Work Experience as a Factor in Cyber-Security Risk Awareness: A Survey Study with University Students
Abstract
:1. Introduction
- What is the role of initial work experience at student age in improving cyber-security risk awareness?
- What are the specific security topics where increased awareness is associated with work experience, and what are the topics that are unrelated?
2. Related Work
2.1. Cyber-Security Risk Landscape and Information Security Awareness
2.2. Remote Work (Study) Security and Wi-Fi Settings
2.3. Smart Home Devices
2.4. Personal Devices and Shadow IT, BYOD
2.5. Social Engineering Threats
3. Materials and Methods
4. Results
4.1. Remote Work (Study) Security and Wi-Fi Settings
4.2. Smart Home Devices
4.3. Personal Device Usage and BYOD
4.4. Social Engineering Threats
5. Discussion
5.1. Remote Work (Study) Security and Wi-Fi Settings
5.2. Smart Home Devices
5.3. Personal Device Usage and BYOD
5.4. Social Engineering Threats
5.5. Limitations
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Appendix A. Online Survey Introduction (Consent Form)
- Procedure:
- Anonymity:
- Reward:
- Data Usage:
- Consent Form:
- Yes, I agree
- No, I do not agree (I do not want to participate in the survey)
Appendix B. Survey Participation Options
- 1.
- Student with remote work experience
- 2.
- Student without remote work experience
- Student with remote work experience
- Student without remote work experience
Appendix C. Survey Questions (Sample)
- Path 1—Students with remote work experience completed the following question categories:
- 1.
- DE—Demographics
- DE01—What is (or was) your regular remote work location?
- DE06—How long have you been working as an intern/employee?
- 2.
- SD—Smart devices
- SD02—Are you aware of any formal cyber security company requirements relating to smart home devices?
- SD03—What is the level of cyber security support, relating to smart home devices, that you would expect from your company?
- 3.
- RW—Remote work
- RW04—Did you get any cyber security company training in the past 12 months to cover remote work requirements?
- RW08—Was the initial password for your home Wi-Fi network at least once updated? (Initial password is provided by the Wi-Fi router manufacturer.)
- 4.
- SE—Social engineering attacks
- SE03—What is the level of cyber security support, relating to phishing and other social engineering attacks that you would expect from your company?
- SE07—Did you report the phishing email attacks to your company, if you received any in the past 12 months?
- 5.
- SI—Shadow IT
- SI03—What is the level of cyber security support, relating to shadow IT/BYOD that you would expect from your company?
- SI09—Are you using personal cloud based services (i.e., Google Drive, Amazon Cloud, Microsoft Cloud, …) to store work related data?
- Path 2—Students without remote work experience completed the following question categories:
- 1.
- DE—Demographics
- DE11—What is your regular study location?
- DE03—What is your age?
- 2.
- ST—Smart devices, TUM
- ST01—Are you aware of any formal cyber security TUM requirements relating to smart home devices?
- ST02—What is the level of cyber security support, relating to smart home devices, that you would expect from TUM?
- 3.
- RS—Remote study, TUM
- RS04—Did you get any cyber security training at TUM in the past 12 months to cover remote study requirements?
- RS05—Did you have the possibility to contact IT Support/IT Helpdesk in every case when you had a remote study related security question?
- 4.
- SA—Social engineering attacks, TUM
- SA02—What is the level of cyber security support, relating to phishing and other social engineering attacks that you would expect from TUM?
- SA03—Do you get regular (at least every 6 months) emails from TUM simulating actual social engineering attacks?
- 5.
- BY—Shadow IT, TUM
- BY02—What is the level of cyber security support, relating shadow IT/BYOD that you would expect from TUM?
- BY08—Are you using personal cloud based services (i.e., Google Drive, Amazon Cloud, Microsoft Cloud, …) to store study related data?
