The human factor: assessing individuals' perceptions related to cybersecurity

Purpose: The purpose of this paper is to reveal and describe the divergent viewpoints about cybersecurity within a purposefully selected group of people with a range of expertise in relation to computer security.

Design/methodology/approach: Q methodology [Q] uses empirical evidence to differentiate subjective views and, therefore, behaviors in relation to any topic. Q uses the strengths of qualitative and quantitative research methods to reveal and describe the multiple, divergent viewpoints that exist within a group where individuals sort statements into a grid to represent their views. Analyses group similar views (sorts). In this study, participants were selected from a range of types related to cybersecurity (experts, authorities and uninformed).

Findings: Four unique viewpoints emerged such that one represents cybersecurity best practices and the remaining three viewpoints represent poor cybersecurity behaviors (Naïve Cybersecurity Practitioners, Worried but not Vigilant and How is Cybersecurity a Big Problem) that indicate a need for educational interventions within both the public and private sectors.

Practical implications: Understanding the divergent views about cybersecurity is important within smaller groups including classrooms, technology-based college majors, a company, a set of IT professionals or other targeted groups where understanding cybersecurity viewpoints can reveal the need for training, changes in behavior and/or the potential for security breaches which reflect the human factors of cybersecurity.

Originality/value: A review of the literature revealed that only large, nation-wide surveys have been used to investigate views of cybersecurity. Yet, surveys are not useful in small groups, whereas Q is designed to investigate behavior through revealing subjectivity within smaller groups.
