Cybersecurity behaviours of the employees and students at the Estonian Academy of Security Sciences

Kate-Riin Kont (Estonian Academy of Security Sciences, Internal Security Institute, Tallinn, Estonia)

Organizational Cybersecurity Journal: Practice, Process and People

ISSN: 2635-0270

Article publication date: 25 October 2024

Issue publication date: 12 November 2024

Abstract

Purpose

The purpose of this study is to identify the most common characteristics that make Internet users at the Estonian Academy of Security Sciences (SKA) vulnerable to various threats. This includes password management habits, online banking, shopping and payment behaviours, time spent online, use of public Wi-Fi, gaming and watching movies online. Additionally, the study seeks to review the dangers users encounter and how cautious they are, such as which online activities they consider the most dangerous and which they perceive as safe.

Design/methodology/approach

The data used in this paper is based on an overview of relevant literature, highlighting previous studies and methodologies and explaining why the human factor is considered the weakest link in cybersecurity. This research aims to help characterise the patrons of the SKA and make suggestions for future training and research. For this purpose, the students, administrative employees and academic staff of the SKA were investigated. A five-point scale questionnaire with 54 questions was used as the methodology of the study, considering the following four scales: risky behaviour, conservative behaviour, risk exposure behaviour and risk perception behaviour. The results are interpreted based on the literature, and data obtained from the completed questionnaires were analysed using Excel’s Data Analysis ToolPak. The results are presented mostly as tables and bar charts.

Findings

The research results show that the cybersecurity behaviour of employees and students is generally at a good level. However, some aspects of conservative behaviour need increased attention, such as the use of USB and other external media, opening links in emails too readily, monitoring the authenticity of visited websites and deleting browsing history before logging out. Cyber training has a noticeable effect on behaviour, particularly in the context of password management.

Originality/value

No previous research on cyber behaviour has been conducted in the context of Estonian higher education, despite the increasing number of cyber-attacks in this sector.

Citation

Kont, K.-R. (2024), "Cybersecurity behaviours of the employees and students at the Estonian Academy of Security Sciences", Organizational Cybersecurity Journal: Practice, Process and People, Vol. 4 No. 2, pp. 85-104. https://doi.org/10.1108/OCJ-02-2024-0001

Publisher

Emerald Publishing Limited

Copyright © 2024, Kate-Riin Kont

License

Published in Organizational Cybersecurity Journal: Practice, Process and People. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at http://creativecommons.org/licences/by/4.0/legalcode


1. Introduction

The fundamental document on the National Security Concept of Estonia states:

Estonia’s security begins with ourselves, including with the readiness and actions of every individual. Ensuring security and crisis resilience in the country and society is a comprehensive, continuous and purposeful activity. This must be reflected in the thinking, readiness, action and mutual cooperation of constitutional institutions, the executive state power, local government units, companies, organizations, communities and individuals. (National Security Concept of Estonia, 2023, p. 2)

Cybersecurity also starts with the individual – how aware we are as individuals, employees and students of the dangers in cyberspace and how we can protect ourselves and our employers from sensitive data leakage and cybercrime (National Security Concept of Estonia, 2023, p. 2).

Globally, the number and sophistication of cyber-attacks and cybercrime are growing. When thinking about cybersecurity, most people first think of high-end technology companies, but fewer consider healthcare providers or government agencies. Recent attacks have shown that this is becoming increasingly important for universities as well. Cybercrime is a growing problem for higher education. Kost (2024) states that between 2020 and 2021, cyber-attacks targeting the education sector increased by 75%, with a dramatic rise in ransomware attacks. According to the 2022 Verizon Data Breach Investigations Report, 30% of educational data breaches are due to ransomware attacks (Verizon, 2022, p. 57). The same report indicates that in 2022, there were 1,241 incidents and 282 cases related to data breaches in educational institutions. For comparison, there were 2,792 incidents and 537 data breaches in public sector institutions and 2,527 incidents and 690 cases of data breaches in the financial sector (Verizon, 2022, p. 50).

While nearly every major industry faces significant cybersecurity challenges, several important reasons make higher education particularly vulnerable to cybersecurity threats. Higher education, due to its unique academic culture, is known for its openness and transparency, which most industries lack. One reason is that higher education institutions possess a significant amount of valuable non-public scientific information. Criminals can infiltrate researchers’ networks to access information on ongoing tests and methodologies. Many master’s and doctoral theses are conducted in closed defences, with access restricted to university members or specific groups. This data is a target for espionage and holds economic value. There is an ongoing attempt to covertly collect any kind of information, such as information associated with the operation of sensitive systems, customer data, and research and development. Moreover, the SKA relies on Chinese products, and since the SKA is also a research and development institution, DJI drones pose a higher risk. These devices must never be connected to a public network, personal devices must not be used to transfer data, and drones must not be linked to any work account.

Another reason higher education institutions are vulnerable to cyber-attacks is their long history of internet access. Universities have been online for a relatively long time, often offering free public access as research centres, not only to their members but also to anyone interested, e.g. through their libraries. As a result, they have long been visible targets, and cybercriminals are likely to know their weaknesses well. Higher education institutions are data-rich hack destinations. They collect vast amounts of data, frequently updated and stored by many institutions, often managed by several different departments. People’s access to various information sources, including faculty, staff, part-time workers and students, poses a significant threat to data security. The decentralisation of data access and storage creates chaos, duplication, and lax security controls and opportunities for potential attackers (Yerby and Floyd, 2018).

Overall, higher education institutions are targets for cyber-attacks because their data is valuable and easily accessible. Apart from the personal data of students and staff, which presents opportunities for ransom attacks, the latest research findings can become targets for international espionage. Therefore, it is critical that academic institutions allocate resources for cybersecurity and protect themselves against potential threats.

This study examines the behaviour of students, lecturers (researchers) and employees of the SKA regarding hybrid threats and the possibility of preventing risks related to cybersecurity. This study is part of a larger research conducted within the framework of the cooperation programme on hybrid threats (HYBRIDC) between the Estonian Academy of Security Sciences and the Lithuanian Mykolas Romeris University. This questionnaire was prepared in cooperation with the digital development department of the SKA. The results can be used to develop strategies and training to reduce errors related to the human factor in the cybersecurity of other higher education institutions in Estonia. The remainder of this paper is structured as follows: a literature review discusses the human factor as the weakest link in organisations’ cybersecurity and highlights studies on cybersecurity awareness among members of higher education institutions. The first section presents the methodology used to assess the level of cybersecurity awareness and the characterisation of the sample. The next section describes the study analysis results based on the demographic data of respondents and answers to background questions, presenting the results scale by scale, focusing separately on password management. The last section concludes the paper and provides recommendations for future research.

2. Literature review

2.1 Human factor as the main cause of cyber-attacks

Cybersecurity professionals know that the weakest part of any system is the human, who is unpredictably vulnerable even in secure and well-managed systems. How we think, feel and what we believe gives attackers an opportunity. Exploiting a person depends on user habits, assumptions, prejudices and even laziness, making them unwittingly help the attacker. Thus, cybersecurity problems are human problems. Yet, it is our humanity – our capacity to recognise patterns, make imaginative leaps, and create communities – that promises to restore our autonomy, privacy and freedom online (Mauro, 2022, p. 1). It is common knowledge that human error accounts for more than 80% of all cyber-attacks, data breaches and ransomware attacks, followed by technological weaknesses (63%) (Metalidou et al., 2014; Soltanmohammadi and Naraghi-Pour, 2014). Nevertheless, most organisations have failed to address the human factors of cybersecurity (Alavi et al., 2016). Kraemer and Carayon classified human error as “any action that leads to an undesirable outcome” (Kraemer and Carayon, 2007, p. 147). Therefore, institutions can be very diligent in ensuring their cybersecurity, but it ultimately comes down to the human factor.

Kearney quotes Ray Stanton, who says that “corporate information security is more at risk than ever and the reason for this is simple – with today’s technology, more and more of our lives are spent online, so the risks are constantly increasing” (Kearney, 2016, p. 5). A company’s investment in cybersecurity is completely wasted if its employees do not understand the risks related to cybersecurity, how they can help or harm the company through their actions, and how the processes and technologies related to information security actually work (Kearney, 2016, p. 6).

It does not matter how experienced the professionals working on the information security side are when employees write down their passwords or forget their computers in a public place. Although companies are tempted to focus only on the opinion of information security experts because they are professionals in their field and know how to act in different attacks, such thinking is too simplistic. An employee might mismanage physical documents, write down passwords on memo stickers, let colleagues use the intranet with their username to save time, forget their computers in public places, or discuss confidential matters publicly. Therefore, the question arises as to why employees are unable to follow the given instructions and information security policies. Kearney emphasises that in most cases, employees have done their best, but not in an information-secure manner. This is often because cybersecurity training has been insufficient, or the employee simply did not understand the consequences of their actions (Kearney, 2016, p. 7).

2.2 Higher education institutions as targets of cyber-attacks

Scott Zelko has categorised major attacks on universities in detail to help other higher education institutions understand the scope and danger of such crimes and prepare to avoid similar problems (Zelko, 2024):

(1) Database hack: In July 2023, a hacker posted stolen sensitive data online – information about prospective students, past students and staff – from the University of Minnesota, revealing a breach that had occurred in 2021. This criminal intrusion targeted a database containing applications for financial assistance, which included a large amount of personal information such as victims’ full names, addresses, phone numbers, social security numbers, and driver’s licence and passport information dating back to 1989.

(2) Unprotected third-party assets: Each year, thousands of students at hundreds of higher education institutions across the US and Canada participate in the Beginning College Student Engagement Survey (BCSSE), sharing information about their past academic and learning experiences. This survey collects personal data, including full names, student ID numbers, sexual orientation, race and ethnicity. Between May and July 2023, cybercriminals posted nearly 250,000 records related to former and current students, including names and email addresses, on Indiana University’s public web. The data, meant to be confidential, was found stored on an unsecured blog containing over 1.3 million open files.

(3) Third-party software vulnerability: In September 2023, the University of Georgia, Johns Hopkins University, Washington State University (WSU) and Colorado State University confirmed that cybercriminals had accessed data stored in software used by these universities to manage and transmit sensitive data. Although the exact timing of the hack was unclear, the unauthorised access involved personally identifiable information, including student and faculty names, addresses, phone numbers, email addresses, social security numbers, and details about staff salaries and benefits.

(4) Ransomware: In May 2022, after 157 years of operation, Lincoln College became the first American college to close due to a ransomware attack. The college suffered a cyber-attack in December 2021, which disrupted admissions operations and blocked access to institutional data until March 2022. Despite surviving various crises, including the economic crisis of 1887, the great campus fire of 1912, the Spanish flu of 1918, World War II and the global financial crisis of 2008, it was a cyber-attack that ultimately led to the school’s closure. Similarly, in June 2022, the University of Pisa in Italy fell victim to the BlackCat ransomware group, which took over the university’s IT system and demanded a $4.5 million ransom, making it one of the largest ransom demands of 2022 (Zelko, 2024).

Several studies have shown that there is a human dimension to the causes of cyber-attacks in universities (Muniandy and Muniandy, 2012; Othmana et al., 2020). It is the actions of people that often lead to cyber-attacks, and raising their awareness can mitigate the consequences of these attacks on universities. Analysing data from these studies revealed that ignorance and carelessness in managing passwords are common, contributing to higher education institutions becoming targets for cyber-attacks. Previous literature found that 70% of users use the same password for each website login, 67% do not like being forced to change their password, 65% of employees use the same password for different applications or write down the password, 50% of users never change their online passwords, and 28% of Internet banking users use their passwords on other websites (Ciampa, 2013). User ignorance makes passwords a frequent focus of attacks, which explains the risk of cyber-attacks.

Norum and Weagley (2006) argued that higher education students use the Internet heavily and, as a result, are at greater risk of identity theft, among other threats, than the general population. Therefore, it is important that they are trained in cybersecurity. Researchers strongly recommend that cybersecurity education be implemented as part of general education in higher education curricula where cybersecurity is not currently taught. Most students are not given the opportunity to learn this subject and understand the evolving cybersecurity threats, even though they are heavy Internet users. Jones and Heinrichs (2012) emphasised the importance of educating students about safety before they enter the workforce. Teer et al. (2007) argued that college students should not bring their unsafe computer security behaviours to work.

In his book, Lacey highlights that information security in organisations is often not considered very important unless it directly concerns its patrons. However, if patrons were told that ignoring a certain part of information security could send them to jail, they would do anything to ensure compliance with information security rules (Lacey, 2011, p. 38). According to Lacey, an organisation’s employees must have an understanding and awareness of information security threats for any security policy to be functional. It is especially important to improve specific areas within an organisation at a time. The goal of a good information security programme or reform is to first fix those areas that need the most help (Lacey, 2011, p. 211). It is important to be clear about the required changes in the knowledge, attitudes and actual behaviour of organisational members. Changing the attitudes of an organisation’s patrons is much more difficult and often involves a variety of personal experiences that can be challenging to achieve. Patrons may also resist change, in which case it is important to take a more restrained approach, highlighting problematic areas and encouraging people to slowly change their attitude towards information security (Lacey, 2011, p. 212).

Protecting networks and data should be a top priority for higher education leaders. In addition to implementing a zero-trust security model, which verifies that staff and learners have access to information, services and systems only on the basis of their identity and roles, staff and students should be trained in information security awareness. This training should help them spot fraudulent emails, manage their data securely and know how to report issues (Chapman, 2019, p. 1).

Most higher education institutions organise cybersecurity training for their employees, mandatory cybersecurity tests for students and campaigns focused on cybersecurity. Such tests and campaigns should emphasise the importance of cybersecurity, its basics, and current trends in cybercrime and cyber-attacks. The challenge of cybersecurity training in a large higher education institution lies in the variation in the level of competence among participants; some are experts in the field, while others struggle to acquire basic competence. It is reasonable to use feedback from students during security tests and from employees regarding the training to update the focus of tests and training for the next academic year.

2.3 Methods used to study patrons of higher education institutions’ awareness of cyber risks

Several authors have studied the information security awareness and behaviours of students, faculty and staff at higher education institutions. The most common method for identifying weak points in the cybersecurity of higher education institutions (as in any other organisation) appears to be questionnaire surveys using different scales and measures (Öğütçü et al., 2016; Muniandy et al., 2017; Yerby and Floyd, 2018; Nurbojatmiko et al., 2020; Benavides-Astudillo et al., 2021). However, research methods have varied, sometimes employing case studies that combine questionnaires with interviews, observations and document analysis (Othmana et al., 2020).

A study conducted at a US university investigated information security awareness and behaviour among faculty and staff at universities in the Southeastern United States. The online survey consisted of 20 questions, and a five-point Likert scale was used to measure awareness and behaviours (Yerby and Floyd, 2018). The study revealed that information security behaviour among respondents was commendable. Locking workstations was handled commendably, while regularly performing backups and maintaining antivirus protection were at a satisfactory level. Respondents were also commendably aware of how to behave on websites and respond to emails from strangers. Moreover, they understood the importance of strong passwords at an almost excellent level. The authors recommended involving users in effective data security awareness training, emphasising that the human factor is always related to information security awareness and behaviour (Yerby and Floyd, 2018).

Muniandy et al. (2017) focused on the cybersecurity behaviour of Malaysian university students. The research methodology used was the Cyber Security Behaviour Instrument (CSBI), designed by the authors based on a literature review of existing studies on cybersecurity. The results indicated that the respondents’ behaviour was significantly vulnerable and susceptible to cybersecurity threats in every aspect. Some threats could be eliminated or immediately reduced if students were made aware of these issues. Quick steps, such as training and raising awareness, could rapidly improve understanding of the issues. Therefore, raising cybersecurity awareness is crucial to protecting Internet users from potential cybercrimes.

Nurbojatmiko et al. (2020) analysed the information security awareness level of Indonesian university students using Kruger and Kearney’s (2006) approach, the KAB model, a five-point Likert scale, and the six dimensions of knowledge, attitudes, behaviour, confidentiality, integrity and availability. The results showed that students’ information security awareness was at an average level, or 75% of security awareness. The authors suggested improving certain parameters to increase users’ awareness of information system security. For example, Internet access should be used to enhance academic goals rather than personal use. While the practice of handling sensitive information was appropriate and effective, it was still insufficient compared to other parameters. Sharing passwords with others is an improper habit that requires significant effort from university management to change (Nurbojatmiko et al., 2020).

Öğütçü et al. (2016) and Benavides-Astudillo et al. (2021) aimed to identify common characteristics that make users vulnerable to social manipulation, either individually or in groups. They conducted a survey among the employees and students of higher education institutions, focusing on four behavioural scales: Risky Behaviour Scale (RBS), Conservative Behaviour Scale (CBS), Exposure to Offense Scale (EOS) and Risk Perception Scale (RPS). Öğütçü et al. (2016) found that as respondents’ perception of threats increased, their behaviour became more cautious. Additionally, the group that participated in security training scored higher than the group that did not, clearly indicating that such training increases user awareness (Öğütçü et al., 2016). Benavides-Astudillo et al. (2021) used the same methodology and found that users with risky behaviour are most exposed to social manipulation attacks on social networks. They also concluded that faculty and staff fall victim to such attacks much less often than students and that people who spend more time online are more likely to fall victim to social engineering attacks.

Othmana et al. (2020) conducted a qualitative case study at the University of Matara in Malaysia to understand how higher education institutions deal with cyber-attacks. The research design included interviews, observation and document analysis. Fourteen members of the university were interviewed about their experiences, knowledge and skills on the topic. The purpose of the observation was to triangulate the interview data, gaining insight into the process of monitoring cyber threats and attacks at the university’s cybersecurity centre. Documents such as cybersecurity guidelines, supervisory audit reports and network penetration testing reports were also analysed to describe vulnerable areas of the university network and remedies used to overcome weaknesses. The study concluded that people are the main reason for cyber-attacks and that higher education institutions are not well-prepared to face them. Participants acknowledged the need for higher education institutions to consider the human dimension as key to mitigating cyber-attacks. The authors highlighted a shortage of trained cyber specialists and recommended training employees and students to understand and prevent cyber-attacks. Continuous awareness programmes should be initiated, and the behaviour and attitudes of employees need serious attention. Despite the known dangers of cyber-attacks, employee disinterest in the topic makes them vulnerable to hackers (Othman et al., 2020).

To summarise, preparation, training and awareness are crucial for successfully preventing or mitigating the consequences of cyber-attacks. Groups that have participated in training score higher in cybersecurity awareness than those who have not. Additionally, people who spend more time on the Internet are more often victims of cyber-attacks.

3. Research methodology and sample

Human behaviour on the Internet has been studied for several decades using various approaches. For example, Halevi et al. (2013) highlighted that when people perceive a threat or risk, they become more cautious and less willing to share personal information about themselves. The study tried to find connections between personality traits and the risky behaviour of sharing personal information. The results showed that individuals who are more risk-averse are also more open to trying new experiences, more likely to share personal information online and use fewer privacy settings on social media platforms. When people perceive a threat or risk, they are more cautious and less willing to share personal information about themselves (Halevi et al., 2013; Hajli and Lin, 2016). It has also been found that people with more conservative behaviour are more likely to prevent or mitigate risks by using preventive measures such as stronger passwords and antivirus programs (Yucedal, 2010). Ybarra et al. (2007) identified a relationship between sharing personal information, opening links in strangers’ emails and victimisation, indicating that risky behaviour increases the probability of becoming a victim.

The Estonian Academy of Security Sciences (SKA) was chosen for this study primarily because the author works at this university. Since SKA trains future employees in the field of internal security and reports directly to the Estonian Ministry of the Interior, it was assumed that both students and employees have received extensive training in cybersecurity. Thus, it is legitimate and justified to examine how cyber-safely the members of SKA (both students and employees) behave on the Internet and whether their daily online behaviour tends to be conservative or risky. This is the first survey of information and cybersecurity behaviour conducted in a higher education institution in Estonia, and the results can be extended to the behavioural practices of members of other higher education institutions in the country.

To identify the most common behaviours that make students and employees of SKA vulnerable, the four-scale measure developed by Öğütçü et al. (2016) was used. The scales are as follows:

(1) Risky Behaviour Scale (RBS) – measures the risk behaviour of Internet users, such as whether various security measures are used to protect themselves and the people they live or work with;

(2) Conservative Behaviour Scale (CBS) – measures the actions and activities of Internet users in protecting their personal information;

(3) Exposure to Offense Scale (EOS) – measures the exposure of users to cybersecurity threats, highlighting user behaviour in relation to risks, threats and effects resulting from events;

(4) Risk Perception Scale (RPS) – measures the level of risk or threat perceived by Internet users and their trust in the face of possible cyber-attacks (Öğütçü et al., 2016; Benavides-Astudillo et al., 2021).

Scales and questions were developed based on existing literature, mostly on the work of Benavides-Astudillo et al. (2021), and the opinions of IT experts at SKA. Determining the level of awareness is crucial because awareness and behaviour are closely related. According to this model, an individual’s behaviour is determined by the perception of a threat and actions taken to resolve it. Awareness is a powerful weapon against social engineering attacks, so this study provides universities of applied sciences an opportunity to use these findings to focus their cybersecurity training priorities. The survey consists of five parts: (1) questions that collect respondents’ demographic data; (2) questions about user profiles related to information technology and computer security; (3) questions dealing with risky issues related to information technology behaviour; (4) questions about respondents’ behaviour regarding information security and threats; (5) questions addressing user exposure to cybercrime.

Answers can be given according to a five-point Likert scale. The proposed scale options for RBS, CBS and EOS questions are “Always”, “Often”, “Sometimes”, “Rarely” and “Never”. For RPS, the scale options are “Very dangerous”, “Dangerous”, “Slightly dangerous”, “Not dangerous” and “I don’t know”.

Invitations to participate were sent to the email addresses of 1,000 undergraduate students, 69 master’s students, 439 faculty members and 271 staff members. The survey was conducted using the LimeSurvey platform used by SKA, and a link to the online survey was sent via email. Data collection lasted for two months, during which repeated reminders were sent. Estonians are not very eager to answer questionnaires, and if there is an opportunity to leave it unfinished and save it for later, it is often forgotten. There were 363 total responses, including incomplete ones. The data was screened, and any results missing one or more responses were deleted, resulting in a final sample size of n = 277.

4. Results

The presentation of survey results is descriptive. The primary aim was to provide a quick and comprehensive overview of the content and results, for which descriptive statistics were used. The results are presented largely in tables to convey accurate numerical information. Frequency tables were created to answer the following question: What proportion of respondents chose a certain answer option?

4.1 General results

Table 1 below shows the results obtained based on general user information. There were more women than men among the respondents. Regarding age groups, the highest number of respondents was from the 19–25-year-old group (30%), followed by the 41–50-year-old group (27%), and the 31–40-year-old group (19%). The largest groups of respondents were applied higher education students (35%) and teaching staff (26%). When naming their position in higher education, 19 respondents identified themselves as “others”, including 8 guest lecturers, 3 researchers, 1 external student, 1 head of department-lecturer, 2 recent alumni, 1 head of department and 1 pensioner. Sixty per cent of respondents have completed cybersecurity training. Most people spend 1–5 hours a day on the Internet (52%), while 3% spend 11 or more hours a day online. Outside school, mobile Internet (48%) and private Wi-Fi networks (46%) are the primary means of accessing the Internet.

Based on the survey results, it can be said that although the employees and students of the SKA are frequent Internet users, they are careful, as public Wi-Fi networks are practically not used. However, the higher education institution should ensure that all its members undergo cybersecurity training at least once a year. As Estonia’s leading institution for training internal security officers, it is critical to address the 40% of patrons who reported not having completed cyber training.

4.2 Results of the risky behaviour scale

In this sub-chapter, the answers are analysed by scale across all respondents, and the password management culture of the members of the SKA is investigated in more depth.

According to Statistics Estonia, the Internet is mostly used for email (91%) and Internet banking (91%), as well as for searching information (86%) and reading online publications (87%). Due to the end of coronavirus restrictions, the number of e-shoppers has decreased slightly. However, with the easing of restrictions, the purchase of event tickets, accommodation services, and other travel services and related insurance from e-shops has grown rapidly. Additionally, 17% of e-commerce users have purchased investment products such as stocks, funds and bonds – a figure higher than ever before (Koorits, 2022).

Table 2 presents the frequency of activities performed on the Risk behaviour scale. The results are ranked, starting with the most frequently performed activities and ending with activities that the members of the higher education institution either rarely do online or do not perform at all. The most frequent activities are using email and Internet banking (96% and 94% of respondents, respectively). Additionally, 86% of respondents use their organisation’s email, and 85% use some chat program daily or often. Online communication programs such as WhatsApp, Telegram, Signal, Messenger and Skype are widely used – 39% use them daily, 46% often, 10% occasionally, 3% rarely and 2% never.

Sixty-five per cent of respondents use government e-services daily or often and 26% sometimes. These services include entering the state employee’s self-service portal (the State Shared Service Centre), which automates the flow of information from institutions to the state’s financial, personnel and payroll systems. The portal has different modules, such as the vacations module, the assignment module, which allows employees to submit assignment orders and expense reports, and the training module, which provides an overview of all directed and completed training, submitting training requests, registering for training, accessing training materials and giving feedback on training. Educational platforms such as Tahvel, Moodle and eKool serve as comprehensive solutions for schools, teachers, parents and students. Additionally, portals like the Tax and Customs Board and the Centre of Registers and Information Systems administer registries and information systems crucial for the state and its citizens, including the e-Business Register, the e-Notary system and the e-Land Register.

In this study, we focused on the habit of online shopping. Media coverage often gives the impression that online shopping has grown significantly, with many people engaging in it daily. All respondents have paid for products and services in online stores, although their frequency varies. The study revealed that online shopping is not a daily activity for most respondents. Only 7% shop online daily, while 25% do so frequently, 41% occasionally, 24% rarely and 3% never. However, 21% of respondents pay for products and/or services online daily, 38% often, 30% occasionally and 11% rarely. This finding is surprising, given that only 7% shop online daily, yet 21% pay for products/services online daily. One explanation for this discrepancy could be the results from Statistics Estonia, which indicate that more payments are made for services – such as theatre and cinema tickets, accommodation and travel – than for specific goods.

Although 75% of respondents rarely open emails from strangers or download attachments, 18% always do, which is concerning.

Various meeting and lecture environments such as Meet, Zoom and Teams became familiar during the COVID-19 pandemic and remain popular, although only 14% use them daily and 2% never use them. Interestingly, 70% and 59% of respondents have never used TikTok or ChatGPT, respectively. ChatGPT, a relatively new tool launched on 30 November 2022, is a chatbot designed to answer questions as humanly as possible. It has gained significant attention over the past year, becoming a hot topic due to its ability to generate human-like responses by processing vast amounts of text data found on the Internet. Despite being an inanimate app, ChatGPT is quite effective at mimicking human conversation. There are concerns that in the near future, ChatGPT could elevate the sophistication of scams, presenting challenges for which we may not yet be prepared.

Notably, while Table 1 indicates that public Wi-Fi is almost never used, Table 2 shows that 3% often, 14% occasionally, 26% rarely and 57% never use internet banking in places with public Wi-Fi. Students and employees of the SKA prefer not to use TikTok – 70% never use it. They are also aware that it is safer to send confidential emails through work accounts rather than common chat programs.

Questionnaire prompt for the risky behaviour scale (Table 2): “For each statement, indicate how often you perform the actions below.”

4.3 Results of the conservative behaviour scale

Table 3 shows that SKA members are relatively conservative in matters of internet security: 91% use licenced software and 87% use antivirus programs.

It is human nature to trust colleagues and friends, often believing it is rare for someone to misuse personal information. However, misuse does occur, and it is essential to remain cautious and aware that others may use personal information illegally. The survey indicates that 90% of respondents are always or often careful and aware of this risk.

In today’s digital age, managing without giving a digital signature is challenging, especially when using e-Government services. Thus, it is natural that 89% of respondents provide electronic signatures daily or often.

Phishing websites go to great lengths to disguise themselves as legitimate services. They often mimic the login windows of major services such as Facebook, Google, PayPal, DHL and others to deceive users. Since many people use the passwords of their Google, Facebook, etc., accounts to log in to other services as well, it is increasingly easy for these phishing sites to appear genuine. However, instead of logging into the intended service, users are unknowingly sending their credentials to a fraudster. It is important to emphasise that an electronic page protected by an SSL certificate will have a green lock icon on the left of the address bar and “https://” at the beginning of the address, confirming the site’s security. The most important thing is to view the full length of the address. Therefore, it is crucial to pay attention to the websites you visit and check if they have the HTTPS lock in the address bar. According to the study, 18% of respondents always pay attention to this, 25% often, 19% sometimes, 19% rarely and 19% never do so.
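The address check described above, as an added example that is not part of the article: it parses a URL with the same rules a browser uses and compares the real hostname with a list of expected services, which shows why the full address has to be read even when “https://” is present. The allowlist, the function names and every sample URL are assumptions constructed for illustration.

```javascript
// Added example, not code from the article. The allowlist and all sample URLs
// are constructed; the ".example" hosts are reserved names standing in for
// phishing pages.
const EXPECTED_HOSTS = ["paypal.com", "facebook.com", "google.com", "dhl.com"];

// Dynamic-programming edit distance, used to spot one-character swaps.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the host the browser would really contact plus a list of findings.
function inspectUrl(raw, expectedHosts = EXPECTED_HOSTS) {
  let url;
  try {
    url = new URL(raw); // WHATWG parsing, as applied to the address bar
  } catch {
    return { host: null, expected: false, ok: false, findings: ["unparseable"] };
  }
  const host = url.hostname; // lower-cased and IDNA-encoded by the parser
  const labels = host.split(".");
  const findings = [];

  if (url.protocol !== "https:") findings.push("not-https");
  // "https://paypal.com@login.example/" connects to login.example.
  if (url.username || url.password) findings.push("userinfo-before-host");
  // Internationalised labels can render as look-alike letters.
  if (labels.some((l) => l.startsWith("xn--"))) findings.push("punycode-label");

  // Expected only if the host IS an allowlisted name or a subdomain of one;
  // a brand name appearing somewhere on the left does not count.
  const expected = expectedHosts.some((e) => host === e || host.endsWith("." + e));
  if (!expected) {
    findings.push("host-not-on-allowlist");
    for (const e of expectedHosts) {
      const brand = e.split(".")[0];
      for (const label of labels) {
        const d = editDistance(label, brand);
        if (d === 0) findings.push(`brand-in-unrelated-host:${brand}`);
        // Short brands are skipped here to limit false positives.
        else if (d === 1 && brand.length >= 5) findings.push(`lookalike-label:${label}~${brand}`);
      }
    }
  }
  return { host, expected, ok: expected && findings.length === 0, findings };
}

// Constructed sample addresses: one genuine, the rest imitations.
const SAMPLE_URLS = [
  "https://www.paypal.com/signin",
  "http://www.paypal.com/signin",
  "https://paypal.com.account-verify.example/signin",
  "https://paypal.com@login.example/",
  "https://paypa1.example/login",
  "https://xn--pypal-4ve.com/", // Cyrillic "a" in place of Latin "a"
];

for (const u of SAMPLE_URLS) {
  const r = inspectUrl(u);
  console.log(`${r.ok ? "OK     " : "REVIEW "} ${u}\n        host=${r.host} findings=[${r.findings.join(", ")}]`);
}
```

Only the first sample passes; four of the five others also begin with “https://”, so the scheme alone does not distinguish them.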

It is highly recommended to remove cookies and other temporary Internet files occasionally. However, only 16% of respondents always or often delete their browsing history before leaving the computer, 31% do it sometimes, 35% rarely and 18% never.

Questionnaire prompt for the conservative behaviour scale (Table 3): “For each statement, note how your computer, accounts and personal data are protected.”

4.4 Results of the exposure to offence scale

Table 4 presents the exposure to various threats faced by members of the SKA. It should be noted that since the employees of the SKA are provided laptops by the Ministry of the Interior, these devices are more securely managed than typical personal devices. Given that SKA trains future specialists for roles in rescue, finance, justice, police and border guard services, the members are likely more cyber-aware than the average population.

Social media posts should be made with an understanding of the information environment and potential risk areas. When posting on social media, it is important to create a strategy and follow the code of ethics of the public sector, ensuring that you do not damage the reputation of your institution and colleagues, both in work and private life. Public sector employees also represent their employer in their spare time. SKA employees and students rarely encounter problems sharing their personal information online – 91% never do, 7% rarely and only 2% sometimes. As future civil servants, SKA students cannot afford to share personal information widely on social media.

Despite the fact that social media sites have improved our social lives, several problems persist, and fake accounts are one of them. Fake social media accounts are profiles that are not associated with a real person or are created using a real person’s sensitive information without their consent. These impostor accounts, also known as “sock puppet” accounts, are designed to praise, protect or support a person or organisation, manipulate public opinion, or circumvent restrictions, such as viewing a blocked social media account. The purposes of creating fake accounts can include extorting money from followers through scams (usually by pretending the original account owner is in trouble and needs donations), harassing people online, spreading false information – usually political – and hate speech, or destroying a person’s reputation. Most, if not all, major social media platforms, such as Facebook, Twitter, Instagram, LinkedIn, Pinterest, YouTube and Snapchat, are plagued with fake accounts (Jones, 2022). Among SKA respondents, 89% have never encountered a fake account in their name, while 9% have rarely and 2% sometimes.

Online shopping can be risky, with the main risk factors being performance risk, financial risk and time loss risk (Guru et al., 2020). In this study, we have highlighted the financial loss associated with online shopping. Hassan et al. (2006) define financial loss as “any financial loss that may occur as a result of online shopping”. Boksberger et al. (2007) further explain that “Financial loss can occur both when money has been paid for a product or service, but the product/service has not been received, and also when the purchased service/product may not be worth the money paid for it.” Biswas and Biswas (2004) argue that the risk of financial loss is high when buying online because buyers cannot contact the seller directly, and in some cases, the risk is increased due to the seller’s lack of credibility. Among respondents, 80% have never experienced financial loss while online shopping, but 18% have rarely, 1% sometimes and 1% often.

The purpose of login notifications is to inform users of recent logins and help them protect their accounts from unauthorised access. These notifications are typically sent when a login occurs from a new location or device, which may indicate malicious activity. Users must determine whether a reported login is legitimate or malicious and are advised to change their password if the login is unfamiliar. A login can be accidental or malicious when users share accounts with friends or family without notifying each other (Markert et al., 2023, p. 1). Among respondents, 67% have never received such notifications, 25% have rarely, 7% sometimes and 1% often.

In the digital age, where data is the new gold, cybersecurity is essential to protecting businesses from various threats. When computer viruses hit an organisation, they cause problems that can lead to financial loss, loss of customer trust, reputational damage, theft of intellectual property, and disruptions to critical infrastructure. For individuals, computer viruses are dangerous because they pose risks such as identity theft, financial fraud, unauthorised access to personal files and private information, and breaches of privacy through webcam and microphone access. However, it is possible to strengthen defences and mitigate risks by staying informed, practising good cybersecurity habits and using reliable antivirus software (Gordon, 2023). While the computers provided by the Ministry of the Interior and used by employees are very well secured, the personal computers of students are definitely more at risk. Among respondents, 51% have rarely encountered viruses, 10% occasionally and 39% never.

Millions of people around the world use PayPal as a quick and easy way to pay for things online. However, no online service is perfect. The most common security threats PayPal users experience are phishing and identity fraud, fraud on invoices and money requests, overpayment scams and shipping scams (Knutsson, 2023). Although there is plenty of advice on the Internet regarding how to spot PayPal fakes, users still need to be very careful. When making online purchases with a credit card, only 2% of respondents always use secure online payment environments, 9% often, 22% sometimes, 32% rarely and 35% never.

Questionnaire prompt for the exposure to offence scale (Table 4): “For each statement, indicate how often you have been exposed to the threat.”

4.5 Results of the risk perception scale

What are considered the most dangerous activities? According to the respondents (see Table 5), the most dangerous activities include exposure to spyware, computer viruses, lack of anti-virus programs, and using illegal software or public Wi-Fi networks, with a perceived danger level of 76% or higher. Conversely, the least dangerous activities are using internet banking, entrusting your identity document to a security guard (e.g. when entering a government institution), online shopping, using ChatGPT and file-sharing programs.

Questionnaire prompt for the risk perception scale (Table 5): “Of the following items, indicate the degree of danger that you perceive in each one.”

The use of removable media can be very dangerous and should therefore be controlled, limited and used appropriately. Many government agencies prohibit the use of devices with removable media (including USB sticks) because they can facilitate the exfiltration of sensitive data. Despite their convenience, removable media also pose the risk of infecting machines with malware. Organisations can mitigate these risks by banning all removable media from the workspace and disabling the ability of computers to accept, read, or write to removable media (Sherman et al., 2017). Surprisingly, only 46% of respondents consider the use of removable media very dangerous or dangerous, while 32% perceive it as low risk and 9% consider it completely safe.

4.6 Results of the attitudes towards password management

Correct password management is a crucial component of information security. Confidential or classified information should only be accessed by those with granted permissions. Users are typically given the necessary rights for their work or study tasks, and it is important to be especially careful with usernames and passwords in the workplace. If these credentials fall into the hands of criminals, they can cause data leakage and significant damage. For example, if a criminal gains access to an email account, they can access all information processed through that email. Additionally, if they obtain online shopping credentials, they can easily find credit card information and use stolen data for purchases.

It is strongly recommended that passwords be changed regularly, such as every three months, to prevent misuse if a password is compromised. If the minimum length of a password is 15–18 characters, the password change interval can be extended to 6–9 months. The length of the password is considered more important than complexity, provided it is not just a single long word. Long passwords with multiple elements are more secure than short ones. A short sentence like “congratulations” is very difficult to guess, even though it is just a 15-character lowercase word. Adding a single number or special character increases security further (Waugh, 2013).

According to the survey results shown in Figure 1, 91% of respondents never share their passwords with others, and 95% never keep their passwords visible to others. The attitude towards password managers is mixed. Although it is convenient to remember only one username and password, if the master password is compromised, the cybercriminal would have access to all other passwords. This is likely why 58% of respondents never use a password manager, while only 14% use one always or often.

Within the SKA, all laptops provided to employees belong to the Ministry of the Interior, requiring a two-system login – first to the computer and then to the personal account. Consequently, 61% of respondents use passwords to access their work computers. It is recommended that passwords be long rather than complicated, even if it is just one long word. Therefore, 63% of respondents use long and complicated passwords. However, the real issue is the regularity of password changes – only 22% do it regularly, 31% often, 19% rarely and 2% never.

Can completed cyber training influence risky behaviour in password management? The data in Table 6 shows a significant effect. Regularly changing passwords is a habit for 65% of those who have completed the training, compared to only 37% of those who have not. Similarly, 93% of those who have completed cyber training always or often choose long and complicated passwords, compared to 83% of those who have not. Those who have undergone cyber training also hide their passwords more diligently and share them less frequently than those who have not undergone training.

Additionally, two-factor authentication is more commonly used by respondents who have received training. Therefore, it is evident that cyber training would be beneficial for SKA employees and students who have not yet completed it.

5. Conclusions

Cybersecurity plays a significant role in the management systems of every higher education institution. It is critical to protect sensitive information of students and teachers from unauthorised access and potential threats. Strong data security measures ensure data integrity and confidentiality, inspire stakeholder trust, and protect against reputational damage. Higher education institutions should prioritise data security to protect valuable assets and comply with relevant regulations. While the organisation can primarily be responsible for the technical side of cybersecurity, the human side is the responsibility of all individuals. Each user must make informed decisions about how they access and store their data and how they behave online.

This is best achieved when the organisation has a work culture that strongly supports cybersecurity. Management must ensure the protection of employees, students and researchers, safeguarding the institution and its stakeholders from accidental information security violations and malicious cyber-attacks.

The structure of the questionnaire was designed considering previously conducted research, the opinions and recommendations of SKA’s IT experts, and ensuring that it was quick and easy for higher education institution members to complete. The target group was limited to SKA members to identify weak points and design future training and tests.

This study focused on the general presentation of the results without detailing the influence of separate demographic factors. However, password management, often the weakest link in cybersecurity, was analysed separately. The results revealed that the majority of respondents possessed commendable cybersecurity skills. Although the number of those who completed cyber training was lower than expected, this can be corrected. SKA members are knowledgeable internet users – they use secure network connections and avoid public Wi-Fi networks. It is impossible to work or study without engaging in potentially risky online activities. All survey respondents use email, internet banking and government e-services, pay for services or products online, give electronic signatures, participate in online meetings and use social media communication programmes. SKA members are generally security-conscious – they handle links in emails from strangers with caution, avoid sending confidential files through communication programs and do not leave passwords visible or share them. They are also careful when using TikTok and ChatGPT and when playing video games. Licenced software and anti-virus programs are commonly used. However, there are areas of concern, such as not paying enough attention to website security (checking for HTTPS locks) and not regularly deleting browsing history. SKA members have rarely encountered real cyber threats, such as computer viruses, financial loss from online purchases, or unauthorised use of usernames and passwords. In terms of risk perception, more caution is needed when handling USB media and emails with apparent advertising content.

If we compare the results with the studies described in the literature review, we can state that, similar to the study by Yerby and Floyd (2018), this study confirms that SKA members are aware of how to behave on websites, how to respond to emails from strangers, including any attachments/links they contain, and the dangers of opening emails with advertising content. While Yerby and Floyd (2018) found anti-virus protection to be at a satisfactory level, the results of this study show that SKA members consider computer viruses and the lack of antivirus protection to be a threat. It can be stated that almost all respondents use antivirus programs and, as a result, have not experienced problems with computer viruses. Moreover, SKA respondents understood the importance of strong passwords at an almost excellent level. Unlike the Muniandy et al. (2017) survey, where sharing personal passwords with others was highlighted as a significant problem, SKA members are commendably aware of not sharing their passwords with others, whether colleagues or fellow students. However, it should be emphasised that only slightly more than half of SKA members change their passwords regularly.

Completed cybersecurity training definitely influences cybersecurity behaviour. This was confirmed by both the research analysed in the literature review section and the present study.

Future studies should be planned for a time when all SKA members have completed mandatory cybersecurity training, focusing on addressing the weaknesses found in this study. Comparing the results of this study with a post-training study will provide valuable insights. Additionally, the cybersecurity level of members of other Estonian higher education institutions should be investigated to compare levels and shortcomings across institutions. This will help make broader recommendations for developing necessary training for information security specialists in higher education institutions. Future studies should also focus more on the risk behaviour of individual groups within higher education institutions to explore the cyber behaviour of employees and students separately. Investigating whether those who have undergone training exhibit safer and more aware cyber behaviour, and whether the time spent on the Internet affects risky behaviour, will provide deeper insights.

Figures

Figure 1. Attitudes towards password management

Table 1. Results of the user profile section

| Characteristic | Category | Number of respondents | Percentage (%) |
|---|---|---|---|
| Gender | Male | 120 | 43 |
| | Female | 157 | 57 |
| Age range | 19–25 | 68 | 30 |
| | 26–30 | 27 | 9 |
| | 31–40 | 58 | 19 |
| | 41–50 | 81 | 27 |
| | 51–60 | 32 | 11 |
| | 61–70 | 9 | 3 |
| | 70+ | 2 | 1 |
| Position in the SKA | Vocational student | 33 | 12 |
| | Under-graduate | 98 | 35 |
| | Graduate | 14 | 5 |
| | Lecturer | 71 | 26 |
| | Administrative staff | 42 | 15 |
| | Others | 19 | 7 |
| Completed cyber security training | Yes | 165 | 60 |
| | No | 112 | 40 |
| Time range of Internet use | 1–5 h/day | 145 | 52 |
| | 6–10 h/day | 123 | 44 |
| | 11 or more hours/day | 9 | 3 |
| How do you access the Internet from outside your workplace? | Using Mobile Internet | 133 | 48 |
| | Using public Wi-Fi network (Cafes, Shopping malls) | 1 | 1 |
| | Using private Wi-Fi network (Home) | 15 | 46 |
| | Using remote connection of my organization | 128 | 5 |

Source(s): Table by author

Table 2. Risky behaviour scale (RBS)

Table 3. Conservative behaviour scale (CBS) (% of respondents)

Table 4. Exposure to offence scale (EOS) (% of respondents)

Table 5. Risk perception scale (RPS) (% of respondents)

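Table 6. Attitudes towards password management according to the completed cyber security training

Rows: completed cyber security training (No/Yes). Values: % of respondents per answer option (Always, Often, Sometimes, Rarely, Never); every row totals 100%, and options without a reported value are omitted.

Do you share your passwords with other people?
No: Often 1, Sometimes 10, Rarely 1, Never 88
Yes: Often or Sometimes 7, Never 93

Do you use a password manager?
No: Always 4, Often 12, Sometimes 9, Rarely 19, Never 56
Yes: Always 9, Often 4, Sometimes 14, Rarely 13, Never 60

Do you keep your passwords visible so they can be easy to find?
No: Often or Sometimes 9, Never 91
Yes: Often or Sometimes 2, Never 98

Do you use long and complicated passwords?
No: Always 54, Often 29, Sometimes 3, Rarely 10, Never 4
Yes: Always 70, Often 23, Sometimes 2, Rarely 4, Never 1

Do you have a password to access your computer?
No: Always 90, Often 2, Sometimes 2, Rarely 2, Never 4
Yes: Always 92, Often 4, Sometimes 1, Rarely 1, Never 2

Do you have a password to access your account?
No: Always 81, Often 14, Rarely 3, Never 2
Yes: Always 91, Often 5, Sometimes 2, Rarely 1, Never 1

Do you change your passwords regularly?
No: Always 10, Often 27, Sometimes 28, Rarely 34, Never 1
Yes: Always 31, Often 34, Sometimes 24, Rarely 9, Never 2

Source(s): Table by author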

Declaration of generative AI and AI-assisted technologies in the writing process: Statement: during the preparation of this work, the author did not use any AI or AI-assisted technologies.

References

Alavi, R., Islam, S. and Mouratidis, H. (2016), “An information security risk-driven investment model for analysing human factors”, Information and Computer Security, Vol. 24 No. 2, pp. 205-227, doi: 10.1108/ICS-01-2016-0006.

Benavides-Astudillo, E., Silva-Ordoñez, L., Rocohano-Rámos, R., Fuertes, W., Fernández-Peña, F., Sanchez-Gordon, S. and Bastidas-Chalan, R. (2021), “Analysis of vulnerabilities associated with social engineering attacks based on user behavior”, International Conference on Applied Technologies, Springer International Publishing, pp. 351-364.

Biswas, D. and Biswas, A. (2004), “The diagnostic role of signals in the context of perceived risks in online shopping: do signals matter more on the web?”, Journal of Interactive Marketing, Vol. 18 No. 3, pp. 30-45, doi: 10.1002/dir.20010.

Boksberger, P.E., Bieger, T. and Laesser, C. (2007), “Multidimensional analysis of perceived risk in commercial air travel”, Journal of Air Transport Management, Vol. 13 No. 2, pp. 90-96, doi: 10.1016/j.jairtraman.2006.10.003.

Chapman, J. (2019), “How safe is your data? Cyber-security in higher education”, Higher Education Policy Institute (HEPI) Policy Note, Vol. 12, available at: https://www.hepi.ac.uk/wp-content/uploads/2019/03/Policy-Note-12-Paper-April-2019-How-safe-is-your-data.pdf

Ciampa, M. (2013), “A comparison of user preferences for browser password managers”, Journal of Applied Security Research, Vol. 8 No. 4, pp. 455-466, doi: 10.1080/19361610.2013.825751.

Gordon, A. (2023), “Do you still need to worry about computer viruses?”, LinkedIn, available at: https://www.linkedin.com/pulse/do-you-still-need-worry-computer-viruses-adrian-gordon/

Guru, S., Nenavani, J., Patel, V. and Bhatt, N. (2020), “Ranking of perceived risks in online Shopping”, Decision, Vol. 47 No. 2, pp. 137-152, doi: 10.1007/s40622-020-00241-x.

Hajli, N. and Lin, X. (2016), “Exploring the security of information sharing on social networking sites: the role of perceived control of information”, Journal of Business Ethics, Vol. 133 No. 1, pp. 111-123, doi: 10.1007/s10551-014-2346-x.

Halevi, T., Lewis, J. and Memon, N. (2013), “A pilot study of cybersecurity and privacy related behaviour and personality traits”, 22nd International Conference on World Wide Web, pp. 737-744, doi: 10.1145/2487788.2488034.

Hassan, A.M., Kunz, M.B., Pearson, A.W. and Mohamed, F.A. (2006), “Conceptualization and measurement of perceived risk in online shopping”, Marketing Management Journal, Vol. 16 No. 1, pp. 138-147.

Jones, J. (2022), “Tracking down fake social media accounts”, Bosco Legal Services Fake Accounts Investigations, September 14, available at: https://www.boscolegal.org/blog/tracking-down-fake-accounts/

Jones, B.H. and Heinrichs, L.R. (2012), “Do business students practice smartphone security?”, Journal of Computer Information Systems, Vol. 53 No. 2, pp. 22-30, doi: 10.1080/08874417.2012.11645611.

Kearney, P. (2016), Security: The Human Factor, IT Governance.

Knutsson, K. (2023), “The dark side of PayPal and how to stay safe. Don't fall for scammers using PayPal to steal your money”, Fox News Scitech, May 29, available at: https://www.foxnews.com/tech/dark-side-paypal-stay-safe

Koorits, V. (2022), “Eestlased kasutavad internetis enim e-maili ja internetipanka, kasvab ettevõtete turvateadlikkus”, Eesti Statistikaamet, September 16, available at: https://www.stat.ee/et/uudised/infotehnoloogia-ettevotetes-ja-leibkondades-2022

Kost, E. (2024), The State of University Cybersecurity: 3 Major Problems in 2024, Upguard, available at: https://www.upguard.com/blog/top-cybersecurity-problems-for-universities-colleges

Kraemer, S. and Carayon, P. (2007), “Human errors and violations in computer and information security: the viewpoint of network administrators and security specialists”, Applied Ergonomics, Vol. 38 No. 2, pp. 143-154, doi: 10.1016/j.apergo.2006.03.010.

Kruger, H.A. and Kearney, W.D. (2006), “A prototype for assessing information security awareness”, Computers and Security, Vol. 25 No. 4, pp. 289-296, doi: 10.1016/j.cose.2006.02.008.

Lacey, D. (2011), Managing the Human Factor in Information Security: How to Win over Staff and Influence Business Managers, John Wiley & Sons, Chichester.

Markert, P., Lassak, L., Golla, M. and Dürmuth, M. (2023), “Understanding users' interaction with login notifications”, Computer Science, Vol. 5, pp. 1-26, available at: https://arxiv.org/pdf/2212.07316.pdf

Mauro, A. (2022), Hacking in the Humanities: Cybersecurity, Speculative Fiction, and Navigating a Digital Future, Bloomsbury Publishing.

Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Giannakopoulos, G. and Skourlas, C. (2014), “Human factor and information security in higher education”, Journal of Systems and Information Technology, Vol. 16 No. 3, pp. 210-221, doi: 10.1108/JSIT-01-2014-0007.

Muniandy, L. and Muniandy, B. (2012), “State of cyber security and the factors governing its protection in Malaysia”, International Journal of Applied Science and Technology, Vol. 2 No. 4, pp. 106-112.

Muniandy, L., Muniandy, B. and Samsudin, Z. (2017), “Cyber security behaviour among higher education students in Malaysia”, Journal of Information Assurance and Cybersecurity, Vol. 2017, pp. 1-13, doi: 10.5171/2017.800299.

National Security Concept of Estonia (2023), “Republic of Estonia government”, available at: https://www.kaitseministeerium.ee/sites/default/files/eesti_julgeolekupoliitika_alused_eng_22.02.2023.pdf

Norum, P.S. and Weagley, R.O. (2006), “College students, Internet use, and protection from online identity theft”, Journal of Educational Technology Systems, Vol. 35 No. 1, pp. 45-63, doi: 10.2190/VL64-1N22-J537-R368.

Nurbojatmiko, F.A., Aini, Q., Saehudin, A. and Amsariah, S. (2020), “Information security awareness of students on academic information system using Kruger approach”, 8th International Conference on Cyber and IT Service Management (CITSM 2020), Pangkal Pinang, Indonesia, October 23-24, 2020, Institute of Electrical and Electronics Engineers (IEEE), pp. 407-413.

Öğütçü, G., Testik, O.M. and Chouseinoglou, O. (2016), “Analysis of personal information security behavior and awareness”, Computers and Security, Vol. 56, pp. 83-93, doi: 10.1016/j.cose.2015.10.002.

Othmana, Z., Rahimb, N. and Sadiq, M. (2020), “The human dimension as the core factor in dealing with cyberattacks in higher education”, International Journal of Innovation, Creativity and Change, Vol. 11 No. 1, pp. 1-19, available at: https://ijicc.net/images/vol11iss1/11101_Othman_2020_E_R.pdf

Sherman, A.T., DeLatte, D., Neary, M., Oliva, L., Phatak, D., Scheponik, T. and Thompson, J. (2017), “Cybersecurity: exploring core concepts through six scenarios”, Cryptologia, Vol. 42 No. 4, pp. 337-377, doi: 10.1080/01611194.2017.1362063.

Soltanmohammadi, E. and Naraghi-Pour, M. (2014), “Fast detection of malicious behavior in cooperative spectrum sensing”, IEEE Journal on Selected Areas in Communications, Vol. 32 No. 3, pp. 377-386, doi: 10.1109/JSAC.2014.140301.

Teer, F.P., Kruck, S.E. and Kruck, G.P. (2007), “Empirical study of students' computer security practices/perceptions”, Journal of Computer Information Systems, Vol. 47 No. 3, pp. 105-110, doi: 10.1080/08874417.2007.11645971.

Verizon (2022), “2022 data breach investigations report”, available at: https://www.verizon.com/business/resources/T9be/reports/dbir/2022-data-breach-investigations-report-dbir.pdf

Waugh, R. (2013), “How to create strong passwords (without driving yourself mad). Digital Security”, available at: https://www.welivesecurity.com/2013/07/17/how-to-create-strong-passwords-without-driving-yourself-mad/ (accessed 17 July 2013).

Ybarra, M.L., Mitchell, K.J., Finkelhor, D. and Wolak, J. (2007), “Internet prevention messages: targeting the right online behaviors”, Archives of Pediatrics and Adolescent Medicine, Vol. 161 No. 2, pp. 138-145, doi: 10.1001/archpedi.161.2.138D.

Yerby, J. and Floyd, K. (2018), “Faculty and staff information security awareness and behavior”, Journal of The Colloquium for Information System Security Education (CISSE), Vol. 6 No. 1, pp. 138-160, available at: https://cisse.info/journal/index.php/cisse/article/view/90

Yucedal, B. (2010), Victimisation in Cyberspace: An Application of Routine Activity and Lifestyle Exposure Theories, Kent State University, available at: http://rave.ohiolink.edu/etdc/view?acc_num=kent1279290984

Zelko, P. (2024), “A recap of recent cybersecurity incidents at universities”, Cybersecurity Assessments, available at: https://www.schellman.com/blog/cybersecurity/cybersecurity-incidents-at-universities-2023

Acknowledgements

I want to thank all the colleagues and students at the Estonian Academy of Security Sciences who kindly took their time and filled in my questionnaire. Many thanks also to the HYBRIDC programme.

Corresponding author

Kate-Riin Kont can be contacted at: kate-riin.kont@sisekaitse.ee

About the author

Kate-Riin Kont graduated from the Department of Librarianship and Information Science, Tallinn University, in 1995; she earned an MA from the same department in 2004. Since 2009, she has been involved in doctoral studies at Tallinn University, Department of Digital Technologies. Since 2008, she has been working as Head of the Acquisition Division of the Tallinn University of Technology Library, and in 2018 she started work at Tallinn Health Care College as a Senior Lecturer in the Lifelong Learning Centre. She is a member of the Terminology Working Group of the Estonian Librarians’ Association. Since 2014, she has led the Collection Development Committee of the Estonian Librarians’ Association and has acted as a member of the EBSCO Information Services Academic Advisory Board. Since 2020, she has led the Library Working Group of the Estonian Rectors’ Conference of Universities of Applied Sciences. After graduating from the Tallinn University School of Digital Technologies with a PhD in March 2022, she has been working as a researcher at the Estonian Academy of Security Sciences, Institute of Internal Affairs.