References
- Olson, M.H. Remote office work: Changing work patterns in space and time. Commun. ACM 1983, 26, 182–187. [Google Scholar] [CrossRef]
- Zhang, Z.; Zhang, Y.Q.; Chu, X.; Li, B. An overview of virtual private network (VPN): IP VPN and optical VPN. Photonic Netw. Commun. 2004, 7, 213–225. [Google Scholar] [CrossRef]
- Wyld, D.C. The black swan of the coronavirus and how American organizations have adapted to the new world of remote work. Eur. J. Bus. Manag. Res. 2022, 7, 9–19. [Google Scholar] [CrossRef]
- Child, F.; Frank, M.; Lef, M.; Sarakatsannis, J. Setting a New Bar for Online Higher Education; McKinsey and Company: New York, NY, USA, 2021; Available online: https://www.mckinsey.com/industries/education/our-insights/setting-a-new-bar-for-online-higher-education (accessed on 21 January 2022).
- Barrero, J.M.; Bloom, N.; Davis, S.J. Let Me Work from Home, or I Will Find Another Job; Working Paper 2021-87; Becker Friedman Institute for Economics, University of Chicago: Chicago, IL, USA, 2021. [Google Scholar]
- Schiffer, Z. The Verge Technology News Website: Apple Employees Push Back against Returning to the Office in Internal Letter. Available online: https://www.theverge.com/2021/6/4/22491629/apple-employees-push-back-return-office-internal-letter-tim-cook (accessed on 31 May 2022).
- Ahmad, T. Corona Virus (COVID-19) Pandemic and Work from Home: Challenges of Cybercrimes and Cybersecurity. SSRN Working Paper SSRN 3568830. 2020. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3568830 (accessed on 31 May 2022).
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Working from home during COVID-19 crisis: A cyber security culture assessment survey. Secur. J. 2021, 35, 1–20. [Google Scholar] [CrossRef]
- Andrade, R.O.; Garcés, I.O.; Cazares, M. Cybersecurity attacks on Smart Home during Covid-19 pandemic. In Proceedings of the 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4), London, UK, 27–28 July 2020; pp. 398–404. [Google Scholar]
- Venkatesha, S.; Reddy, K.R.; Chandavarkar, B.R. Social engineering attacks during the COVID-19 pandemic. SN Comput. Sci. 2021, 2, 1–9. [Google Scholar] [CrossRef]
- Chigada, J.; Rujeko, M. Cyberattacks and threats during COVID-19: A systematic literature review. S. Afr. J. Inf. Manag. 2021, 23, 1–11. [Google Scholar] [CrossRef]
- Skulmowski, A.; Günter, D.R. COVID-19 as an accelerator for digitalization at a German university: Establishing hybrid campuses in times of crisis. Hum. Behav. Emerg. Technol. 2020, 2, 212–216. [Google Scholar] [CrossRef]
- Lebek, B.; Uffen, J.; Neumann, M.; Hohler, B.; Breitner, M.H. Information security awareness and behavior: A theory-based literature review. Manag. Res. Rev. 2014, 37, 1049–1092. [Google Scholar] [CrossRef] [Green Version]
- Khando, K.; Gao, S.; Islam, S.M.; Salman, A. Enhancing employees information security awareness in private and public organisations: A systematic literature review. Comput. Secur. 2021, 106, 102267. [Google Scholar] [CrossRef]
- Farooq, A.; Isoaho, J.; Virtanen, S.; Isoaho, J. Information security awareness in educational institution: An analysis of students’ individual factors. In Proceedings of the 2015 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Helsinki, Finland, 20–22 August 2015; pp. 352–359. [Google Scholar]
- Kim, E.B. Recommendations for information security awareness training for college students. Inf. Manag. Comput. Secur. 2014, 22, 115–126. [Google Scholar] [CrossRef]
- Alhuwail, D.; Al-Jafar, E.; Abdulsalam, Y.; AlDuaij, S. Information security awareness and behaviors of health care professionals at public health care facilities. Appl. Clin. Inform. 2021, 12, 924–932. [Google Scholar] [CrossRef] [PubMed]
- Kirova, D.; Baumöl, U. Factors that affect the success of security education, training, and awareness programs: A literature review. J. Inf. Technol. Theory Appl. 2018, 19, 56–82. [Google Scholar]
- Rea-Guaman, A.M.; Mejia, J.; San Feliu, T.; Calvo-Manzano, J.A. AVARCIBER: A framework for assessing cybersecurity risks. Clust. Comput. 2020, 23, 1827–1843. [Google Scholar] [CrossRef]
- Skopik, F.; Wurzenberger, M.; Settanni, G.; Fiedler, R. Establishing national cyber situational awareness through incident information clustering. In Proceedings of the International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), London, UK, 8–9 June 2015; pp. 1–8. [Google Scholar]
- Cebula, J.L.; Young, L.R. A Taxonomy of Operational Cyber Security Risks; Technical Note CMU/SEI-2010-TN-028; Carnegie-Mellon Univ, Software Engineering Institute: Pittsburgh, PA, USA, 2010; Available online: https://apps.dtic.mil/sti/citations/ADA537111 (accessed on 23 February 2022).
