See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/339273589

Cyber Security Awareness, Knowledge and Behavior: A Comparative Study

Article in Journal of Computer Information Systems · January 2022

DOI: 10.1080/08874417.2020.1712269

CITATIONS READS

196 30,339

6 authors, including:

Moti Zwilling Dusan Lesjak

Ariel University University of Primorska
45 PUBLICATIONS 705 CITATIONS 72 PUBLICATIONS 622 CITATIONS

SEE PROFILE SEE PROFILE

Łukasz Wiechetek Fatih Çetin

Maria Curie-Sklodowska University in Lublin Baskent University
72 PUBLICATIONS 321 CITATIONS 106 PUBLICATIONS 1,819 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Fatih Çetin on 14 February 2020.

The user has requested enhancement of the downloaded file.

 Journal of Computer Information Systems

ISSN: 0887-4417 (Print) 2380-2057 (Online) Journal homepage: https://www.tandfonline.com/loi/ucis20

Cyber Security Awareness, Knowledge and

Behavior: A Comparative Study

Moti Zwilling, Galit Klien, Dušan Lesjak, Łukasz Wiechetek, Fatih Cetin &
Hamdullah Nejat Basim

To cite this article: Moti Zwilling, Galit Klien, Dušan Lesjak, Łukasz Wiechetek, Fatih
Cetin & Hamdullah Nejat Basim (2020): Cyber Security Awareness, Knowledge and
Behavior: A Comparative Study, Journal of Computer Information Systems, DOI:
10.1080/08874417.2020.1712269

To link to this article: https://doi.org/10.1080/08874417.2020.1712269

Published online: 14 Feb 2020.

Submit your article to this journal

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=ucis20
JOURNAL OF COMPUTER INFORMATION SYSTEMS
https://doi.org/10.1080/08874417.2020.1712269

Cyber Security Awareness, Knowledge and Behavior: A Comparative Study

Moti Zwillinga, Galit Kliena, Dušan Lesjakb, Łukasz Wiechetekc, Fatih Cetind, and Hamdullah Nejat Basime
a
Department of Economics and Management, Ariel Cyber Innovation Center, Ariel University, Ariel, Israel; bInternational School for Social and
Business Studies, Celje, Slovenia; cMaria Curie-Sklodowska University, Lublin, Poland; dNiğde Ömer Halisdemir University, Niğde, Turkey; eBaşkent
University, Turkey

ABSTRACT KEYWORDS
Cyber-attacks represent a potential threat to information security. As rates of data usage and internet Cyber security; cyber threats;
consumption continue to increase, cyber awareness turned to be increasingly urgent. This study focuses cyber awareness; cyber
on the relationships between cyber security awareness, knowledge and behavior with protection tools knowledge; cyber behavior
among individuals in general and across four countries: Israel, Slovenia, Poland and Turkey in particular.
Results show that internet users possess adequate cyber threat awareness but apply only minimal
protective measures usually relatively common and simple ones. The study findings also show that
higher cyber knowledge is connected to the level of cyber awareness, beyond the differences in
respondent country or gender. In addition, awareness is also connected to protection tools, but not
to information they were willing to disclose. Lastly, findings exhibit differences between the explored
countries that affect the interaction between awareness, knowledge, and behaviors. Results, implica-
tions, and recommendations for effective based cyber security training programs are presented and
discussed.

1. Introduction intention is to engage in cyber-crime in any of its various

forms, ranging from violation of individual privacy to iden-
Information Technology has dramatically increased in the
tity theft and credit card fraud. Cyber-criminals use mal-
past decade, with massive global rates of internet consump-
icious software and hacking tools to sabotage computers,
tion by individuals and organizations ranging from acade-
mobile devices, and communication network infrastructure,
mia and government to industrial sectors (Aloul1; Jalali
including cyber security protection tool disruption
et al.2; Lee et al.3). During the last decade, information
(Abawajy5). While protective tools are generally installed
technology such as mobile devices and digital applications
on computers and in infrastructure, studies show that
have transformed daily life, facilitating diverse lifestyles in
they do not completely mitigate cyber security breaches
many areas. The ease of technology usage as well as the
(Furnell et al.6; Parsons et al.7; Schultz.8) This is because
increased demand for online connectivity (in education,
the weakest link in the cyber security chain remains human
retail, tourism, and even autonomous vehicles) has
error (Anwar et al.9; Herath and Rao10; Schneier.11)
expanded opportunities for internet usage on a global
Organizations have come to recognize that behaviors deriv-
scale. Indeed, some of these uses include reading digital
ing from the human factor are responsible for cyber secur-
newspapers, surfing the web, utilizing search engines to
ity flaws and may pose a liability for information security
find desired content, assisting recommender systems in
(Sasse and Flechais.12)
the form of decision support tools, and using social media
The behavioral contribution to unintentional cyber
to name only a few. Nevertheless, while internet consump-
breaches was highlighted by IBM’s Global Technology
tion buttressed by information technology improvements
Services as one of the most critical issues to be addressed
increases dramatically (Maurseth4), many netizens (i.e.,
by security controls and best practices guidelines. In fact,
people who use the internet) still lack sufficient awareness
there has been an increased recent focus on the role of
of various internet threats (also defined as “cyber hazards”).
individual behavior in cyber hazard mitigation. However,
In fact, they often fail to possess the minimum required
the understanding of how individuals differ in their aware-
knowledge to protect their computing devices. In worst-
ness, knowledge, and cyber security behavior when con-
case scenarios, individuals suffer from a total lack cyber
fronted with versatile cyber hazards is still quite limited.
hazard awareness. Hence, their readiness to utilize protec-
Moreover, to the best of our knowledge, no research has yet
tive cyber security measures is non-existent.
to compare and evaluate these three components across
When not carried out by governments, cyber hazards are
countries. Therefore, the aim of this study is to evaluate
the work of “bad hackers” (otherwise known as “black
differences in cyber hazard awareness, knowledge and cyber
hats”), who act on their own or within an organized crim-
hazard protection behaviors between four countries:
inal group to commit cyber crime. In both cases, their

CONTACT Moti Zwilling motiz@ariel.ac.il Department of Economics and Management, Ariel Cyber Innovation Center, Ariel University, Ariel, Israel
© 2020 International Association for Computer Information Systems
2 ZWILLING ET AL.
Slovenia, Turkey, Poland and Israel. As such, the compara-
tive study was carried out in these four countries character-
ized by varying GDP and GDP per capita: two economically
more developed (Israel and Slovenia) and two economically
less developed (Poland and Turkey) countries, since there are
many authors claiming that economic development and
cybersecurity and therefore cyber awareness are mutually
dependent (Kshetri13, Vasiu and Vasiu14). GDP and GDP
per capita are among the most common indicators used to
track the health of a nation’s economy. According to the
Worldbank,15 in 2018 Israel was ranked 22nd in GDP per
capita (41,614 USD), with Slovenia in 32nd place (26,234
USD). The GDP per capita of Poland is lower (15,424 USD
and GDP per capita ranking of 52), while Turkey is lower still
(9,311 USD and GDP per capita ranking of 67). As far as we
know, no study comparative has focused on the relative cyber
security awareness, knowledge and behavior differences
between these four countries.
Our research objectives are divided into two categories:
First, building a theoretical framework to be used in con-
structing cyber security training programs. This framework
is based on the factors that impact the level of cyber security
awareness, knowledge, and behavior, which were evaluated
according to the following research questions (from general
to specific):
(1) What is the level of cyber security awareness among
netizens?
(2) Which types of behavior do netizens adopt to prevent
cyber hazards?
(3) Is there any difference in cyber security awareness and
behavior among netizens of different countries that
diverge in their GDP values?
The second objective of this study is to provide practical
recommendations on how to improve the quality of cyber
training programs based on the theoretical framework
findings.
The rest of this paper is organized as follows: In Section 2,
we present the literature review, while in Section 3 we outline
the study methodology. Section 4 details the results, followed
by a discussion of implications and recommendations in
Section 5. Finally, in Section 6, conclusions and suggestions
for future work are offered.
2. Theoretical background
2.1. The impact of internet and cyber on society
The internet has revolutionized how people access data and
utilize various applications for modern day-to-day tasks. Reid
and Van Niekerk16(p. 178) noted the huge impact of the internet
on daily life: “In our technology and information-infused
world, cyberspace is an integral part of the modern-day society.
In both personal and professional contexts, cyberspace is
a highly effective tool in, and enabler of, most people’s daily
digitally transposed activities.17,18,19” However, Coppers20
noted the rising impact of information security breaches on
the economy, resulting in information loss estimated at ~
$2.5 million per year (Coppers20) As noted, this loss can be
only partly mitigated by protective tools since their function-
ality in most cases is controlled by individuals (Furnell et al.6;
McCormac et al.21; Parsons et al.22; Schultz8)
Individual cyber engagement, in general, and with cyber
protection tools in particular, has motivated both academic
scholars and practitioners to focus on individual attitudes and
behaviors concerning cyber threats (Schneier23; Shropshire
et al.24). An instructive example was given by Sasse and
Flechais12 who emphasized the existing gap between facto
and ex post facto mitigation activities conducted by employees
in cases of cyber security breach due to lack of sufficient
engagement with cyber security protection tools. Other stu-
dies evaluated level of individual resilience with cyber security
awareness as a cause of job stress (McCormac et al.25). In
addition, the relationship between individual personality and
level of cyber security risk propensity has been researched
(McCormac et al.26). Yet the relationships between individual
cyber security awareness, knowledge and behavior have never
been studied in cross-country comparison. In fact, the com-
parative approach is considered by important stakeholders to
be crucial for the creation of intervention programs
(McCormac et al.26).
2.2. Cyber security hazard awareness
The internet has revolutionized managing life tasks, enabling
connections with new people through social networks and
opening new economic horizons for transactions via mobile
devices both for individuals and organizations, including radi-
cal change in the higher education system and teaching meth-
ods (Aloul1; Lee et al.3; Saadatdoost et al.27). Even so, many
people still face information security risks from a vast array of
threats. These threats range from simple to catastrophic
attacks. The first may consist of primitive spam e-mails,
while the second may involve organized cyber-crime groups
that use malicious software to steal, corrupt, and destroy data
on a significant scale (Letho28). A major factor in information
security risk is level of individual cyber security awareness,
which can be usefully described as low, medium, or high. Low
awareness behaviors include not paying attention or neglect-
ing security alerts, provided in most cases automatically by
applications, such as when accessing free open networks (such
as Wi-Fi) with mobile devices and laptops. A medium aware-
ness level may be characterized by negligence expressed in
improper technology operation. Finally, high awareness
involves knowledge of cyber threats and capable actions
taken in their prevention.
The term cyber security awareness was already defined by
Shaw et al.29(p. 93) as follows: “[The] degree of understanding
of users about the importance of information security and
their responsibilities and acts to exercise sufficient levels of
information security control to protect the organization’s data
and networks”. They noted widespread lack of awareness of
cyber risks, extending to app usage and information delivery
on social networks and internet web pages. Importantly, they
pointed out that hackers (individual or collective) tend to seek
out the most vulnerable users, i.e. those deficient in informa-
tion and network security awareness. Hackers are proficient at

