Towards Comprehensive Information Security Awareness: A Systematic Classification of Concerns among University Students

In this paper, we have systematically identified and classified information security concerns (ISCs) of university students into areas where users perceive information security threats. 354 university students were asked to elicit their level of concern on a given set of 74 ISCs using a 7-point scale. Factor analysis (PCA) produced an 11-factor solution, each factor depicting an area of concern. These areas were related to Personal (legal awareness), Social (Sociality), Institutional (Staff member lapses, University networks), Technological (Online social network use, Intrusive service providers, Web browsing and email, Smartphone use, Electronic device use, and Conventional threats), and Non-technological (Cards and wallets security) aspects of student’s day-to-day life. The majority of the students (66%) showed concerns related to online social network use, whereas, only 40% of them shown concerns related to sociality. The highest level of concerns was related to service providers, whereas the lowest level of concerns was related to sociality. Information security, concerns, information security awareness, students, areas of concern, factor analysis, principal component analysis, affinity diagram


INTRODUCTION
Like in any other organisation, information security is one of the concerns for the educational institutions (Kerievsky & Bruce, 1976).Information security has been ranked as one of the top areas of concerns for educational institutions in the United States (Ingerman & Yang, 2011).The availability of huge amounts of computing power and open access has attracted the attention of malicious entities towards higher educational institutions (HEIs) (Katz, 2005).HEIs, university, institution and educational institutions have been used in this paper, all referring to institutions imparting postsecondary education (bachelor's level and above).However, HEIs are considered to have poor protection regarding the security of their information assets (Rezgui & Marks, 2008).
A variety of technical (Aurigemma & Panko, 2012) and non-technical measures (Abraham, 2011;Bulgurcu et al., 2009;D'Arcy et al., 2009;Pahnila et al., 2007) have been suggested to safeguard organizational and individual security.Security education, training, and awareness (SETA) programs are suggested as a tool to improve information security awareness of the users (Kim, 2014).ISA has been considered as one of the defences against continuously evolving threat landscape, and a way to mitigate security attacks (Aloul, 2010;Furnell & Clarke, 2012;Siponen & Oinas-Kukkonen, 2007;Tsohou, et al., 2008).ISA enables a user to understand his role in the security process and encourages her/him to take necessary measures for his, as well as his peers, information security (Amankwa et al., 2014;Tsohou et al., 2008).The importance of ISA is similar for a different type of users, be it employees of an organisation (McCormac et al., 2017;Parsons, et al., 2014), or home users (Howe, et al., 2012;Kritzinger & von Solms, 2010), or the students (Kim, 2014;Farooq & Kakakhel, 2013;Kim, 2013).
According to the Concerns-based Adoption Model (CBAM) (Loucks-Horsley, 2010), having a concern is first to step towards change and to learn a new behaviour.If a person is concerned about a phenomenon, s/he will try to get awareness about it Towards comprehensive information security awareness: A systematic classification of concerns among university students Ali Farooq • Shamil Alifov • Seppo Virtanen • Jouni Isoaho 2 leading to a stage where he will be able to adopt the change or learn the required skill.Keeping in view the importance of ISA, researchers have studied the concept thoroughly, including its antecedents as well the consequences (Jaeger, 2018).However, in most of the available studies, security experts identify an area where ISA is to be assessed and improved, based upon their expert knowledge, and end-users (employees, homeusers, students) are involved in assessment phase.Research shows that perceptions of threats play an important role toward (in)action of the end-users that would ensure or endanger information security of users (Milne, et al. 2009).Users have different mental models related to information security threats (Camp, 2009) and resultantly threats are perceived differently.Therefore, we suggest that end-users' concerns be taken into consideration at the time of identifying areas where ISA is to be assessed and improved.If we can understand the users' security concerns, their prevalence and variation, whole ISA process can be improved.
Moreover, the researchers have studied ISA in isolation, that is, within one component or area such password-related behaviour Stanton, et al., 2005), application security in computers (Furnell, et al. 2006) or smartphone security (Mylonas, et al., 2013); while others took a more holist approach where more than one components/areas were used for assessing ISA (Crossler, et al., 2017;Farooq, et al., 2015;Parsons et al., 2014).There is need to identify a set of areas related to the day-to-day life of users where their information security can be jeopardized.Such areas then combined with areas identified by the security experts can provide a comprehensive set of areas where ISA of the users can be improved.
Keeping in view the above gaps, we conducted this study to systematically identify students areas of concerns where they have security concerns.In this study, 74 concerns were rated by 354 university students on a 7-point scale.The concerns were classified into 11 areas using factor analysis which covers five aspects of student's life (personal, social, institutional, non-technological and technological).Further, the prevalence of concerns, level of concerns and variation in the level of concern among different student groups was also examined to understand if the identified areas actually represent students' areas of concerns.Following questions are formulated in this regards:

RQ1: What are the areas where students have information security concerns (Identification of areas)?
RQ2: How are the areas related to students (Connecting concerns with students)?

RQ3: How prevalent are different concerns among the university students within identified areas (Prevalence of concerns)? RQ4: What is level of concerns among the students within the identified areas? (Level of concern)
Rest of the paper is organised as follow: Section 2 provides narrates the methods and measures used in the study.Section 3 contains the findings and answers to the research questions.Section 4 contains the concluding remarks, followed by a bibliography and the appendix.

