Exploring influences on cyber security threats at home: what behavior can reduce IT threats?

Exploring influences on cyber security threats at home: what behavior can reduce IT threats?

MSc BA Change Management Ruben E. W. Barels

S2811197

Supervisor: prof. dr. E.W. Berghout Co-assessor: dr. U.Y. Eseryel

University of Groningen

Date: January 23, 2017

Wordcount: 10261

Abstract

As we collectively increase our usage of IT related services and products, we expose ourselves increasingly to IT security related threats. With an annual worldwide economic damage estimated in the hundreds of billion dollars, this proves to be a significant problem for everyone making use of IT. To contribute to a safer computing environment, this study aims to identify what type of users is more vulnerable and what behaviors succeed in reducing the amount of IT security threats experienced. Results from a survey of 988 home computer users have shown increased IT usage positively, and higher levels of computer self-efficacy negatively relate to the amount of IT threats experienced. The data indicates IT security threats are inevitable for any type of users. Therefore, it seems more valuable to shift our attention towards increasing our collective computer self- efficacy levels, in order to contribute to a safe IT environment for everyone, starting with awareness at the home user level.

Keywords: Home users, IT security, IT security behavior, IT threats.

Table of Contents

Abstract ... 2

Introduction ... 4

Background ... 6

Conceptual model ...13

Methodology ... 14

Search strategy ...14

Sample and measurement ...15

Data analysis ...17

Results ... 18

Demographic characteristics of the sample ...18

Correlation analysis ...19

Comparing different groups within the sample ...20

Discussion and conclusion ... 21

Implications ...21

Limitations ...23

Further research ...24

Concluding remarks ...24

References ... 26

Appendices ... 31

Introduction

We keep increasingly incorporating IT in our life, to make the day to day business easier, more efficient or just more fun. After our PC’s we connected our phones to the internet. Nowadays we keep connecting devices and systems to the internet: cars, thermostats, medical applications and refrigerators are more recent examples, but this list can go on for a while. This rapid expansion brings a lot of advantages for home users and at the same time, it is an important source of innovation and economic growth (NCTV, 2013).

While individuals keep adding and replacing services with IT substitutes, individuals are increasingly exposed to the IT security threats that come along (Furnell, Bryant, & Phippen, 2007).

While IT provides new opportunities for governments, businesses, and consumers, at the same time also present opportunities for those with criminal intentions (Choo, 2011). Examples of threats as the result of criminal intentions are: malware, viruses, spam, cyberespionage, digital fraud and theft of information, ransomware, phishing, DDoS-attacks and fake websites (Abbasi, Zhang, Zimbra, Chen, & Nunamaker Jr., 2010; Choo, 2011; ISACA, 2015; McKenna, 2005; NCTV, 2013; Symantec, 2015; U.S. Secret Service National Threat Assessment, 2014). Byproducts of previously mentioned attacks can also result in additional negative consequences for home users, examples are locked systems and slower functioning systems (Johnston & Warkentin, 2010).

The rising cumulative amount, but also different types of attacks is not likely to stop anytime soon because of the possible financial gains for criminals by obtaining personal information as the result of these attacks (Choo, 2011). Attackers continuously look for targets, that will provide the maximum return on the time they invest in writing malicious code (Galbreth

& Shor, 2010; Symantec Corporation, 2016). In 2015 more than 430 million new pieces of malware were discovered, ransomware increased with 35 percent and over half a billion personal records were stolen (Symantec Corporation, 2016). Annual worldwide economic damage caused by compromises in IT security are estimated in the hundreds of billion dollars (D’Arcy, Hovav, &

Galletta, 2009; Saini, Rao, & Panda, 2012). These figures articulate the significance of this

problem, a problem not just for businesses or governments, but for everyone. In household settings,

the median monetary cost associated with phishing-based identity theft is over $3,000 per victim

(Abbasi et al., 2015).To make things even worse, not all IT security issues are known or reported,

therefore, the reported statistics are most likely to underestimate the problem.

Due to our collective dependence on IT systems, we cannot just turn all IT systems off to be safe once again. Therefore, it is necessary to increase our resilience against existing threats at the individual level, in order to increase our collective defense against cyber threats, as one's individual precautions might yield positive externalities for one another (Png & Wang, 2009). We cannot and may not expect or ask our governments to act as our sole defense against IT threats (NCTV, 2013). To prevent potential harm and losses, a critical IT security issue is that end users need to perform the tasks that are necessary to effectively cope with IT threats (Liang & Xue, 2009). IT security literature has often cited users as the weak link in IT security due to user errors and negligence (Guo, Yuan, Archer, & Connelly, 2011; Spears & Barki, 2010). While having the desire and the tools available to protect themselves, home users keep failing in successfully defending or preparing against attacks. While it could be a choice to not use anti-virus software because of its price (Dey, Lahiri, & Zhang, 2012). Home users’ intentions to protect themselves are previously shown not to correspondent with their actual behavior (Boss, Galletta, Lowry, Moody, & Polak, 2015). An example from the recent past illustrates users were fully aware of a devastating virus spreading quickly, while security tools effective in removing it were available, the users did not install the tools (Pavlou et al., 2007).

Little work has been done to investigate individual security behaviors and their antecedents (Chen & Zahedi, 2016). Also, previous research on malicious software infections on end users systems assumed no differences between consumers (Galbreth & Shor, 2010). Knowledge about the predictors of individual security behavior in a home setting represents the first step in securing the cyber infrastructure (C. L. Anderson & Agarwal, 2010a).

To empirically find relations between types of user and their vulnerability should contribute to answering what behavior succeeds in reducing the amount of IT security threats experienced.

Not only the group of users who have the most to benefit is identified, but at the same time suggestions about behavior that worked for others is revealed.

Background

This research uses nine different concepts to explore relations between types of home users and characteristics that distinguishes them. All concepts and the hypothesis they lead to are discussed separately before positioning them all together in a conceptual model.

IT security behavior

Anderson & Agarwal explain threat appraisal and coping appraisal as key factors in developing a perception of a threat for IT users (C. L. Anderson & Agarwal, 2010a). IT users develop a perception of threat after assessing potential dangers in their computing environment (Liang & Xue, 2009). Both threat appraisal and coping appraisal are key tenets of the protection motivation theory (PMT), which maintains that the perceived probability and severity of a threat occurrence motivate people to take protective measures (C. L. Anderson & Agarwal, 2010a; Liang

& Xue, 2009). Pahnila et al. have already incorporate a variety of factors in addition to those of PMT such as sanctions and rewards in their work (C. L. Anderson & Agarwal, 2010b; Pahnila, Siponen, & Mahmood, 2007). The significance of these variables suggests that although PMT may have explanatory power for user security behavior, there are likely to be other important factors influencing security behavior. This study aims to explore the influences of other variables, and how the relate to the result of a user’s security behavior: the amount of IT threats he or she has experienced.

