Experiences of Online Threats Among Younger Adults in the Kingdom of Saudi Arabia and the United Kingdom

Abstract

This programme of research explored how younger adults (aged 40 or younger) in the Kingdom of Saudi Arabia (KSA) and the United Kingdom (UK) experience, detect and respond to online security threats. Through online studies, two using an innovative diary method, the research investigated the online threats younger people in the two countries encounter, their concerns about these threats, the cues they use to identify threats and how they respond to them. The first study involved a scenario-based online survey designed using the MITRE ATT&CK framework and the Cyber Kill Chain model to present 12 realistic online threat scenarios to participants. Participants were asked whether they had encountered threats like these scenarios and to report their concerns, detection strategies, and responses to them. The results highlighted attacks from seemingly trusted sources as a top threat in both countries. However, malware and data theft were more frequently reported among KSA participants compared to those in the UK. To explore these experiences in greater depth, a 30-day online diary study was conducted with 16 participants from KSA. Participants recorded their encounters with online threats through a short questionnaire sent to them daily. Phishing was the most common threat encountered. A substantial proportion of threats could not be fully classified due to the limited information provided. Detection cues reported by participants were systematically coded using a modified version of the NIST Phish Scale, expanded to include cues applicable to a wider range of threat sources beyond email (e.g. voice calls and social media). Language and content cues were the most frequently reported cues of threats, followed by technical indicators and prior knowledge of encountered threats. A second diary study was conducted in the UK with 45 participants over 7- and 14-day periods. Insights from the KSA study, particularly regarding the ambiguity of open-ended responses and decreased participant engagement over the long study duration, informed the design of this study. Consequently, the UK study was shorter, had more participants and used a more structured approach, incorporating mainly closed-ended questions. The modified Phish Scale cues were used as a set of options to select from. Phishing and spear phishing were the most frequently reported threats. Technical indicators such as suspicious links and email addresses were the most frequent cues used by British participants. The studies also investigated the influence of individual differences among participants, such as levels of security knowledge, security behaviour intentions (measured by the SeBIS scale), unrealistic optimism, risk-taking, and thinking orientation. This thesis contributes new empirical evidence on how younger adults experience, detect, and respond to online threats across two distinct cultural contexts (UK and KSA). Its principal contribution lies in methodological innovation: combining surveys with the novel application of diary methods to capture real-world encounters. This approach generated rich insights into behaviours that are often overlooked in lab-based studies.