exploiting both software bugs and security gaps unintention-
ally created by users themselves.
Since the human factor has already been shown to main
cause of cyber breaches, ever more cyber awareness training
programs are offered by academic institutions and private
companies, with the aim of increasing individual cyber-
crime awareness (Dodge30; Kumaraguru et al.31; Shaw et al.29).
However, increasing levels of awareness can only transpire if
cyber awareness itself is fully understood, a thesis already
made in 2015 by Letho: “[While] the world grows more
connected through the cyber world, the most efficient plan
to increase cyber security awareness is the improvement of the
know-how of the citizens and actors of the economic life and
public administration. This improvement could be effective if
the reasons for the lack of cyber security awareness could be
understood (Letho28(p. 180)). However, in the last five years,
a growing body of research has focused on individual cyber
security awareness. For example, McCormac et al.26 pointed
out a linear relationship between age and information security
awareness, one that improves with increase in age. Another
study by McCormac et al.25 among 1,048 Australian employ-
ees showed a relationship between resilience, job stress and
information security awareness (ISA), finding that when
employees can cope or adapt to job stress, their awareness
to cyber security hazards increases, and hence the organiza-
tion’s resilience is improved. Research by Hadlington32 found
that employed people in large organizations tend to develop
higher awareness of cyber risks, which may be explained by
improved budgetary resources and organizational enforce-
ment policies. As with Hadlington32, Pendley33 also focused
on improving cyber security awareness among managerial or
administrative staff, emphasizing adhering to cyber regula-
tions and guidelines as well as establishing security policies.
Nevertheless, lack of cyber awareness is still a serious global
problem. Organizations and educational institutions must
develop adequate training programs, with the first step
a comparative evaluation of level of awareness across different
countries.
2.3. Cyber security knowledge
Increasingly, individuals are in actuality dependent on inter-
net technologies for their day-to-day tasks. Ease of use has
facilitated participation in cyber-related activities on a mass
scale. However, knowledge of existing tools needed for pro-
tection against cyber threats is correspondingly lagging
(Furnell et al.34; Abawajy and Kim35; Abawajy5). As Abawajy
(Abawajy and Kim35, Abawajy5) noted, even basic level cyber
security awareness may not translate into sufficient or appro-
priate cyber security protection knowledge to mitigate cyber
risks and hazards. As such, he suggested increasing cyber
security knowledge through cyber security training programs
using theoretical lectures and simulators to provide exposure
to cyber security protection tools. These would focus on
operational, usage, and process aspects of improving user
knowledge translating into effective cyber security mitigation
behavior. For example, the “Phishing Simulator” is a popular
training resource, designed as an effective training process to
increase awareness of suspicious e-mails sent by hackers. Such
JOURNAL OF COMPUTER INFORMATION SYSTEMS 3
e-mails often contain malicious software (“malware”) result-
ing in illicit data leakage (Abawajy and Kim35; Abawajy5). The
simulator is also suitable for trainers, exposing them to prac-
tical protection tools to mitigate phishing e-mails and internet
links and guiding them in how to attain optimal levels of
protection against cyber security threats.
In a study conducted by Reid16, the influence of a cyber
security awareness campaign for school youth, along with
their existing knowledge related to cyber security hazards,
was measured. He found that campaigns have a positive
impact on improving cyber hazard awareness and knowledge.
A later study, conducted by Cain et al.36, explored “Cyber
Hygiene” (i.e. level of cyber knowledge) in 268 computer and
device users ranging in age from 18 to 55+. The survey
focused on how they maintain system health and online
security tools such as firewalls and anti-virus software, and
was carried out using Amazon Mechanical Turk (MTurk)
(https://www.mturk.com), a crowdsourcing marketplace.
MTurk allows businesses (i.e. “requesters”) to allocate tasks
to remote “crowdworkers”, a potentially rich source of data
collection. They found that self-identified experts had less
cyber hygiene knowledge than self-identified non-experts.
This surprising finding could be attributed to the latter
being more dependent and relying on external guidelines,
hence investing greater efforts in acquiring the necessary
cyber security knowledge for their tasks.
2.4. Cyber security protection behaviors
Recognizing the severe cost of cyber hazards, research has
increasingly focused on the measures taken and behaviors
exhibited by netizens to protect their devices (e.g. Safa et al.37).
However, most recent studies related to cyber protection
behavior look at very narrow aspects of cyber security beha-
vior. For example, Safa et al.37 surveyed level of compliance
with security polices among 416 employees in 4 Malaysian
companies. They found that employee attachment to the firm
does not have a significant influence on their attitude to adopt
a desired cyber security compliance behavior. McCormac et -
al.26 looked at whether employee information behavior is
correlated with personality traits such as conscientiousness,
agreeableness, emotional stability, and risk taking. They
showed that a small significant gender difference exists
related to phishing e-mails, such that women were found to
be more susceptible than men. Another study by McCormac
et al.25,38 aimed at exploring the relationship between
employee resilience and job stress and cyber. They used
a sample of 1,048 working Australians, reporting that higher
levels of cyber threat resilience translated into significantly
better ability, knowledge, attitude, and behavior in cyber
mitigation processes. Similarly, participants who reported
lower levels of job stress also were found to exhibit sign-
ificantly better attitude, knowledge, and behavior in mitiga-
tion of cyber hazards. Hadlington32 focused on the
relationship between risky employee cyber security behavior
and individual (such as age and attitude) and organizational
factors in protective cyber security activities. Risky behaviors
included sharing personal passwords, downloading illegal
content, infringing copyright, and ignoring recommended
4 ZWILLING ET AL.
software updates. Their findings associated these risky beha-
viors with employee self-feeling, defined as the feeling that
cyber security is not a primary concern in their place of
employment.
In fact, Hadlington and Parsons39 had already showed
that employees who feel protected in their workplace tend
to neglect cyber security behavior. This finding was con-
firmed by Tischler et al.40, who found that, in general,
employees tend to decouple their responsibility to install
and operate cyber protection tools from their job, instead
transferring it to senior management. As noted, Cain et al.36
tested levels of so-called cyber hygiene, and found that self-
identified experts exhibited less secure behaviors than self-
identified non-experts. In addition, they found that older
users engaged in more secure cyber behaviors than younger
ones. Surprisingly, they found no differences in individual
response behavior to experienced and inexperienced users –
being attacked by cyber malware for the first time or more
than once, didn’t change their response to cyber attack.
They also did not detect any individual effect in the impor-
tance of cyber training programs. However, they noted that
future studies could shed light on the impact of effective
cyber training programs, which may encourage younger
users to behave more securely when confronted with
a cyber security incident.
These training programs were evaluated by Dodge30, who
noted that the number of phishing scam victims dropped after
students were exposed to “staged” phishing attacks.
McCrohan et al.41 evaluated training programs aimed to
improve the knowledge and awareness of potential cyber
security hazards among users. They focused on cyber security
aspects of password protection awareness and ability to secure
computers pre- and post-cyber security training. They high-
lighted the critical role of cyber education/training, emphasiz-
ing appropriate security practices to improve day-to-day
online behavior. Following this study, Eminağaoğlu et al.42
showed that awareness campaigns can play a positive role in
reducing cyber risk behavior. The authors found that the level
of exposure to and practice in training programs pushed
students to use complex passwords. They suggested that pro-
viding security awareness training courses can comprehen-
sively influence attitudes to information security
management. Similarly, Abawajy5 divided cyber security
training into three categories: online, contextual, and
embedded training. He concluded that a combination of
delivery methods (such as text-based, game-based, and video-
based) should determine the training type. Following
Abawahy5, Pawlowski et al.43 recommended that cyber secur-
ity training courses should be treated as problem-centered,
utilizing case studies that are tailored to student levels of
awareness. Alternatively, Son et al.44 suggested a different
cyber security teaching approach: integration of security labs
with the curriculum in three forms – (1) pure virtual, (2)
traditional physical, and (3) hybrid. They concluded that
security labs should be an essential part of the curriculum,
although they suggested that the deployment model should be
based on individual institutional requirements. Indeed, Harris
and Patten45 developed a cyber security taxonomy that allows
moving security issues from higher-level courses to lower and
intermediate ones. Recently, Bong-Hyun et al.46 emphasized
the importance of developing internet-based cyber training
programs in higher education institutions, offered and dis-
tributed by e-mail and mobile devices with formal or informal
training sessions and presentation types (Shtudiner
et al.47). Even so, the literature tends to be characterized by
calls for more research to address insufficient knowledge of
the relationships between individual awareness, knowledge,
and self-reported behavior in cyber mitigation processes and
use of protection tools. These studies should then contribute
to facilitate the development of substantive individual cyber
security training programs.
As such, the purpose of this research is to provide
a theoretical and practical solution to global lack of cyber
security awareness, knowledge, and behavior, highlighting
the need for cyber security training programs in educational
and academic institutions to generate improved individual
cyber security outcomes.
Our hypotheses are thus the following:
H1: Cyber security knowledge is positively connected to cyber
awareness.
H2: The netizens country of residence will moderate the
connection between cyber knowledge and cyber security
awareness.
H3: Netizens with higher cyber security awareness will engage
in more cyber protection behaviors.
H4: Cyber security awareness will serve as a mediator between
cyber knowledge and cyber protection, i.e., individuals with
greater cyber knowledge will be more aware of potential cyber
hazards and, therefore, exhibit more cyber protection beha-
vior than individuals who lack the needed levels of awareness
or knowledge.
The study model is provided in Figure 1.
To the best of our knowledge, this is the first study to
compare internet user behaviors and level of cyber security
awareness and knowledge in the four selected countries based
on their GDP differences. It is important to note that the
research was conducted on a student sample. Even so, the
study findings may stimulate follow-up research on the effec-
tiveness of cyber security training programs in similar coun-
tries with a wider sample of respondents.
Figure 1. Study hypothesized model.