IT usage

Furnell et al. explain how users that use more IT claimed increasing knowledge and

confidence about computers, but those same users failed to demonstrate effective IT security

practices as: understanding of security functionality in applications and performing regular updates

to security software (Furnell et al., 2007). These advanced users appeared vulnerable even though

the majority claimed to be knowledgeable and confident about aspects of PC security (Furnell et

al., 2007). Furnell et al. explain the potential risk as a result of their greater confidence by their IT

usage (Furnell et al., 2007). Contradictory to Furnell et al., when choosing not to use something,

would suggest you cannot become a victim of threats caused by that same thing you chose not to

use, extrapolating this towards a hypothesis:

Hypothesis 1: A higher level and frequency of IT usage is positively related to the amount of IT security related issues.

Computer self-efficacy (CSE)

Computer self-efficacy (CSE) is defined as the level of confidence in one’s ability to undertake the recommended preventive behavior (Bandura, 1986; Herath et al., 2014; Wright &

Marett, 2010). Prior research on phishing attacks confirmed higher perceptions of CSE decrease the likelihood a person will be deceived by a phishing e-mail (Wright & Marett, 2010). In addition, self-efficacy positively relates to effects on behavioral intent, meaning individuals with higher confidence levels also intent to take preventive actions more often than individuals who are less confident about their abilities (Johnston & Warkentin, 2010). Contradictory to Johnston &

Warkentin, Herath et al., find higher levels of confidence in their ability to deal with IT threats themselves, resulting in not relying on security tools, and therefore being more vulnerable to IT security threats (Herath et al., 2014). Based on the work of Wright & Marett the following hypothesis is formulated:

Hypothesis 2: Higher self-reported satisfaction levels about knowledge and control possibilities is negatively related to the amount of IT security related issues.

Age

Computers and all the issues the internet age present remain unnatural and often confusing for older generations (Singer, P.w, Friedman, 2014). Work of Raub suggests that older individuals have less computer knowledge and training as well as an unfavorable attitude towards computers (Raub, 1981). In addition to age relating to computer attitudes, Pinto and Rainer found age correlating negatively with computer attitudes, older individuals were more pessimistic towards computers and showed lower computer skill levels (Harrison & Rainer Jr, 1992; Nickell & Pinto, 1986). Singer & Friedman describe these lower computer skill levels as an issue of age (Singer, P.w, Friedman, 2014).

These findings differ from research on the influence of age on morality and computers,

where older people would refrain from distributing illegal software (Gattiker & Kelley, 1999),

since illegal software is a popular way to spread malware (Symantec Corporation, 2016),

extrapolating this behavior would suggest older people should experience less types of negative IT related t. Results of research on anti-spyware adaptation indicate younger adopters were sensitive to price, therefore less willing to implement preventive measures implying younger individuals are more vulnerable towards IT security issues (Lee & Kozar, 2008).

However, the price of optional preventive software is not enough to assume age will show a negative relation with the amount of IT threats. Younger individuals also have advantages that come with their age, as Czara showed that younger individuals tend to learn better and faster than older individuals (Czaja, Hammond, Blascovich, & Swede, 1989).

Given these previous results, it is more likely someone’s age will positively relate to the amount of IT security related issues. Therefore, resulting in the following hypothesis:

Hypothesis 3: Someone’s age is positively related to the amount of IT security related issues.

Preventive measures

Whilst malicious software is a serious risk for computer users, adoption of these systems to protect computer users against it is low (Lee & Kozar, 2008). In the case of spyware, research has shown 80 percent of current spyware problems could be resolved by anti-spyware software, only 10 percent of the users make use of alike software (Girard, 2004; Lee & Kozar, 2005).

Additionally there is a sizeable community of users that will fail to address security unless it is cheap and easy to use (Furnell et al., 2007). In these decisions, users tend to evaluate the tool based on usefulness, usability, and privacy concerns (Herath et al., 2014).

Merely installing antivirus software is not any guarantee of safety. No computer is automatically immune to cyber security threats (Symantec Corporation, 2016). Antivirus software, or rather its creators, first need to identify and resolve malware before their software can prevent infections. The anti-malware software usually lags behind the expertise of cyber criminals, according to Kim & Kim software detects less than two-thirds of the malware within a month (Kim

& Kim, 2014).

Research on the perception of IT security by internet users shows the majority of issues

facing the novice user were knowledge based – they did not know how to protect themselves and

were not aware of initiatives that may help them (Furnell et al., 2007). While such threats are easily

defeated by simply keeping operating systems, browsers, and other critical software constantly up

to date (Singer, P.w, Friedman, 2014). To increase home users to use anti-virus software, security controls must be agile and workable in a variety of environments and, preferably, be developed with end user participation (Colwill, 2009). Although wearing a helmet when riding your bike does not mean you will not suffer any harm when you do crash, it should not make the outcome worse.

Assuming anti-virus software works as promised, increasing the amount of preventive measures taken should result in fewer IT issues. This leads to the following hypothesis:

Hypothesis 4: A higher level of preventive measures taken is negatively related to the amount of IT security related issues.

Education

While mostly being regarded as a vulnerability regarding cyber security (C. L. Anderson

& Agarwal, 2010a), an alternative view believes users to be an asset (von Solms & van Niekerk, 2013). Being able to practice and use IT in a managed IT environment enables the user to get used to safety practices of the school or university (Singer, P.w, Friedman, 2014), hopefully incorporating these in his or her IT usage at home. Obtaining higher levels of education takes a longer amount of time, which enables the students to make use and learn from the managed IT environment offered by the institution. Simultaneously universities and schools increasingly offer their education digitally, forcing the students to practice with IT and learn from these experiences.

A conflicting view is offered by Puhakainen & Sipoonen, who explain that information system security training that comes with managed environments is not enough, current existing security training and education approaches have not proven to be effective yet (Puhakainen &

Siponen, 2010). With regard to users online privacy, while expecting a higher education resulting in increased careful and cautious use, no support was found (Milne & Rohm, 2000). In addition, research on differences in end-user computer skills showed no significant relation between education and computer skill (Harrison & Rainer Jr, 1992).

Although Harrison & Rainer Jr’s conclusion seems applicable, their work dates to the year

1992, while the work with a contrary view is more recent and seems more relevant. The hypothesis

with respect to an individual’s education follows:

Hypothesis 5: A higher level of education is negatively related to the amount of IT security related issues.

