A Case Study: Targeting the Stop.Think.Connect. Cybersecurity Campaign to University Campuses
Summary and Keywords
University students, faculty, and staff are among those most vulnerable to cybersecurity risks due to their reliance on modern technologies, the nature of their online activities, and the open infrastructure of institutional networks. Furthermore, cyberbullying has emerged as a public health concern by the Centers for Disease Control and Prevention (CDC), which first warned of electronic aggression in 2008, or any type of harassment or bullying that occurs via email, chat, instant messaging, websites, blogs, or text messaging. Roberto and Eden emphasized the communicative nature of cyberbullying, defining it as the “deliberate and repeated misuse of communication technology by an individual or group to threaten or harm others” in 2010 (p. 201). In response to serious cybersecurity concerns and growing evidence of cyberbullying behavior, the national Stop.Think.Connect. (STC) campaign was developed to educate Americans on cybersecurity risks and equip citizens with tools for safe, respectful, and appropriate online behavior; however, it lacks targeted messaging for those on university campuses. Formative research is needed to ascertain the specific cybersecurity risks and challenges identified by those living and working on large university campuses. Research by Noar in 2006 demonstrates that formative evaluation leads to more successful campaigns. The process involves learning about target populations, discovering communicative determinants of behavior change, and testing message concepts. To that end, this case study is a first step in targeting STC campaign messages to university students, faculty, and staff. Specifically, we sought to identify the distinct cybersecurity needs faced by university students and personnel, their perceptions of the saliency of the problem, and potential motives for increasing their cybersecurity-enhancing behaviors. These activities are needed to implement the campaign on college campuses and to increase the likelihood of any future outcome evaluation efforts that yield evidence of campaign effectiveness. Currently, we are unaware of any outcome evaluation.
Focus group methodology was conducted to examine the target audiences’ knowledge, interests, needs, and attitudes regarding the management of cybersecurity threats. Additionally, practical recommendations for enhancing STC campaign implementation on university campuses were ascertained. Results emphasized key ways to improve the theoretical underpinnings of the campaign using the Integrated Behavioral Model (IBM). We identified how determinants of behavior change can be utilized to strengthen campaign messaging. Students displayed laissez-faire attitudes toward cybersecurity, while faculty and staff attitudes demonstrated a much higher level of concern. Social norms for personal cybersecurity action taking were notably low among students as well as faculty and staff. Students displayed limited personal agency in regards to enacting cybersecurity measures, while faculty and staff had greater knowledge of steps they could take, but little faith that these actions would be efficacious. Finally, thematic recommendations for implementing an effective cybersecurity campaign on a university campus were identified.
Cybersecurity on College Campuses
University students, faculty, and staff are highly vulnerable to cyberattacks. The U.S. Department of Homeland Security (DHS, 2016a) notes that Americans are continuously threatened by cybercriminals who exploit individuals through direct contact or social media to engage in identity theft or entice individuals to download malware. College students are among those most at risk of cybersecurity threats; Rasmussen (2011) commented that, “student Internet use is nothing short of the Wild West. Malware, phishing, infrastructure attacks, social network targeting, and peer-to-peer information leakage are not potential threats; they’re actual, daily issues” (para. 1). This puts pressure on universities to manage complicated information technology security programs (e.g., Wilson & Hash, 2003) and challenging employee awareness programs (Winkler & Manke, 2013). In 2012, college students reported 24% of all identity theft complaints made to the Federal Trade Commission (Identity Theft Resource Center, 2016). College students are prime targets for cybercriminals because they are newly independent, setting up new bank and credit accounts, and living in open environments (Higgins, 2012). Sharing too much private information online without precaution also leads to vulnerability to potential stalkers (Jones & Soltren, 2005) and cyberbullies (Roberto, Eden, Savage, Salazar, & Deiss, 2014a, 2014b).
Poor cybersecurity practices by college students leave them vulnerable to cyberbullying. Among adolescents, cyberbullying victimization ranges from 20% to 40% (Moreno, 2014; Tokunaga, 2010), and although most studies have focused on minors, cyberbullying has also been shown to occur among college-age students at similar rates (Crosslin & Golman, 2014; Foody, Samara, & Carlbring, 2015; Zalaquett & Chatters, 2014). Research with college students suggests that being cyberbullied is associated with depressive symptomatology (Feinstein, Bhatia, & Davila, 2014), whereas cyberbullying perpetration is associated with lower self-esteem (Na, Dancy, & Park, 2015), anger and stress (Zalaquett & Chatters, 2014), and higher scores on psychological measures of depression, paranoia, and anxiety (Schenk, Fremouw, & Keelan, 2013). Yet despite three decades of interest in workplace bullying as a serious problem (Baum, Catalano, Rand, & Rose, 2009) and despite interest in “cyberstalking” (e.g., Spitzberg & Hoobler, 2002), cyberbullying among college students has only recently been a focus of scholarship (Foody et al., 2015). An important opportunity exists to address cyberbullying by enhancing cybersecurity and appropriate Internet use through safe online behavior.
University faculty and staff are also susceptible to cybersecurity risks because of open Internet networks, shared computing resources, and the management of sensitive personnel or research-related data (Higgins, 2012). Most universities’ financial, administrative, and research and clinical systems are accessible through campus networks and housed on campus servers. As such, they are vulnerable to security breaches that may compromise confidential information and expose the university to risk. Universities that also include a medical school are even more vulnerable. According to the Open Security Foundation (2014), the education sector accounts for 8.2% and the medical sector accounts for 11.5% of all reported data breach incidents world-wide. Cybersecurity risks have impacted over 200 colleges and universities, resulting in lost control of over 22 million detailed data files that include social security numbers and other personal, medical, financial, professional, and sensitive research information (Higgins, 2012). In sum, the immense risks for university students, faculty, and staff stress the need to bolster the cybersecurity practices of those at university campuses.