3. Material and methods
3.1. Subjects
A paper-based survey was distributed to cohorts of under-
graduate and graduate students. In each country, the subjects
were located through convenience sampling, with the assis-
tance of the relevant department in the university. Since
different disciplines require varying levels of cyber knowledge,
we have chosen to focus on Management and/or Business
Administration departments as a baseline for our comparison.
All the students majored in Management and Business
Administration. These included BA students in the depart-
ment of Economics and Business Administration at Ariel
University in Israel (n = 89) and in the department of
Business Administration at Lublin University in Poland (n =
182). BA and MBA students at the school of Business
Administration from Celje (ISSBS) in Slovenia (n = 35) also
filled out surveys, and data from a sample in Turkey (n = 153)
was adjusted to the data of the other countries. Overall, the
sample included 459 subjects who participated in the survey:
52% were female and 48% were male. Ten percent of the
subjects declared that they were studying in a full-time pro-
gram, whereas 58% stated that they worked a part-time job.
The rest of the subjects (32%) declined to answer.
Sixty percent were enrolled in their first degree (BA), 30%
in their second degree (MBA), and 10% in their PhD. Detailed
information for each country appears in Appendix A.
3.2. Instruments
To provide a theoretical framework, we developed a questionnaire
that included several questions aimed to test global familiarity of
the subjects with cyber security issues as well as, specifically, level
of awareness of cyber security risks. To develop the questionnaire,
we used face validity. As such, the measurements were developed
by a research team, most of whom are experts in cyber education.
The team formulated several questions to capture the level of cyber
awareness and cyber hazard awareness, the behaviors exhibited
when confronted with cyber threats and the knowledge regarding
cyber, in general, and cyber-attack, in particular. After deleting
redundant questions, the questionnaire was delivered to the
subjects.
Activity type of cyber security defense used by the subjects
was also explored. This ranged from participating in cyber
security training programs to more focused cyber behaviors
such as installing specific cyber security defense tools. Each
respondent was also asked to report their previous cyber
knowledge, internet usage, and cyber security behavior.
Classification was based on three criteria: (1) level of cyber
security awareness (Awareness), (2) knowledge of cyber secur-
ity and threats (Knowledge), and (3) attempts to prevent
cyber-attack (Behavior).
3.2.1. Awareness
Awareness was measured with the question: “To what degree
are you familiar with the term cyber security?” The item was
on a scale of 4 degrees, with 1 – no knowledge to 4 – very
good knowledge.
JOURNAL OF COMPUTER INFORMATION SYSTEMS 5
3.2.2. Knowledge
We measured respondent knowledge of several aspects of
cyber security, cyber threats, and general cyber knowledge as
follows:
3.2.2.1. Threats. Threats were measured by presenting
respondents with different cyber security scenarios and asking
them to rate the degree of threat. Threat types ranged from
loss of data, loss of money, blocking access to information,
etc. We measured the answers on a Likert scale that ranged
from 1 – strongly disagree to 5 – strongly agree. We also
measured the total amount of threats (“threats”) by calculat-
ing the mean score of the different items. Therefore, the
higher the total score, the higher the amount of threats that
the respondents estimated during a cyber-attack.
3.2.2.2. Education awareness. We measured level of respon-
dent education awareness (“edu_awareness”) by asking the
extent to which their current education influenced their
cyber-security awareness. This was ranked on a Likert scale,
ranging from 1 – definitely not affected to 5 – strongly
affected. We also measured whether students had attended
IT scrutiny training (“IT_past”) on a three-level scale (1-yes,
2-no, 3-I’m not sure). We transformed this variable into
a dummy variable based on attendance (“d_attendance”),
with 1 – attended cyber security course or program and 0 –
other. We asked respondents about their desire to attend an
IT security training program to improve cyber security aware-
ness (“IT_future”) on a Likert scale that ranged from 1 –
definitely not to 5 – definitely yes. We measured knowledge
by asking if respondents know the difference between http
and https protocol (“Recognition”) on a binary scale (1-yes,
0-no). Lastly, we measured respondent knowledge of different
programs and applications such as text editor, spreadsheets,
social media, etc. The answers were ranged on a Likert scale as
1 – no skill to 5 – very high skills. We also measured the total
mean score for the different items (“computer_knowledge”).
Higher results indicated that respondents possess more skills
using computer programs and applications.
3.2.2.3. Familiarity. To measure familiarity, respondents
were asked to evaluate their knowledge of cyber security
issues based on a series of different items. These included
internet sources, university courses, IT journals, etc.
Respondents had to report if they have (1) or do not have
(0) sufficient knowledge of each item. We also measured total
amount of familiarity (“familiarity”) by summing responses.
Therefore, the higher the result, the higher the amount of
respondent familiarity with cyber security knowledge.
3.2.3. Behavioral aspects
Several questions measured the means used by the respon-
dents to prevent cyber-attack situations. For the first beha-
vioral variables, we presented the respondents with different
information and measured their readiness to provide the
information if they were asked by a digital media outlet.
Items included information regarding: home address, age,
e-mail password, etc. Each question was measured on
a categorical scale (1-yes, 0-no). We calculated the total
6 ZWILLING ET AL.
information provided (“provide”) by summing the score of
the different types of information. Therefore, the higher the
score, the higher the respondent level of agreement to reveal
information on the internet.
In the second behavioral variable, we showed the respon-
dents different means, tools, or applications (e.g. strong pass-
word or spam protection) and asked them whether they use
this instrument to avoid cyberattack on a categorical scale
(1-yes, 0-no). We calculated the total protection (“protection”)
by summing the score of the different types of instruments.
Therefore, the higher the score, the higher the level of respon-
dent protection of their computer from cyberattack. We also
asked a directed question regarding their knowledge in case of
cyberattack (“behavioral”) on a scale from 1 – definitely no to
5 – definitely yes. Since the question measured lack of knowl-
edge of how to behave, its direction was negative. The higher
the response, the less knowledge they possessed in the event of
a cyber-attack.
Another behavioral variable measured whether using cyber
products and services made respondents feel as if their knowl-
edge of cyber-attacks was forced on them or acquired by
choice (“Choice”). The question was measured on a Likert
scale that ranged from 1 – definitely by coercion to 5 –
definitely by choice.
To measure how respondents protect their devices, we
asked them to list the length of a standard account password
(e-mail, social media, etc.) (“length”) and whether they use the
same password (“password”) for different portals, systems,
and applications on a categorical scale (1-yes, 0-no). We also
asked respondents to describe their behaviors when finishing
up work on their computer. Presented with individual activ-
ities such as shutting down or locking their computer, they
were requested to confirm if they engaged in (1) or did not
engage in (0) these behaviors. We measured a total score for
each respondent such that the higher the results, the more the
subjects ensured their computer was safe (“finish”).
3.2.4. Characteristics of the sample
We measured gender (male – 1, female – 0), years of study
(1 – no academic background to 6 – PhD student), type of
study (1 – part time, 0 – full time) and country (1 – Israel, 2 –
Poland, 3 – Slovenia, 4 – Turkey).
3.3. Procedure
The questionnaire was uploaded to the internet for the
respondents from the four tested countries. The authors dis-
tributed the site link to the respondents in class during the
academic year of 2017. The questionnaire was in English,
although for Turkish students the English version was trans-
lated into Turkish.
4. Results
Descriptive analysis was initially conducted to capture level
of awareness, knowledge, and behaviors toward cyber-
attacks. The results of the means and standard deviation
scores for the total countries and each country individually
are presented in Appendix B. The results from the total
respondent answers indicated high familiarity with the term
“cyber-security” – either through the internet (81%), social
media (60%), conversations with friends and traditional
media (45%), classes at the university (29%), IT journals
(21%), and/or scientific journals (15%). Only 9% reported
having personal experience with cyber-attacks. Respondents
also agreed that cyber-attacks could cause damage in multiple
arenas. Their main cyber-attack concerns were violation of
privacy (M = 4.20), loss of data (M = 4.17), spying on private
citizens (M = 4.14), loss of money (M = 4.13), spying on
organizations (M = 4.12), and potential role in terror attacks
(M = 4.11), among others. On the other hand, they did not
feel that cyber-attacks block access to information
(M = 1.78).
In parallel with high cyberattack awareness, respondents
avoid disclosure of sensitive information on the web, espe-
cially e-mail passwords (M = 1.77), ID number (M = 1.81),
home address (M = 2.19), social network login (M = 2.02),
and phone number (M2.15). Their only readiness was to
provide their age (M = 3.34). Other positive respondent
cyber security habits include using strong password (85%),
installing antivirus software (75%), regular data backup (61%),
frequent password changes, and updating software (approxi-
mately 56%). On the other hand, only 45% used spam protec-
tion, 35% avoided using a public computer, and just 15%
performed computer security audits. When asking about the
means they use to protect their instrument from 11 threat
options, respondents used five protection tools on average.
About 56% of respondents used the same password for dif-
ferent applications and usages, with average password length
of six characters. Lastly, only two protection behaviors were
conducted at the end of usage: logging off all programs (51%)
and shutting off the computer (66%). Therefore, respondent
behavior indicated a discrepancy between awareness and
amount of activities used to protect themselves from cyber-
attacks.
This gap may be attributed to participant knowledge. Based
on self-evaluation of skills and knowledge, the results indi-
cated that respondents reported having sufficient knowledge
(M = 3.33) especially of e-mail (M = 4.02), computer applica-
tions (M = 3.97), web browsers (M = 3.98), smartphone (M =
3.93), and social networks (M = 3.92). They felt less secure
about web page development (M = 2.42), application devel-
opment environments (M = 2.44), network architecture (M =
2.77), and computer architecture (M = 2.90). Judging their
knowledge of IT security, most respondents never attended an
IT security training program in the past (around 66%), but
were willing to participate in this kind of training in the future
(M = 3.68). Even so, we need to treat this readiness with
caution, since results may suggest a social desirability bias.
That is, respondents may feel more obligated to participate in
future training after having a host of cyber threats pointed out
to them. Indeed, when asked about their behaviors, only 11%
reported taking part in cyber security courses.
We also conducted a correlation analysis to detect multi-
collinearity between the dependent and independent variables
that were later included in the regression analysis. We entered
country of residence as the dummy variable (d_Israel,
d_Poland, d_Slovenia and d_Turkey), indicating 1 – for the
 JOURNAL OF COMPUTER INFORMATION SYSTEMS 7

