Cyberattacks will become increasingly common over the coming years. That is not just a concern for big companies, organisations and governments: every person who uses modern technology is a potential target. EU-funded researchers conducted a qualitative study on what influences individuals’ cybersecurity behaviour.

Digital Economy

Security

Cybercrime is a growing global concern. Attacks are becoming more and more sophisticated as digital transformation processes and the shift towards a more connected tomorrow progress. Business – from online banking to ecommerce – that is being conducted online is booming, driving an uptick in security breaches. Malware attacks, distributed denial-of-service attacks that disrupt the normal traffic of a targeted server or phishing attempts used for identity thefts can have disastrous consequences for citizens, companies and nations.

End users are the first line of defence

The growing social and economic impact of cybercrimes has forced international organisations, businesses and universities to develop strategies to more efficiently respond to attacks. A wealth of work and research has focused on technical forms, measures and the economic consequences of cybercrime. “Despite using state-of-the-art technical security systems, businesses, organisations and people continue to experience security breaches. Whatever the quality of the technical layer of security and the kind of technical controls and countermeasures, security depends on appropriate end-user behaviour. While many people recognise the importance of Internet safety rules and practices, many have a weak cyber security mindset and thus do not engage in proper safeguarding behaviours,” notes Prof. Bertrand Venard, coordinator of the CYBERSECURITY project that received funding under the Marie Skłodowska-Curie programme.

A cross-comparative analysis

Against this backdrop, CYBERSECURITY was established to explore the factors that determine the individuals’ information security behaviour. The project team used qualitative survey research methods and conducted a comparative analysis in France and the United Kingdom, targeting students across different types of institutions and academic fields, and of different gender. “Our main scientific achievement was the development of a theoretical model that can explain cybersecurity behaviour. Using different research methods – interviews, survey questionnaire and modelling – we examined the individuals’ ability to neutralise threats as well as computer self-efficacy. The latter pertains to individuals’ judgment of their capabilities to use computers in various situations to perform a task successfully,” adds Prof. Venard. Researchers used structural test modelling to test their methods. In total, they conducted 65 interviews amongst students and information technology experts in the United Kingdom and 109 in France. The number of interviews conducted was almost 3 times more than forecasted. The long and intense interview process allowed researchers to gain deep understanding of computer security behaviour, in particular why some students do not protect themselves while on the Internet through their PC or smartphones. Project findings revealed that the frequency and severity of cyber threats do not influence students’ computer security behaviour. “Students can efficiently protect themselves especially when they have the access to highly user-friendly antivirus and anti-spyware software tools or firewalls, and could get the help of social guardianship, which refers to the family or peers who protect the victim from an attack. The high response cost of adopting a new technology – the high overhead costs associated with implementing information system security – seem to generate lower protection motivations,” explains Prof. Venard. Furthermore, the stress caused by the number of cyberattacks that have increased along with the rapid spread of the COVID-19 pandemic seem to have no direct effect on the students’ cybersecurity behaviour. Project findings could prove highly valuable to higher-education institutions, organisations and governments, enabling them to take further protection steps in the face of rising cyber risks.

Keywords

CYBERSECURITY, behaviour, students, individuals, cybercrime, cyberattack, social guardianship, response cost