot be resolved by weighting. The selected
weighting method (inverse probability weighting) has neverthe-
less been found to improve the accuracy of studies made on the
Finnish population (Härkänen et al., 2014). The results represent
Finland’s population and because the country of origin has been
shown to influence findings on the theme (van Bavel et al., 2019;
Pleger et al., 2021), they cannot directly be generalized to other
populations. Causal connections cannot be evaluated based on the
cross-sectional data.
In the future, similar studies on self-assessed ISS that cover a
heterogenous population should be conducted in other countries.
It is important to draw an overall picture of how people find their
own capabilities at a time when crucial services are increasingly
being shifted online. There is also a need for deepening the under-
standing of how a person’s own conception of their ISS correlates
with privacy behavior. Regardless of the approach, it would be im-
portant to include Internet skills as an independent variable.
Conclusions
The paper reported results of a study on self-assessed ISS based
on a representative sample of the Finnish population. The main
findings of the study were that majority of people assessed their
ISS to be good, and that above all, ISS were positively associated
with Internet skills. Therefore, providing education on general In-
ternet skills might also lead to better ISS. People aged 20–54 were
more often confident in their ISS and less concerned about infor-
mation security when compared to over 54-year-olds. The differ-
ence between age groups in terms of experiencing information se-
curity concerns was also present among those, who assessed their
ISS to be good.
An interesting new finding was that experiencing severe symp-
toms of depression and suffering from functional health deficits
were negatively associated with ISS. These findings highlight the
fact that since people are increasingly directed towards e-services,
the users of e-services form a more heterogenous group than be-
fore. For example, patients with multiple morbidities or suffering
from functional health deficits use e-health services that process
their highly sensitive health data. In the future, support for data
protection should be offered proactively. The results of this study
can be used to recognize the groups that are most in need of
support. The findings can also be used, when designing safer e-
services and education or guidelines on information security.
Funding
This work was supported by Finnish Institute for Health and
Welfare and The Ministry of Social Affairs and Health (Finland):
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al.
Monitoring and assessment of social welfare and health care infor-
mation system services, contract 002/OHO/EMR/2019, project num-
ber 414919001.
Declaration of Competing Interest
The authors declared no conflict of interest.
CRediT authorship contribution statement
Maiju Kyytsönen: Conceptualization, Methodology, Formal
analysis, Writing – original draft, Visualization, Project adminis-
tration. Jonna Ikonen: Data curation, Formal analysis, Writing –
review & editing. Anna-Mari Aalto: Conceptualization, Methodol-
ogy, Writing – review & editing. Tuulikki Vehko: Conceptualiza-
tion, Methodology, Writing – review & editing.
References
Ajzen, I., 1991. The theory of planned behaviour. Organ. Behav. Hum. Decis. Process.
50 (2), 179–211. doi:10.1016/0749- 5978(91)90020- T.
Baruh, L., Popescu, M., 2017. Big data analytics and the limits of privacy self-
management. New Med. Soc. 19 (4), 579–596. doi:10.1177/1461444815614001.
Baruh, L., Secinti, E., Cemalcilar, Z., 2017. Online privacy concerns and privacy man-
agement: a meta-analytical review. J. Commun. 67 (1), 26–53. doi:10.1111/jcom.
12276.
Becker, I., Parkin, S. & Sasse, A.M. (2017). Measuring the success of {Context-Aware}
security behaviour surveys. USENIX Association, The LASER Workshop: Learn-
ing from Authoritative Security Experiment Results (LASER 2017), 77-86. https:
//www.usenix.org/conference/laser2017/presentation/becker
Boerman, S.C., Kruikemeier, S., Zuiderveen Borgesius, F.J., 2018. Exploring motiva-
tions for online privacy protection behaviour: insights from panel data. Com-
mun. Res., 0 09365021880 0915 doi:10.1177/0 09365021880 0915.
Büchi, M., Just, N., Latzer, M., 2017. Caring is not enough: the importance of internet
skills for online privacy protection. Information. Commun. Soc. 20 (8), 1261–
1278. doi:10.1080/1369118X.2016.1229001.
Canfield, C.I., Fischhoff, B., Davis, A., 2016. Quantifying phishing susceptibility for
detection and behaviour decisions. Hum. Factors 58 (8), 1158–1172. doi:10.1177/
0018720816665025.
Cuijpers, P., Smits, N., Donker, T., Ten Have, M., de Graaf, R., 2009. Screening for
mood and anxiety disorders with the five-item, the three-item, and the two-
item mental health inventory. Psychiatry Res. 168 (3), 250–255. doi:10.1016/j.
psychres.2008.05.012.
Daoud, J.I., 2017. Multicollinearity and regression analysis. J. Phys. Conf. Ser. 949,
012009. doi:10.1088/1742-6596/949/1/012009.
