Understanding Cybersecurity Behaviour and Attitudes of Young Adults in Saudi Arabia

Abstract

As the use of the Internet for personal and business purposes continues to grow exponentially, cybersecurity has become a global issue for individuals as well as governments and organisations, who face increasing risks in their online activities. The Kingdom of Saudi Arabia (KSA), for instance, has been a target of persistent cyberattacks that threaten its economic and social well-being. Indeed, it has the highest level of cyber risk among all Middle Eastern countries. Young adults in KSA are particularly vulnerable to cyber threats as their engagement with the Internet expands rapidly. Yet the cybersecurity behaviour (CSB) of young people, especially those in late-adopting countries like KSA, remains an under-researched topic. This thesis addresses this gap in knowledge. It adopted a socio-behavioural perspective, with particular focus on better understanding the intrinsic and sociodemographic factors that influence the engagement in safe online practices of young adults in KSA. To this end, it developed an original theoretical model based on the main constructs of the theory of planned behaviour (TPB), combined with the additional factors of perceived awareness and knowledge of cyber threats. The demographic characteristics examined were gender, age, type of residence, educational history, information technology (IT) experience, previous training, and level of IT professionalism. Most previous cybersecurity studies have relied on quantitative data collected via survey methodology, a researcher-directed approach that limits our ability to understand the perspectives of users themselves. Accordingly, the present study adopted a mixed-methods design and used an online questionnaire to collect both quantitative and qualitative data from a random sample of 1,581 young Saudi college students aged 18-30. The quantitative data were analysed using least-squares partial structural equation modelling (SEM). The results indicated that attitude (ATT), subjective norms (SN), and perceived behavioural control (PBC) strongly influenced young adults’ intentions to practise positive CBT (IPC), and that three factors—KCT, ATT, and SK—were predictors of young adults’ perceived awareness of cyber threat (PACT). In addition, PACT was found to play a significant role in young adults’ CSB by positively influencing their IPC. Both PACT and IPC were identified as the direct determinants of practising positive CSB, but PBC was not. In relation to sociodemographic factors, the results suggested that young men were more likely than young women to practise positive online CSB. There was also a direct relationship between increasing age and good CSB practices. Multi-group analysis was used to investigate moderating effects and assess the interactions among the factors considered. Of the potential mediators, only gender and type of residence were found to have no effect on CSB across socio-demographic divisions, while factors related to the IT-educational field, IT-related work experience and training, and professionalism in IT were shown to strongly influence the behaviour of young adults. The survey instrument included two open-ended items to collect qualitative data. These asked participants about the most prominent cyber threats encountered by young Saudi adults and the most common practices they adopted to protect themselves online. Although 1,581 students completed the questionnaire, only 621 usable responses were obtained for these items. Analysis of the qualitative data indicated that most respondents were aware of cyber-threats online associated with use of online social networks, accounts and digital cards, online communication and interaction, e-mail, web/internet access, and personal e-devices, but not access to online services, online privacy policies, or access control – passwords. The results also suggested that most participants were aware of good online security behaviours regarding securing and regularly updating personal passwords, ensuring secure use of email, using antivirus software, and never sharing personal data with unreliable parties online, but not complying with safe online use policies or ensuring secure online data storage. Overall, the results provide previously unavailable information on young Saudi adults’ online CSB and the factors that influence their motivation to engage in positive CSB. The qualitative results, in particular, contribute to a more in-depth understanding of the prominent cyber threats that young adults encounter online, as well as the most common practices that they adopt to protect themselves. The findings have important implications for the development of policies, strategies and education and training programs to improve cybersecurity awareness among young people and protect them from the risks of cyber threats in schools, universities, and professional spaces in KSA and other late-adopting, developing countries. In particular, they highlight the importance of adopting a socio-behavioural perspective in future research.