Table 1. Correlation analysis with the dependent and independent variables.

Variables 1 2 3 4 5 6 7 8 9 10 11 12 13
1. Awareness 1
2. Edu_awamess .309** 1
3. Familiarity .268** .194** 1
4. Threats .269** .266** .161** 1
5.d_attendance (0-no, 1-yes) .090 .036 .029 −.12 1** 1
6. computer_knowledge .314** .215** .255** .136** .158** 1
7. protection .300** .318** .344** .305** −.036 .232** 1
8. provide −.067 −.188** −.046 −.89 .087 .012 −.225** 1
9. Recognition (0-do not know the .230** .077 .097* −.077 .173** .346** .093* −.013 1
difference, 1-know)
10. d_Israel −.006 −.093* −.056 .025 .067 −.074 −.290** .168** .020 1
11. d_Poland −.254** −.2568 .021 −.344** .066 .187* −.128** .177 .059 −.398** 1
12. d_Slovenia .064 .020 .189** −.009 −.009 .-.081 .114* −.023 −.013 −.141** −.233** 1
13. d Turkey 233** .332** −.081 .341** −.120** −.087 .312** −.311** −.071 −.347** −.573** −.203** 1
Note: N = 459; * p < .05, **p < 0.01.

subject living in that country, 0 – any other country. The
results appear in Table 1.
The result shows that the variables did not display multi-
collinearity. Interestingly, we found that all the countries
showed negative, yet significant, correlation. This indicates
that subjects showed unique country-specific behaviors,
although the highest levels of difference were between subjects
living in Turkey and Poland (r = −.573, p < .001).
4.1. Connection between cyber knowledge and
awareness
The connection between previous cyber knowledge and level of
cyber security awareness was analyzed controlling for respon-
dent country of residence and gender. Three steps were applied
in the multiple hierarchical regression. In the first step, we
entered country as dummy variables (d_Israel, d_Poland and
d_Slovenia), with Turkey as the comparison country. Gender
was included in the second step, and in the last step, we entered
the different knowledge variables. Table 2 shows the results of
the multiple hierarchical regression analyses.
In the first step, respondent country type explained 7.4% of
variance in awareness of cyber-attack (R2 = 0.74, F(3,454) = 13.03,
p < .01). While Turkey had a significant and positive connection to
awareness (α = 2.654, p < .01), both Israel (β = −.139, p < .01) and
Poland (β = −.315, p < .01) were negatively associated with cyber-
attack awareness. That is, levels of awareness in Israel and Poland
were lower compared to other countries. Entering gender into the
regression analysis added a significant contribution of 3% to the
level of awareness (R2 = 0.10, F (4,453) = 13.72, p < .01). Based on
the direction of the coefficient, males were found to have more
awareness of cyber-attacks compared to females. The last regres-
sion step indicated that cyber knowledge added another 16% to
total variance over netizens country of residence and the gender of
respondents (R2 = .26, F(8,449) = 20.92, p < .01). Education
awareness (Edu_awareness) was positively associated with aware-
ness (β = .143, p < .01), meaning that respondents who felt that
their current education influenced their awareness to cyber-
security also felt higher awareness toward this hazard.
Understanding the differences between http and https protocol
(Recognition) was associated with higher amount of cyber-attack
awareness (β = 0.11, p < .05). Lastly, extensive knowledge of
different aspects of computer usage and applications was also
positively connected to more awareness of cyber-attacks (β =
0.28, p < .01). Therefore, the results suggest that knowledge of
the cyber world and security problems is associated with more

Table 2. Results of the multiple hierarchical regression between awareness and the country, gender, and computer knowledge.
Model 1
Step 1 Step 2 Step 3 Model 2 Model 3 Model 4 Model 5 Model 6 Model 7
‘d_Israel −.139ᵃ** −.138** −.110** −.190** −.118** −.233** −.551** −.111* −.184*
d_poland −.315** −.307** −.318** −.308** −.198** −.197** −.306** .075 −.194**
d_slovenia −.029 −.008 .013 .015 .010 .012 .012 .015 .011
Gender (0-female, 1-male) .171** .144** .150** .147** .146** .153** .147** .122*
Edu_awarness .143** .154** .135** .122** .148** .136** .170
Recognition (o-do not know the differences, 1-know) .112** .075 .216** .187* .106* .101* .069
d_attendance (0-no, 1-yes) .048 .043 .048 .082 .045 .049 .046
Computer_knowledge .285** .274* .264** .291** .234** .343** .284**
Interaction Israel*Recognition .125*
Interaction Ploand*Recognition −.199**
Interaction Slovenia*Recognition .042
Interaction Israel*computer knowledge .456*
Interaction Poland*computer knowledge −.414’
Interaction Slovenia*computer knowledge .826 ‘
R2 .074 .102 .261 .274 .271 .209** .278** .245 .224**
Chg R2 .03* .16** .13** .10** .007 .17** .070 .021’
F 13.03** 13.72** 20.92** 19.16** 19.37** 6.384** 23.98 6.98* 6.855**
Std,E .73 .72 .69 .652 .651 .721 .713 .685 .715
Note: ᵃThe results demonstrate the standardized beta coefficient (β).Dependent variable was awareness to cyber-attack; ‘Turkey was measured as the base line for
comparison; edu_awarness measured the extent in which the current education influenced their cyber-security awareness; d_attandency measured whether the
student were attendant in IT scrutiny training; Computer knowledge measured the amount of knowledge the responders have in different application and usages;
**p < .05, **p < .01, ‘p < .10
8 ZWILLING ET AL.

awareness of the phenomenon of cyber-attacks, supporting the

first hypothesis.
Models 2 to 7 focused on the netizen country of residence
as a moderator in the connection between cyber knowledge
and cyber awareness. The interaction was significant for two
variables: recognition and computer knowledge. For the recog-
nition variable, the interaction among Israeli respondents was
significant (β = .125, p < .05), meaning that respondents who
recognize differences between http and https protocol and live
in Israel exhibited a higher awareness of cyber-attacks com-
pared to people living outside Israel with the same knowledge.
The opposite was found with respondents with no recognition
of differences between http and https protocol. The group that
lives in Israel was characterized by the lowest awareness
compared to all other groups and students who live outside Figure 3. The interaction between cyber recognition in Poland and level of
awareness.
Israel.
The interaction was also found to be significant for Polish
respondents but in a negative direction (β = −.199, p < .01).
That is, students who live outside Poland had higher aware-
ness of cyber-security problems. However, this awareness was
lower and was similar to Polish respondents who could not
differentiate between http and https protocol. The interaction
was not significant in the case of Slovenian respondents. Even
so, since the gender distribution of the Slovenian subjects
diverged from the general population, this might have affected
the results. Figures 2 and 3 illustrate the results of the inter-
actions between recognition, countries, and awareness.1
For computer knowledge, the interaction for Israeli students
was also found significant and positive (β = .456, p < .05),
meaning that students with higher knowledge of computer
usages who live in Israel had higher awareness of cyber-
attacks compared to those living outside Israel with the Figure 4. The interaction between computer knowledge in Israel and level of
same knowledge. The opposite was true for students who awareness.
had less computer knowledge. The group that lives in Israel
was characterized by the lowest awareness compared to all
other groups and students who live outside Israel.
In the case of Poland, the interaction was close to signifi-
cant but in the negative direction (β = −.414 p < .10), meaning
that students who live outside of Poland exhibited higher

Figure 5. The interaction between computer knowledge in Poland and level of

awareness.

awareness compared to those who live in Poland. However,

this awareness was lower and was similar to Polish respon-
dents when examining those with less computer knowledge.
Figures 4 and 5 illustrate the results of the interaction between
Figure 2. The interaction between cyber recognition in Israel and level of
awareness.
recognition, countries, and awareness. To aid us in