- Krumay, B.; Bernroider, E.; Walser, R. Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST Cybersecurity Framework. In Nordic Conference on Secure IT Systems; Springer: Cham, Switzerland, 2018; pp. 369–384. [Google Scholar]
- Bauer, S.; Bernroider, E. From information security awareness to reasoned compliant action: Analyzing information security policy compliance in a large banking organization. ACM SIGMIS Database Database Adv. Inf. Syst. 2017, 48, 44–68. [Google Scholar] [CrossRef]
- Bidgoli, M.; Grossklags, J. End user cybercrime reporting: What we know and what we can do to improve it. In Proceedings of the 2016 IEEE International Conference on Cybercrime and Computer Forensic (ICCCF), Vancouver, BC, Canada, 12–14 June 2016; pp. 1–6. [Google Scholar]
- Eling, M.; Werner, S. What do we know about cyber risk and cyber risk insurance? J. Risk Financ. 2016, 17, 474–491. [Google Scholar] [CrossRef]
- Laszka, A.; Farhang, S.; Grossklags, J. On the economics of ransomware. In International Conference on Decision and Game Theory for Security; Springer: Cham, Switzerland, 2017; pp. 397–417. [Google Scholar]
- United States Government Accountability Office. Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market; GAO-21-477; Government Accountability Office: Washington, DC, USA, 2021. Available online: https://www.gao.gov/assets/gao-21-477.pdf (accessed on 23 February 2022).
- Kumar, U.; Gambhir, S. A literature review of security threats to wireless networks. Int. J. Future Gener. Commun. Netw. 2014, 7, 25–34. [Google Scholar] [CrossRef] [Green Version]
- Peng, H. WIFI network information security analysis research. In Proceedings of the 2nd International Conference on Consumer Electronics, Communications and Networks (CECNet), Yichang, China, 21–23 April 2012; pp. 2243–2245. [Google Scholar]
- Mekhaznia, T.; Zidani, A. Wi-Fi security analysis. Procedia Comput. Sci. 2015, 73, 172–178. [Google Scholar] [CrossRef] [Green Version]
- Kohlios, C.P.; Hayajneh, T. A comprehensive attack flow model and security analysis for Wi-Fi and WPA3. Electronics 2018, 7, 284. [Google Scholar] [CrossRef] [Green Version]
- Luo, Z.; Yu, G.; Qi, H.; Liu, Y. Research of a VPN secure networking model. In Proceedings of the 2nd International Conference on Measurement, Information and Control, Harbin, China, 16–18 August 2013; pp. 567–569. [Google Scholar]
- Bansode, R.; Girdhar, A. Common vulnerabilities exposed in VPN – A survey. J. Phys. Conf. Ser. 2021, 1714, 1–8. [Google Scholar] [CrossRef]
- Uskov, A.V. Information security of mobile VPN: Conceptual models and design methodology. In Proceedings of the IEEE International Conference on Electro/Information Technology, Indianapolis, IN, USA, 6–8 May 2012; pp. 1–6. [Google Scholar]
- Hong, Y.R.; Kim, D. Security enhancement of smart phones for enterprises by applying mobile VPN technologies. In International Conference on Computational Science and Its Applications; Springer: Berlin/Heidelberg, Germany, 2011; pp. 506–517. [Google Scholar]