Operating systems

The days when you were safe just by refraining from using Microsoft's Windows as your operating system are long gone (Symantec Corporation, 2016). Sadly, people still believe computers running Mac are deemed safe from computer viruses or malware. Microsoft’s domination has made it “the hacker target of choice” since the sought after financial gains, it makes sense for criminals to target the largest group of users (Symantec, 2015; Symantec Corporation, 2016). Older versions of Microsoft Windows still have a lot of unpatched security issues, the older operating systems just cannot keep up with modern threats (Symantec Corporation, 2016). In 2015 attacks against Windows, Mac and Linux have increased considerably (Symantec Corporation, 2016). So-called mass attacks launched by criminals do not target specific groups of users, but rather target a specific operating system, resulting in all users using that operating system, Windows, Mac or Linux are targeted (Png & Wang, 2009).

Next to operating systems of traditional computers, a technical study in 2012 estimated that over half of the mobile devices running Android have unpatched vulnerabilities (Singer, P.w, Friedman, 2014). Android attacks are increasingly harder to identify, and Apple iOS users are more at risk than ever (Symantec Corporation, 2016). Where malware and viruses traditionally were developed for computers, criminals have already expended towards all types of our mobile devices.

Another piece of software which we all use and mostly is nondependent on your operating system is web browsing software. For web browsers with a lower percentage of the market share, such as Mozilla and Safari, the total number of vulnerabilities found is low. This does not mean that these web browsers are more secure, but merely that only a limited effort has gone into finding their vulnerabilities (Galbreth & Shor, 2010). Expanding this logic from web browsing software to operating systems, the usage of operating systems with lower market shares should result in less IT security related issues. This results in the following hypothesis:

Hypothesis 6: Using an operating system other than windows is negatively related to the

amount of IT security related issues.

Overall carefulness

Contradictory to its purpose, warnings could contribute to the careless use of IT. Anderson describes this as user habituation: a decreased response to a repeated warning (B. B. Anderson et al., 2015; B. B. Anderson, Vance, Kirwan, Jenkins, & Eargle, 2016). In the context of IT, this could mean we get used the warning signals that are supposed to help us make better decisions, so they lose their impact, and our risk tolerance increases. Increased risk tolerance has been linked to increased careless behavior like using illegal software (August & Tunca, 2008). Risk tolerance also influences IT users’ responses to IT threats (Liang & Xue, 2009). Linking overall carefulness to a reduced risk tolerance, therefore showing risk-avoiding behavior, should help careful individuals to reduce the amount of IT threats they experience. This leads to the following hypothesis:

Hypothesis 7: Cautious use of IT is negatively related to the amount of IT security related issues.

IT security related education

Prior research on assessing security perceptions of home computer users showed many of

the problems were amongst IT novices who demonstrated that while they feel it is their

responsibility to protect themselves from attacks, they lacked the knowledge to achieve this

(Furnell et al., 2007). Most companies educate their employees on IT security in order to prevent

incidents (Colwill, 2009). To ensure the viability of a security policy, users must understand it and

accept necessary precautions through education and training (Whitman, Townsend, & Aalberts,

2001). While home users do not have an employer forcing them to follow IT security related

education, they are free to decide this for themselves. Within a business-setting training is

positively related to computer-related ability (Harrison & Rainer Jr, 1992). Colwill goes further

and identifies education as being critical (Colwill, 2009). While security benefits through training

and education may be longer-term rather than short-term (Colwill, 2009), actively following or

having obtained a degree in IT security should contribute to protecting yourself from IT threats,

resulting in the following hypothesis:

Hypothesis 8: Holding or pursuing a degree in IT security is negatively related to the amount of IT security issues.

Gender

Work on internet security perceptions and behavior shows that individual attributes such as gender, and age directly impact individuals’ perceptions of threat (Chen & Zahedi, 2016).

In a study concerning morality and computers, gender differences were reported infrequent, although male subjects appeared to act less risk averse than female subjects (Gattiker & Kelley, 1999). Women appeared more cautious regarding acts of computer use following societal norms and cultures, while men followed their own attitudes and beliefs regarding appropriate computer use (Gattiker & Kelley, 1999; Gutek & Larwood, 1987). In addition, research on anti-spyware adoption also suggested females were less willing to take risks than males (Lee & Kozar, 2008).

While males followed their own attitudes and beliefs, in other work males showed to bring more computer relevant skills than females (Gutek & Bikson, 1985). In research on individuals attitude towards online privacy, no support was found for differences between men or women (Milne & Rohm, 2000). Since both men and women seem to have advantages in their behavior towards IT security threats or no differences were found, there should be no difference in the average amount of IT security issues. This results in the following hypothesis:

Hypothesis 9: A difference in gender should not lead to a difference in the amount of

occurred IT security issues.

Conceptual model Figure 1

A conceptual model containing all constructs.

Methodology

This section aims to clarify the used data collection methods, for both the literature and the survey part of this research. For the controllability of this study, the methods used are explained in this section. In addition to the methods, all outcomes of the test used are given to safeguard both validity and reliability of this study.

Search strategy

To find relevant existing literature on the topic of home user security first a selection of journals was made. Out of the recommended journals, six suitable journals were identified,:

Information Systems Research, Journal of Management Information Systems, MIS Quarterly, European Journal of Information Systems, Information & Management and Information Systems Journal. Three of the selected journals are being listed as top journals within the field of Management Information Systems (Rijksuniversiteit Groningen, 2014).

Using ebscohost’s advanced search to access all journals available within the business source premier database searching for “security” yielded 323 papers. To include “end-user”, “end user”, “end-user computing” and their plurals, their corresponding factor: “user” was added as a prerequisite which reduced the amount to 86 papers. 5 papers were not accessible and therefore dismissed. After reading through the remaining 81 papers, most papers were oriented within a work-related setting and therefore not suitable. The 13 papers that remained were focusing on home users, or the results were generalizable towards home users. The remaining papers that were used during this research were manually added, or included through references of used papers.

Figure 2

Online search strategy with outcome in the amount of papers.

IT Security related (323) User related (86)

Accessible (81) Selected

(13)

Sample and measurement

The data used for this research was an existing dataset, complemented with more recent responses to the survey instrument created by professor Berghout. The questionnaire itself was distributed online through Qualtrics, during courses professor Berghout taught at several universities throughout the Netherlands and within his own network.