Before considering campaign strategies that might transform university practice, a review of relevant scholarly literature is necessary. Scholarship from communication studies and allied fields related to cybersecurity, cyber-safety, and predominant threats like cyberbullying is considered from a prevention perspective. Discussion of the literature and approach to the overall case study center on the United States. Scholars in international publications have also stressed the need to bolster cybersecurity practices (Bada & Sasse, 2014), noting many of the same aforementioned threats (e.g., Millman, Whitty, Winder, & Griffiths, 2012) and calling for increased awareness and policy (e.g., Coventry, Briggs, Blythe, & Tran, 2014; Information Security Forum [ISF], 2014; Khan, Alghathbar, Nabi, & Khan, 2011). Some have even referenced Stop.Think.Connect. (STC) as a model, albeit briefly and in passing (e.g., Kortjan & Von Solms, 2014). However, given that the STC campaign was developed by the DHS for national cybersecurity efforts, has not yet been officially evaluated, and so has yet to be integrated at the global level, the present case study is similarly designed in scope, which might inform future expansion.
Discussion of the Literature
In 2015, accidental email or Internet exposure and employee error or negligence combined resulted in 28.6% of compromised data incidents. Meanwhile, hacking incidents reached a nine-year high of 37.9% (a jump of 8.4% over 2014 figures) (Identity Theft Resource Center, 2016). While research on personal cybersecurity communication and behavior is still desperately needed, as a result of changing threats, the attention (and research funding) is focusing much more narrowly on the technology infrastructure designed to limit threat exposure.
In contrast to the limited research on cybersecurity communication campaigns, cyberbullying intervention scholarship has grown in the last decade. The interconnectedness of cybersecurity and cyberbullying are important to realize from a prevention perspective. On one hand, cybersecurity campaigns include persuasive strategies to curb cyberbullying perpetration and address victimization. On the other hand, cyberbullying prevention programs and curricula stand to help audiences promote their knowledge and preparedness to withstand cybersecurity breaches. Communication studies are inherent to cyberbullying research, as messages that harm, threaten, taunt, harass, or embarrass the victim are defining characteristics of cyberbullying. This area of cyber safety is a fruitful area for future health communication research.
The increasingly interconnected world online exposes individuals and organizations to a variety of cyber threats. Large-scale data breaches can, in many cases, just be an annoyance requiring the issuance of a new credit card or creation of a new password for the individuals affected. However, businesses must spend millions of dollars to correct security breaches, and the devastating effects of personal identity theft can continue for years after the theft. Arlitsch and Edelman (2014) suggest that “some data theft is simply malicious or mischievous, but most occurs because it’s lucrative” (p. 47). Personal information such as names, birthdates, social security numbers, and other permanently assigned markers give cybercriminals access to academic, financial, health, and legal records that can be sold online to the highest bidder. Research has shown that cybersecurity awareness campaigns do increase knowledge of cyber threats (Case & King, 2013). However, knowledge about cybersecurity does not affect risky online behavior. Whitty, Doodson, Creese, and Hodges (2015) found that risky online behavior correlates with the individual characteristic of lack of perseverance and not a lack of knowledge of cyber threats.
Researchers have produced a large body of data highlighting the widespread and potentially dangerous nature of cyberbullying (for recent reviews, see Aboujaoude, Savage, Starcevic, & Salame, 2015; Kowalski, Giumetti, Schroeder, & Lattanner, 2014). These problems underscore the need to develop and disseminate specific behaviors that can empower victims and minimize morbidity. Investigations that empirically test theory-based interventions at the intersection of cybersecurity and cyberbullying would contribute to communication research, theory, and practice in three ways: (1) meeting the calls for theory-based message design research (Harrington, 2015), (2) laying groundwork for evidence-based strategies (Jacobs, Jones, Gabella, Spring, & Brownson, 2012), and (3) supporting the development of cyberbullying prevention programming (Ramirez, Palazzolo, Savage, & Deiss, 2010). Communication scholars are well suited to this task given their expertise in messaging, which could be incorporated into formal anti-cyberbullying interventions (see also Ramirez, Eastin, Chakroff, & Cicchirillo, 2008; Roberto & Eden, 2010; Roberto, Eden, Savage, Ramos-Salazar, & Deiss, 2014a, 2014b) that concomitantly promote cybersecurity behavior.
The most cited studies on cyberbullying range from germinal studies to meta-analyses and research briefs, spanning numerous disciplines and audiences. Tokunaga’s meta-synthesis work (2010) clarified early formative cyberbullying research. Together, they provide thorough consideration of the dyadic interaction between cyberbully and cyber-victim, as well as critical observation of cyberbullying characteristics, motivations for perpetration, and deleterious effects. The work of Hinduja and Patchin (2008, 2010, 2014; Patchin & Hinduja, 2006), for example, notes that cyberbullying is unique in its asymmetry, resources of power, and, of course, the setting in which the bullying takes place. Moreover, they note that cyberbullying attempts can be all the more severe and threatening due to the cyberbully’s anonymity and power cultivated from technological skill, and the ubiquitous nature of the Internet.
Several other resources are particularly important for interested readers. Kowalski, Limber, and Agatston’s edited volume, Cyberbullying: Bullying in the Digital Age (2012), as well as Hinduja and Patchin’s recent book, Bullying Beyond the Schoolyard: Preventing and Responding to Cyberbullying (2014), both offer excellent summaries of the aforementioned works and others. Each details the defining characteristics, current studies, and laws and policies related to cyberbullying, and most important, outline tactics for parents, educators, and others to address the phenomenon and its deleterious effects. Aboujaoude et al. (2015) also review past and current campaigns and interventions that promote a sustainable society and prevention of risky behaviors online. Further, related areas of research include reviews and studies of related phenomenon among university students such as cyberstalking (e.g., Baum et al., 2009) and cyber harassment (for a detailed review, see Wick et al., 2017). Indeed, scholars interested in the topic of cyberbullying or cybersecurity would be well-served to read the important works cited. Doing so would help to determine ways that cybersecurity interventions can also work to address and protect against cyberbullying in times when online dating and cyber harassment are quickly evolving.