1
We excluded Slovenian respondents since the interaction was not significant.

Table 3. Results of the multiple hierarchical regression between behavioral variables, the responders’ country, gender, and
awareness.
Model 8- protection
Step 1 Step 2
‘d_Israel −.409** −408**
d_poland −.294** −292**
d_solovenia −.012** −.007
Gender (0-female, 1-male) .037
Awareness
R2 .155 .156
Chg R2 .001
F 27.83** 21.04**
Std,E 1.95 1.95
Note: ᵃThe results demonstrate the standardized beta coefficient (β). Dependent variable was behavioral variables; ‘Turkey was
measured as the base line for comparison; awareness measured the amount of awareness to cyber security term; **p < .05,
**p < .01, ‘p < .10.
interpreting the results, we classified the continues variables,
i.e. computer knowledge, into two categories based on the
median (3.28). As such, we had two groups: those with com-
puter knowledge (1) and without computer knowledge (0).
4.2. Connection between country, awareness, and
behaviors
Our next analysis aimed to measure whether awareness is con-
nected to cyber user protective habits. Therefore, multivariate
hierarchical regressions were conducted with behavior variables
as the dependent variables. In the first step, we entered country as
dummy variables (d_Israel, d_Poland and d_Slovenia) with
Turkey as the comparison country. Gender was included in
the second step, and in the last step, we entered the awareness
variables. Table 3 shows the result of the multiple hierarchical
regression analysis of the protection variables in Model 8 and the
information provided by the respondents in Model 9. We also
conducted a regression analysis with the behaviors that respon-
dents engage in when finishing working on their computer.
However, none of the stages in the regression was found to be
significant.
Model 8 presents the results of the regression analysis con-
ducted with the behaviors that respondents used to protect their
computer from cyber-attacks. The first step indicated that the
three countries made a significant contribution to the overall
variances (R2 = .155, p < .01). The three countries were nega-
tively associated with the protection behaviors. That is, Israeli
(β = −.409, P < .01), Polish (β = −.294, P < .01), and Slovenian
respondents (β = −.012, P < .05) employed less protective
measures compared to respondents in other countries. The
exception was Turkish respondents, who used more protective
behaviors compared to respondents in other countries (a =
5.693, p < .01). Even so, when we entered the rest of the
variables, the connection between Slovenian respondents and
protection failed to be significant. Gender, entered in
the second step, was not significantly associated with protection
behaviors, meaning that no differences exist between males and
females concerning protection activities. However, entering
awareness in the last step made a unique contribution to the
overall variance of protection behaviors (Chg. R2 = 5.3%, p <
.01). Awareness was found to be positively connected to pro-
tection behaviors (β = .243, p < .01), indicating that higher
awareness of cyber security resulted in extensive behaviors
JOURNAL OF COMPUTER INFORMATION SYSTEMS 9
Model 9- provide
Step 3 Step 1 Step 2 Step 3
−376** .309** .310** .311**
−217** .322** .323** .325**
−.005 .096* .098* .098*
−.004 .021 .020
.243** .008
.209 .107 .107 .107
.053** .00 .00
23.94** 18.10** 13.61** 10.87**
1.89 .90 .90 .90
aimed to protect devices. As such, this finding supported the
third hypothesis. We also conducted an interaction analysis
between awareness and each of the countries. However, the
interaction failed to be significant and was not reported in the
regression model (β = .038, p > .05, for Israel; β = .056, p > .05
for Poland and β = −.069, p > .05 for Slovenia).
Model 9 shows the results of the regression analysis between
awareness and readiness to provide information. The findings
indicate that respondent country was the sole variable that sig-
nificantly contributed to overall variance of the readiness to pro-
vide information (R2 = .107, p < .01). The results show that
readiness to provide information on the Internet was higher for
respondents who live in Israel (β = .309, p < .01), Poland (β = .322,
p < .01), and Slovenia (β = .096, p < .05) compared to those who
live outside the respondent’s country. Turkey was also positively
associated with willingness to provide information (a = 1.793, p <
.01), meaning that even in Turkey people are willing to disclose
information on the web. As such, we can assume that people today
feel more secure providing information online – even when they
are more aware of the cyber-attack potential. Gender was not
significant, indicating that both male and female users are ready
to provide the same amount of information. Surprisingly, aware-
ness of the cyber-attack problem was not associated with readiness
to disclose information (β = .008, p > .05). The interaction between
country and awareness was not significant, and so was not
reported in the regression model (β = −.161, p > .05, for Israel; β
= .056, p > .05 for Poland and β = .242, p > .05 for Slovenia).
Lastly, we tested if awareness also served as a mediator
between knowledge and protection. Based on Baron and
Kenny’s model (1986), a connection was found between
respondent cyber knowledge and protection variables. The
first step of the regression analysis shows that knowledge
was positively connected to protection (c = .233, p < .01).
In the second step, cyber knowledge was positively and
directly related with cyber security awareness (a = .317,
p < .01) and awareness was positively connected to protec-
tion (b = .300, p < .01). However, when the indirection
effect was measured, the connection between knowledge
and protection decreased (c´ = .153, p < .01), while the
connection between awareness and protection was positive
and significant (b = .233, p < .01). These results thus
support our last hypothesis, that awareness (partially) med-
iates the connection between knowledge and cyber protec-
tion behaviors. That is, subjects with more device usage
10 ZWILLING ET AL.
knowledge were more aware of cyber hazards. This aware-
ness was connected to amount of protection methods and
measures used to protect their devices. As such, it is not
just the amount of device usage; it is more the level of
awareness that determines their attempts to reduce the
chances of cyber-attack.
5. Discussion
Research results show that internet users are aware of the term
“cyber security”. Therefore, respondents know that using the
internet may expose them to multiple threats: violation of privacy,
loss of money or data, damage to devices, surveillance of them-
selves or any organization to which they belong, etc. However, we
also found a discrepancy between respondent attitude and beha-
viors. As with previous studies (e.g. Imgraben et al.48; Rek and
Milanovski49), we found that respondents take only basic and
insufficient action such as using strong password protection and
installing antivirus software. Only a minority engage in more
sophisticated protection activities that require a deeper knowledge
of cyber security, such as avoiding using an open free network,
performing computer security audits, or avoiding using public
computers. Since these activities are no costlier, the reason for this
discrepancy remains unknown. While previous studies suggested
that people avoid engaging in extensive cyber-attack precautions
(e.g. Rek and Milanovski49), we suggest that respondent cyber
knowledge may explain this gap.
Our findings show that respondents with more computer
science knowledge (recognition) had a higher positive connec-
tion to cyber security awareness. However, specialization in
computer science is not an option available to most people.
Still, we found that even partial attendance in a cyber security
program (d_attendance) or learning about cyber security during
formal education (Edu_awareness) was positively connected to
level of cyber awareness. Since this connection was found after
controlling for respondent country of residence and gender, it
highlights the significant role of educational cyber security pro-
grams to enlarge cyber-attack awareness.
On the other hand, no connection was found between degree
of awareness and the information that the subjects agreed to
share on the internet as well as security-related activities when
finishing work on the computer. This gap can be explained
through the Theory of Planned Behavior (TPB) (Fishbein and
Ajzen50) TPB claims that intention is the best predictor of any
planned behavior. Therefore, if threats to computer security are
taken seriously, then it is more likely that motivation will be
found to institute appropriate protective measures. Even so,
behavior is also affected by elements such as the amount of self-
efficacy and controllability. As such, perception of situations as
subject to control due to individual knowledge increases motiva-
tion to act. Thus, we found that respondents with more cyber
security knowledge take more steps to prevent attacks, especially
when defense tools are simple and familiar to internet users.
When an action demands higher specialized knowledge, this
connection was found to be more complicated. People may be
aware of a hazard and want to protect their devices but feel
2
Differences analysis between respondents based on country also appear in Appendix A.
insecure about the appropriate measures, and this can reduce
motivation to explore additional options. Indeed, we found that
knowledge of cyber and Internet usage was connected to protec-
tion activities through the mediation of cyber security awareness.
These results highlight the important role of cyber security
programs to motivate users to take proactive behaviors.
We also found a connection between awareness, knowledge,
and behaviors and the country of the respondent.2 Turkish
respondents viewed cyber security as very risky and threatening.
Israelis showed less concern, as did Poles. These findings can be
attributed to cultural differences. Israel is known as a cyber
security innovation leader (Tabansky51) Israelis tend to “out-
source” their cyber security concerns to service providers and
organizations, confident in their technological sophistication to
ensure a safe internet environment. This may explain why
Israelis were the least cautious information sharers and lowest
in cyber threat avoidance. Indeed, Tabansky51 describes Israel as
a country that continuously strives to develop cyberspace solu-
tions. Israel is one of the top five global superpower nations as
ranked by the National Cyber Initiative (Sabilion et al.52). It can
be reasonably claimed that many citizens in these countries are
under the mistaken impression that they have sufficient knowl-
edge or defense tools to counter cyber risks. In fact, they tend to
be less actively involved in daily mitigation of privacy and data
and information leaks. In countries with less cyber security
development, such as Turkey, cyber security awareness is more
linked to the individual implementation of cyber protective
behaviors. One explanation for the differences between Turkey
and the other countries can be attributed to variations in ques-
tionnaire language. As noted, the Turkish participants filled out
the questionnaire in their native language, while all other sub-
jects used an English version. This difference may have produced
biases in response, especially if the non-Turkish students lack
full reading comprehension in English. However, all non-
Turkish university students comprising our sample are required
to possess high-level English language proficiency, and this dis-
crepancy can only explain part of the differences and should not
be regarded as their main source. Even so, Turkey is well advised
to develop its training programs in this field. Future comparative
research should focus on senior management cyber security
habits in the four evaluated countries. Thus, we claim that the
more a developed country (i.e., with substantial GDP value)
invests resources in cyber tools (such as Israel), the more its
efforts should be directed to educating and increasing awareness.
While mediation was found between (one type of) knowledge,
awareness, and protection, we feel that there are other factors
that can explain why people do not protect their devices with
more defenses. Using TPB (Fishbein and Ajzen50), more
research should explore the effects of psychological factors,
such as self-efficacy and national-cultural values (Hofstede53;
Klein and Shtudiner54) on internet user behaviors.
Organizations should also take more active as well as protective
steps, in parallel with educational programs, such as configura-
tion of cyber defense tools with organizational architecture to
increase the level of cyber security awareness among their
employees. Further studies should focus on capturing how beha-
viors of organizations affect employee cyber security awareness.