- Amraoui, N.; Zouari, B. Securing the operation of Smart Home Systems: A literature review. J. Reliab. Intell. Environ. 2021, 8, 67–74. [Google Scholar] [CrossRef]
- Gunge, V.S.; Yalagi, P.S. Smart home automation: A literature review. Int. J. Comput. Appl. 2016, 2016, 6–10. [Google Scholar]
- Lin, H.; Bergmann, N.W. IoT privacy and security challenges for smart home environments. Information 2016, 7, 44. [Google Scholar] [CrossRef] [Green Version]
- Geneiatakis, D.; Kounelis, I.; Neisse, R.; Nai-Fovino, I.; Steri, G.; Baldini, G. Security and privacy issues for an IoT based smart home. In Proceedings of the 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 22–26 May 2017; pp. 1292–1297. [Google Scholar]
- Zhang, N.; Mi, X.; Feng, X.; Wang, X.; Tian, Y.; Qian, F. Dangerous skills: Understanding and mitigating security risks of voice-controlled third-party functions on virtual personal assistant systems. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA, 19–23 May 2019; pp. 1381–1396. [Google Scholar]
- Haag, S.; Eckhardt, A. Shadow IT. Bus. Inf. Syst. Eng. 2017, 59, 469–473. [Google Scholar] [CrossRef]
- Raković, L.; Sakal, M.; Matković, P.; Marić, M. Shadow IT—Systematic literature review. Inf. Technol. Control. 2020, 49, 144–160. [Google Scholar] [CrossRef] [Green Version]
- Silic, M. Emerging from the Shadows: Survey Evidence of Shadow IT Use from Blissfully Ignorant Employees. SSRN 2633000. 2015. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2633000 (accessed on 31 May 2022).
- Weidman, J.; Grossklags, J. I like it, but I hate it: Employee perceptions towards an institutional transition to BYOD second-factor authentication. In Proceedings of the 33rd Annual Computer Security Applications Conference, Orlando, FL, USA, 4–8 December 2017; pp. 212–224. [Google Scholar]
- Tambo, T.; Olsen, M.; Bækgaard, L. Motives for feral systems in Denmark. In Web Design and Development: Concepts, Methodologies, Tools, and Applications; IGI Global: Hershey, PA, USA, 2016; pp. 193–222. [Google Scholar]
- Walterbusch, M.; Fietz, A.; Teuteberg, F. Missing cloud security awareness: Investigating risk exposure in shadow IT. J. Enterp. Inf. Manag. 2017, 30, 644–665. [Google Scholar] [CrossRef]
- Aldawood, H.; Skinner, G. Educating and raising awareness on cyber security social engineering: A literature review. In Proceedings of the IEEE International Conference on Teaching, Assessment, and Learning for Engineering (TALE), Wollongong, Australia, 4–7 December 2018; pp. 62–68. [Google Scholar]
- Hadnagy, C. Social Engineering: The Science of Human Hacking; John Wiley & Sons: Hoboken, NJ, USA, 2018. [Google Scholar]
- Hijji, M.; Alam, G. A Multivocal Literature Review on Growing Social Engineering Based Cyber-Attacks/Threats during the COVID-19 Pandemic: Challenges and Prospective Solutions. IEEE Access 2021, 9, 7152–7169. [Google Scholar] [CrossRef]
- Department of Justice, USA. Three Individuals Charged for Alleged Roles in Twitter Hack. 2020. Available online: https://www.justice.gov/usao-ndca/pr/three-individuals-charged-alleged-roles-twitter-hack (accessed on 13 January 2022).