The Stop.Think.Connect. Campaign
In 2009, President Obama tasked the DHS with creating a national ongoing cybersecurity awareness campaign. To that end, the Anti-Phishing Working Group (APWG) and National Cyber Security Alliance (NCSA) led the effort to develop a unified online safety message that could be adopted across public and private sectors. Relying on both qualitative and quantitative studies utilizing samples of industry experts and the general public (Stop.Think.Connect. [STC], 2016), seven federal agencies and 25 leading corporations (e.g., Google, Yahoo, Facebook, Microsoft, Visa, AT&T) contributed to and endorsed the Stop.Think.Connect. campaign (hereafter referred to as “STC”). Broadly, the STC campaign aims to educate Americans on Internet risks and the importance of practicing safe online behavior.
DHS worked to disseminate the STC campaign, providing online sets of campaign messages. Some campaign messages are informational in nature, promotion awareness, and education gain, whereas others are persuasive and attempt to garner compliance with recommendations for how to act online. All campaign materials can be found online. Campaign messages disseminated online are targeted toward specific audiences (e.g., secondary students, parents or educators, young professionals, older Americans; DHS, 2016b), however with the exception of an “undergraduate tip card,” no targeted campaign messaging was created for university students. Some general campaign messages developed by the NCSA help fill this gap, but these general materials lack targeting to any particular group. Although the STC campaign is a useful resource available for addressing cybersecurity, systematic work is needed to target STC messaging to university constituents. Accomplishing this warrants review of the theory underlying the STC campaign.
Although STC is not explicitly guided by a particular behavior change theory, a communication studies approach reveals particular insights about the theoretical underpinnings of such a campaign. In short, STC aims to: (1) change audiences’ attitudes, intentions, and behaviors; (2) convince audiences that others have strong expectations for individuals to make the Internet a safe place for the collective; and (3) bolster audiences’ confidence in their control over and ability to perform simple effective strategies to reduce cybersecurity threats. In other words, the STC campaign contains attitudinal, normative, and personal agency determinants of behavior change. Thus, the campaign is implicitly guided by the Integrated Behavioral Model (IBM; Fishbein & Cappella, 2006).
The IBM explains and predicts that the most important determinant of behavior is intention to perform the behavior due to one’s motivational state, which is predicated upon three key factors (Fishbein & Cappella, 2006). First, an individual’s motivational state is influenced by attitudes, which the IBM defines as both an experiential and instrumental concept (Fishbein & Cappella, 2006). Second, motivational state is influenced by perceived norms; the IBM describes such norms as both descriptive (i.e., the degree to which a person believes that others perform the behavior) and injunctive (i.e., beliefs that others think they should perform the behavior). Third, motivational state is influenced by personal agency or structures within the environment that aid or prevent enactment of the behavior (Montano & Kasprzyk, 2008). The IBM states that personal agency manifests in both perceived control and self-efficacy.
STC messaging appears to manipulate all of these variables and thus fits within the theoretical framework of the IBM. Therefore, IBM guides this study of cybersecurity beliefs and STC message targeting.
The Present Case Study
Given the significant problem of cybersecurity vulnerability on college campuses and the availability of non-targeted campaign materials designed to address the problem, the purpose of this study is twofold. First, the present study aims to conduct important theoretically grounded exploratory message targeting research to identify the perspectives of college students, faculty, and staff regarding the management of cybersecurity threats. Second, this research aims to ascertain practical recommendations to enhance STC campaign messaging and guide campaign implementation on university campuses. These objectives are important first steps for understanding how to bolster cybersecurity on college campuses throughout the United States. These research objectives must be met prior to successful implementation or outcome evaluation of the campaign (or one like it) to increase awareness or change attitudes and behavior. Drawing upon the IBM, the present case study addresses these objectives by posing five research questions:
RQ1: What attitudes and beliefs do students, faculty, and staff hold regarding cybersecurity?
RQ2: What normative perceptions do students, faculty, and staff hold regarding cybersecurity?
RQ3: How much personal agency do students, faculty, and staff feel they have over their cybersecurity?
RQ4: In what ways can STC campaign materials be improved to have greater relevance for students, faculty, and staff?
RQ5: What suggestions do students, faculty, and staff have regarding the implementation of cybersecurity campaigns on university campuses?
Case Study Methodology
Participants were students, faculty, and staff from a large, southern university. Six focus group interview sessions (four student; two faculty and staff) were conducted with 5−10 participants each (N = 44). Two of the student groups consisted of freshmen or sophomore students and two groups were juniors or seniors. Participants included 30 students (50% women, 46.7% men, 1 unreported) and 14 faculty or staff (50% women, 50% men). Ages ranged from 18 to 60; student participants averaged 21.53 years old and faculty and staff averaged 45.79 years old. Faculty and staff were administrative, research support, or technical staff (57.1%, n = 8), teaching or research assistants (21.4%, n = 3), or faculty (21.3%, n = 3).
Focus group interviews were conducted to investigate the research questions. Students were recruited through a research recruitment system; faculty and staff were recruited through snowball sampling by contacting university department chairs. A comprehensive focus group interview guide was developed to explore the types of threats students, faculty, and staff recognize and encounter when using the Internet. Focus group sessions focused on eliciting attitudinal, normative, and efficacy perceptions regarding cybersecurity practices. Additionally, reactions to STC campaign materials were explored. Questions aimed to elicit evaluations and recommendations for STC campaign messaging. Finally, recommendations were solicited for university cybersecurity campaign implementation.
Audio recordings and transcripts were analyzed using qualitative data analysis techniques to identify themes (Lindlof & Taylor, 2002). Each audio file and transcript was thoroughly reviewed by two coders simultaneously through the process of data immersion and coded for specific constructs: knowledge, behaviors, and attitudes regarding cybersecurity, and criticisms and suggestions regarding STC campaign materials and implementation. Open coding was used to determine preliminary themes and then in vivo coding was used to recognize words or phrases utilized by participants to describe the cybersecurity phenomena or strategies to improve the STC campaign. Both coders engaged in the constant comparative method to ensure that the data were applicable to each emerging theme or category (Creswell, 2013; Tracy, 2013). After thematizing, coders co-created a loose analysis outline as a methodological technique to evaluate the completeness of the analysis by closely comparing the data to the original research questions, which allowed us to “note the primary research questions/foci and the potential ways the emerging codes are attending to them” (Tracy, 2013, p. 197). The outline revealed that the emergent themes were both salient in the data and connected to the specific research questions.