The survey instrument was created to gather knowledge within a spectrum regarding IT usage, IT threats, measures taken to prevent IT threats, perceived knowledge and control levels and descriptive statistics of the respondents. To measure this, the questionnaire consists out of 72 yes/no questions and 19 categorical questions with using Likert scales. The complete questionnaire is available in the appendix.

The questionnaire was distributed between fifteen different groups, during the period between March 2014 and October 2016. The initial dataset at the start of this research existed out of 991 respondents. During this project, 258 additional respondents were added, bringing the total respondents to 1249. While combining the exported data from Qualtrics with the existing dataset in Microsoft Excel some irregularities surfaced. The answers to two multiple choice questions were split into various yes/no questions. To solve the formatting issue, the data was transformed by means of a script written in excel, to prevent human errors while transforming the data.

Due to a divergence in the questions asked, one complete group of respondents had to be removed from the dataset. This deviation was the result of questions that were added to the survey instrument after the first distribution. Because the additional questions are part of the constructs within this research, the first set of respondents was dropped, leaving the 1057 most recent responses who had the chance to complete the same set of questions. Of those 1057 respondents, 988 managed to finish the questionnaire making this the final sample size.

Dependent variable

The dependent variable used during this research is a construct consisting out of multiple

items from the questionnaire. In order to create this construct, first an internal reliability test should

ensure that the individual questions are actually measuring the same phenomena (Field, 2009). To

ensure the reliability of the measurement scales, a reliability analysis was performed in IBM SPSS

Statistics 24. The ten different subscales of IT threats all had high reliabilities, with a combined

Cronbach’s alpha of α = .725, which is higher than the required minimum of .7 (Bernstein &

Nunnally, 1994; Field, 2009), allowing the creation of the combined variable: IT threats consisting out of continuous data.

Independent variables

The nine different independent variables are consisting out of three different data types.

Since the differences in data type affected the processing of the data, the independent variables are clarified one by one based on the data type, which is the same order as the previously drafted hypotheses.

Variables consisting out of continuous data

The independent variable IT usage is a construct consisting out of 26 individual question of which an overview can be found in table 5 in the appendix. The combined Cronbach’s α = .71, which is higher than the required minimum (Bernstein & Nunnally, 1994; Field, 2009). This variable captures the different types of IT related services products or technologies the respondent uses or owns into one variable: “IT usage”, consisting out of continuous data increasing while the respondent’s IT usage increases.

Computer self-efficacy does not measure actual occurrences. This construct exists out of five questions where the respondent could indicate his or her level of satisfaction regarding his or her levels of control and knowledge regarding IT security. The combined Cronbach’s α = .799, which is higher than the required minimum, allowing the creation of the sum variable “self- reported CSE” existing out of continuous data.

The last independent variable consisting out of continuous data is age, reported in whole integers ranging on a scale between 17 and 66. A more extensive description of the reported values is available in the results section in table 1 containing the demographic characteristics of the sample.

Variables consisting out of categorical data

The amount of preventive measures taken is a categorical variable ranging between 0 and

10. Respondents could answer for each question if this was applicable to them yes or no, being

awarded one point for each type of preventive measure taken. Therefore, this variable measures

the amount of preventive actions taken to protect the respondent from IT threats. Since all different measures were awarded one point, all cases weigh equally.

The variable “education” consists out of seven different levels of education where respondents were asked to report their highest obtained level of education.

The variable: “operating system” contains data about the operating systems used. The respondents were asked to report the primary operating system they use. Possible answers are Windows, Android, Linux, Apple or a combination of multiple operating systems. Carefulness is a single question where the respondent could categorize their own considered overall carefulness in daily life as careful, moderately careful, neutral, moderately careless or careless. The variable

“IT security education” consists out of every respondent who reported to pursue or already have obtained a degree in IT security. Finally, the variable gender is also a binary variable, consisting out of just two options: male or female. Results of gender are also included in table 1 in the results section.

Data analysis

To perform the required statistical analyses, the final dataset for this research was imported in IBM SPSS Statistics 24. Missing value analysis and unusual cases identification both manual and in IBM SPSS Statistics 24 did not reveal any problems. To determine which type of test may be used for each hypothesis, all variables were tested for violations of parametric data (Field, 2009).

In order to test if the variables were normally distributed, a Kolmogorov-Smirnov test was conducted for every variable, all resulting in p < .05, indicating a significant deviation from normality for each variable (Field, 2009). The test results are included in table 4, found in the appendix.

Because the data violated the assumptions of parametric data, non-parametric tests were

used to analyze the data. For all different data types of the independent variables, a non-parametric

test was available to test it against the dependent variable. For the continuous independent

variables, Spearman’s rho correlation tests were used to reveal interrelations. For the categorical

variables, Kruskal-Wallis tests were used for variables consisting out of more than two categories,

whereas Mann-Whitney U tests were appropriate when the categorical variable existed just out of

two possible categories.

Results

In this section, the findings are presented. After presenting the descriptive statistics of the sample, the results of the hypotheses are presented. Since the data collection resulted in different forms of data, the multiple tests were necessary to analyze the data accordingly. The findings of these analyses are presented in this chapter.

Demographic characteristics of the sample

The sample consists of 595(60.2%) men and 393(39.8%) women, with age ranging between 17 and 66, with an average of 23 (M = 22.9, SD = 7.35). Furthermore, education level was ranging from primary school to Ph.D. level. The median of highest obtained level of education was 2.00 (High school degree). Among the participants were 72 IT professionals, 850 students and 66 participants who did not fill in the survey as part of a course on a university. Table 1 shows the demographic characteristics of the sample including frequencies and percentages.

Table 1

Demographic characteristics of the sample

Demographic characteristics Frequency Percentage

Age

<20 352 35.6

20 – 29 527 53.3

30 – 39 51 5.2

40 – 49 36 3.6

50 – 59 19 1.9

60+ 3 0.3

Education

Less than high school 1 .1

High school degree 639 64.7

Bachelor degree 219 22.2

Master degree 86 8.7

Post/executive master degree 32 3.2

Ph.D. or Dr 10 1.0

Demographic characteristics Frequency Percentage

Other 1 .1

Gender

Male 595 60.2

Female 393 39.8

Correlation analysis

The first three hypotheses were all tested with correlation analyses. The results are displayed in table 2, graphs that illustrate the correlations can be found in the appendices in figures 3, 4 and 5.

Table 2

Non-parametric correlation table (Spearman’s rho) for H1, H2, and H3.

IT usage CSE Age IT threats

IT usage -

CSE .331** -

Age .092** .010 -

IT threats .136** -1.42** -.016 -

Note: **Correlation is significant at p<0.01 , n=988.

