Do Students and Instructors See Cybersecurity the Same? A Comparison of Perceptions About Selected Cybersecurity Topics

Main Article Content

Mark Ciampa
Ray Blankenship


Cybersecurity attacks continue to increase.  This is particularly true for attacks based on social engineering or relying on the weaknesses of individuals as a means of gathering information or crafting an attack.  Along with an increase in attacks there is likewise an increase in the number of calls for educating users about attacks and equipping them with the knowledge and skills for warding off attacks.  Many entities advocate that institutions of higher education should be responsible for providing practical, applied security awareness instruction.  This study compared student and instructor attitudes towards security to determine if there is an apathy on the part of students regarding security or if they are concerned about selected security topics, and if instructors perceive that practical, applied security instruction is a necessary component to their courses, or if security instruction belongs elsewhere.  The relationship of student attitudes towards security was compared with those of instructors over six current security topics. When comparing students to instructors to students there was no significant difference between them on the topics of using anti-virus software, using a firewall, securing wireless networks, and using spam filters.  The results seem to indicate that there is a significant difference between the perceptions of students and instructors regarding the security topics of protection from phishing and how to create a strong password.


Download data is not yet available.

Article Details

How to Cite
Ciampa, M., & Blankenship, R. (2019). Do Students and Instructors See Cybersecurity the Same? A Comparison of Perceptions About Selected Cybersecurity Topics. International Journal of Innovation Education and Research, 7(1), 121-135.