Case Study Results
The present case study can be understood as type of formative research, which involves both preproduction research and message pretesting (Atkin & Freimuth, 2013). Essentially, these results allow us to learn as much as possible about the target audience, including cognitions, skills, and behaviors related to the campaign, and also to determine which forms of media would best reach members of that target audience. Moreover, these results reveal the audience’s reactions to preliminary STC campaign messages (e.g., Are they memorable? Relatable? Easily understood?), which is essential for implementation, evaluation, and revision of the campaign.
Students’ Attitudes and Beliefs about Cybersecurity
RQ1 addressed current attitudes and beliefs regarding cybersecurity. Students were fairly aware of various threats to their cyber safety. For example, as one student described, “The current trend … people will rely more on the Internet and the cloud to store their information securely. We need to be worried about protecting that information.” However, students admitted they do not spend a lot of time thinking about such threats: “I’m one of them,” another student noted, “I have the same passwords for a lot of stuff and we use the Internet for everything and [I] don’t think about the possible risks.” Similarly, another student shared:
I don’t think we really had a reason to worry about cyber security at least anywhere around here. I’m sure in other parts of the country they tell you to be careful because there has been recent like cyber terrorism or whatever that is. So I’ve heard that in some states they tell you to watch for that. Mostly in Washington, DC, though.
By and large, students identified financial loss as the most salient threat. As one student summarized:
I definitely agree that the biggest importance, well one of them, is your money. If you’re doing banking or stock brokerage or anything that relates to numbers that can be traced to where your money is. That’s important because you could have your identity stolen, somebody use all your credit cards, max them all out.
The students indicated this threat as being most visible in the form of seemingly random website pop-ups: “sometimes they have the pop ups and they ask for credit card numbers and stuff like that if you’re ordering or social security numbers. I just feel like people are really careless with stuff like that.” Students also expressed concern about the amount and types of information people reveal on social networking sites (SNSs) and whether their information is being shared with other parties, especially given the ubiquitous nature of the Internet. “I [am] careful of what I put out there,” one student described. “Once you put something on there like a picture or a blog or something it doesn’t go away. Even if you delete it.” Finally, some students expressed concern about the phenomenon of “catfishing,” identifying this “being duped” as an increasingly common cyber threat. For instance:
on that website [Kik] I know this dude that met a girl on there that I guess wasn’t really a girl. And I guess it was just somebody playing him to show what he could offer the person I guess. And ended up putting him on the internet … I know he felt embarrassed and bad.
Interestingly, students did not consider general Twitter or e-mail hacks to be serious threats because the consequences were not detrimental. As one student noted, “There’s very little beyond reputation that can be affected by changing your information and using your account like Twitter.” Another student even discussed the lack of consequences among those in their wider social networks:
My email got hacked … It just like sent out a bunch of spam email to people and they texted me and were like “can you fix that?” [laughs]… But, I mean, it wasn’t bad, I guess … It was annoying, but I fixed it in a day.
Students’ Perceptions of Campus Norms for Cybersecurity
RQ2 addressed perceptions of norms for practicing cybersecurity. Among students, there was consensus that their peers are not as concerned as they should be about cybersecurity; in short, “there’s not enough good awareness.” As two students inferred:
They [students] don’t really think about it. It’s not present on their minds unless it’s brought up. Like their mom mentioned that they got their identity stolen. Then they’ll think about it for a day and then go back to not thinking about it.
If you get on Instagram like you will scroll through and see 5 different posts saying hit me up here’s my number blah blah … like people aren’t afraid, they aren’t afraid to put themselves out there. Like we are a generation that we don’t fear that because we think we are invincible in that aspect anyways.
The students indicated that they felt they were outside this norm and were more actively concerned than the general student population. “We can talk about horror stories,” one student laughed. “Things that other colleges, other students, things that have gone wrong and easy ways they could have been prevented.” Many provided specific examples of “stupid” things others do, such as posting drunken photos or checking-in to current locations on mobile apps for SNSs like this student’s peer:
I have a friend that locates themselves (laughs) … you can tell where she is at. Anyone can come into our hall you need an ID, but they can STILL come into your space. I just don’t think that’s pretty smart.
In the end, although students’ online behavior may be influenced by norms, the risks associated with cyber threats often outweighed the desire to conform.
Students’ Personal Agency Regarding Their Cybersecurity
RQ3 examined beliefs associated with control over cyber safety. While most students had ideas for how to ensure their online security, many could not identify specific steps beyond changing passwords frequently. Some students felt that a solution like changing a password was relatively easy to carry out and likely ameliorated any present threat. For example, one student described, “my Twitter got hacked and sent out a bunch of spam direct messages. People emailed me and I just reset my password. No big deal as far as I know.” Nonetheless, students were not actively or consistently using such strategies. For example, one student shared:
Sometimes I just I feel like I don’t pay attention whenever I put information out there and maybe it’s because, I don’t know, I just don’t pay attention. Other times I’m really careful, but sometimes I’m not, so now that I think about it, I’m not too confident about my ability.
Another likened this confidence or lack of safe cyber security practices to more systemic risk. “I have stuff stored on my computer,” they shared, “like passwords for different accounts. So if they hack my computer, they hack everything I own.”
Additionally, many students suggested that the privacy settings available on the websites they frequent would provide sufficient protection. “If I’m using eBay, my bank,” one student specified, “I just assume that I have some level of trust as opposed to some site where … I don’t know if it’s safe or secure.” Others thought that the university network would provide sufficient security. For example, one student said, “I’m sure that they have firewalls and stuff that protect our information because they basically have everyone’s information on campus.” In contrast, some students felt that it is impossible to adequately protect themselves against cyber criminals because they will always find a way to access their information regardless of security precautions. One student summarized:
As many hackers as there are, if they want to, they’re going to find a way to steal your identity or do something bad. So, you can, I mean you can be secure about everything you’re doing, but at the end of the day, there’s always a chance.