The urgency to reduce employee and individual cyber risks
has only increased. As such, senior managers should build
practical training workshops and study programs with cyber
awareness courses in order to:
a. Increase employee and student knowledge related to
cyber security attacks;
b. Cultivate new attitudes toward cyber risk and responsi-
bility for maintaining organizational data;
c. Translate awareness into action by decreasing human
factors resulting in cyber security vulnerabilities; and
d. Develop new rules informing best cyber practices. Future
research should also focus on all aspects of this call to
action.
6. Conclusions and future work
The study elaborates on the literature related to cyber security
awareness, knowledge, and behavior. To our knowledge, its novelty
rests on it being the first to explore the factors relating to and level
of cyber security skills among individuals in various countries with
differing GDP values. Moreover, the study implicates level of cyber
hazard knowledge and exposure to risk to specific user traits
(gender, age, degree of using IT, etc.), concluding that specific
training programs should be developed by educational and aca-
demic institutions. Since this is an initial study, we focused on
a comparative approach to evaluating cultural differences in cyber
security awareness, knowledge, and behaviors. However, future
studies should isolate the roots of lack of cyber hazard awareness.
Our research contributions may be classified into the fol-
lowing categories:
● Elaboration on existing knowledge of cyber security
awareness, knowledge, and behavior among individuals
from different countries;
● Economic need to invest in cyber security technology in
developed countries with high GDP values (such as
Israel), since much of the population lacks the necessary
tools and knowledge to protect against cyber hazards.
Even so, it is important to also invest in cyber training
to change the perception of cyber hazards.
● Global need for comparative analysis derived from lack
of cyber security knowledge across cultures. Therefore,
training programs should be developed with an interna-
tional orientation, based on individual behavior rather
than local and cultural expressions.
It is important to point out that this study has some limitations
that should be taken into consideration. The limitation of this
study lies mainly with the type of respondents. The sample size
was based on students mainly from the social sciences, who
studied business IT or economics. To improve the study’s robust-
ness, it is recommended to use a wider sample size, one that is not
considered a convenient sample and spans various disciplines.
Another criticism can be derived from the measurement of the
variables. We used face validity in constructing the questionnaire,
relying on a team of experts to develop our survey tool. However,
since this is one of the few studies to measure cyber security
JOURNAL OF COMPUTER INFORMATION SYSTEMS 11
awareness, knowledge, and behavior, the questionnaire should
be retested to strengthen its reliability and validity. Future studies
should develop specific instruments to measure cyber security
awareness and knowledge55. Although we measured this variable
using a single-item scale, multi-item scales were found to exhibit
higher reliability. Even so, some researchers have suggested that if
a single-item question can elicit valuable information, its advan-
tage of simplicity can confer on its reliability and validity, even at
the expense of extensive detail (Bowling56). Still, more compre-
hensive instruments to assess cyber security awareness are desir-
able. Moreover, this type of study should be conducted in
additional countries that differ in their GDP values, with the
results compared to the current research.
In sum, our current reality is in many ways a cyber one. The
internet is deeply embedded in our daily life, and our dependency
on connected mobile devices seems likely to only increase. Yet
with growing dependency comes elevated risk of cyber-attack
victimization. Future work should focus on exploring how specific
training programs based on our study findings improve levels of
cyber knowledge, awareness and skill-based behaviors.
Acknowledgments
This work was supported by the Ariel Cyber Innovation Center in
conjunction with the Israel National Cyber directorate in the Prime
Minister's Office.
References
1. Aloul FA. The need for effective information security awareness.
J Adv Inf Technol. 2012;3(3):176–83. doi:10.4304/jait.3.3.176-183.
2. Jalali MS, Siegel M, Madnick S. Decision-making and biases in
cybersecurity capability development: evidence from a simulation
game experiment. J Strategic Inf Syst. 2019;28(1):66–82.
doi:10.1016/j.jsis.2018.09.003.
3. Lee KG, Chong CW, Ramayah T. Website characteristics and web
users’ satisfaction in a higher learning institution. Int J Manage
Educ. 2017;11(3):266–83. doi:10.1504/IJMIE.2017.084926.
4. Maurseth PB. The effect of the Internet on economic growth:
counter-evidence from cross-country panel data. Econ Lett.
2018;172:74–77. doi:10.1016/j.econlet.2018.08.034.
5. Abawajy J. User preference of cyber security awareness delivery
methods. Behav Inf Technol. 2014;33(3):237–48. doi:10.1080/
0144929X.2012.708787.
6. Furnell SM, Jusoh A, Katsabas D. The challenges of understanding
and using security: a survey of end-users. Comput Secur. 2006;25
(1):27–35. doi:10.1016/j.cose.2005.12.004.
7. Parsons K, McCormac A, Butavicius M, Pattinson M, Jerram C.
Determining employee awareness using the human aspects of
information security questionnaire (HAIS-Q). Comput Secur.
2014;42:165–76. doi:10.1016/j.cose.2013.12.003.
8. Schultz E. From the editor-in-chief: the human factor in security.
Comput Secur. 2005;24(6):425–26. doi:10.1016/j.cose.2005.07.002.
9. Anwar M, He W, Ash I, Yuan X, Li L, Xu L. Gender difference
and employees’ cybersecurity behaviors. Comput Human Behav.
2017;69:437–43. doi:10.1016/j.chb.2016.12.040.
10. Herath T, Rao HR. Protection motivation and deterrence:
a framework for security policy compliance in organisations. Eur
J Inf Syst. 2009;18(2):106–25. doi:10.1057/ejis.2009.6.
11. Schneier B. Hacking the business climate for network security.
Computer. 2004;37(4):87–89. doi:10.1109/MC.2004.1297316.
12. Sasse MA, Flechais I Usable security: why do we need it? How do
we get it? O’Reilly. 2005. http://discovery.ucl.ac.uk/20345.
13. Kshetri N. Cybersecurity and development. Markets Globalization
Dev Rev. 2016;1:2. doi:10.23860/MGDR-2016-01-02-03.
12 ZWILLING ET AL.
14. Vasiu I, Vasiu L. Cybersecurity as an essential sustainable eco-
nomic development factor. Eur J Sustainable Dev. 2018;7
(4):171–78. doi:10.14207/ejsd.2018.v7n4p171.
15. WorldBank Data. 2019. https://data.worldbank.org/indicator/NY.
GDP.PCAP.CD.
16. Reid R, Van Niekerk J. Decoding audience interpretations of
awareness campaign messages. Inf Comput Secur. 2016;24
(2):177–93. doi:10.1108/ICS-01-2016-0003.
17. Klimburg A, editor. National cyber security framework manual.
NATO Cooperative Cyber Defense Center of Excellence. 2012.
doi:10.1094/PDIS-11-11-0999-PDN.
18. Siponen MT. Five dimensions of information security awareness.
SIGCAS Comput Soc. 2001;31(2):24–29. doi:10.1145/503345.503348.