A series of Spearman rank-order correlations were conducted in order to determine if there were any relationships between the amount of IT security issues experienced by an individual and their IT usage, computer self-efficacy (CSE) and age between 988 participants. A two-tailed test of significance indicated that there was a significant positive relationship between IT usage and IT threats (r

(988) = .136, p < .01), illustrated in figure 3. The higher amount of different IT solutions individuals use, the higher the amount of security related issues they experience will be.

A two-tailed test of significance indicated the there was a significant negative relation

between one’s self-reported CSE levels and the amount of IT threats (r

(988)= -1.42, p < .01).,

whereas higher self-reported CSE levels will lead to lower amounts of experienced IT security

issues.

Comparing different groups within the sample

In order to analyze whether individuals, with dissimilar amounts of preventive measures taken, differ in the degree of amount of experienced IT threats a Kruskal-Wallis test was performed with preventive measures taken on the amount of IT threats. This Kruskal-Wallis test was not significant χ

(10, N = 988) = 8.749, p = .556. Therefore, this test shows individuals with different amounts of preventive measures taken do not differ in the amount of IT security issues experienced.

Intending to analyze whether individuals with different education differ in the degree of experienced IT threats a Kruskal-Wallis test was performed with the seven levels of education (less than high school degree, high school degree, bachelor degree, master degree, post or executive master degree, Ph.D./Dr or Other) on the amount of IT threats. This Kruskal-Wallis test was not significant χ

(6, N = 988) = 10.918, p = .091. Individuals with different amounts of preventive measures taken do not differ in the amount of experienced IT security threats.

A Kruskal-Wallis test was conducted to evaluate differences among the five possible operating systems in the sample (Windows, Android, Linux, Apple or a combination of operating systems) on the median change in types of IT security issues experienced. The test, which was corrected for tied ranks, was not significant χ

(4, N = 988) = 7.902, p = .095.

A Kruskal-Wallis test was conducted to evaluate differences among the five different self- reported levels of carefulness (careless, moderately careless, neutral, moderately careful or careful) on the median change in types of IT security issues experienced. The test, which was corrected for tied ranks, was not significant χ2(5, N = 988) = 10.140, p = .071.

In order to analyze if individuals holding or pursuing a degree in IT security differ regarding their amount of IT security issues from individuals not holding or pursuing a degree in IT security a Mann-Whitney U test was performed. This test was not significant U = 36,542.500, p = .364, r = -,029. Individuals holding or pursuing a degree in IT security (MR = 468.41, Mdn = 2.00) do not significantly experience fewer IT security related problems than individuals who hold nor pursue a degree in IT security (MR = 496.99, Mdn = 2.00).

A final Mann-Whitney U test was used to analyze if men and women differ regarding the

amount of IT threats they experience. This test results showed no significant difference U =

113,647.500, p = .446, r = -,024. The average amount of IT security issues does not differ between

men (MR = 500, Mdn = 2.00) and women (MR = 486.18; Mdn = 2.00).

Discussion and conclusion

This study was designed to discover relations between home user behavior and the types of IT threats they have experienced, in order to identify behaviors that could contribute to safer computing for home users. Three of the nine hypotheses were supported by the data.

Table 3

Results by hypothesis

Hypothesis Support?

H1: IT usage → Amount of IT threats Yes

H2: CSE → Amount of IT threats Yes

H3: Age → Amount of IT threats No

H4: Preventive measures → Amount of IT threats No

H5: Education → Amount of IT threats No

H6: Operating system → Amount of IT threats No

H7: Overall carefulness → Amount of IT threats No H8: IT security degree → Amount of IT threats No

H9: Gender → Amount of IT threats Yes

Implications

The types of IT services or devices individuals own or use is positively related to the amount of IT security threats that individuals experience, supporting H1. Where Furnell et al.

steered towards increased usage leading to more knowledge, and possible overconfidence this seems not to be the case (Furnell et al., 2007). While increasing your IT usage, you expose yourself longer or more often to the possible threats that came with your IT usage. Increasing your exposure towards possible threats seems intuitively a better explanation why this relation is positive.

As previously shown by Anderson and Agarwal, higher CSE levels have been linked to an

increased attitude towards security related behavior (C. L. Anderson & Agarwal, 2010a). However,

user’s intentions are shown to differ from their actual behavior (Boss, Galletta, Benjamin Lowry,

Moody, & Polak, 2015), this study shows individuals with higher CSE levels actually experience

less IT security threats, as was suspected by Anderson and Agarwal. Users satisfied with their

knowledge and control seem to be better at defending themselves against negative IT experiences.

The data also shows individuals with higher CSE levels using more IT. Even while there is a positive relation between IT usage and IT threats, while using more IT, users with higher CSE levels still experience significant fewer threats than users with lower CSE levels.

The third hypothesis was not supported by the data, older people do not experience significantly more IT threats than younger people. When looking for explanations in the data, a positive relation was found between age and IT usage. This indicates older individuals use more IT, combining this with H1, an increase in IT usage should result in increased amount experienced IT threats. Thus suggest rather that we learn from our experiences while we get older than that we make less use of IT.

A more surprisingly result was the outcome of H4: a higher amount of preventive measures does not reduce the amount of experienced IT threats. Possible explanations are given within the existing literature, preventive measures are not flawless and largely dependent on their developers innovating faster than those with criminal intent. A more illustrative comparison could be made with our everyday traffic, just wearing a helmet while riding your bicycle does not prevent any accident by itself, it can only reduce the negative effect of certain accidents.

Moving on to H5, the amount of IT problems experienced does not significantly differ amongst the different levels of education in the sample. Practicing with controlled IT environments in schools or universities by itself does not seem to teach individuals enough to have an effect on the amount of IT threats. Since IT threats for home users were measured, taught behavior within controlled IT environments deemed not helpful in a non-controlled, environment at home. Another explanation is that no matter your own education, there most likely always will be one or more individuals with criminal intents able to outsmart you or make use of attacking techniques you do not have any influence on yourself.

Continuing with a factor you can influence yourself, H6: choice of operating system. As

explained by Symantec, there is no operating system left that is safe against malicious attacks

(Symantec Corporation, 2016). However, there are clear examples that Windows is the most

popular operating system for criminals to attack. Also, the most malicious software is written for

machines running Windows. The outcome of the test showed the choice of your operating system

does not seem to influence the types of IT security issues you experience. However, the amount of

Linux users was relatively low, which impacted the comparison method. When leaving the

dedicated Linux users out of the equation, against all expectations windows only users seem to

experience significant fewer issues than Apple only, Android only or users with a mix of operating systems. A possible explanation for this remarkable result could be the user-friendliness of both Apple and Android, whereas the users who choose to only use Windows have more freedom of control over their operating system, and therefore need more knowledge about safely using it.