Faculty and Staff’s Attitudes and Beliefs about Cybersecurity
Findings regarding RQ1 suggest that, in contrast to students, faculty and staff are acutely attuned to their ever-present vulnerabilities, as exemplified in the following sentiment:
There’s too many people in the world that know a way around everything … So much information is interconnected from different sites … [If] they get one small part of your information, they can build all that to invade all sorts of private territory.
In that vein, faculty and staff were also aware of the harmful and potentially debilitative practices by employees that may make them more susceptible to cybersecurity threats. For example, several participants described scenarios similar to the following:
[Employees] walk away from workstations and they’re still logged on … someone can slip in and can send an email that you didn’t send, but it looks like you sent it … they could get into huge trouble, they could lose their jobs … again, evil people.
Overall, the faculty and staff felt that since the majority of their time at work involves using technology, cybersecurity was “an incredibly important concern” because, as multiple participants put it, “nothing is secure.” Ultimately, these concerns with cybersecurity-related threats focused on access to confidential information and third-party mobile applications that run through SNSs, as well as the loss or theft of financial assets.
Faculty and Staff’s Perceptions of Campus Norms for Cybersecurity
Results of RQ2 indicated that faculty and staff have an overwhelming reliance on information technology (IT) personnel to provide protection. “I’m pretty illiterate,” one participant acknowledged. “I know how to get onto a computer, but when it comes to [the] security part, I know next to nothing about that.” Other faculty and staff agreed, some considering how such reliance manifested in terms of protecting subject data according to Institutional Review Board (IRB) policy:
I could potentially get audited by IRB for information on study subjects … [but] I want to be able to [use] that information … with students who have permission and IRB clearance. So I really want to feel like our IT people provide that protection, because I don’t know how that works; I don’t know how to keep bad people out. I want to be able to rely on having that. If anyone from IRB showed up and asked what my systems were, I want to be able to call these guys.
Moreover, some participants felt their colleagues may not be adequately concerned about the risks associated with online behavior. “They really have no idea,” one participant succinctly stated. Other participants followed up, offering their perceptions of why such a lack of concern might exist among university personnel, despite being aware of ever-present risks:
from the top down it is spoken of, but there is no true desire behind it. I think they know that it’s a joke to just say your password has to change every three months. That’s not going to be what … that’s not going to stop problems. There’s more to it than that. They know there is, so they don’t really take it seriously, and they don’t really know what they need to know. Even if they were told, probably wouldn’t remember because of other things being of a higher priority.
The norm participants follow is that while operating within the university environment there is little need for concern. One participant put it this way: “Most depend on [university] folks to make sure data is clean and clear. Theoretically, if we follow the rules, we should be protected.” In other words, the norm suggests there is no reason to practice more than basic protection strategies because campus-wide cybersecurity is the responsibility of IT personnel.
Faculty and Staff’s Personal Agency Regarding Their Cybersecurity
In regards to RQ3, faculty and staff were only moderately confident in their personal abilities to enact cybersecurity. Some reported taking basic steps toward cybersecurity, mostly in an effort to protect personal finances, such as logging out of computers, noting the level of encryption when online, regularly changing passwords, and closely monitoring banking accounts. Those who had worked for cybersecurity companies or who had previous experience with cybersecurity breaches reported often taking more extensive steps like primarily using websites with “https” designations, selecting the incognito mode on web browsers, opting out of automatic program updates, and reading the details on all program update texts. However, even those who took more extensive steps suggested that being overly concerned could be futile because at some point, “efficiency outweighs concern.” For example, as one participant discussed:
I don’t know if concern is useful if … our concern is not directed at anything. If it’s directed at I don’t want my credit card getting stolen, well, I look for “https,” but I don’t really know … It’s secure, but I don’t really know how it’s secure. I just trust that it’s secure.
Moreover, faculty and staff expressed skepticism about security’s legitimacy. Nearly all participants suspected that someone within the network always has access. For example:
every time I do something online, if I’m connected to [the university] network, [the university] has access to that data or can get access to that data. If I’m at home on my own Internet, I use Comcast, someone at the Comcast has access to every piece of data I put on the Internet.
Consequently, if someone “has access to every piece of data,” and threats to individuals’ cybersecurity are omnipresent, then true security is a myth. As one participant summarized: “there’s no such thing as real security with computers online,” and so in the end, this may render cybersecurity concerns and attempts at protection obsolete.
Evaluations of Stop.Think.Connect. Campaign Materials
RQ4 addressed ways to improve STC campaign materials to have greater relevance for students, faculty, and staff. To this end, participants reviewed two sets of general STC campaign posters. Suggestions for improving campaign materials encompassed five themes: dynamism, personal relevance, action, repetition, and risk. Participants wanted a dynamic presentation via graphics, bright colors, and attention-catching images—“something to make it pop.” As one participant observed, “The message you’re trying to show us [is] more fierce … blue is such a friendly color, like that’s a nice thing. But if it was red or something like that, I would be like, I should pay attention.” Participants across all focus groups also suggested increasing personal relevance of the materials by incorporating images of real students, faculty, and staff, and even campus “celebrities” like student athletes or coaches to depict a more relatable, community approach.
Third, materials must display exactly what needs to be done so recipients can apply their newfound knowledge and engage in best practices. For example, one student surmised:
… most college students must not understand the word “cybersecurity,” but they know they need to be safe on the Internet … maybe like giving examples and offering advice. Otherwise, you’re expecting them to know things they might not know.
Faculty and staff participants concurred, recommending supplemental resources like hyperlinks on digital campaign materials so viewers could access more specific, step-by-step information on how to deal with particular cybersecurity threats, such as “how to protect your identity or make your password safe.”
