Development of Students’ Security and Privacy Habits Scale

  • Naurin Farooq Khan
  • Naveed Ikram
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)


Cyberspace offers many opportunities to the general public, but it has its dark side in terms of cyber crimes. Apart from technical security, the human factor plays an important role in safeguarding the security and privacy of systems. End users, especially students, need to be aware of the protective measures they can adopt to safeguard themselves through security awareness and training. Awareness programs should be comprehensive and tailored according to the security and privacy awareness of the individuals. Therefore, the target individuals should be assessed in terms of their security and privacy habits and practices. Previous endeavors in this respect make use of questionnaire instruments that are specific to a particular type of individual, such as employees of an organization, or that tap into the use of a specific device. This study presents the development of an instrument that gauges the security and privacy habits/practices of end users, specifically students.


Information security; Development of questionnaire; Information security awareness and training



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Riphah International University, Islamabad, Pakistan