- Parsons, K.; McCormac, A.; Butavicius, M.; Pattinson, M.; Jerram, C. Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Comput. Secur. 2014, 42, 165–176. [Google Scholar] [CrossRef]
- Amankwa, E.; Loock, M.; Kritzinger, E. Enhancing information security education and awareness: Proposed characteristics for a model. In Proceedings of the Second International Conference on Information Security and Cyber Forensics (InfoSec), Cape Town, South Africa, 15–17 November 2015; pp. 72–77. [Google Scholar]
- Hudock, A.; Weidman, J.; Grossklags, J. Security onboarding: An interview study on security training for temporary employees. In Proceedings of the Conference on Mensch und Computer, Magdeburg, Germany, 6–9 September 2020; pp. 183–194. [Google Scholar]
- Choong, Y.Y.; Theofanos, M. What 4,500+ people can tell you—Employees’ attitudes toward organizational password policy do matter. In International Conference on Human Aspects of Information Security, Privacy, and Trust; Springer: Cham, Switzerland, 2015; pp. 293–310. [Google Scholar]
- Choong, Y.Y.; Theofanos, M.F.; Renaud, K.; Prior, S. “Passwords protect my stuff”—A study of children’s password practices. J. Cybersecur. 2019, 5, tyz015. [Google Scholar] [CrossRef]
- Said, H.; Guimaraes, M.; Al Mutawa, N.; Al Awadhi, I. Forensics and war-driving on unsecured wireless network. In Proceedings of the 2011 International Conference for Internet Technology and Secured Transactions, Abu Dhabi, United Arab Emirates, 11–14 December 2011; pp. 19–24. [Google Scholar]
- Moscaritolo, A. 35 Percent of People Never Change Their Passwords, PC Magazine (UK). 2018. Available online: https://uk.pcmag.com/password-managers/116459/35-percent-of-people-never-change-their-passwords (accessed on 13 January 2022).
- Quilantang, K.A.G.; Rivera, J.A.C.; Pinili, M.V.M.; Magpantay, A.J.N.R.; Busia Blancaflor, E.; Pastrana, J.R.A.M. Exploiting Windows 7 vulnerabilities using penetration testing tools: A case study about Windows 7 vulnerabilities. In Proceedings of the 9th International Conference on Computer and Communications Management, Singapore, 16–18 July 2021; pp. 124–129. [Google Scholar]
- Kotzias, P.; Bilge, L.; Vervier, P.A.; Caballero, J. Mind Your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises. In Proceedings of the Network and Distributed Systems Security (NDSS), San Diego, CA, USA, 24–27 February 2019; pp. 1–15. [Google Scholar]
- Haney, J.M.; Furman, S.M.; Acar, Y. Smart home security and privacy mitigations: Consumer perceptions, practices, and challenges. In International Conference on Human-Computer Interaction; Springer: Cham, Switzerland, 2020; pp. 393–411. [Google Scholar]
- Yoo, S.J. Study on Improving Endpoint Security Technology. Converg. Secur. J. 2018, 18, 19–25. [Google Scholar]
- Mujtaba, G.; Tahir, M.; Soomro, M.H. Energy efficient data encryption techniques in smartphones. Wirel. Pers. Commun. 2019, 106, 2023–2035. [Google Scholar] [CrossRef]
- Reinheimer, B.; Aldag, L.; Mayer, P.; Mossano, M.; Duezguen, R.; Lofthouse, B.; Volkamer, M. An investigation of phishing awareness and education over time: When and how to best remind users. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS), Online Conference, 7–11 August 2020; pp. 259–284. [Google Scholar]
- Jampen, D.; Gür, G.; Sutter, T.; Tellenbach, B. Don’t click: Towards an effective anti-phishing training. A comparative literature review. Hum. Centric Comput. Inf. Sci. 2020, 10, 1–41. [Google Scholar] [CrossRef]
- Scholefield, S.; Shepherd, L.A. Gamification techniques for raising cyber security awareness. In International Conference on Human-Computer Interaction; Springer: Cham, Switzerland, 2019. [Google Scholar]
- Rieff, I. Systematically Applying Gamification to Cyber Security Awareness Trainings: A Framework and Case Study Approach. Master’s Thesis, Faculty of TPM, Delft University of Technology, Delft, The Netherlands, 2018. [Google Scholar]