Furthermore, they recommended more repetition throughout the series in order to better solidify the message(s) in their memory. As one faculty/staff participant acknowledged, it was not until a repeated word appeared on the fourth campaign poster that “it finally dawned on me that there was something there I should have read.” Yet, as several noted, this repetition must be founded on realistic action; in other words, “if … you’re going to be repeating a message, it should be a message that … [is] an action they can actually do.” Finally, all participants advocated for an increased sense of risk in the materials, such as displaying images that portrayed potential consequences or use fear appeals with direct references to real, previous incidents.
Recommendations for Campaign Implementation
To address RQ5, students, faculty, and staff offered recommendations for integrating a cybersecurity campaign on campus. Suggestions primarily included offering both material and non-material incentives for promotion of and participation in such a campaign. For students, material incentives included T-shirts and sports tickets, and for faculty and staff, T-shirts, flash drives, and microfiber cleaning cloths. Collectively, these material incentives utilizing STC messaging have a multipurpose function—motivation, reciprocation, and networked advertising.
In terms of nonmaterial incentives for taking part in campus cybersecurity events, students suggested volunteer opportunities for service credit hours or résumé-building, as well as more email storage or space on their university cloud account. Conversely, faculty and staff suggested longer time frames between mandatory password changes (e.g., every 120 days instead of every 90 days) in exchange for doing online cybersecurity trainings. Faculty and staff also suggested that the campaign involve mini-training sessions where feedback is required and use in-person presentations during classes or meetings.
Discussion of Case Study Findings
University communities are among those most vulnerable to cybersecurity risks. The STC campaign exists to equip individuals with tools for safe online behavior; however, the campaign lacks targeted messaging for members of university campuses. Therefore, the present study aimed to gain insight into the relevant attitudes, normative perceptions, and agency of university students, faculty, and staff concerning cybersecurity practices. Findings revealed important perceptions that impact cybersecurity behaviors and suggest considerations for improved campaign messaging and implementation.
An underlying purpose of the present case study was to draw upon the IBM to determine how STC campaign messages could be improved by integrating determinants of behavior change. Results from RQ1 identified participants’ current attitudes, both experiential and instrumental, regarding cybersecurity. While participants generally felt favorably toward cybersecurity behaviors (experiential attitudes), many had doubts that those same behaviors would effectively enhance their security (instrumental attitudes). Thus, future campaign messages should work to manipulate instrumental attitudes by demonstrating correlations between practicing recommended cybersecurity and improving outcomes.
RQ2 focused on the second tenet of the IBM, which elucidates individuals’ tendency to engage in behaviors they perceive to be socially normative in both descriptive and injunctive ways. Among faculty and staff, normative perceptions suggested that most people rely on campus IT professionals to manage cyber safety (descriptive norm), and thus, it is not necessarily their responsibility to do so (injunctive norm). Among students, participants overwhelmingly indicated that others were not performing the recommended behaviors (descriptive norm) and that this was indicative of a lack of concern for cybersecurity (injunctive norm). To improve compliance with the prescribed behavior, campaign messages should seek to reify norms that reflect a high level of concern shared by campus populations, as well as a sense of shared responsibility to engage in behaviors that enhance cybersecurity.
The final construct of the IBM, personal agency, was addressed by RQ3. Results indicated that, with some exceptions, participants felt relatively uncertain in regard to their perceived control over their own cybersecurity. Many doubted their ability to adopt behaviors that would effectively thwart the efforts of cybercriminals who possess greater technological skills and resources. This indicates the necessity of producing messages that demonstrate the degree of control individuals have over their own cybersecurity. One way to do this might be my considering one’s locus of control. Persuading victims to understand differences in active and the passive ways of avoidance by developing or strengthening an internal locus of control through reframing might to encourage the internalization of victims’ control when responding to threats of cybersecurity or incidents of cyberbullying (e.g., Ariso & Reyero, 2016). Additionally, self-efficacy among all participants regarding cybersecurity was fairly low. In some instances, such as using different passwords for different sites, participants admitted to knowing the correct practice but that it required too much effort to implement. Thus, campaign messages should focus on reducing barriers to performing recommended behaviors such as providing ways in which people can take quick and easy steps to increase their cybersecurity.
Regarding RQ4, these behavioral constructs inform how STC campaign materials should be revised to be more relevant among target populations. This can be done by adopting targeting techniques based on audience characteristics such as “demographics, variables, risk characteristics, experience with the behavior, personality characteristics, and so forth” (Noar, 2006, p. 23). Additionally, materials should be designed to increase message attention by integrating greater dynamism into design elements and specific threats and how to prevent them into the copy to emphasize main ideas (Lefebvre, 2013).
Creating a more secure and trustworthy cyberspace can provide direct benefits to university communities. This project identifies ways to move toward accomplishing this goal by elucidating the determinants of behavior that can be used to change cybersecurity behaviors, identifying strategies for enhancing campaign messaging, and establishing recommendations for campaign implementation. The targeting information found here could be used to advance effective cybersecurity campaigns on university campuses. Future research that documents the process of STC campaign implementation and evaluates its effectiveness can help to establish best practices for the implementation and evaluation of campaigns on university and college campuses and other environments vulnerable to cybersecurity threats. Although our efforts here were organized to support the application and evaluation of the campaign relative to students, faculty, and staff on college campuses in the United States, we applaud efforts to advance and broadly apply STC to other countries.
Interested readers should go to stopthinkconnect.org to view campaign messaging and other materials.
