96 research outputs found

    Exploring Users’ Security-related Fact-Checking Behavior in Educational Social Media Groups: The Perspective of Health Belief Model

    Social media services have become increasingly prevalent among educators as a means to enhance their educational effectiveness. The group feature in these services, which allows multiple users to communicate within a shared space, has been extensively incorporated into the teaching process. Unfortunately, information security threats and risks have appeared along with the popularity of educational social media groups. In this study, we are conducting exploratory research to investigate the antecedents of users’ security-related fact-checking behavior in teacher-parent social media groups based on the health belief model. A cross-sectional survey will be conducted to test our proposed research model and the data will be collected from WeChat users. We are expecting to make several contributions to the current literature on educational social media usage and behavioral information security

    Do you bend or break?: Preventing online banking fraud victimization through online resilience

    This doctoral thesis is about the human aspects of online banking safety and security. Preparations for this thesis, part of The Dutch Research Program on Safety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific part of the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-user perspective. Hence, it examined how the online resilience of end users can be enhanced; making them better able to protect themselves against online banking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain. This thesis starts with an introductory Chapter (1) in which the context of study is described and the goal and research questions are highlighted. The empirical part of this thesis is divided into two smaller parts. In order to get a comprehensive overview of the human aspects of online banking safety and security, it is important to study the threats as well as people-focussed safeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users’ perceptions of and victimization due to online banking fraud. Learning more about risk perceptions, how and why victimization takes place, victim characteristics and how victims recover from incidents may lead to more knowledge on how to combat online banking fraud effectively. Part II of this thesis (Chapters 6 to 9) consequently deals with studies on precautionary online behaviour of end users and how that behaviour can be improved. Knowledge on this subject may contribute to strengthening one of the most essential links in the safety and security of online banking: the end user.
The concluding Chapter (10) provides an answer to the central and main research questions and deals with the theoretical and practical implications of the findings. The main research questions are: 1: What are the perceptions of end users regarding the safety and security of online banking? 2: How can online banking fraud victimization be explained from an end-user perspective? 3: How can precautionary online behaviour of end users be explained and improved? To answer these questions, several studies were conducted; these are elaborated in Part I and Part II of this thesis. The contents of the chapters are outlined below. In Chapter 2, end-user risk perceptions of online bank fraud are studied. Secondary analysis of data based on a survey among 1,200 Dutch online banking users shows that online banking fraud is not considered to be a major risk. End users perceive the potential impact of online banking fraud to be severe, but the chances of falling victim themselves to be slim. However, they estimate the chances of others being victimized to be higher. Furthermore, online banking customers mainly come into contact with online banking fraud through media communications. Indirect victimization in the social environment and direct victimization were less common. In addition, online banking users, in general, have reasonable levels of trust in online banking. Finally, this chapter reveals – using partial least squares path modelling – that risk perceptions are mainly affected by the estimated chance of becoming a victim of online banking fraud. The perceived impact of online banking fraud and the degree of trust in online banking affected risk perception to some extent. Direct and indirect victimization and demographic characteristics hardly affected risk perceptions. In Chapter 3, an analysis of 600 phishing and malware incidents obtained from a Dutch bank is presented.
The goal of this chapter is to shed light on the circumstances in which bank customers are victimized in phishing and malware attacks and how these attacks manifest in practice. This chapter shows that an essential step in the fraudulent process entails customers giving away their personal information to fraudsters. Phishing victimization mainly occurred by responding to a fraudulent e-mail, a fraudulent phone call or a combination of these. Malware victimization primarily occurred by responding to a malicious pop-up and by installing a malicious application on a mobile device. Customers cooperated because the fraudulent messages were perceived to be professional and trustworthy and because customers were not sufficiently suspicious of what was happening. The results suggest that victims have an unintended and subconscious, but active role in the fraudulent process. An interesting finding is that the victims did not always seem to trust the fraudster’s intentions, but were mentally unable to stop the process. Reasons for this include not being aware of how fraudulent schemes manifest in practice, not being alert at the right moment and having insufficient knowledge of online banking procedures and precautionary measures. Chapter 4 explores factors that may explain online banking fraud victimization based on interviews with 30 victims using the routine activity approach and protection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. The interview data were analysed using computer-assisted qualitative data analysis software. This chapter demonstrates that no specific factors from the routine activity approach and protection motivation theory that increase the chance of online banking fraud victimization could be identified. Moreover, victims were distributed across genders, age categories and levels of education.
Ultimately, end-user attributes that lead to higher chances of being victimized through online banking fraud could not be identified. This suggests that everyone is susceptible to online banking fraud victimization to some degree. In order to find out whether victims adequately recover from phishing and malware incidents, it is important to gain insight into its effects and impact on victims first. However, there was not much literature available on the impact of these cybercrimes. This gap is addressed in Chapter 5, in which interview data from the above mentioned 30 victims are analysed again. Besides (initial) financial effects (most victims were reimbursed), victims also described various kinds of psychological and emotional effects, such as feeling awful and stressed, and various kinds of secondary impact, such as time loss and not being treated properly during the handling of the incident. Furthermore, this chapter demonstrates that the level of impact varies among victims, ranging from little or no impact to severe impact. Moreover, while some victims were only affected for a few days, some felt the effects in the long term. The impact of these fraudulent schemes on victims should therefore not be underestimated. In addition, the interview data provided insight into cognitive and behavioural change in order to cope with the incident. Cognitive strategies were mainly concerned with reducing psychological and emotional distress, and increasing online resilience to future attacks. The main behavioural strategies that were identified are reporting the incident to the bank and the police and seeking support from the social environment. Furthermore, various other actions were taken, such as enhancing the safety and security of devices and being more attentive during online banking sessions. However, it was observed that some of these actions were only of limited duration. Some victims adopted avoidance behaviours, such as making less use of online banking services.