- Tabassum, M.; Kosinski, T.; Lipford, H.R. “I don’t own the data”: End user perceptions of smart home device data practices and risks. In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS), Santa Clara, CA, USA, 11–13 August 2019; pp. 435–450. [Google Scholar]
- Wang, X.; McGill, T.J.; Klobas, J.E. I want it anyway: Consumer perceptions of smart home devices. J. Comput. Inf. Syst. 2018, 60, 437–447. [Google Scholar] [CrossRef]
- Shouran, Z.; Ashari, A.; Priyambodo, T. Internet of things (IoT) of smart home: Privacy and security. Int. J. Comput. Appl. 2019, 182, 3–8. [Google Scholar] [CrossRef]
- Hubbard, D.W.; Seiersen, R. How to Measure Anything in Cybersecurity Risk; John Wiley & Sons: Hoboken, NJ, USA, 2016. [Google Scholar]
- Kerkdijk, R.; Tesink, S.; Fransen, F.; Falconieri, F. Evidence-Based Prioritization of Cybersecurity Threats. ISACA. 2021. Available online: https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/evidence-based-prioritization-of-cybersecurity-threats (accessed on 13 January 2022).
- Le, A.; Chen, Y.; Chai, K.K.; Vasenev, A.; Montoya, L. Incorporating FAIR into Bayesian network for numerical assessment of loss event frequencies of smart grid cyber threats. Mob. Netw. Appl. 2019, 24, 1713–1721. [Google Scholar] [CrossRef] [Green Version]
Age Category | Number | Percentage |
---|---|---|
under 18 | 3 | 0.4% |
18–21 | 374 | 46.9% |
22–25 | 311 | 38.9% |
26–29 | 87 | 10.9% |
30–33 | 11 | 1.4% |
34–37 | 2 | 0.2% |
Over 37 | 4 | 0.5% |
Not disclosed | 6 | 0.8% |
Total | 798 | 100.0% |
Work Experience Category | Number | Percentage |
---|---|---|
0–6 months | 181 | 40.4% |
6–12 months | 106 | 23.7% |
1–2 years | 87 | 19.4% |
2 years or more | 74 | 16.5% |
Total | 448 | 100.0% |
Question Category | Key Findings |
---|---|
Informal and formal policy expectations | Work experience students are more likely to be aware of remote work policies. (p < 0.001) |
User expectations | Work experience does not translate into a significantly increased support need. (p = 0.68) |
Technology guidance | Work experience is more likely associated with facing a mandatory requirement to use 2FA for VPN access from the remote environment. (p < 0.001) Work experience students are more likely to have received cyber-security training in the past 12 months. (p < 0.001) |
Assessment of actual technology and practices | Work experience students are less likely to forward emails to private email accounts. (p < 0.001) Work experience does not translate into a significantly increased level of security for Wi-Fi protocol settings. (p = 0.74) Work experience does not translate into a significantly increased awareness in relation to updating the initial Wi-Fi password. (p = 0.59) Work experience does not translate into a significantly increased security awareness regarding devices with legacy operating systems (Windows 7 or XP) being connected to the home Wi-Fi network. (p = 0.54) Work experience does not translate into a significantly more likely usage of more complex Wi-Fi passwords. (p = 0.69) Work experience students are more likely required to use a VPN when connecting to the organizational network from the home Wi-Fi network. (p < 0.001) |
Location | Number | Percentage |
---|---|---|
Home | 381 | 85.0% |
Student dormitory | 45 | 10.0% |
Work office | 12 | 2.7% |
Other location | 7 | 1.6% |
Do not want to disclose | 3 | 0.7% |
Total | 448 | 100.0% |
Location | Number | Percentage |
---|---|---|
Home | 270 | 77.1% |
Student dormitory | 66 | 18.9% |
Other location | 12 | 3.4% |
Do not want to disclose | 2 | 0.6% |
Total | 350 | 100.0% |
Question Category | Key Findings |
---|---|
Informal and formal policy expectations | Work experience students are more likely to be aware of smart device policies. (p < 0.001) |