Bada, M., & Sasse, A. (2014). Cyber security awareness campaigns: Why do they fail to change behavior. Global Cyber Security Capacity Center. Available at http://discovery.ucl.ac.uk/id/eprint/1468954.Find this resource:
Frank, C. E., McGuffee, J. W., & Thomas, C. (2016). Early undergraduate cybersecurity research. Journal of Computing Sciences in Colleges, 32(1), 46–51.Find this resource:
Korpela, K. (2015). Improving cyber security awareness and training programs with data analytics. Information Security Journal: A Global Perspective, 24(1–3), 72–77.Find this resource:
Mirkovic, J., Dark, M., Du, W., Vigna, G., & Denning, T. (2015). Evaluating cybersecurity education interventions: Three case studies. IEEE Security & Privacy, 13(3), 63–69.Find this resource:
Olano, M., Sherman, A. T., Oliva, L., Cox, R., Firestone, D., Kubik, O., et al. (2014, August). SecurityEmpire: Development and evaluation of a digital game to promote cybersecurity education. 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14), 1–10. Paper presented at the conference of The Advanced Computing Systems Association. Available at https://www.usenix.org/system/files/conference/3gse14/3gse14-olano.pdf.Find this resource:
Paulsen, C., McDuffie, E., Newhouse, W., & Toth, P. (2012). NICE: Creating a cybersecurity workforce and aware public. IEEE Security & Privacy, 10(3), 76–79.Find this resource:
Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging behavioral science to mitigate cyber security risk. Computers & Security, 3(4), 597–611.Find this resource:
Singer, P. W., & Friedman, A. (2014). Cybersecurity: What everyone needs to know. Oxford: Oxford University Press.Find this resource:
Wick, S. E., Nagoshi, C., Basham, R., Jordan, C., Kim, Y. K., Nguyen, A. P., & Lehmann, P. (2017). Patterns of cyber harassment and perpetration among college students in the United States: A test of routine activities theory International Journal of Cyber Criminology, 11(1), 24–38.Find this resource:
Aboujaoude, E., Savage, M. W., Starcevic, V. D, & Salame, W. O. (2015). Cyberbullying: Review of an old problem gone viral. Journal of Adolescent Health, 57, 10–18.Find this resource:
Ariso, J. M., & Reyero, D. (2016). Reconsidering the scenario of cyberbullying: Promoting the internalization of the locus of control in adolescents through cognitive restructuring. Adolescent Psychiatry, 4(2), 98–103.Find this resource:
Arlitsch, K., & Edelman, A. (2014). Staying safe: Cyber security for people and organizations. Journal of Library Administration, 54(1), 46–56.Find this resource:
Atkin, C. K., & Freimuth, V. (2013). Guidelines for formative evaluation research in campaign design. In R. E. Rice & C. K. Atkin (Eds.), Public communication campaigns (4th ed., pp. 53–68). Thousand Oaks, CA: SAGE.Find this resource:
Bada, M., & Sasse, A. (2014). Cyber security awareness campaigns: Why do they fail to change behaviour?. Global Cyber Security Capacity Centre.Find this resource:
Baum, K., Catalano, S., Rand, M., & Rose, K. (2009). National Crime Victimization Survey: Stalking victimization in the United States.
Case, C. J., & King, D. L. (2013). Cyber security: A longitudinal examination of undergraduate behavior and perceptions. American Society of Business & Behavioral Sciences eJournal, 9(1), 21–29.Find this resource:
Centers for Disease Control and Prevention. (2008). Electronic aggression: Emerging adolescent health issue.Find this resource:
Coventry, L., Briggs, P., Blythe, J., & Tran, M. (2014). Using behavioural insights to prove the public’s use of cyber security best practices. Government Office for Science.Find this resource:
Creswell, J. W. (2013). Qualitative inquiry and research design: Choosing among five approaches (3d ed.). Thousand Oaks, CA: SAGE.Find this resource:
Crosslin, K., & Golman, M. (2014). “Maybe you don’t want to face it”—College students’ perspectives on cyberbullying. Computers in Human Behavior, 41, 14–20.Find this resource:
Feinstein, B. A., Bhatia, V., & Davila, J. (2014). Rumination mediates the association between cyber-victimization and depressive symptoms. Journal of Interpersonal Violence, 29(9), 1732–1746.Find this resource:
Fishbein, M., & Cappella, J. N. (2006). The role of theory in developing effective health communications. Journal of Communication, 56(s1), S1–17.Find this resource:
Foody, M., Samara, M., & Carlbring, P. (2015). A review of cyberbullying and suggestions for online psychological therapy. Internet Interventions, 2(3), 235–242.Find this resource:
Harrington, N. G. (2015). Introduction to the Special Issue: Message Design in Health Communication Research. Health Communication, 30(2), 103–105.Find this resource:
Higgins, K. J. (2012). Lessons in campus cybersecurity. Dark Reading.
Hinduja, S., & Patchin, J. W. (2008). Cyberbullying: An exploratory analysis of factors related to offending and victimization. Deviant Behavior, 29(2), 129–156.Find this resource:
Hinduja, S., & Patchin, J. W. (2010). Bullying, cyberbullying, and suicide. Archives of Suicide Research, 14(3), 206–221.Find this resource:
Hinduja, S., & Patchin, J. W. (2014). Bullying beyond the schoolyard: Preventing and responding to cyberbullying. Thousand Oaks, CA: Corwin.Find this resource:
Identify Theft Resource Center. (2015). Breach report hits near record high in 2015.
Identity Theft Resource Center. (2016). ITRC solution 26: College students and identity theft.
Information Security Forum. (2014). From promoting awareness to embedding behaviours: Security by choice, not by chance.