19. De Lange M, von Solms R. An e-safety educational framework in
South Africa. Proceedings of the Southern Africa
Telecommunication Networks and Applications Conference
(SATNAC); 2012 Sep. doi:10.1094/PDIS-11-11-0999-PDN.
20. Coopers P. Turnaround and transformation in cybersecurity. Key
Findings Global State Inf Secur Surv. 2015;2016.
21. McCormac A, Parsons K, Butavicius M. Preventing and profiling
malicious insider attacks (No. DSTO-TR-2697). Defence Science
and Technology Organisation Edinburgh (Australia) Command
Control Communications and Intelligence Division. 2012.
doi:10.1094/PDIS-11-11-0999-PDN.
22. Parsons K, McCormac A, Butavicius M, Ferguson L Human factors and
information security: individual, culture and security environment.
DSTO Technical Report (DSTO-TR2484). 2010 Oct.
23. Schneier B. Secrets and lies: digital security in a networked world.
Indianapolis (IB): Wiley Publishing, Inc; 2000.
24. Shropshire J, Warkentin M, Johnston A, Schmidt M. Personality
and IT security: an application of the five-factor model. AMCIS
2006 Proceedings; 2006 Dec 31, Acapulco, Mexico. p. 415
25. McCormac A, Calic D, Parsons K, Butavicius M, Pattinson M,
Lillie M. The effect of resilience and job stress on information
security awareness. Inf Comput Secur. 2018 Jul 9;26(3):277–89.
doi:10.1108/ICS-03-2018-0032.
26. McCormac A, Zwaans T, Parsons K, Calic D, Butavicius M,
Pattinson M. Individual differences and information security
awareness. Comput Human Behav. 2017;69:151–56. doi:10.1016/j.
chb.2016.11.065.
27. Saadatdoost R, Sim AT, Jafarkarimi H, Mei Hee J. Exploring
MOOC from education and Information Systems perspectives:
a short literature review. Educ Rev. 2015;67(4):505–18.
doi:10.1080/00131911.2015.1058748.
28. Lehto M. Cyber security competencies: cyber security education and
research in Finnish universities. ECCWS2015-Proceedings of the 14th
European Conference on Cyber Warfare & Security: ECCWS 2015; 2015
Jul 1; Hatfield (UK): University of Hertfordshire, Academic Conferences
and Publishing International Limited. p. 179–88.
29. Shaw RS, Chen CC, Harris AL, Huang HJ. The impact of infor-
mation richness on information security awareness training
effectiveness. Comput Educ. 2009;52(1):92–100. doi:10.1016/j.
compedu.2008.06.011.
30. Dodge RC Jr, Carver C, Ferguson AJ. Phishing for user security
awareness. Comput Secur. 2007;26(1):73–80. doi:10.1016/j.
cose.2006.10.009.
31. Kumaraguru P, Rhee Y, Acquisti A, Cranor LF, Hong J, Nunge E.
Protecting people from phishing: the design and evaluation of an
embedded training email system. Proceedings of the SIGCHI
conference on Human factors in computing systems; 2007;
ACM, San Jose California, USA. p. 905–14.
32. Hadlington LJ. Employees attitudes towards cyber security and
risky online behaviours: an empirical assessment in the United
Kingdom. Int J Cyber Criminol. 2018;12:269–81.
33. Pendley JA. Finance and accounting professionals and cyberse-
curity awareness. J Corporate Accounting Finance. 2018;29
(1):53–58. doi:10.1002/jcaf.v29.1.
34. Furnell SM, Bryant P, Phippen AD. Assessing the security percep-
tions of personal Internet users. Comput Secur. 2007;26
(5):410–17. doi:10.1016/j.cose.2007.03.001.
35. Abawajy J, Kim TH. Performance analysis of cyber security awareness
delivery methods. Security technology, disaster recovery and business
continuity.In: Communication in computer and information science.
Vol. 122. Springer-Verlag; 2010. p. 142–48.
36. Cain A, Edwards ME, Still JD. An exploratory study of cyber
hygiene behaviors and knowledge. J Inf Secur Appl.
2018;42:36–45. doi:10.1016/j.jisa.2018.08.002.
37. Safa NS, Von Solms R, Furnell S. Information security policy compli-
ance model in organizations. Comput Secur. 2016;56:70–82.
doi:10.1016/j.cose.2015.10.006.
38. McCormac A, Calic D, Butavicius MA, Parsons K, Pattinson MR,
Lillie M. Understanding the relationships between resilience, work
stress and information security awareness. HAISA. 2017 Nov;
p.80–90.
39. Hadlington L, Parsons K. Can cyberloafing and Internet addiction
affect organizational information security? Cyberpsychol Behav
Social Networking. 2017;20(9):567–71. doi:10.1089/cyber.2017.0239.
40. Tischer M, Durumeric Z, Foster S, Duan S, Mori A, Bursztein E,
Bailey M. Users really do plug in USB drives they find. 2016 IEEE
Symposium on Security and Privacy (SP); 2016; IEEE, San Jose
California, USA. p. 306–19.
41. McCrohan KF, Engel K, Harvey JW. Influence of awareness and
training on cyber security. J Internet Commerce. 2010;9(1):23–41.
doi:10.1080/15332861.2010.487415.
42. Eminağaoğlu M, Uçar E, Eren Ş. The positive outcomes of information
security awareness training in companies–a case study. Inf Secur
Techn Rep. 2009;14(4):223–29. doi:10.1016/j.istr.2010.05.002.
43. Pawlowski SD, Jung Y. Social representations of cybersecurity by
university students and implications for instructional design. J Inf
Syst Educ. 2015;26:281–94.
44. Son J, Bhuse V, Othmane LB, Lilien L. Incorporating lab experi-
ence into computer security courses: three case studies. Global
J Enterp Inf Syst. 2015;7:2.
45. Harris MA. Using bloom’s and webb’s taxonomies to integrate
emerging cybersecurity topics into a computic curriculum. J Inf
Syst Educ. 2015;26:219–34.
46. Bong-Hyun K, Ki-Chan K. Development of cyber information
security education and training system. Multimed Tools Appl.
2017;76(4):6051–64. doi:10.1007/s11042-016-3495-y.
47. Shtudiner ZE, Klein G. The impact of gender and attractiveness
on judgment of accountants’ misbehaviors. SSRN Electron J.
doi:10.2139/ssrn.3391257.
48. Imgraben J, Engelbrecht A, Choo KK. Always connected, but are
smart mobile users getting more security savvy? A survey of smart
mobile device users. Behav Inf Technol. 2014;33(12):1347–60.
doi:10.1080/0144929X.2014.934286.
49. Rek M, Milanovski BK. Mediji in srednješolci v Sloveniji.
Slovenija, Ljubljana: Fakulteta za medije [izdelava]. Slovenija
(Ljubljana): Univerza v Ljubljani, Arhiv družboslovnih podatkov
[distribucija]; 2017. IDNo: MPSS16.
50. Fishbein M, Ajzen I. Predicting and changing behavior: The rea-
soned action approach. New York (NY): Psychology press; 2011.
51. Tabansky L. Critical infrastructure protection policy: the Israeli
experience. J Inf Warfare. 2013;12:78–86.
52. Sabillon R, Cavaller V, Cano J. National cyber security strategies: global
trends in cyberspace. Int J Comput Sci Software Eng. 2016 May 1;5(5):67.
53. Hofstede G, Culture’s consequences: comparing values, behaviors,
institutions and organizations across nations. London (UK): Sage
publications; 2001 Apr 20.
54. Klein G, Shtudiner ZE. Trust in others: does it affect investment
decisions? Qual Quant. 2016;50(5):1949–67. doi:10.1007/s11135-015-
0245-6.
55. Zwilling M, Lesjak D, Natek S, Phusavat K, Anussornnitisarn P.
How to deal with the awareness of cyber hazards and security in
(Higher) education?. In: Valerij D, editor. Thriving on future
education, industry, business and society. Proceedings of the
Makelearn and TIIM International Conference; 2019. p. 433–439.
56. Bowling A. Just one question: if one question works, why ask
several? J Epidemiol Community Health. 2005;59:342–45.
doi:10.1136/jech.2004.021204.
 JOURNAL OF COMPUTER INFORMATION SYSTEMS 13