Another more likely possible explanation could be the origin of the device, whereas Windows devices are more popular within business settings, and system administrators are able to manage the devices from a distance. The relatively high amount of IT professionals in the sample could be beneficial to this result.

While there is a lack of prior research into carefulness influencing IT security behavior, common sense suggests overall carefulness in daily life would result in careful computer use at home. Additionally, the reduced risk tolerance deemed potential as an explanatory factor with respect to reduced IT security threats. Disappointingly the data does not suggest this to be true, leaving no support for H7.

Even more surprisingly, respondents who have obtained a degree in IT security, or currently pursuing a degree in IT security do not experience fewer problems than individuals not pursuing or obtaining a degree in IT security. This seems remarkable since the purpose of IT security training should is preventing IT threats. Overall individuals in the sample who either obtained or pursued an IT security degree made more use of IT, but also showed to have higher CSE levels.

Lastly, gender does not lead to an increase or decrease of IT security issues as expected.

As discussed earlier, both sexes have their own advantages regarding their IT security behavior, which could cancel each other out. In other results, no evidence of any difference whatsoever was found between men and women. A more realistic explanation for the lack of difference in most demographic characteristics is that most attacks are mass attacks instead of targeted attacks. Where the attack targets your operating system regardless of your age, gender or education.

Limitations

While interpreting the contributions of this study some limitations should be kept in mind.

This study was performed by a single researcher, making the study subject to a researcher bias

(Aken, Berendsen, & Van der Bij, 2012). Continuing with the literature, it quickly appeared

research about home users’ behavior regarding IT security is scarce. Most research takes place in

a business setting, which differs too much from a home user setting to extrapolate findings between environments.

There are also some limitations regarding the sample. Firstly, the data was collected over a period of three years which is quite long within the field of IT. To emphasize, in this period new editions of operating systems were released, as well as new types of malware. Another important limitation is the data being self-reported, there is no way to check if the respondents were honest while answering the questionnaire. The questionnaire was distributed within the network of professor Berghout, resulting in data from mostly Dutch students. Therefore, cultural differences are not being addressed in this study. Additionally, the reported age of the respondents ranged between 17 & 66, therefore missing a large part of elderly users.

Further research

Next to all alterations that would eliminate the current limitations of this study, some additional suggestions became evident during the process. While showing a relation between IT usage and the amount of experienced threats of individuals, the antecedents of someone’s IT usage itself could still be interesting. There could be a difference in perceived severity of IT threats while using other than our own devices or services. Also, since demographic factors as age, education level, overall carefulness, IT security related education and gender do not seem to influence our experienced IT threats, it would be helpful to identify other prevention strategies that would best help individuals, businesses and government agencies avoid IT security threats.

Concluding remarks

Unsatisfactorily this study did not discover the holy grail of IT security threat prevention

to contribute to a safer online environment for home users. Also, there is no evidence of a specific

vulnerable type of IT users. IT security threats for home users are targeting every user instead of a

specific group. Although this is more frightening than comforting, the data supports it. This

however does not mean we should stop taking precautions and accept we will face IT security

threats sooner or later. The data also shows individuals who are confident in their ability to

undertake the recommended preventive behavior are succeeding in preventing IT security threats,

whilst using more IT than others. This should direct our attention to what behavior can increase

our confidence and computer self-efficacy levels.

The utilitarian outcome, an individual’s contribution to the collective outcome, does not motivate home users to act. Since IT security benefits through training and education may be longer-term rather than short-term (Colwill, 2009), this does not seem to benefit home users directly, the perceived collective ownership is too low for home users to take action (C. L.

Anderson & Agarwal, 2010a). To increase our collective security August and Tunca considered the incentive of users to patch security flaws, and as a society pay for everyone’s home cyber security (August & Tunca, 2008; Png & Wang, 2009). Others suggest increasing the fear of negative outcomes should increase preventive measures taken by users (Boss, Galletta, Lowry, et al., 2015).

The Dutch government launched a campaign to prevent break-ins in physical homes with accompanying commercials on TV, but the campaign to increase awareness about IT risks and security as well seems to be left behind. Since persuasive communications are an effective method for modifying human attitudes, intentions, and behaviors (Fishbein, M. & Ajzen, 1975; Johnston

& Warkentin, 2010), increasing awareness about not only the likelihood of being attacked by

malicious IT but also the negative outcomes once you become a victim seems more likely to

successful in increasing confidence than using scare tactics (Pavlou, Liang, & Xue, 2007). Since

prevention, detection, and recovery are all part of IT security, we should direct our attention

towards methods to increase our collective CSE levels (D’Arcy et al., 2009). Attempting to

increase home users’ confidence in their abilities seems to have a higher potential to prevent

negative IT threats than increasing perceived severity of IT threats with fear. Returning to the

comparison of our behavior while riding a bike with our IT behavior, we cannot manage or

influence the actions of others, not in traffic, not in IT. But to decrease negative outcomes for

ourselves and others, we can practice our individual skills before depending on them, just like you

did while learning to ride your bike.

References

Abbasi, A., Zahedi, F. “Mariam,” Zeng, D., Chen, Y., Chen, H., & Nunamaker, J. F. (2015).

Enhancing Predictive Analytics for Anti-Phishing by Exploiting Website Genre Information.

Journal of Management Information Systems, 31(4), 109–157.

https://doi.org/10.1080/07421222.2014.1001260

Abbasi, A., Zhang, Z., Zimbra, D., Chen, H., & Nunamaker Jr., J. F. (2010). Detecting fake websites: The contribution of statistical learning theory. MIS Quarterly, 34(3), 435–461.

https://doi.org/Article

Aken, J. E. V., Berendsen, H., & Van der Bij, H. (2012). Problem-solving in Organizations. A Methological Handbook for Business and Management Students. Cambridge University Press, 240. https://doi.org/978-1-107-01936-2

Anderson, B. B., Kirwan, C. B., Jenkins, J. L., Eargle, D., Howard, S., & Vance, A. (2015). How Polymorphic Warnings Reduce Habituation in the Brain. Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems - CHI ’15, 2883–2892.

https://doi.org/10.1145/2702123.2702322

Anderson, B. B., Vance, A., Kirwan, C. B., Jenkins, J. L., & Eargle, D. (2016). From warning to wallpaper: Why the brain habituates to security warnings and what can be done about it.

Journal of Management Information Systems, 33(3), 713–743.

Anderson, C. L., & Agarwal, R. (2010a). Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions. MIS Quarterly, 34(3), 613–643. https://doi.org/10.1016/j.arth.2009.05.009

Anderson, C. L., & Agarwal, R. (2010b). PRACTICING SAFE COMPUTING: A MULTIMETHOD EMPIRICAL EXAMINATION OF HOME COMPUTER USER SECURITY BEHAVIORAL INTENTIONS, 34(3), 613–643.

August, T., & Tunca, T. I. (2008). Let the pirates patch? An economic analysis of software security patch restrictions. Information Systems Research, 19(1), 48–70.

https://doi.org/10.1287/isre.1070.0142

Bandura, A. (1986). Social foundations of thought and action : a social cognitive theory / Albert Bandura. Englewood Cliffs, N.J: Prentice-Hall, 1986. xiii, 617 pp.

Bernstein, I. H., & Nunnally, J. C. (1994). Psychometric theory. New York: McGraw-Hill. Oliva,

TA, Oliver, RL, & MacMillan, IC (1992). A Catastrophe Model for Developing Service

Satisfaction Strategies. Journal of Marketing, 56, 83–95.

Boss, S. R., Galletta, D. F., Benjamin Lowry, P., Moody, G. D., & Polak, P. (2015). WHAT DO SYSTEMS USERS HAVE TO FEAR? USING FEAR APPEALS TO ENGENDER THREATS AND FEAR THAT MOTIVATE PROTECTIVE SECURITY BEHAVIORS. MIS Quarterly, 39(4), 837–864. Retrieved from http://search.ebscohost.com.proxy- ub.rug.nl/login.aspx?direct=true&db=buh&AN=110877517&site=ehost-live&scope=site Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What Do Systems

Users Have to Fear? Using Fear Appeals To Engender Threats and Fear that Motivate Protective Security Behaviours. MIS Quarterly, 39(4), 837–864.

Chen, Y., & Zahedi, F. M. (2016). Individuals’ Internet Security Perceptions and Behaviors:

Polycontextual Contrasts Between the United States and China. MIS Quarterly, 40(1), 205–

222.

Choo, K.-K. R. (2011). The cyber threat landscape: Challenges and future research directions.

Computers & Security, 30(8), 719–731. https://doi.org/10.1016/j.cose.2011.08.004

Colwill, C. (2009). Human factors in information security: The insider threat - Who can you trust these days? Information Security Technical Report, 14(4), 186–196. Retrieved from http://www.scopus.com/inward/record.url?eid=2-s2.0-

77956652072&partnerID=40&md5=43ad41c5fd1894f8b44fc666c971e9c7

Czaja, S. J., Hammond, K., Blascovich, J. J., & Swede, H. (1989). Age related differences in learning to use a text-editing system. Behaviour & Information Technology, 8(4), 309–319.

https://doi.org/10.1080/01449298908914562

D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79–98. https://doi.org/10.1287/isre.1070.0160

Field, A. (2009). Discovering Statistics Using SPSS. Statistics (Vol. 58).

Fishbein, M. & Ajzen, I. (1975). Belief, attitude, attitude, intention and behavior: An introduction to theory of research. Reading, MA : Addison-Wesley Addison-Wesley, 578.

Furnell, S. M., Bryant, P., & Phippen, A. D. (2007). Assessing the security perceptions of personal Internet users. Computers and Security, 26(5), 410–417.

https://doi.org/10.1016/j.cose.2007.03.001

Galbreth, M. R., & Shor, M. (2010). The Impact of Malicious Agents on the Enterprise Software

Industry. Mis Quarterly, 34(3), 595–612. https://doi.org/Article

Gattiker, U. E., & Kelley, H. (1999). Morality and computers: Attitudes and differences in moral judgments. Information Systems Research, 10(3), 233–254.

Girard, J. (2004). A field guide to spyware vibrations. ID# TU-23-1453, Gartner Research.

Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model. Journal of Management Information Systems, 28(2), 203–236. https://doi.org/10.2753/MIS0742-1222280208

Gutek, B. A., & Bikson, T. K. (1985). Differential experiences of men and women in computerized offices. Sex Roles, 13(3–4), 123–136.

Gutek, B. A., & Larwood, L. (1987). Information technology and working women in the USA.

Women and Technology, 71–94.

Harrison, A. W., & Rainer Jr, R. K. (1992). The influence of individual differences on skill in end- user computing. Journal of Management Information Systems, 9(1), 93–111. Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=5744198&site=ehost- live

Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information Systems Journal, 24(1), 61–84.

ISACA. (2015). State of Cybersecurity : Implications for 2015. CyberSecurity Nexus, 22.

Johnston, A. C., & Warkentin, M. (2010). FEAR APPEALS AND INFORMATION SECURITY BEHAVIORS: AN EMPIRICAL STUDY. MIS Quarterly, 34(3), 549-A4. Retrieved from http://search.ebscohost.com.proxy-

ub.rug.nl/login.aspx?direct=true&db=buh&AN=52546360&site=ehost-live&scope=site Kim, S. H., & Kim, B. C. (2014). DIFFERENTIAL EFFECTS OF PRIOR EXPERIENCE ON

THE MALWARE RESOLUTION PROCESS. MIS Quarterly, 38(3), 655–678. Retrieved

from http://search.ebscohost.com.proxy-

ub.rug.nl/login.aspx?direct=true&db=buh&AN=97267640&site=ehost-live&scope=site Lee, Y., & Kozar, K. a. (2005). Investigating Factors Affecting the Adoption of Anti-Spyware

Systems. Communications of the ACM, 48(8), 72–77.

https://doi.org/10.1145/1076211.1076243

Lee, Y., & Kozar, K. A. (2008). An empirical investigation of anti-spyware software adoption: A

multitheoretical perspective. Information and Management, 45(2), 109–119.

https://doi.org/10.1016/j.im.2008.01.002

Liang, H., & Xue, Y. (2009). Avoidance of Information Technology Threats: A Theoretical Perspective. MIS Quarterly, 33(1), 71–90. https://doi.org/Article

McKenna, B. (2005). Symantec’s Thompson pronounces old style IT security dead.

https://doi.org/10.1016/S1353-4858(05)00194-7

Milne, G. R., & Rohm, A. J. (2000). Consumer privacy and name removal across direct marketing channels: Exploring opt-in and opt-out alternatives. Journal of Public Policy & Marketing, 19(2), 238–249.

NCTV. (2013). Nationale Cybersecurity Strategie 2.