Egelman, S., Harbach, M., Peer, E., 2016. Behaviour ever follows intention? A vali-
dation of the security behaviour intentions scale (SeBIS). Association for com-
puting machinery. In: Proceedings of the CHI Conference on Human Factors in
Computing Systems, pp. 5257–5261. doi:10.1145/2858036.2858265.
European Commission. (2020). Digital economy and society index (DESI) 2020. The-
matic chapter. European Commission, report.
European Parliament and Council of European Union 2016. (2016). General Data Pro-
tection Regulation 2016/679.
Gerber, N., Gerber, P., Volkamer, M., 2018. Explaining the privacy paradox: a system-
atic review of literature investigating privacy attitude and behaviour. Comput.
Secur. 77, 226–261. doi:10.1016/j.cose.2018.04.002.
Giboney, J.S., Proudfoot, J.G., Goel, S., Valacich, J.S., 2016. The security expertise as-
sessment measure (SEAM): developing a scale for hacker expertise. Comput. Se-
cur. 60, 37–51. doi:10.1016/j.cose.2016.04.001.
Gratian, M., Bandi, S., Cukier, M., Dykstra, J., Ginther, A., 2018. Correlating human
traits and cyber security behaviour intentions. Comput. Secur. 73, 345–358.
doi:10.1016/j.cose.2017.11.015.
Hargittai, E., Piper, A.M., Morris, M.R., 2019. From internet access to internet skills:
digital inequality among older adults. Univers. Access Inform. Soc. 18 (4), 881–
890. doi:10.1007/s10209- 018- 0617- 5.
Henshel, D., Cains, M.G., Hoffman, B., Kelley, T., 2015. Trust as a human factor in
holistic cyber security risk assessment. Procedia Manuf. 3, 1117–1124. doi:10.
1016/j.promfg.2015.07.186.
Hinds, J., Williams, E.J., Joinson, A.N., 2020. It would not happen to me”: privacy
concerns and perspectives following the Cambridge analytica scandal. Int. J.
Hum. Comput. Stud. 143 (2), 102498. doi:10.1016/j.ijhcs.2020.102498.
Horne, C., Ahmad, A., Maynard, S., 2016. A theory on information security. In: Pro-
ceedings of the Australasian Conference on Information Systems. Wollongong,
Australia.
Härkänen, T., Kaikkonen, R., Virtala, E., Koskinen, S., 2014. Inverse probability
weighting and doubly robust methods in correcting the effects of non-response
in the reimbursed medication and self-reported turnout estimates in the ATH
survey. BMC Public Health 14, 1150. doi:10.1186/1471- 2458- 14- 1150, 1150.
Islam, T., Becker, I., Posner, R., Ekblom, M., McGuire, M., Borrion, H., Li, S.,
2019. A socio-technical and co-evolutionary framework for reducing human-
related risks in cyber security and cybercrime ecosystems. In: Wang, G.,
7
Computers & Security 118 (2022) 102732
Bhuiyan, M.Z.A., De Capitani di Vimercati, S., Ren, Y. (Eds.), Dependability in
Sensor, Cloud, and Big Data Systems and Applications. DependSys 2019. Com-
munications in Computer and Information Science. Springer, Singapore, p. 1123.
doi:10.1007/978- 981- 15- 1304- 6_22.
Jaeger, L., Eckhardt, A., 2021. Eyes wide open: the role of situational information
security awareness for security-related behaviour. Inform. Syst. J. 31 (3), 429–
472. doi:10.1111/isj.12317.
Jeong, J., Mihelcic, J., Oliver, G., Rudolph, C., 2019. Towards an improved understand-
ing of human factors in cybersecurity. In: Proceedings of the IEEE 5th Interna-
tional Conference on Collaboration and Internet Computing (CIC), pp. 338–345.
Kokolakis, S., 2017. Privacy attitudes and privacy behaviour: a review of current
research on the privacy paradox phenomenon. Comput. Secur. 64, 122–134.
doi:10.1016/j.cose.2015.07.002.
Kruger, H.A., Kearney, W.D., 2006. A prototype for assessing information security
awareness. Comput. Secur. 25 (4), 289–296. doi:10.1016/j.cose.20 06.02.0 08.
Kruikemeier, S., Boerman, S.C., Bol, N., 2020. Breaching the contract? Using social
contract theory to explain individuals’ online behaviour to safeguard privacy.
Med. Psychol. 23 (2), 269–292. doi:10.1080/15213269.2019.1598434.
Kyytsönen, M., Aalto, A., & Vehko, T. (2021). Social and health care online ser-
vice use in 2020–2021: experiences of the population (English abstract).
Finnish Institute for Health and Welfare, report 7/2021, http://urn.fi/URN:ISBN:
978- 952- 343- 680- 0
Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.H., 2014. Information secu-
rity awareness and behavior: a theory-based literature review. Manag. Res. Rev.
37 (12), 1049–1092. doi:10.1108/MRR- 04- 2013- 0085.
Masur, P., 2020. How online privacy literacy supports self-data protection and self-
determination in the age of information. Med. Commun. 8 (2), 258–269. doi:10.
17645/mac.v8i2.2855.
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., Pattinson, M., 2017.
Individual differences and information security awareness. Comput. Hum. Be-
hav. 69, 151–156. doi:10.1016/j.chb.2016.11.065.
Nifakos, S., Chandramouli, K., Nikolaou, C.K., Papachristou, P., Koch, S., Panaousis, E.,
Bonacina, S., 2021. Influence of human factors on cyber security within health-
care organisations: a systematic review. Sensors 21 (15), 5119. doi:10.3390/
s21155119.
Noor, M.U., 2020. Indonesian millennial awareness to privacy and personal data
protection on the internet. DESIDOC J. Libr. Inf. Technol. 40 (2), 83–88. doi:10.
14429/djlit.40.2.14969.
Official Statistics of Finland. (2020). Use of information and communications tech-
nology by individuals. Statistics Finland, statistical report. Retrieved 13.9., 2021,
http://www.stat.fi/til/sutivi/index_en.html
Öğütçü, G., Testik, Ö.M., Chouseinoglou, O., 2016. Analysis of personal information
security behaviour and awareness. Comput. Secur. 56, 83–93. doi:10.1016/j.cose.
2015.10.002.
Ojo, A.O., Arasanmi, C.N., Raman, M., Tan, C.N.L., 2019. Ability, motivation, opportu-
nity and sociodemographic determinants of Internet usage in Malaysia. Inf. Dev.
35 (5), 819–830. doi:10.1177/0266666918804859.
Papageorgiou, A., Strigkos, M., Politou, E., Alepis, E., Solanas, A., Patsakis, C., 2018.
Security and privacy analysis of mobile health applications: the alarming state
of practice. IEEE Access 6, 9390–9403. doi:10.1109/ACCESS.2018.2799522.
Parikka, S., Koskela, T., Ikonen, J., & Hedman, L. (2021). The adult population’s well-
being, health and services – FinSote 2020, regional differences in the service
experiences and well-being of adults. Finnish Institute for Health and Welfare,
statistical report 16/2021, http://urn.fi/URN:NBN:fi-fe2021052731871
Pattinson, M., Butavicius, M., Parsons, K., McCormac, A., Calic, D., 2015. Factors that
influence information security behaviour: an Australian web-based study. In:
Tryfonas, T., Askoxylakis, I. (Eds.), Human Aspects of Information Security, Pri-
vacy, and Trust. HAS 2015. Lecture Notes in Computer Science. Springer, Cham
vol 9190 doi:10.1007/978- 3- 319- 20376- 8_21.
Pattinson, M., Jerram, C., Parsons, K., McCormac, A., Butavicius, M., 2012. Why do
some people manage phishing e-mails better than others? Inform. Manag. Com-
put. Secur. 20 (1), 18–28. doi:10.1108/09685221211219173.
Pleger, L.E., Guirguis, K., Mertes, A., 2021. Making public concerns tangible: an em-
pirical study of German and UK citizens’ perception of data protection and data
security. Comput. Hum. Behav. 122, 106830. doi:10.1016/j.chb.2021.106830.
Rajivan, P., Moriano, P., Kelley, T., Camp, L.J., 2017. Factors in an end user secu-
rity expertise instrument. Inform. Comput. Secur. 25 (2), 190–205. doi:10.1108/
ICS- 04- 2017- 0020.
Serra-Blasco, M., Torres, I.J., Vicent-Gil, M., Goldberg, X., Navarra-Ventura, G.,
Aguilar, E., et al., 2019. Discrepancy between objective and subjective cogni-
tion in major depressive disorder. Eur. Neuropsychopharmacol. 29 (1), 46–56.
doi:10.1016/j.euroneuro.2018.11.1104.
Singleton, C. (2021). X-force threat intelligence index 2021. IBM Corporation, report.
https://www.ibm.com/downloads/cas/M1X3B7QG
Smit, E.G., Van Noort, G., Voorveld, H.A.M., 2014. Understanding online behavioural
advertising: user knowledge, privacy concerns and online coping behaviour in
Europe. Comput. Hum. Behav. 32, 15–22. doi:10.1016/j.chb.2013.11.008.
Srisurapanont, M., Suttajit, S., Eurviriyanukul, K., Varnado, P., 2017. Discrepancy be-
tween objective and subjective cognition in adults with major depressive disor-
der. Sci. Rep. 7, 3901. doi:10.1038/s41598- 017- 04353- w.
Taber, K.S., 2018. The use of Cronbach’s alpha when developing and reporting re-
search instruments in science education. Res. Sci. Educ. 48, 1273–1296. doi:10.
1007/s11165-016-9602-2.
Tsai, H.S., Shillair, R., Cotten, S.R., 2017. Social support and “playing around”: an ex-
amination of how older adults acquire digital literacy with tablet computers. J.
Appl. Gerontol. 36 (1), 29–55. doi:10.1177/0733464815609440.
M. Kyytsönen, J. Ikonen, A.-M. Aalto et al.
Yamazaki, S., Fukuhara, S., Green, J., 2005. Usefulness of five-item and three-
item mental health inventories to screen for depressive symptoms in the gen-
eral population of Japan. Health Qual. Life Outcomes 3 (1), 48. doi:10.1186/
1477- 7525- 3- 48.
van Bavel, R., Rodríguez-Priego, N., Vila, J., Briggs, P., 2019. Using protection motiva-
tion theory in the design of nudges to improve online security behaviour. Int. J.
Hum. Comput. Stud. 123, 29–39. doi:10.1016/j.ijhcs.2018.11.003.
van Deursen, A.J.A.M., Helsper, E.J., Eynon, R., 2016. Development and validation of
the internet skills scale (ISS). Inform. Commun. Soc. 19 (6), 804–823. doi:10.
1080/1369118X.2015.1078834.
van Schaik, P., Jansen, J., Onibokun, J., Camp, J., Kusev, P., 2018. Security and pri-
vacy in online social networking: risk perceptions and precautionary behaviour.
Comput. Hum. Behav. 78, 283–297. doi:10.1016/j.chb.2017.10.007.
von Solms, R., van Niekerk, J., 2013. From information security to cyber security.
Comput. Secur. 38, 97–102. doi:10.1016/j.cose.2013.04.004.
Wang, J., Bennett, K., Probst, J., 2011. Subdividing the digital divide: differences in
internet access and use among rural residents with medical limitations. J. Med.
Internet Res. 13 (1), e25. doi:10.2196/jmir.1534.
Wash, R., Rader, E., Fennell, C., 2017. Can people self-report security accurately?
Agreement between self-report and behavioural measures. Association for com-
puting machinery. In: Proceedings of the CHI Conference on Human Factors in
Computing Systems, pp. 2228–2232. doi:10.1145/3025453.3025911.
Witry, M., Comellas, A., Simmering, J., Polgreen, P., 2018. The association between
technology use and health status in a chronic obstructive pulmonary disease
cohort: multi-method study. J. Med. Internet Res. 20 (4), e125. doi:10.2196/jmir.
9382.
World Economic Forum (2021). Global Gender Gap Report 2021. Insight report.
https://www3.weforum.org/docs/WEF_GGGR_2021.pdf
Maiju Kyytsönen (MHSc, University of Oulu, 2019) is a researcher in Finnish Insti-
tute for Health and Welfare. Her research mainly focusses on citizens’ experiences
of social and healthcare e-service use and on health and social care professionals’
Computers & Security 118 (2022) 102732
experiences of electronic health record and client information systems. She is cur-
rently working in a project “Monitoring and assessment of social welfare and health
care information system services”.
Jonna Ikonen (MSc, University of Eastern Finland, 2017) is a statistical researcher
in Finnish Institute for Health and Welfare. Her work has mainly focussed on health
and well-being data analysis from different data sources. She is currently working
as a statistical researcher in Evaluation and foresight -team in Population Health
-unit, mainly concentrating on FinSote and KOTT studies. FinSote is the national
Finnish survey of health, well-being and service use and KOTT is the national
Finnish Student Health and Wellbeing Survey.
Anna-Mari Aalto (Adjunct professor, University of Helsinki, 2005; Ph.D, University
of Helsinki, 1999) is a chief expert and a team leader in Finnish Institute for Health
and Welfare. She has been researching a variety of topics, in the recent years con-
centrating on the Finnish health system, patient experiences, health related quality
of life and validation of indicators. Nowadays, she also acts as a service system ex-
pert in the project group of a population survey (FinSote) and takes part in the
national working group that aims to draft a reform for the elderly persons’ service
package.
Tuulikki Vehko (Ph.D, University of Tampere, 2014) is a research manager at
Finnish Institute for Health and Welfare. Currently she leads a national project
“Monitoring and assessment of social welfare and health care information system
services”. The aim of the project is to produce monitoring information that sup-
ports national planning and steering of information system services as well as ser-
vice providers of social and health care sector. Her research field is health service
research and the research methods she uses cover both qualitative (focus group in-
terviews and vignette studies) and quantitative (survey studies and registered based
studies) methods.