Appendix A

Table A1. Descriptive analysis of respondent characteristics (in percent).

Turkey Slovenia
(n = 153) (n = 35) Poland (n = 182) Israel (n = 89) Name of Variable
Gender:
48 71 53 49 Female
52 29 47 51 Male
Education year:
NA* 6 22 12 Do not have an academic
background
NA 3 44 15 First year Bachelor
NA 14 7 23.5 Second year Bachelor
NA 8 3 33 Third year Bachelor
NA 9 18 14 Master
NA 60 6 2.5 PhD
Type of studies:
NA 26 4 29 Full time study
NA 74 96 71 Part time study
*Not included in the survey for that specific country.
 14
Appendix B

Table B1. Descriptive analysis of the total response.

General
results
Mean Poland-b Slovenia-c Turkey-d
Name of Variable Description/question (Sd.) Yes Israel-a (n = 89) (n = 182) (n = 35) (n = 153) F/Chi2
ZWILLING ET AL.

Awareness Are you familiar with the term cyber security (1- no knowledge to 4- very good (d > a,b; 2.40 2.39 2.16 2.57 2.65 F = 13.03**
c > b)’’ (.76) (.84)’ (.65) (.60) (.75)
Knowledge
Familiarity Familiarity of different sources – total score (range from 0 sources through 9 sources) 5.89 3.56 3.79 4.85 3.56 F = 6.67**
c > a,b,c)’’ (2.65) (1.91) (1.76) (2.36) (1.50)
Familiarity through- Internet sources2 (a > 1.96)ᵃ 81% 72% 39% 8% 35.5% X2 = 8.13*
Familiarity through-classes at the university (b,c,d > 1.96)ᵃ 29% 26% 40% 51% 12% X2 = 41.43**
Familiarity through- Traditional media (b,d > 1.96)ᵃ 45% 39% 34% 60% 57% X2 = 20.97**
Familiarity through-scientific journal (b,d > 1.96)ᵃ 15.5% 12% 9% 14% 25% X2 = 16.19**
Familiarity through-IT journals (a > 1.96)ᵃ 21% 11% 20% 34% 27% X2 = 11.78**
Familiarity through-Industry report 9% 7% 10% 17% 6% X2 = = 5.78
Familiarity through-Talking with friends 45.5% 46% 45% 60% 42% X2 = 3.55
Familiarity through-Social media (d > 1.96)ᵃ 60% 66% 65% 80% 46% X2 = 21.99**
Familiarity through-Victim of cyber attack 9% 10% 10% 3% 10% X2 = 1.88
Attendance
IT_past - Attendance in IT security training in the past (d < a,b)’’ 18% 25% 46% 7% 12% X2 = 26.86**
IT_future Would like to attend in IT security training. (1- definitely not to 5- definitely yes). (b < c,d)’’
3.68 3.65 3.46 3.97 3.90 F = 6.72**
(.99) (1.0) (.98) (.85) (.97)
Threats The main cyber security threats are-(scale 1-strongly disagrees to 5- strongly disagree) (d > a, 4.02 4.06 3.69 4.00 4.39 F = 26.69**
b,c; a > c)’’ (.76) (.88) (.64) (.86) (.63)
Threats- Blocking access to information (d > b)’’ 1.78 3.90 3.54 3.86 3.99 F = 5.18**
(1.25) (1.15) (1.07) (1.11) (1.06)
Threats-Violation of privacy (d > a,b)’’ 4.20 4.58 3.89 4.20 4.63 F = 17.05**
(1.00) (1.17) (.99) (.99) (.73)
Threats – Loss of data (d > a,b)’’ 4.17 4.09 3.8 4.20 4.56 F = 14.03**
(.99) (1.16) (1.02) (.90) (.70)
Threats-Loss of money (d > b)’’ 4.13 4.03 3.94 4.14 4.40 F = 5.81**
(1.04) (1.19) (1.02) (1.03) (.92)
Threats- Device damage (b < a,d)’’ 3.97 4.10 3.68 3.91 4.27 F = 10.51**
(1.02) (.97) (1.00) (1.06) (.96)
Threats- Spying people (b < a,d)’’ 4.14 4.28 3.77 4.09 4.51 F = 16.20**
(1.03) (1.10) (1.05) (1.09) (.77)
Threats-Spying organization (b < a,d)’’ 4.12 4.17 3.77 4.11 4.50 F = 13.84**
(1.06) (1.22) (1.07) (1.10) (.78)
Threats-Influencing the social choice elections (b < a,d)’’ 3.80 3.84 3.43 3.69 4.25 F = 17.51**
(1.08) (1.2) (.93) (1.10) (1.00)
Threats- takeover of devices (a > b; d < a,b,c)’’ 4.05 4.18 3.53 3.97 4.61 F = 35.64**
(1.06) (1.11) (.99) (1.20) (.75)
Threats-Blocking business process (d > b)’’ 3.96 4.21 3.50 4.14 4.31 F = 23.32**
(1.02) (.99) (.99) (.97) (.89)
Threats- Attack of IT infrastructures (d < a,b)’’ 4.02 4.00 3.63 4.03 4.50 F = 20.32**
(1.08) (1.27) (1.03) (1.09) (.78)
Threats- Use IT infrastructure for terrorist attacks (d < a,b)’’ 4.11 4.07 3.85 4.03 4.50 F = 12.08**
(1.04) (1.24) (1.01) (1.09) (.81)
Threats- knowing my personality details (d > a,b)’’ 4.10 4.08 3.79 4.09 4.48 F = 12.46**
(1.06) (1.10) (1.13) (1.14) (.066)
(Continued )
Table B1. (Continued).
General
results
Mean Poland-b Slovenia-c Turkey-d
Name of Variable Description/question (Sd.) Yes Israel-a (n = 89) (n = 182) (n = 35) (n = 153) F/Chi2
Threats- consumer behavior preferences (d > b)’’ 3.78 3.91 3.55 3.54 4.01 F = 5.93**
(1.10) (1.23) (1.09) (1.19) (.95)
Education awareness
Edu_awarness The extend in which the current education influenced their cyber-security awareness 3.33 3.15 3.03 3.40 3.78 F = 20.64**
(1-defintely not affected to 5- strongly affected) (.96) (.90) (1.06) (.95) (.66)
Recognition I usually recognize and know the differences between http and https protocol 51% 53% 54% 49% 46% X2 = 2.72
Provide Total sum of the amount of information that the responders provide in the web (scale 2.21 2.54 2.42 2.13 1.79 F = 18.10**
1-strongly disagree to 5- strongly disagree) (a > c,d)’ (.95) (.90) (1.06) (.95) (.66)
Provide- Home address (a > b,d)’’ 2.19 2.70 2.12 2.03 2.01 F = 5.35**
(1.38) (1.62) (1.36) (1.20) (1.22)
Provide- Age (a > b,d)’’ 3.34 3.90 3.21 3.43 3.13 F = 8.91**
(1.21) (1.22) (1.08) (.91) (1.32)
Provide- Personal phone number (d < a,c)’’ 2.15 2.44 2.33 1.83 1.85 F = 6.40**
(1.28) (1.32) (1.39) (1.12) (1.08)
Provide- Personal ID number (b > d)’’ 1.81 1.73 2.13 1.77 1.48 F = 8.19**
(1.23) (1.12) (1.44) (1.23) (.89)
Provide- Social network login (a > c; d < a,b,c)’’ 2.02 2.78 2.44 1.94 1.11 F = 49.67**
(1.36) (1.50) (1.39) (1.32) (.43)
Provide- E-Mail password 1.778 1.71 2.31 1.83 1.18 F = 25.10**
(d < a,b,c; b > a)’’ (1.27) (1.18) (1.49) (1.29) (.57)
Computer_knowledge Self-evaluation of skills and knowledge in using computer application (range from 1-no skills 3.35 3.25 3.50 3.16 3.27 F = 5.78**
(total sum) to 5- very high skills) (b > a,c,d)’’ (.65) (.70) (.59) (.60) (.66)
Self-evaluation in computer application (a > c)’’ 3.97 3.25 3.50 3.16 3.27 F = 5.78**
(.94) (.70) (.59) (.60) (.66)
Self-evaluation in – using smartphone/tablet applications (d < a,b)’’ 3.93 4.21 3.97 3.60 3.91 F = 4.00**
(1.10) (1.11) (1.02) (.73) (.75)
Self-evaluation in Computer architecture (a < b,d)’’ 2.9 4.26 4.01 3.74 3.68 F = 8.33**
(1.10) (1.08) (.93) (.85) (.83)
Self-evaluation in Network architecture(b > a,d)’’ 2.77 2.45 3.11 2.57 3.00 F = 9.40**
(1.07) (1.26) (1.04) (.94) (1.02)
Self-evaluation in Using text editor (a < b; d > a,b,c)’’ 3.82 2.37 3.05 2.66 2.69 F = 9.22**
(1.05) (1.27) (1.03) (.90) (.94)
Self-evaluation in – Using spreadsheet (b > a; d > a,c)’’ 3.52 3.12 3.81 3.63 4.29 F = 27.82**
(1.13) (1.42) (.89) (.80) (.74)
Self-evaluation in – Using web browser (a > b)’’ 3.96 2.94 3.59 3.20 3.84 F = 14.16**
(1.97) (1.40) (1.00) (1.07) (.96)
Self-evaluation in – Using an e-mail applications (b < a,d)’’ 4.02 4.26 3.85 3.74 3.97 F = 4.28**
(.93) (1.07) (1.03) (.78) (.84)
Self-evaluation in – Using internet communicators (b > d; d < a,c)’’ 3.71 4.18 3.81 3.97 4.20 F = 6.16**
(1.09) (1.12) (1.00) (.74) (.69)
Self-evaluation in – Using social networks (d < a,b)’’ 3.90 3.81 3.97 3.83 3.30 F = 11.71**
(1.04) (1.22) (.98) (.78) (1.09)
Self-evaluation in database software (b > a,d)’’ 2.97 4.34 3.98 3.86 3.56 F = 11.60**
(1.13) (1.01) (.95) (.94) (1.08)
Self-evaluation in – Using graphics packages (b > a,d)’’ 2.60 2.64 3.25 2.71 2.88 F = 7.41**
(1.14) (1.36) (.95) (1.04) (1.14)
Self-evaluation in – Using application development environments (b > a,c,d)’’ 2.44 2.25 2.97 2.40 2.42 F = 11.34**
(1.17) (1.21) (1.03) (1.06) (1.14)
JOURNAL OF COMPUTER INFORMATION SYSTEMS

Self-evaluation in – Web pages development (d < a,b)’’ 2.42 2.16 2.88 2.23 2.13 F = 15.72**
(1.19) (1.23) (1.04) (1.06) (1.15)
(Continued )
15
 16

View publication stats

ZWILLING ET AL.

Table B1. (Continued).

General
results
Mean Poland-b Slovenia-c Turkey-d
Name of Variable Description/question (Sd.) Yes Israel-a (n = 89) (n = 182) (n = 35) (n = 153) F/Chi2
Behavioral
Behavioral I know how to behave in case of cyber-attack (on a scale from 1- defiantly no to 5-rather yes.) 3.14 3.07 3.18 3.17 3.12 F = .237
(a < b,c,d)’’ (1.19) (1.19) (1.09) (1.20) (1.08)
Choice Is the use of technology products coming from your desire or by coercion (1-dfinitely by 3.15 3.40 3.03 3.11 (not F = 3.66*
coercion to 5- definitely by choice (a > b))’’ (1.09) (.98) (1.10) (1.02) included)
Protection Sum of the score in the usage that the responders make to protect their instrument (ranged 4.72 3.50 4.42 5.60 5.69 F = 27.83**
from 0 to 11) (a < b,c,d; b < c; d > a,b)’’ (2.11) (1.87) (1.71) (2.39) (2.14)
Protect- strong password 85% 81% 83% 94% 88% X2 = 4.92
Protect- frequent password change 57% 41% 37% 40% 53% X2 = 8.85
Protect-Updating software (a > 1.96)ᵃ 56% 29% 45% 60% 48% X2 = 12.77**
Protect-Backup (a,b,d > 1.96)ᵃ 61% 26% 22.5% 54% 63% X2 = 68.81**
Protect- antivirus software (a,d > 1.96)ᵃ 75% 42% 76% 91% 89% X2 = 73.89**
Protect- Spam protection (a,d > 1.96)ᵃ 45% 26% 41% 54% 59% X2 = 27.27**
Protect- avoid using a public computer (d > 1.96)ᵃ 35.5% 25% 30% 40% 47% X2 = 15.96**
Protect- avoid using an open networks (b,d > 1.96)ᵃ 29% 26% 20% 23% 43% X2 = 23.44**
Protect-Taking part in cyber security courses (b,c,d > 1.96)ᵃ 11% 10% 17% 3% 0.7% X2 = 29.30**
Protect- Performing computer security audits 15.5% 15% 15% 17% 16% X2 = .270
Protect- avoid installing applications from unknown source (d > 1.96)ᵃ 47% 31% 55% 63% 62% X2 = 23.29**
Length The average length of your standard password (minimum 0 to maximum −14) 9.99 8.99 10.62 10.49 9.67 F = 1.99
(5.47) (5.72) (7.05) (3.85) (2.71)
Password Do you use the same password for different portals, system and application (c > 1.96)1 56% 63% 53% 34% 61% X2 = 10.79*
Finish Sum of the activities that the responders are acting when finish working on the computer 1.50 1.32 1.55 1.98 1.54 F = 2.11
(range from 0 to 4) (.75) (.67) (.78) (.88) (.69)
Finish – Turn off only the monitor (a > 1.96)ᵃ 14% 28% 11% 20% 10% X2 = 13.19**
Finish – Turn off the computer system(a,d > 1.96)ᵃ 66% 45% 66% 57% 80% X2 = 31.57**
Finish – Leave the computer on (d > 1.96)ᵃ 10% 11% 14% 17% 3% X2 = 15.09**
Finish – Log off all program 51% 42% 58% 43% 50% X2 = 7.38
Finish – Lock the computer system 19% 21% 21% 29% 14% X2 = 4.82
‘‘‘When I finish working in my or other computer I- I do nothing (d > 1.96)ᵃ 4% 2% 7% 9% 1% X2 = 8.39*
Note: ‘Standard deviation appears in the parentheses; ‘‘ the parentheses indicated the source of the differences according to Scheffepost hoc analysis test.
2
For the categorial variables, the results indicate the percentage of responders that agree with that sentence from that country; ᵃ the results in the parentheses indicate that the standardized residual of that country was
greater than the critical value (1.96), supporting a specific finding that they were different from the expected results. ‘‘‘excluded from the calculation of the total score of the finished item.
*p < 0.05; **p < 0.01.