Ajzen, I. &. (1980). Understanding attitudes and predicting social behavior. Inglewood Cliffs, NJ: Prentice-Hall.
Ajzen, I. (1988). Attitudes, personality, and behavior. Chicago: Dorsey Press.
Bada, M., & Sasse, A. (2015). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? First International Conference on Cyber Security for Sustainable Society 2015 (pp. 1-38). Coventry: Coventry University. Retrieved from
Bandura, A. (1977). Self-efficacy: Toward a unifying theory of behavioral change. Psychological Review, 84(2), 191-215. doi:
Berry, M., & Houston, J. (1993). Psychology at work. New York: Brown and Benchmark.
Bright, P. (2016, April 25). Billion dollar Bangladesh hack: SWIFT software hacked, no firewalls, $10 switches. Retrieved from ArsTechnica:
Ciampa, M. (2018). Security+ Guide to Network Security Fundamentals (6th ed.). Boston: Cengage Learning.
Cisco. (n.d.). Cisco Security Reports. Retrieved from Cisco:
Cranor, L. (2006). What do they "indicate?" Evaluating security and privacy indicators. Interations, 45-47.
Crowe, J. (2017, July). Must-know phishing statistics 2017. Retrieved from Barkly:
Crowley, E. (2003). Information systems security curricular development. Conference on Information Technology Education (pp. 249-255). Lafayette, IN: ACM.
Da Veiga, A. (2015). An information security training and awareness approach (istaap) to instil an information security-positive culture. Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015) (pp. 95-107). Lesvos, Greece: International Symposium on Human Aspects of Information Security & Assurance.
Da Veiga, A., & Eloff, J. (2010). A framework and assessment instrument for information security culture. Computers and Security, 29, 196-207.
Dean, J. (2018, January 18). Conversations around digital security. Retrieved from Gemalto:
Dhamija, R., & Tygar, J. (2005). The battle against phishing: Dynamic security skins. Proceedings of the 2005 Symposium on Usable Privacy and Security (pp. 77-88). Pittsburgh: ACM.
Dhamija, R., Tygar, J., & Hearst, M. (2006). Why phishing works. Conference on Human Factors In Computing Systems (pp. 1-10). Montreal: ACM.
Downs, J., Holbrook, M., & Cranor, L. F. (2006). Decision strategies and susceptibility to phishing. Proceedings of the Second Symposium on Usable Privacy and Security (pp. 79-90). Pittsburgh: ACM.
Elson, D. (2017, July 31). Attack of the hack. Retrieved from The Sun:
Fishburn, P. (1988). Expected utility: An anniversary and a new era. Journal of Risk and Uncertainty, 267-283. Retrieved from
Frincke, D., & Bishop, M. (2004). oining the security education community. IEEE Security and Privacy, 61-63.
Gemalto. (2015, August 15). Retrieved from
Group, A.-P. W. (2016, March 22). APWG news. Retrieved from APWG:
Gyunka, B., & Christiana, A. (2017). Analysis of human factors in cyber security: A case study of anonymous attack on Hbgary. Computing and Information Systems Journal, 21(2), 10-18.
Hendrix, M., Al-Sherbaz, A., & Bloom, V. (2016). Game based cyber security training: are serious games suitable for cyber security training? International Journal of Serious Games, 3(1), 53-61.
Huang, Z. (2015). Human-centric training and assessment for cyber situation awareness. Ann Arbor, MI: ProQuest.
IBM 2015 Cyber Security Intelligence Index . (2015). Retrieved from Essextec:
Jackson, C., Simon, D., Tan, D., & Barth, A. (2007). An evaluation of extended validation and picture-in-picture phishing attacks. Trinidad/Tobago: Commercenet.
Korolov, M. (2015, August 25). Phishing is a $3.7-million annual cost for average large company. Retrieved from CSO:
Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., & Nunge, E. (2007). Protecting people from phishing: the design and evaluation of an embedded training e-mail system. CHI 2007 Procedeedings (pp. 905-914). San Jose: ACM.
Larson, S. (2015). The cyber security fair: An effective method for training users to improve their cyber security behaviors? Information Security Education Journal, 2(1), 11-19.
Long, C. (1999). A socio-technical perspective on information security knowledge and attitudes. Doctoral dissertation, The University of Texas at Austin. Austin, TX, USA: Dissertation Abstracts International.
Macmanus, S. A. (2013). Cybersecurity at the local government level: balancing demands for. ournal Of Urban Affairs, 35(4), 451-470.
Mangus, T. (2002). Perspectives and culture. A study of first-year community college students and proposed responsible computing guide. Doctoral dissertation, Union Institute and University. Cincinnati, OH, USA: Dissertation Abstracts International.
McDaniel, E. A. (2013). Securing the information and communications technology global supply chain from exploitation:. Issues In Informing Science and Information Technology, 313-324.
McFarland, C., Paget, F., & Samani, R. (2016). McAfee Resources. Retrieved from McAfee:
Mitnick, K., & Simon, L. (2001). The art of deception: controlling the human element of security. Indianapolis: John Wiley & Sons.
Null, L. (2004). Integrating security across a computer science curriculum. Journal of Competing Science In Colleges, 170-178.
Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers and Security, 42, 165-176.
Phishlabs. (2016). 2016 phishing trends & intelligence report: hacking the human . Retrieved from Phishlabs:
Prentice-Dunn, S., & Rogers, R. (1986, September). Protection motivation theory and preventive health: Beyond the health belief model. Health Education Research, 1(3), 153-161. doi:
Ranjeev, M., & Lawless, W. (2015). The human factor in cybersecurity and the role for AI. AAAI Spring Symposium (pp. 39-43). Palo Alto: AAAI. Retrieved from
Schechter, S., D. R., Ozment, A., & Fischer, I. (2007). The Emperor's new security indicators: an evaluation of website authentication and the effect of role-playing on usability studies. 2007 IEEE Symposium On Security and Privacy (pp. 51-65). Oakland: IEEE.
Straub. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 45-55.
Straub, D. W., Carlson, P., & Jones, E. (1993). Deterring cheating by student programmers: A field experiment in computer science. ournal of Management, 33-48.
Tobin, D., & Ware, M. (2005). Using a windows attack intRusion emulator (AWARE) to teach computer security awareness. 10th Annual SIGSCE Conference on Innovation and Technology in Computer Signs Education (pp. 213-217). Caparica, Portugal: SIGSCE.
Tulloch, M., Northrup, T., & Honeycutt, J. (2007). Windows vista resource kit. Redmond: Microsoft Press.
Valentine, D. (2005). Practical computer security: A new service course based upon the national strategy to secure cyberspace. Conference on Information Technology Education, 185-189.
Werner, L. (2005). Redefining computer literacy in the age of ubiquitous computing. Conference on Information Technology Education (pp. 95-99). Newark: ACM.
Whalen, T., & Inkpen, K. (2005). Gathering evidence: use individual security cues in web browsers. Proceedings of Graphics Interface 2005 (pp. 137-144). Victoria, British Columbia: ACM.
Whitson, G. (2003). Computer security: Theory, process and management. Journal of Computing Sciences in Colleges, 57-66.
Wu, M., Miller, R., & Garfinkel, S. (2006). Do security toolbars actually prevent phishing attacks? Conference on Human Factors in Computing Systems (pp. 1-10). Montreal: ACM.
Yang, T. (2001). Computer security: An impact on computer science education. Journal of Computing Sciences in Colleges, 233-246.
Zetter, K. (2016, January 28). NSA hacker chief explains how to keep him out of your system. Retrieved from Wired: