A study of cybersecurity for telecommunication services concerning smartphone users in Thailand

Smartphones are powerful handheld computers that allow users to connect in real-time with others around the globe through high quality phone calls, and data exchange. They are 2.1 billion smartphones users worldwide in 2016 with this number expected to grow to almost 3 billion by the end of 2020 (www.statista.com). This enormous uptake together with valuable information contained in smart phones makes them an attractive target for attackers to exploit. This study was conducted to indicate the abilities and behaviours of Thai smartphone users in protecting their smartphones from cyber threats. The objectives of this study are: (1) to investigate cyber threats on smartphones and trends; (2) to investigate cybersecurity handlings for smartphone users in Thailand; (3) to investigate general behaviours and protection behaviours of Thai smartphone users; and (4) to analyse causal relationship among constructs of the proposed protection behaviour model. This study utilizes mixed methods research, qualitative and quantitative studies, to collect and analyze the data. Document research was performed in the qualitative part. For the quantitative study, a total of 720 samples from smartphone users were collected with cluster sampling technique from main regions of Thailand. Data were then analyzed with descriptive statistic, T-Test, and ANOVA to create a model, based on Roger, R.W. (1983)’s Protection Motivation Theory (PMT), with the Structural Equation Modeling (S.E.M.) technique to find the factors that affect behaviour of Thai in protecting their smartphones from cyber threats. Based on the collected data, the main findings of this study show that: (1) threats on smartphones that can be caused by attackers - malware attacks, wireless network attacks, denial of service attacks, break-in attacks, and threats due to unawareness of users themselves such as malfunctions, phishing, phone thefts/loses, and platform alterations; (2) identification of the agent responsible for providing incident response to computer security threats, the Thailand Computer Emergency Response Team or ThaiCERT, and their services should be extended to the whole of Thailand; (3) the overall protection behaviours of Thai people were in good level; (4) females had less degree in protecting themselves from mobile threats than males; (5) people whose ages between 41 – 60 had less degree in protecting themselves from mobile threats than the other age-groups; (6) people who have never experienced with phone virus/malware infection, who have never used public Wi-Fi, and who have never transferred money using Internet banking on their phones had less degree in protecting themselves from mobile threats than the other groups; and (7) the protection behaviour model of Thai smartphone users consisted of the following variables: Perceived Vulnerability, Self-efficacy, Social Influence, Threat Appraisal, Coping Appraisal, and Protection Motivation and Protection Behaviours. Among these, only variables that had impacts on Protection Behaviour of Thai smartphone users are: Self-efficacy, Social Influence, Coping Appraisal, and Protection Motivation. The findings provide strategic directions for the education and raising of awareness among smartphone users in Thailand so as to strengthen their protection against potential threats

Mobile Identity Protection: The Moderation Role of Self-Efficacy

The rapid growth of mobile applications and the associated increased dependency on digital identity raises the growing risk of identity theft and related fraud. Hence, protecting identity in a mobile environment is a problem. This study develops a model that examines the role of identity protection self-efficacy in increasing users’ motivation intentions to achieve actual mobile identity protection. Our research found that self-efficacy significantly affects the relationship between users’ perceived threat appraisal and their motivational intentions for identity protection. The relation between mobile users’ protection, motivational intentions, and actual mobile identity protection actions was also found to be significant. Additionally, the findings revealed the considerable impact of awareness in fully mediating between self-efficacy and actual identity protection. The model and its hypotheses are empirically tested through a survey of 383 mobile users, and the findings are validated through a panel of experts, thus confirming the impact of self-efficacy on an individual’s identity protection in the mobile context

A Separate Phone to Work and Play: Protection Motivation Theory and Smartphone Security Behaviour

Smartphone security is a growing concern. In this study, we use of the Protection Motivation Theory (PMT) to explore users’ attitudes, perceptions and behaviours towards the security of their work provided and personal smartphones. Australian employees from an insurance company participated in in-depth semi-structured interviews focussed on their behaviours. Data was analysed using deductive and inductive thematic analysis, guided by PMT to explore the comparisons between personal and work devices. The main overarching theme was that people behave more safely on their work smartphones compared to on their personal smartphones. Results suggest that perceived vulnerability, perceived reward, response cost, self-efficacy and social influence largely contributed to a lack of protective behaviour displayed when using personal smartphones. Despite the safe behaviour reported for work smartphones, these behaviours appear to be motivated by organisational controls, rather than intrinsically. This research has applied implications for education, relevant to both personal and workplace contexts

Complying with BYOD Security Policies: A Moderation Model Based on Protection Motivation Theory

As security concerns have become critical to organizations’ Bring Your Own Device (BYOD) strategy, it is important for employees to comply with organization’s security measures and policies. Based on the protection motivation theory, this study develops a theoretical model to identify the key factors that affect an employee’s intention to comply with organization’s BYOD security policies. This model also enriches general Protection Motivation Theory (PMT) by investigating how unique BYOD features may play moderating roles on the relationships between employee’s security perceptions and compliance intention. A survey of organization employees who were using their own devices in their workplace was conducted. The research model was tested using the partial least squares (PLS) approach. The results suggest that employees’ threat appraisal and coping appraisal affect their intention to comply with BYOD security policies. Further, mixed usage of device and company surveillance visibility are verified moderators. This study contributes to both academics and management practice

In Quest of information security in higher education institutions : security awareness, concerns and behaviour of students

Humans, often suggested as the weakest link in information security, require security education, training and awareness (SETA) programs to strengthen themselves against information security threats. These SETA programs improve security awareness (also called information security awareness or ISA) which makes users conscious about the information security threats and risks and motivates them to learn knowledge and measures to safeguard their information security. Studies have shown that most of the SETA programs do not achieve their desired objectives and been proven ineffective. This ineffectiveness is probably because: 1) current SETA programs are designed as a one-fits-all solution and are not tailored as per users’ needs, 2) users are not included in the design phase of the SETA programs and 3) the SETA programs lack theory-grounded approaches. Nonetheless, the relationship between ISA and security behaviour also needs explanation. This thesis sets out to address the issues mentioned above. In this thesis, four separate studies grounded in both quantitative and qualitative methods are conducted. Cross-sectional data from students of a single case was collected using online surveys, with one exception in which data was collected as part of a class assignment. The results showed that, in general, students believed they know more than they actually did. The impacts of gender, previous training, and educational discipline were evident on security knowledge, behaviour, perceived awareness and actual awareness. Students have a wide range of security concerns, related to their personal, social, technological, non-technological and institutional dimensions of everyday life, and not just technological and non-technological aspects as shown in the existing literature. Further, students differ significantly from security experts in terms of their security practices. However, aware students (having training in information security) were more similar in security practices to security experts than the unaware students (having no formal or informal information security training). Lastly, it was found that the relationship between ISA and security behaviour can be explained using Information-Motivation-Behavioural Skills (IMB) model. The research presented in this thesis has implications for faculty members who teach students and the security professionals responsible for information security of higher education institutions.Ihminen mielletään usein tietoturvan heikoimmaksi lenkiksi. Jotta tietoturvauhkilta osattaisiin suojautua, tarvitaan erillistä tietoturvakoulutusta, -harjoitusta sekä -tietoisuutta. Erilaiset tietoturvakoulutukset lisäävät henkilön tietoisuutta erilaisista tietoturvauhkista ja -riskeistä sekä motivoivat oppimaan tapoja ja toimenpiteitä, jotka parantavat henkilökohtaista tietoturvaa. Tutkimuksissa on kuitenkin ilmennyt, että useimmat tietoturvakoulutukset eivät saavuta toivottuja tavoitteita, ja ne ovatkin osoittautuneet tehottomiksi. Tehottomuus johtuu todennäköisesti siitä, että (1) koulutuksia ei ole räätälöity käyttäjien tarpeiden mukaisiksi vaan yleisluontoisiksi, (2) käyttäjiä ei ole otettu mukaan koulutusten suunnitteluun, ja (3) koulutuksilta puuttuvat teoriapohjaiset lähestymistavat. Tässä väitöskirjassa tutkitaan yllä mainittuja epäkohtia ja selvitetään ihmisen tietoturvakäyttäytymisen ja -tietoisuuden suhdetta. Väitöskirjassa esitetyt tulokset saavutettiin tekemällä neljä erillistä tutkimusta kvantitatiivisin (määrällisin) ja kvalitatiivisin (laadullisin) menetelmin. Tietoa kerättiin tutkimusten kohteina olleilta opiskelijoilta verkkokyselyillä, paitsi yhdessä tapauksessa, jossa kysely toteutettiin osana kurssitehtävää. Tulokset osoittavat, että yleisesti opiskelijat mielsivät tietävänsä enemmän kuin todellisuudessa tiesivät. Sukupuolella, aiemmalla koulutuksella ja tieteenalalla oli selkeä vaikutus vastaajien tietoturvakäytökseen - sekä miellettyyn että varsinaiseen tietoisuuteen. Opiskelijoilla on monenlaisia tietoturvaan liittyviä huolenaiheita, jotka liittyvät persoonallisiin, sosiaalisiin, teknologisiin, ei-teknologisiin sekä arkisiin ulottuvuuksiin. Tämä poikkeaa nykyisen kirjallisuuden näkemyksestä, joka käsittää vain teknologisen ja ei-teknologisen ulottuvuuden. Opiskelijat eroavat merkittävästi tietoturvaasiantuntijoista tietoturvakäytäntöjensä suhteen. Tietoturvakoulutusta saaneet, tietoisemmat opiskelijat olivat käyttäytymiseltään lähempänä tietoturva-asiantuntijoita kuin vähemmän tietoiset ja vähemmän koulutusta aiheesta saaneet opiskelijat. Tutkimuksessa kävi ilmi myös, että tietoturvatietoisuuden ja -käyttäytymisen välistä suhdetta voidaan selittää käyttäen IMB-mallia (Information-Motivation- Behavioural Skills model). Tässä väitöskirjassa esitetty tutkimus ja sen tulokset ovat korkeakoulujen opetushenkilöstön ja tietoturvasta vastaavien ammattilaisten suoraan hyödynnettävissä

An Empirical Assessment of Senior Citizens’ Cybersecurity Awareness, Computer Self-Efficacy, Perceived Risk of Identity Theft, Attitude, and Motivation to Acquire Cybersecurity Skills

Cyber-attacks on Internet users have caused billions of dollars in losses annually. Cybercriminals launch attacks via threat vectors such as unsecured wireless networks and phishing attacks on Internet users who are usually not aware of such attacks. Senior citizens are one of the most vulnerable groups who are prone to cyber-attacks, and this is largely due to their limited cybersecurity awareness and skills. Within the last decade, there has been a significant increase in Internet usage among senior citizens. It was documented that senior citizens had the greatest rate of increase in Internet usage over all the other age groups during the past decade. However, whenever senior citizens use the Internet, they are being targeted and exploited particularly for financial crimes, with estimation that one in five becoming a victim of financial fraud, costing more than $2.6 billion per year. Increasing the cybersecurity awareness and skills levels of Internet users have been recommended to mitigate the effects of cyber-attacks. However, it is unclear what motivates Internet users, particularly senior citizens, to acquire cybersecurity skills so that they can identify as well as mitigate the effects of the cyber-attacks. It is also not known how effective cybersecurity awareness training are on the cybersecurity skill level of senior citizens. Therefore, the main goal of this quantitative study was to empirically investigate the factors that contributed to senior citizens’ motivation to acquire cybersecurity skills so that they would be able to identify and mitigate cyber-attacks, as well as assess their actual cybersecurity skills level. This was done by assessing a model of contributing factors identified in prior literature (senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, & older adults’ computer technology attitude) on the motivation of senior citizens to acquire cybersecurity skills. This study utilized a Web-based survey to measure the contributing factors and a hands-on scenarios-based iPad app called MyCyberSkills™ that was developed and empirically validated in prior research to measure the cybersecurity skills level of the senior citizens. All study measures were done before and after cybersecurity awareness training (pre- & post-test) to uncover if there were any differences on the assessed models and scores due to such treatment. The study included a sample of 254 senior citizens with a mean age of about 70 years. Path analyses using Smart PLS 3.0 were done to assess the pre- and post-test models to determine the contributions of each contributing factor to senior citizens’ motivation to acquire cybersecurity skills. Additionally, analysis of variance (ANOVA) and analysis of covariance (ANCOVA) using SPSS were done to determine significant mean difference between the pre-and post-test levels of the senior citizens’ cybersecurity skill level. The path analysis results indicate that while all paths on both models were significant, many of the paths had very low path coefficients, which in turn, indicated weak relationships among the assessed paths. However, although the path coefficients were lower than expected, the findings suggest that both intrinsic and extrinsic motivation, along with antecedents such as senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, and older adults’ computer technology attitude significantly impact the cybersecurity skill levels of senior citizens. The analysis of variance results indicated that there was a significant increase in the mean cybersecurity skills scores from 59.67% to 64.51% (N=254) as a result of the cybersecurity awareness training. Hence, the cybersecurity awareness training was effective in increasing the cybersecurity skill level of the senior citizens, and empowered them with small but significant improvement in the requisite skills to take mitigating actions against cyberattacks. The analysis of covariance results indicated that, except for years using computers, all the other demographic indicators were not significant. Contributions from this study add to the body of knowledge by providing empirical results on the factors that motivate senior citizens to acquire cybersecurity skills, and thus, may help in reducing some of the billions of dollars in losses accrued to them because of cyber-attacks. Senior citizens will also benefit in that they will be better able to identify and mitigate the effects of cyber-attacks should they attend cybersecurity awareness trainings. Additionally, the recommendations from this study can be useful to law enforcement and other agencies that work with senior citizens in reducing the number of cases relating to cybersecurity issues amongst senior citizens, and thus, free up resources to fight other sources of cybercrime for law enforcement agencies

A Conceptual Framework for Smartphone Security Among Arab Millennials

The rapid growth of smartphone adoption and use in the Middle East has led to some critical post-adoption issues, including ensuring that smartphones are used securely. Moreover, there is a gap in the existing literature on the perceptions and behaviour of individual consumers, especially millennials, in relation to mobile security and dealing with smartphone security threats. Little research on this subject has been carried out in developing countries, particularly in the Middle East, in a cross-national context. Therefore, this research aims to analyse the factors that can affect smartphone security behaviour among millennials in a cross-national context in the Middle East. The model developed in this research is based on a combination of the protection motivation theory (PMT) and the extended unified theory of acceptance and use of technology (UTAUT2), with additional factors specifically related to millennials’ smartphone security behaviour in the Middle East. The initial findings indicate that (1) there is a gap in research on the security behaviour of Arab millennials, despite the existence of serious security threats associated with their use of these technologies; and (2) there is a gap in research on similarities and differences in smartphone security behaviour among consumers in a cross-national context. A questionnaire will be distributed online to consumers who are 18–29 years old in Iraq, Jordan and the UAE. This is the first research to study millennial Arabs’ security behaviour around smartphones and mobile applications in a cross- national context. In addition, the conceptual framework proposed in this research combines the PMT and the UTAUT2, with a further extension via the inclusion of three additional factors: privacy concerns; security threats related to smartphone-specific characteristics; and cybersecurity acculturation. Furthermore, this research bridges the gap in knowledge in terms of addressing the lack of research on millennials smartphone users in the Middle East region as they form the largest segment of the population

Having Two Conflicting Goals in Mind: The Tension Between IS Security and Privacy when Avoiding Threats

Despite users of personal IT devices perceive high risks of losing their personal data if their devices get lost or damaged, many are reluctant to use user-friendly online services (i.e., online backups) to recover from such incidents. We suggest that the reason for this denial are information privacy concerns because users need to disclose their personal files to the safeguard provider. As safeguarding services promise to reduce the IS security threat of losing data, individuals are subsequently tensed between two goals: protecting their data against loss (IS security) and their information privacy. To shed light on this goal conflict, our work builds on the theory of goal-directed behavior. Based on a quantitative online survey among 446 participants, we show that privacy concerns impede threat avoidance to prevent data loss. Comparing current users and non-users of online backup services, our results confirm that provider-related privacy concerns are significantly higher for non-users

Empirical Assessment of Mobile Device Users’ Information Security Behavior towards Data Breach: Leveraging Protection Motivation Theory

User information security behavior has been an area of growing demand in information systems (IS) research. Unfortunately, most of the previous research done in user information security behavior have been in broad contexts, therefore creating a gap in the literature of similar research that focuses on specific emerging technologies and trends. With the growing reliance on mobile devices to increase the flexibility, speed and efficiency in how we work, communicate, shop, seek information and entertain ourselves, it is obvious that these devices have become data warehouses and platform for data in transit. This study was an empirical and quantitative study that gathered data leveraging a web-survey. Prior to conducting the survey for the main data collection, a Delphi study and pilot study were conducted. Convenience sampling was the category of nonprobability sampling design used to gather data. The 7-Point Likert Scale was used on all survey items. Pre-analysis data screening was conducted prior to data analysis. The Partial Least Square Structural Equation Modeling (PLS-SEM) was used to analyze the data gathered from a total of 390 responses received. The results of this study showed that perceived threat severity has a negative effect on protection motivation, while perceived threat susceptibility has a positive effect on protection motivation. Contrarily, the results from this study did not show that perceived response cost influences protection motivation. Response efficacy and mobile self-efficacy had a significant positive influence on protection motivation. Mobile device security usage showed to be significantly influenced positively by protection motivation. This study brings additional insight and theoretical implications to the existing literature. The findings reveal the PMT’s capacity to predict user behavior based on threat and coping appraisals within the context of mobile device security usage. Additionally, the extension of the PMT for the research model of this study implies that mobile devices users also can take recommended responses to protect their devices from security threats

“It's the one thing that makes my life tick”:security perspectives of the smartphone era

As smartphones overtake personal computers as the device of choice for internet access and everyday digital tasks, cybersecurity becomes a pressing issue for the platform. Research has found that smartphone users appear to act less securely than they would on a PC, but the reasons for this are unclear. The technology, the threats, and the role of smartphones have all developed in recent years, and this paper examines what smartphone security looks like to users in the 2020s. We interviewed 27 smartphone users about their security attitudes and behaviours. We find that users place great emphasis on, and take responsibility for, the physical security of their device, but minimise their responsibility for dealing with digital threats. We observe key contextual factors that influence how users protect their smartphones. The increasing monetary cost of smartphones and users’ functional reliance on them, causes participants to be highly concerned with protecting the physical safety and integrity of their devices. However, users appear to have a high level of trust in apps, based on the vetting processes of official app stores, yet they are still vulnerable to abuse from malicious/unnecessary permissions, and exhibit poor security habits when accessing illegitimate, pirated media outside of their smartphone's app store