Victims who were left with financial damages rationalized the incident, thereby minimizing victimization for themselves. Chapter 5 concludes that the coping approach that was applied provides a useful framework to study the effects and impact of cybercrime victimization and how victims recover from it. In Chapters 6 and 7, survey data on 1,200 Dutch online banking users are examined and analysed using partial least squares path modelling. In Chapter 6, three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are: protection motivation theory, the reasoned action approach and an integrated model comprising variables of these models. The three models were successfully applied to online banking. The individual models equally explain much of the variance in precautionary online behaviour. In the integrated model, the significant predictors of the two models remained significant and the level of explained variance was highest. Precautionary online behaviour is largely driven by response efficacy, self-efficacy and attitude towards that behaviour. This chapter concludes that both protection motivation theory and the reasoned action approach make a unique contribution in explaining variance for precautionary online behavioural intention. The integrated model explained most variance in protection motivation, which means that integrating theoretical perspectives from different domains is worthwhile. However, protection motivation theory is used as the main theoretical basis in the following chapters, because of its applicability to interventions. Chapter 7 builds on the preceding chapter and continues to study a model of precautionary behaviour in the domain of online banking. The aim was to gain insight into factors that encourage customers to take measures to protect themselves against online threats.
The analyses that were conducted for this chapter provided support for most of the hypothesized relationships and showed that the model explains high levels of variance for precautionary online behaviour as well as for risk perception. Threat and coping appraisal successfully predicted the protection motivation of online banking users; in particular, response efficacy and self-efficacy were the most important predictors for taking precautions. Secondary predictors include locus of control, perceived severity (direct effect) and the negative predictor response costs. Finally, some differences in precautionary online behavioural intentions were observed based on gender and level of education. In Chapter 8, insight is gained into what protective measures self-employed entrepreneurs take in order to protect themselves against online threats and what motivates them to do so. Information technology is becoming increasingly important for entrepreneurs. Protecting their technical infrastructure and stored data is, therefore, also growing in importance. Nevertheless, research into the safety and security of entrepreneurs in general, and online threats targeted at entrepreneurs in particular, are still limited. Based on secondary analyses on data collected from 1,622 Dutch entrepreneurs, it was observed that the majority implement technical and personal coping measures. Entrepreneurs are likely to implement protective measures if they believe a measure is effective, if they are capable of using internet technology, if their attitude towards information security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlined in Chapters 6 and 7.
Finally, some differences in precautionary online behaviour were observed based on age and education level. Chapter 9 examines the impact of fear appeal messages on user cognitions, attitudes, behavioural attentions and precautionary behaviour regarding online information-sharing to protect against the threat of phishing attacks. A pre-test post-test design was used in which 768 internet users filled out an online questionnaire. Participants were grouped in one of three fear appeal conditions: strong-fear appeal, weak-fear appeal and control condition. Claims regarding vulnerability of phishing attacks and claims concerning response efficacy of protective online information-sharing behaviour were manipulated in the fear appeal messages. This chapter demonstrates positive effects of fear appeals on heightening end-users’ cognitions, attitudes and behavioural intentions. However, future studies are needed to determine how subsequent security behaviour can be promoted, as the effects on this crucial aspect were not directly observed. Nonetheless, fear appeals have great potential for promoting security behaviour by making end users aware of threats and simultaneously providing behavioural advice on how to mitigate these threats. All things considered, this thesis investigated online banking fraud victimization and precautionary online behaviour. Specifically, human aspects were the focus of the present research. This thesis demonstrates that good security is in people’s heads. It seems easier, cheaper and more successful for criminals to attack end users using psychology rather than the technology surrounding online banking. Hence, even the best security engineers cannot stop end users from giving away their security codes. Therefore, using psychology to defend against online banking attacks also makes sense. This is especially the case for attacks using social engineering (phishing), but to some extent also for attacks using technical engineering (malware).
Considering the further digitization of our society and the increasing dependability on information systems, the case is made that people have to ‘bend’ with these developments and become resilient when online. This is necessary to stop people from ‘breaking’ and potentially becoming victims of online banking fraud. While this thesis obtained information on how safety and security of online banking can be improved from an end-user perspective, it should be noted that end users will always be confronted with numerous potential threats. It is unrealistic to believe that people can protect themselves against all threats at all times. Therefore, we have to accept that bad things will continue to happen online, but optimistically they can be kept to a minimum if end users are more vigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of these attacks can be reduced. The following main recommendations from this thesis may be helpful: 1: Continue to invest in security education, training and awareness campaigns concerning threats aimed at online banking. 2: Focus on underlying cognitive dimensions in security education, training and awareness campaigns, most notably on response efficacy and self-efficacy. 3: Make clear that banks and customers are partners in keeping online banking safe and secure. 4: Facilitate victims in their recovery process, primarily by providing feedback. 5: Continue with research on the human aspects of online banking safety and security. In conclusion, security education, training and awareness remain an important priority, especially for combatting social risks. It is very important to promote online resilience. The research indicates that in order to strengthen the role of customers in the safety and security of online banking, threat appraisals as well as coping appraisals should be improved.
If customers or end users believe that protective measures make a difference (response efficacy) and if they are able to perform these measures (self-efficacy), it is likely that end users will adopt precautionary behaviour and become a strong link in the information security chain. Proper information security practices should become part of our general skill set as people in this day and age. However, it should not be forgotten that safety and security is something that should be worked on together, with all parties involved. And when things do go wrong, we need to help one another to recover from it. All in all, an important requirement for a safer and more secure internet is that the human factor takes a central place in information security.

