1.1 EXTENT OF CYBERATTACKS
In November 2018, the personal data (including credit card details, passport numbers, and dates of birth) of up to 500 million people were stolen in a "colossal" hack of Marriott International, the parent company of hotel chains including W, Westin, Le Méridien, and Sheraton [1]. Two months earlier, in September 2018, press reports surfaced that British Airways had suffered an enormous data breach affecting almost 400,000 customers and including personal and financial details [2]. A month earlier, in August 2018, T-Mobile was hacked and hackers swiped the data of 2 million subscribers [3]. In March 2018, the New York Times reported that Cambridge Analytica, a political data firm, gained access to the private information of more than 50 million Facebook users. The firm offered tools that could identify the personalities of American voters and influence their behaviour [4]. Almost a year earlier in September 2017, Equifax, one of three major credit-reporting agencies in the United States, revealed that highly sensitive personal and financial information for about 143 million American consumers was compromised in a cybersecurity breach that began in late spring that year [5].
Every day, cyber-criminals exploit a variety of threat vectors, including email, network traffic, user behaviour, and application traffic to insert ransomware [6]. For example, cyber-criminals use email wiretapping to create a hypertext markup language (HTML) email that, each time it is read, can send back a copy of the email's contents to the originator. It gives the author of the email an opportunity to see to whom the email was subsequently forwarded and any forwarded messages.
Today, technology facilitates communication to the extent that one can chat with someone else in the next room or as far as another country with ease, via a variety of technologies. This ease of communication also prepares the ground for cyber-stalking. Cyber-stalking is defined as the use of technology, particularly the Internet, to harass someone. Typical characteristics include false accusations, monitoring, threats, identity theft, and data destruction or manipulation. Cyber-stalking also includes exploitation of minors, be it sexual or otherwise. Reyns [7] reports that approximately 4.9% of students had perpetrated cyber-stalking in 2009.
Consequently, cybersecurity, or information technology (IT) security, has become one of the major concerns of organizations, communities, and individuals. Cyberspace has become a new site of crime and illegal behaviour. While a wide range of acts of crime and criminality (including robbery, identity theft, ransom, spying, subterfuge, deception, and black markets) have been parts of the experience of social life, globalization and the expansion of new media technologies have presented us with new changes and challenges. With the expansion of digital media, these activities have taken unique forms requiring specific, and sometimes fundamentally distinct, ways of understanding.
1.2 REVIEW OF THE LITERATURE
The cases of cyber-attacks show the extent to which any individual using the Internet and computers is vulnerable to cyber-attacks, which affect not just businesses or organizations but also individuals.
In the following sections, some of the recent studies on students' cybersecurity awareness and privacy will be briefly reviewed.
1.2.1 Cybersecurity Awareness of College Students
Users' understanding of privacy and security risks, and of how to protect themselves from cyber-attacks, is a fundamental need in modern life. After all, from banking and e-commerce to pictures of private information and documents, so much can be compromised. Also, information breaches of companies containing user information can easily subject users to identity theft. What users can do to protect themselves and what actions they should take depend on their awareness and knowledge of the risks. The Federal Trade Commission's Consumer Sentinel Network, which collects data about consumer complaints, including identity theft, found that 18% of people who experienced identity theft in 2014 were between the ages of 20 and 29 [8,9].
In recent years, several studies have been conducted to measure the level of awareness among college students concerning information security issues. For example, Slusky and Partow-Navid [10] surveyed students at the College of Business and Economics at California State University, Los Angeles, Los Angeles, California. The results suggested that the major problem with security awareness is not due to a lack of security knowledge but rather to the way that students apply that knowledge in real-world situations. Simply put, according to the results of this study, compliance with information security knowledge is lower than the understanding or awareness of it.
Another study conducted by Al-Janabi and Al-Shourbaji [11] analysed cybersecurity awareness among academic staff, researchers, undergraduate students, and employees in the education sector in the Middle East. The results revealed that the participants did not have the requisite knowledge and understanding of the importance of information security principles and their practical applications in day-to-day work.
Hussein and Zhang [12] designed a survey to study the awareness of privacy among a group of users (92% of them between 21 and 35, and 76% either engineers or students) who use social media. Their study included 377 participants who use social media services such as Facebook, Twitter, LinkedIn, and Google. The researchers found that 44% of the respondents showed a lack of knowledge of privacy policy and the mechanisms governing it on the online social networks they used. In addition, 34% were gravely concerned, and 41% were somewhat concerned about their privacy online. A staggering 80% indicated that they were not satisfied enough with the level of privacy provided by online social networks.
In a study, Senthilkumar et al. [13] aimed to analyse cybersecurity awareness among college students in Tamil Nadu (a state in India) about various security threats. Five hundred students in five major cities took the online survey. The result showed that 70% of these students were more conscious of basic virus attacks and using antivirus software (updating frequently) or Linux platforms to safeguard their system from virus attacks. The remaining students were not using any antivirus and were the victims of virus attacks. It was also reported that 11% of them were using antivirus but not updating their antivirus software. More than 97% of them did not know the source of the virus.
A study by Grainne et al. [14] was conducted among Malaysian undergraduate students in which 295 took part. The objective was to understand the awareness of risks related to social networking sites (SNSs). The study reported that more than one-third of participants had fallen victim to SNS scams.
1.2.2 Privacy and Self-Disclosure
The Internet and a multitude of social networking applications have massively increased the possibility of the disclosure of personal information. Despite users' concerns and awareness about privacy, their behaviours do not mirror those concerns [15].
Chen et al. [16] discussed a new type of privacy concern, called Information Privacy Control about Peer Disclosure (IPCPD). They studied the decisional control to alleviate such a privacy concern by taking certain factors into consideration. "Decisional control" is defined as the availability of technical options to stop the disclosure of private information, which could potentially cause privacy violations. Since most social network users are in the habit of sharing pictures with other people online, the privacy of those in the photographs may be unwittingly compromised. This phenomenon is described as IPCPD. Their findings reveal that decisional control is generally a vital privacy protection tool in online social networks. Moreover, the importance of decisional control stems from different contextual situations specified by the "what" and "whom" aspects of information privacy.
Liang et al. [17] discussed another type of privacy concern online called deletion delay of photo sharing. They explored the possible access to a user's image even after deleting the image from social media platforms. They found that by using the Uniform Resource Locator (URL) of the image, it was possible to access the image anywhere from 7 to 30 days after the image was deleted. Popular social media platforms were also not immune to this problem. For example, on Facebook, it took up to 7 days for the image to entirely disappear. Also, it was observed that in cross-platform sharing, the original image from the source platform could still be accessed on the destination platform using the image URL on the destination platform.
Li et al. [18] investigated Amazon Wishlist and possible privacy exposures. They collected complete Amazon Wishlists of over 30,000 users and were able to make interesting observations based on the shopping preferences of users. To access the Wishlists, they constructed a crawler in Python (a programming language) that crawled through the search results for Amazon Wishlist search. They were able to predict shopping preferences based on gender, demographic groups, geolocation, and so on. Using machine learning and semantic analysis on Wishlist descriptions, they were able to extract users' private information. In their observation, they found that users tend to expose their activities, affiliations, educational backgrounds, and spouse names the most, thus compromising their privacy through the information provided about themselves.
Will et al. [19] proposed a system that would ensure that vendors would not be able to hold the personal information of users and store it for future use or sell it to other third-party vendors. In the proposed model, personal information is stored on the users' mobile device and requested by vendors when needed. In this centralized model, a relay service is used to hide data from vendors or websites, encrypt cache response, authorize vendors, filter unwanted requests, and provide features automatically like anonymous email. The authors proposed a model where personal information is stored on the users' mobile devices and requested by vendors when needed. Information can then be given in either a private or a trusted manner, and encrypted responses can be cached by a relay service. Vendors should only use the data inflight and never store personal information. This provides the user with data provenance and access control, while providing the vendor with accountability and enhanced security.
Harikant et al. [20] designed a study in which they modelled the behaviours of Facebook users based on their engagement with other users. They categorized these behaviours as anomalous and non-anomalous. If the users, based on their behavioural features, were showing anomalous behaviour, they were classified into different types of attacks invading the privacy of the said users. The behavioural features such as friend rate, comment rate, post-rate, and post-feedback rate determined the types of attacks on users. Based on some or all threshold values for these features, the attacks were categorized as compromised account attacks, sybil attacks, software attacks, identity clone attacks, creepers attacks, cyberbullying attacks, and clickjacking attacks.
1.2.3 Cybersecurity Awareness among College Students and Faculty
To investigate student and faculty members' awareness and attitudes towards cybersecurity, students and faculties in public universities in the San Francisco Bay Area of California were surveyed. The Bay Area is recognized for its most advanced community regarding wealth, technology, progress, and the diversity of the population [21]. For example, according to the San Jose State University website, 51% of its students are male and 49% are female. The diversity of students by ethnicity is 41% Asian, 26% Hispanic, 19% white, and 14% other. The average age of undergraduate students in fall 2017 was 22.6 years [22].
As part of this investigation, several surveys were administered. The first survey included ten general questions about cybersecurity awareness. The objectives were to understand students' awareness of cyber-attacks in such a tech-savvy environment (Silicon Valley) and to explore how they protected themselves against cyber-attacks. It is important to underline that the results of this study reported in this book are meant to show trends and cannot be generalized.