User expectations | Work experience does not translate into a significantly increased support need. (p = 0.087) |
Technology guidance | - |
Assessment of actual technology and practices | Work experience is more likely associated with careful usage of smartphones when accessing smart devices through public Wi-Fi connections. (p < 0.001) Work experience does not translate into a significantly increased likelihood of conducting smartphone security updates. (p = 0.097) Work experience does not translate into a significantly increased likelihood of changing the initial voice-activated password on smart home devices. (p = 0.0634) |
Question Category | Key Findings |
---|---|
Informal and formal policy expectations | Work experience students are more likely to be aware of Shadow IT policies. (p < 0.001) |
User expectations | Work experience does not translate into a significantly increased support need. (p < 0.05) |
Technology guidance | Work experience is more likely associated with using only approved apps on organizational mobile devices (phone, tablet). (p < 0.001) Work experience is more likely associated with using only approved applications on organizational devices (desktop, tablet). (p < 0.001) |
Assessment of actual technology and practices | Work experience students are less likely to store work or study-related data using personal cloud-based services. (p < 0.001) Work experience students are more likely to have endpoint security software installed on their (company) smartphones. (p < 0.001) |
Question Category | Key Findings |
---|---|
Informal and formal policy expectations | Work experience students are more likely to be aware of social engineering threat policies. (p< 0.001) |
User expectations | Work experience does not translate into a significantly increased support need. (p = 0.35) |
Technology guidance | Work experience students are more likely to receive social engineering attack case studies and actual emails simulating those attacks. (p < 0.001) Work experience students are more likely to receive fraud awareness and compliance training, focusing on phishing emails and other compromise attempts. (p < 0.001) |
Assessment of actual technology and practices | Work experience students are more likely to report phishing email attacks if they received any of those attack emails. (p < 0.001) Work experience students are more likely to identify phishing emails in their email correspondence. (p < 0.001) Work experience students are more likely to identify the dedicated person in the organization who they can contact in case of phishing or other attack attempts. (p < 0.001) Work experience students are more likely to recognize insider attack emails originating from organizational partners. (p < 0.05) Work experience students are more likely to recognize spam emails that were not initially identified by the organizational spam filter. (p < 0.01) |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Pósa, T.; Grossklags, J. Work Experience as a Factor in Cyber-Security Risk Awareness: A Survey Study with University Students. J. Cybersecur. Priv. 2022, 2, 490-515. https://doi.org/10.3390/jcp2030025
Pósa T, Grossklags J. Work Experience as a Factor in Cyber-Security Risk Awareness: A Survey Study with University Students. Journal of Cybersecurity and Privacy. 2022; 2(3):490-515. https://doi.org/10.3390/jcp2030025
Chicago/Turabian StylePósa, Tibor, and Jens Grossklags. 2022. "Work Experience as a Factor in Cyber-Security Risk Awareness: A Survey Study with University Students" Journal of Cybersecurity and Privacy 2, no. 3: 490-515. https://doi.org/10.3390/jcp2030025
APA StylePósa, T., & Grossklags, J. (2022). Work Experience as a Factor in Cyber-Security Risk Awareness: A Survey Study with University Students. Journal of Cybersecurity and Privacy, 2(3), 490-515. https://doi.org/10.3390/jcp2030025