    Antecedents of cyber security behavior: the roles of coping appraisal, threat appraisal and responsibility norms among government employees

    The value of cyber security awareness among employees plays an important role for organizations in the protection of assets. Cyber security has become a critical issue in society due to growing internet use. Various attitudes towards cyber security practices for employees in organizations are a major cause. Previous research has revealed that in the South East Asia region, Malaysia is reportedly the most vulnerable country, with 46% of respondents admitting to being victims of scams. Equally important, according to an Internet user survey in 2020 conducted by the Malaysian Communication and Multimedia Commission (MCMC), over the last six months, 53.1% of users have experienced cybercrime. On the other hand, 9.4% of users have experienced cybercrime in more than three years, 7.6% of users in the last two years and 27.7% of Internet users have experienced cybercrime in the previous 12 months in 2020. This study verifies the extent of threat appraisal (perceived vulnerability, perceived severity), coping appraisal (perceived barrier, security response efficacy, response self-efficacy) and also evaluates the impact level of responsibility norm (personal responsibility, third-party responsibility) on users’ cyber security behaviour. Responsibility norms are integrated into the model as a means to assess employees’ behaviors toward cybersecurity. This study also addresses a gap in the literature by investigating the extent to which the relationships between perceived vulnerability, perceived severity, perceived barrier, security response efficacy, response self-efficacy, personal responsibility, and third-party responsibility exist. A quantitative research design was used in this study. The designed model was tested in two stages of pre-test using structural equation modelling to analyze relationships between variables. 446 respondents from government agencies in Malaysia took part and were analysed using partial least-squares structural equation modelling (PLS-SEM).
One of the most notable findings of this study is that cyber security behaviour has a significant impact on Malaysian government employees. These findings are one of the most critical findings from this study. The perceived severity, perceived barrier, response self-efficacy, personal responsibility, and third-party responsibility positively influenced cybersecurity behaviour. In contrast, the perceived vulnerability and security response efficacy have a negative impact on government employees’ cybersecurity behaviour in Malaysia. Thus, it is concluded that the coping appraisal and responsibility norm associated with PMT have a significantly stronger influence on the cyber security behaviour of Malaysian government employees than threat appraisal does. The outcomes of this study will demonstrate the actual findings that may be brought into effective action to decrease the impact of cyber-attacks on government employees in Malaysia. This study has also discovered the potential to contribute to the security of government agencies in Malaysia from cyber-attacks launched by perpetrators in cyberspace.