Participants, Setting, and Measures
Data on security concerns were collected from students of a Finnish university using an online survey forum, webropol, during 2017.There was no benefit, monetary or otherwise, offered to survey participants.417 responses were collected in total which were reduced to a usable sample size of 354.The survey took 25-30 minute on an average.Seventy four concerns were taken from (Farooq et al., 2016), and each was presented with a standard statement "How concerned you are for…" in the questionnaire.A 7-point measurement scale (1: not at all concern to 7: extremely concerned) was used.An option of "I don't know" was also provided.Five items measuring gender, educational level, discipline, previous information security related training (categorical) and age (continuous) were also added.(For detail on concerns consult appendix A.

Data Analysis
Principle Component Analysis (PCA) was conducted using principal axis factoring with the oblique rotation, as recommended by (Osborne, et al., 2009) in SPSS (v 25,0).Initially, we identified 14 factors using Kaiser criterion (Fabrigar, et al., 1999) (having eigenvalues greater than 1), allowing item loading greater than 0,4, explaining a total variance (TVE) of 69,90%.We repeated the same step by removing items having loadings less than 0,4; no or few item cross-loadings; items; items with cross loading difference more than 0,15 or loading heavily (0,40) on more than one factors were removed; and, items loading on the different components measure different constructs.Haywood cases were removed (item loading greater than 1,0).We also kept in mind the face validity of the factors, that is, similar items should be loaded under one factor, and if not, such items were removed.Once the right factors were reduced after a couple of iterations, we observed that one of the factors contains items each explaining three different concepts.At this point, to reduce the data loss, we relaxed our criteria of no fewer than three items per factor and divided the factor into three factors explaining three different concepts.In this way, we came up with a solution consisting of 11 reliable and stable factors, explaining 68,87% of the variance.23 items were dropped (highlighted as italic in Annexure) while attaining reliable and stable factors.

Sample Characteristics
Sample characteristics are shown in Table 1:

Identifying Areas of Concern (RQ1)
Factors along with item loadings are shown in Table 2. Item loadings cannot be shown as pattern matrix due to the paper template design.For item description, consult the Annexure.To assess the reliability of the factors, we calculated Cronbach's alpha for each factor and found all factors to be above an acceptable level (0,70).Table 2 shows the 11 areas of concerns identified using factor analysis.

Connecting Concerns with Students (RQ2)
To clarify the connection between students and areas of concern, we employed affinity diagramming technique (Grant & Booth, 2009) to group the related areas.An affinity diagram is a tool that is used to organise data (ideas, opinions, issues) into groups based on their natural relationship.We came up with an affinity diagram consisting of 5 groups covering 11 areas of concern.Each group was given a title and represents one of the day-to-day facets of a student's life.Figure 1 depicts areas of concerns and how they are connected with students' day-today life.

Prevalence and Level of Concerns
To examine prevalence of concerns among the identified areas, we divided the area concern score into three groups, a) absence of concern (point 1 to 4 of 7 point scale), b) presence of concern (point 5 to 6 of 7 point scale), and c) lack of awareness ("I don't know" option).Then, we calculated the percentage of prevalence of concerns within an area.We also employed chi-square test identify the difference in prevalence of concerns.Figure 2 shows the prevalence of concerns was significant differences depicted by '*' with area code in the.In comparison, the highest number of respondents (66%) have concerns related to online social networks (OSN), whereas, the area for which least number of respondents (40%) have concerns was sociality (SOC).Except for SOC, more than half of respondents (at least 54%) have concerns within all the areas.
While the prevalence of concerns show if concerns are present or absent within an area among the students, the level of concern enable us to see how concerns vary among the students.Table 3 shows descriptive for 11 identified areas in descending order of mean scores.The originally coded "I don't know was removed while calculating descriptive statistics.The highest level of concern was found related to intrusive behaviour by service providers such as search string collection by search engines, targeted advertisement, excessive data collection by service providers for marketing purpose and data leakage from the cloud services.The lowest level of concerns was related to sociality.The concerns within this area were mostly related to family members, close friends and peers in the classroom and university.Intrusive Service Providers, Cards and Wallets security, Online Social Networks, Smart Phones and Staff Lapses turned out to be top 5 areas where students have a higher level of concerns.

CONCLUDING REMARKS
This paper describes initial findings of an ongoing work on systematic identification of students' concerns about their information security.Data was on security concerns was colleted from 354 university students.Using factor analysis, eleven areas, where students perceive to have information security concerns, were identified.These areas are related to personal, social, institutional, technological and non-technological aspects of students' life.The personal aspect includes legal awareness, the social aspect includes sociality, and the institutional aspect has areas such as university network and staff members lapses.Most of the identified areas (6/11) were related to the technological aspect: online social network use, intrusive service provider, smartphone use, conventional threats, electronic device use and web browsing and email.Cards and wallet security falls into the non-technological aspect of a student's life.Students's concern prevale in most of the areas.In future, we will examine differences in prevelance may arise due to difference in gender, educational background and previous security training.

Figure 1 :Figure 2 :
Figure 1: Areas of concerns and Different Aspects of Student's Life

Table 1 :
Sample Characteristics

Table 2 :
Factors along with item loadings depicting areas of concern (concern descriptions are in theAppendix)

Table 3 :
Result of Means, Medians, Modes, Standard Deviations for the level of concerns for different areas