Abstract:
Wireless networking, commonly referred to as WiFi, has had numerous benefits for institutions, employees, students, and the public. Such benefits include but are not limited to: (1) increased mobility and collaboration of employees, (2) efficient access to information assets hosted within a network, (3) improved responsiveness from a network, (4) enhanced access for guests with various internet needs, (5) easier network expansion, and (6) cost-effective ways for network expansion.
While protective controls are generally installed on technology systems, prior studies have shown that they do not entirely mitigate cybersecurity breaches. This is because the weakest link in the cybersecurity chain remains the human element. There are limited studies about how individuals differ in WiFi security awareness, their knowledge, and their security behavior within financial institutions in Kenya. Security Behavior Intention is an indication of a person's readiness to perform a given security behavior, and it is the immediate antecedent of behavior. End users usually respond in different ways when confronted with varied security decisions and this could be attributed to the level of cyber security awareness.
The main objective of this study was to determine the efficacy of cybersecurity awareness programs on enhancing the WiFi security intentions and the subsequent security behavior of employees within an institution. The security behavior constructs under the scope of this study are ‘subjective norms’, ‘attitude’ and ‘perceived behavior control’, which are adopted from the Theory of Planned Behavior (TPB). The security behavior constructs were influenced by cybersecurity awareness training fused together with the ‘proactive awareness’ construct borrowed from the Security Behavior Intentions Scale (SeBIS).
The study employed the action research approach because this research methodology creates knowledge by conducting research in practical contexts. This methodology describes, interprets, and explains research phenomena while executing a change of intervention. This research study drew its target population from employees of a financial technology institution based in Nairobi. This institution was chosen because financial data has a higher potential for monetization, meaning that institutions in the financial sector are constantly targeted by hackers, which makes security critical.
Stratified random sampling was employed to guarantee that the target population was well represented. This sampling approach generated a study population drawn from the following departments: finance & administration, technology & operations, risk & legal, customer service, and sales & marketing. A total of 89 employees were surveyed during this study.
This study started with a ‘planning the change’ stage in which questionnaires were distributed to sampled employees. The purpose of these questionnaires was to acquire information that could be used to baseline the initial information security awareness level and associated security behavior amongst employees of the target financial institution. Focus group discussions were arranged as a follow-up to the questionnaires. This helped the researcher gather end-user suggestions on the WiFi-related topics in which they required training to improve their security awareness.
Secondly, the acting and observing stage involved creating an awareness program package that incorporated input from the focus group discussions on desired WiFi security topics. Thereafter, training was administered to the group of sampled employees. The main objective of the training was to enhance the WiFi security behaviors of the employees as observed during the baselining stage. Finally, the reflecting stage involved administering a final round of questionnaires to all sampled employees to assess the final state of security awareness level and security behavior. This study spanned a period of approximately one month.
The efficacy of cyber security awareness on enhancing user WiFi security behavior was measured using the sub-scales of ‘updating’, ‘passwords’ and ‘device securement’ adopted from the Security Behavior Intentions Scale (SeBIS). These sub-scales provided a quantitative way to measure the efficacy of cybersecurity awareness programs on user behavioral intentions to perform a desired security behavior. The Security Attitudes (SA-6) scale was also applied to measure end users’ ‘attitude’ sub-scale of the Security Behavior Intentions Scale (SeBIS) to guarantee the predictability of the proposed study model.
The findings from this study showed that cyber security awareness has a significant and positive relationship with security behavior intentions, as indicated by the coefficient of correlation (r) and by the significance value (p-value), which was lower than 0.05 (r = .656, p = .000). The study also found that perceived behavioral control has a strong relationship with security behavior intention (r = .705, p = .000), subjective norms have a strong relationship with security behavior intention (r = .696, p = .000), while attitude has a moderate relationship with security behavior intention (r = .572, p = .000). The results also indicate that cyber security awareness (R² = .430, p = .000), perceived behavioral control (R² = .498, p = .000), subjective norms (R² = .485, p = .000) and attitude (R² = .328, p = .000) all had a significant relationship with security behavior intentions, as indicated by their coefficient of determination (R²). The multilinear regression results show that all the factors studied (cyber security awareness, attitude, perceived behavioral control, and subjective norms) together explain 80.4% of the variance in security behavior intentions in the institution studied, as indicated by the overall R² value of 0.804.
To advance this study, researchers can undertake a study on the same subject area focusing on different sectors and organizations in Kenya to bring forth additional insights. A comparative study could also be undertaken to draw comparisons between the WiFi security behavior of employees from two or more unique institutions within the same industry or compare security behavior for institutions drawn from different economic sectors.