Nickell, G. S., & Pinto, J. N. (1986). The computer attitude scale. Computers in Human Behavior, 2, 301–306. https://doi.org/10.1016/0747-5632(86)90010-5

Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees’ behavior towards IS security policy compliance. In Proceedings of the Annual Hawaii International Conference on System Sciences. https://doi.org/10.1109/HICSS.2007.206

Pavlou, P. A., Liang, H., & Xue, Y. (2007). UNDERSTANDING AND MITIGATING UNCERTAINTY IN ONLINE EXCHANGE RELATIONSHIPS: A PRINCIPAL--AGENT PERSPECTIVE. MIS Quarterly, 31(1), 105–136. Retrieved from http://search.ebscohost.com.proxy-

ub.rug.nl/login.aspx?direct=true&db=buh&AN=23963781&site=ehost-live&scope=site Png, I. P. L., & Wang, Q.-H. (2009). Information security: Facilitating user precautions vis-{à}-

vis enforcement against attackers. Journal of Management Information Systems, 26(2), 97–

121.

Puhakainen, P. P., & Siponen, M. (2010). Improving Employee’ Compliance Through Information Systems Security Training: An Action Research Study. MIS Quarterly, 34(4), 757–778.

Raub, A. C. (1981). Correlates of computer anxiety in college students. Education. Retrieved from http://proxy.library.upenn.edu:2080/pqdweb?did=751693351&Fmt=7&clientId=3748&RQ T=309&VName=PQD

Rijksuniversiteit Groningen. (2014). Top and very good journals | Performance Criteria | Our

organization | SOM Research Institute | Research / FEB | FEB | Over ons | Rijksuniversiteit

Groningen. Retrieved September 21, 2016, from http://www.rug.nl/research/som-

ri/organization/performance-criteria/top-and-very-good-journals

Saini, H., Rao, Y. S., & Panda, T. C. (2012). Cyber-Crimes and their Impacts : A Review.

International Journal of Engineering Research and Applications, 2(2), 202–209.

Singer, P.w, Friedman, A. (2014). Cybersecurity and Cyberwar. Igarss 2014, (1), 1–5.

https://doi.org/10.1007/s13398-014-0173-7.2

Spears, J. L., & Barki, H. (2010). USER PARTICIPATION IN INFORMATION SYSTEMS SECURITY RISK MANAGEMENT. MIS Quarterly, 34(3), 503-A5. Retrieved from http://search.ebscohost.com.proxy-

ub.rug.nl/login.aspx?direct=true&db=buh&AN=52551903&site=ehost-live&scope=site Symantec. (2015). Internet Security Threat Report. Internet Security Threat Report, 20(April), 119.

Retrieved from https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA- internet-security-threat-report-volume-20-2015-social_v2.pdf

Symantec Corporation. (2016). Internet Security Threat Report. Symantec (Vol. 2016).

https://doi.org/10.1016/S1353-4858(05)00194-7

U.S. Secret Service National Threat Assessment. (2014). US Cybercrime: Rising Key findings from the 2014 US State of Cybercrime Survey. PWC, (July), 21. Retrieved from https://www.ncjrs.gov/App/Publications/abstract.aspx?ID=269621

von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers

& Security, 38, 97–102. https://doi.org/10.1016/j.cose.2013.04.004

Whitman, M. E., Townsend, A. M., & Aalberts, R. J. (2001). Information systems security and the need for policy. DigitalCommons@ Kennesaw State University.

Wright, R. T., & Marett, K. (2010). The influence of experiential and dispositional factors in

phishing: An empirical investigation of the deceived. Journal of Management Information

Systems, 27(1), 273–303.

Appendices

Table 4

Tests of normality for all variables used.

Kolmogorov-Smirnov Shapiro-Wilk

Variable Statistic Sig. Statistic Sig.

IT threats .163 .000 .902 .000

IT usage .080 .000 .987 .000

CSE .088 .000 .984 .000

Age .286 .000 .607 .000

Preventive Measures .125 .000 .971 .000

Education .379 .000 .666 .000

Operating System .295 .000 .702 .000

Overall carefulness .321 .000 .838 .000

IT security education .534 .000 .316 .000

Gender .394 .000 .621 .000

Figure 3

A scatterplot showing the relation between an individual’s IT usage and the amount of IT threats

experienced, with a correlation fit line.

Figure 4

A scatterplot showing the relation between an individual’s self-reported CSE level and the amount

of IT threats experienced, with a correlation fit line.

Figure 5

A scatterplot showing the relation between an individual’s self-reported CSE level and the amount

of IT threats experienced, with a correlation fit line.

Questionnaire:

The following questions concern your acquaintance with / information technology. Please answer the questions below:

1. I have personally installed software on my current computer.

2. I have personally changed the password of my current computer.

3. I have personally changed the pin code of my current mobile phone.

4. I have added printers to a home network.

5. I currently maintain a Facebook account.

6. I have uploaded photos for public use on web platforms (such as LinkedIn, Google+, Facebook).

7. I own a private computer (either desktop or Notebook). ("No" implies that all the computers that you are using are used by more persons than yourself).

8. I use Twitter or WhatsApp on at least a weekly basis (read or write).

9. I possess a mobile phone with Internet access.

10. I have Internet access in my home address.

11. I have managed security settings of a web service 12. I have changed (any) settings of (any) firewall.

13. I synchronize all data of my contacts and agenda over more than one device (phone, notebook and or desktop).

14. I frequently use and maintain NAS* storage in my home network (*Network Attached Storage).

15. I am proficient in a computer programming language.

The following questions concern your security / measures. Please answer the questions below:

16. Virus detection on my PC is automatically installed, or is always installed manually within a week.

17. Updates for my operating system (f.i. Microsoft-Windows or Apple-IOS) are automatically installed, or are always installed manually within a week.

18. I have told somebody the pin code of any of my bank accounts.

19. I have told somebody the password of any of my computers.

20. I have told somebody the password of any of my Business or University accounts.

21. I have told somebody the password of my mobile phone.

22. I always bear my privacy in mind when placing content on Facebook.

23. I have blocked the camera of any of my devices.

24. I sometimes use a pseudonym instead of my real name in Internet communications.

25. I do not use Gmail or Hotmail, because of privacy concerns.

26. I refrain from using particular web services because of security risks.

27. I sometimes switch of my phone to stay untraceable.

28. I continuously leave on my phone and will always answer calls (of a selected group of people) any time of day or night.

29. I have used a proxy server for anonymous web surfing.

30. I use software that is presumably illegal.

31. I do not use the same password for more than two different services.

32. I always check the privileges of Apps before installing new Apps.

33. I have decided not to use particular Apps, because of requested privileges.