Students' Cybersecurity Awareness at a Private Tertiary Educational Institution

DOI:

https://doi.org/10.23962/10539/23572

Keywords:

cybersecurity awareness (CSA), password management, cyberbullying, phishing, malware, identity theft, pirated content

Abstract

Internet-based attacks have become prevalent and are expected to increase as technology ubiquity increases. Consequently, cybersecurity has emerged as an essential concept in everyday life. Cybersecurity awareness (CSA) is a key defence in the protection of people and systems. The research presented in this article aimed to assess the levels of CSA among students at a private tertiary education institution in South Africa. A questionnaire tested students in terms of four variables: cybersecurity knowledge; self-perception of cybersecurity skills; actual cybersecurity skills and behaviour; and cybersecurity attitudes. The responses revealed several misalignments, including instances of "cognitive dissonance" between variables, which make the students potentially vulnerable to cyber-attacks. The findings demonstrate the need for targeted CSA campaigns that address the specific weaknesses of particular populations of users.

Published

23-12-2017

Section

Focus Section on Cybersecurity

How to Cite

Chandarman, R. and Van Niekerk, B. (2017) “Students’ Cybersecurity Awareness at a Private Tertiary Educational Institution”, The African Journal of Information and Communication (AJIC) [Preprint], (20). doi:10.23962/10539/23572.