    The Cybercrime Triangle

    Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged “…if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed” (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime. To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the “Crime Triangle,” a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. 
In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security. The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using “Phishing Campaign” and “Cybersecurity Awareness Training Program” data derived from FIU’s Division of Information Technology

    Employees’ behavioural intention to smartphone security: a gender-based, cross-national study

    Despite the benefits of bring your own device (BYOD) programmes, they are considered one of the top security risks companies are facing. Furthermore, there is a gap in the literature in understanding gender differences in employees' smartphone security behavioural intention. This research analyses gender differences in smartphone security behavioural intention among employees in the United Arab Emirates (UAE) and the United States (US). The research develops a new model, the behavioural model of cybersecurity (BMS), based on a combination of the protection motivation theory (PMT), the general deterrence theory (GDT) and Hofstede's cultural dimensions. A questionnaire was distributed to employees in both countries. A total of 1156 useable responses were analysed using partial least squares-structural equation modelling. The findings show that gender differences exist, but neither male nor female employees in either country are aware of the risks associated with their use of smartphones, despite their awareness of the existence of their company's BYOD security policies. The research provides theoretical and practical contributions by developing a new model combining the PMT, GDT and Hofstede's cultural dimensions and suggests gender differences in employees' smartphone security behavioural intention in a cross-national context. It has several practical implications for practitioners and policymakers

    Mobile Identity Protection: The Moderation Role of Self-Efficacy

    The rapid growth of mobile applications and the associated increased dependency on digital identity raises the growing risk of identity theft and related fraud. Hence, protecting identity in a mobile environment is a problem. This study develops a model that examines the role of identity protection self-efficacy in increasing users’ motivation intentions to achieve actual mobile identity protection. Our research found that self-efficacy significantly affects the relationship between users’ perceived threat appraisal and their motivational intentions for identity protection. The relation between mobile users’ protection, motivational intentions, and actual mobile identity protection actions was also found to be significant. Additionally, the findings revealed the considerable impact of awareness in fully mediating between self-efficacy and actual identity protection. The model and its hypotheses are empirically tested through a survey of 383 mobile users, and the findings are validated through a panel of experts, thus confirming the impact of self-efficacy on an individual’s identity protection in the mobile context

    How to Cultivate Cyber Security Culture? The Evidences from Literature

    Cyber Security Culture (CSC) is a culture that could produce a secure cyber space and could improve the quality of cyber world engagement. Despite many benefits that could be offered by CSC, there is a lack of models and guidelines on how to cultivate this culture. This paper discusses the concept of a CSC model in terms of the elements that form the model, to suggest how CSC could be cultivated. The Information Security Culture (ISC) model developed by [1] is used as a framework in discussing the concept of CSC. A literature search is also conducted to find and analyse the most suitable elements for CSC. A new model of CSC was proposed as a result of this study. The findings could provide a better understanding of CSC and could be used as a baseline to conduct more research on CSC.

    Modelling the phishing avoidance behaviour among internet banking users in Nigeria: The initial investigation

    The positive usage of Internet Technology advantage had inspired the banking sector in Nigeria to invest in digitalizing the banking platform, which has been a move towards the usage of IB for financial services; however, such a move also implies an increased opportunity for Phishing Attacks (PA). Despite this huge enhancement, the ratio of usage has been relatively low among IB users in Nigeria. This evidence indicates that there is an urgent requirement to investigate the factors behind the issue. Therefore, this study is conducted to develop a conceptual model based on Technology Threat Avoidance Theory (TTAT) and Modified TTAT to evaluate the PA among IB users in Nigeria and to enhance avoidance behaviour. As the study is still in the early stage, this paper will present the initial investigation that leads to the development of the conceptual model, including the background of the study, literature review and research methodology that the study wishes to employ. Finally, this study seeks to contribute some understanding of how the new Conceptual Model can predict the success of phishing avoidance behaviour among Nigerian IB users.

    Preparación policial para responder al delito informático en Ecuador.

    The present study aims to describe and explore the preparation of Ecuadorian police personnel to respond to cybercrime, for which a survey was applied whose data was used to analyze the frequency of participation in training focused on cybercrime; their level of individual and organizational confidence to respond to this type of crime; and the perception of how to improve their response to these facts. This is followed by a review of existing research on the complexity of cybercrime investigations and police preparedness to respond to cyber incidents. Among the study's conclusions, it is suggested that Ecuadorian police officers may benefit from greater training in basic skills related to cybercrime.

    A Separate Phone to Work and Play: Protection Motivation Theory and Smartphone Security Behaviour

    Smartphone security is a growing concern. In this study, we use the Protection Motivation Theory (PMT) to explore users’ attitudes, perceptions and behaviours towards the security of their work-provided and personal smartphones. Australian employees from an insurance company participated in in-depth semi-structured interviews focussed on their behaviours. Data was analysed using deductive and inductive thematic analysis, guided by PMT to explore the comparisons between personal and work devices. The main overarching theme was that people behave more safely on their work smartphones compared to on their personal smartphones. Results suggest that perceived vulnerability, perceived reward, response cost, self-efficacy and social influence largely contributed to a lack of protective behaviour displayed when using personal smartphones. Despite the safe behaviour reported for work smartphones, these behaviours appear to be motivated by organisational controls, rather than intrinsically. This research has applied implications for education, relevant to both personal and workplace contexts.