Jacobs, J. A., Jones, E., Gabella, B. A., Spring, B., & Brownson, R. C. (2012). Tools for implementing an evidence-based approach in public health practice. Preventing Chronic Disease, 9, 1–9.Find this resource:
Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007, October). Social phishing. Communications of the ACM, 50(10), 94–100.Find this resource:
Jones, H., & Soltren, J. H. (2005). Facebook: Threats to privacy. Project MAC: MIT Project on Mathematics and Computing.Find this resource:
Khan, B., Alghathbar, K. S., Nabi, S. I., & Khan, M. K. (2011). Effectiveness of information security awareness methods based on psychological theories. African Journal of Business Management, 5(26), 10862.Find this resource:
Kortjan, N., & von Solms, R. (2014). A conceptual framework for cyber-security awareness and education in SA. SACJ, 52, 29–41.Find this resource:
Kowalski, R. M., Giumetti, G. W., Schroeder, A. N., & Lattanner, M. R. (2014). Bullying in the digital age: A critical review and meta-analysis of cyberbullying research among youth. Psychological Bulletin, 140(4), 1073–1137.Find this resource:
Kowalski, R. M., Limber, S. P., & Agatston, P. W. (2012). Cyberbullying: Bullying in the digital age. Malden, MA: John Wiley.Find this resource:
Lefebvre, R. C. (2013). Social marketing and social change: Strategies and tools for improving health, well-being, and the environment. San Francisco, CA: Jossey-Bass.Find this resource:
Lindlof, T. R., & Taylor, B. C. (2002). Qualitative communication research methods (2d ed.). Thousand Oaks, CA: SAGE.Find this resource:
Millman, C., Whitty, M., Winder, B., & Griffiths, M. D. (2012). Perceived criminality of cyber-harassing behaviors among undergraduate students in the United Kingdom. International Journal of Cyber Behavior, Psychology and Learning (IJCBPL), 2(4), 49–59.Find this resource:
Montano, D. E., & Kasprzyk, D. (2008). Theory of reasoned action, theory of planned behavior, and the integrated behavioral model. In K. Glanz, B. K. Rimer, & K. Viswanath (Eds.), Health behavior and health education: Theory, research, and practice (pp. 67–96). San Francisco: Jossey-Bass.Find this resource:
Moreno, M. A. (2014). Cyberbullying. JAMA Pediatrics, 168(5), 500.Find this resource:
Na, H., Dancy, B. L., & Park, C. (2015). College student engaging in cyberbullying victimization: cognitive appraisals, coping strategies, and psychological adjustments. Archive Psychiatric Nursing, 29(3), 155–161.Find this resource:
Noar, S. M. (2006). A 10-year retrospective of research in health mass media campaigns: Where do we go from here? Journal of Health Communication, 11(1), 21–42.Find this resource:
Open Security Foundation. (2014). Data breach quickview. Risk Based Security.Find this resource:
Patchin, J. W., & Hinduja, S. (2006). Bullies move beyond the schoolyard: A preliminary look at cyberbullying. Youth Violence and Juvenile Injustice, 4(2), 148–169.Find this resource:
Ramirez, A., Eastin, M. S., Chakroff, J., & Cicchirillo, V. (2008). Towards a communication based approach to cyberbullying. In S. Kelsey & K. St. Amant (Eds.), Handbook of research on computer mediated communication (pp. 339–352). Hershey, PA: Information Science Reference.Find this resource:
Ramirez, A., Palazzolo, K., Savage, M. W., & Deiss, D. (2010). Developing a message-based approach to understanding cyber-bullying. In R. Taiwao (Ed.), Handbook of research in discourse behavior and digital communication: Language structures and social interaction. Hershey, PA: IGI Global.Find this resource:
Rasmussen, R. (2011). The college cyber security tightrope: Higher education institutions face greater risks. Security Week.
Roberto, A. J., & Eden, J. (2010). Cyberbullying: Aggressive communication in the digital age. In T. A. Avtgis & A. S. Rancer (Eds.), Arguments, aggression, and conflict: New directions in theory and research. New York: Routledge.Find this resource:
Roberto, A. J., Eden, J., Savage, M. W., Ramos-Salazar, L., & Deiss, D. M. (2014a). Outcome evaluation results of school-based cybersafety promotion and cyberbullying prevention intervention for middle school students. Health Communication, 29(10), 1029–1042.Find this resource:
Roberto, A. J., Eden, J., Savage, M. W., Ramos-Salazar, L., & Deiss, D. M. (2014b). Prevalence and predictors of cyberbullying behavior in high school seniors. Communication Quarterly, 62(1), 97–114.Find this resource:
Schenk, A. M., Fremouw, W. J., & Keelan, C. M. (2013). Characteristics of college cyberbullies. Computers in Human Behavior, 29(6), 2320–2327.Find this resource:
Smith, P. K., Mahdavi, J., Carvalho, M., & Tippett, N. (2006, July). An investigation into cyberbullying, its forms, awareness and impact, and the relationship between age and gender in cyberbullying. U.K. Department for Education Research Brief No. RBX03-06.Find this resource:
Spitzberg, B. H., & Hoobler, G. (2002). Cyberstalking and the technologies of interpersonal terrorism. New Media & Society, 4(1), 71–92.Find this resource:
Stop.Think.Connect. (2016). Research & surveys overview: The research behind the message.
Tokunaga, R. S. (2010). Following you home from school: A critical review and synthesis of research on cyberbullying victimization. Computers in Human Behavior, 26(3), 277–287.Find this resource:
Tracy, S. J. (2013). Qualitative research methods: Collecting evidence, crafting analysis, communicating impact. Hoboken, NJ: Wiley-Blackwell.Find this resource:
U.S. Department of Homeland Security. (2012). National cybersecurity awareness campaign: Undergraduate student presentation.
U.S. Department of Homeland Security. (2016a). Combating cyber crime.
U.S. Department of Homeland Security. (2016b). Stop.Think.Connect..
Whitty, M., Doodson, J., Creese, S., & Hodges, D. (2015). Individual differences in cybersecurity behaviors: An examination of who is sharing passwords. Cyberpsychology, Behavior, and Social Networking, 18(11), 3–7.Find this resource:
Wick, S. E., Nagoshi, C., Basham, R., Jordan, C., Kim, Y. K., Nguyen, A. P., & Lehmann, P. (2017). Patterns of cyber harassment and perpetration among college students in the United States: A test of routine activities theory. International Journal of Cyber Criminology, 11(1), 24–38.Find this resource:
Wilson, M, & Hash, J. (2003). Building an information technology security awareness and training program. National Institute of Standards and Technology. Computer Security Division Information Technology Laboratory.Find this resource:
Winkler, I., & Manke, S. (2013). The 7 elements of a successful security awareness program. CSO Online.Find this resource:
Zalaquett, C. P., & Chatters, S. J. (2014). Cyberbullying in college: Frequency, characteristics, and practical implications. SAGE Open, 4, 1–8.Find this resource: