Measures BH 4_6AV4-6..

Edited by Arun (after BH) on 4-6-16 Given to Youngsun Kwak (YK)
Edited by YK (after Arun) on 4-6-16
Edited by YK on 4-7-16
Edited by YK (after meeting with Arun on 4-13) on 4-14-16
Awareness of Reporting Phishing Emails (developed) – 7 items
1 = strongly disagree, 7 = strongly agree
o I am aware of what phishing emails look like.
o I am aware of which phishing emails need to be reported.
o I am aware of an email address to report phishing emails.
o I am aware of a phone number to report phishing emails.
o I am aware of a website to report phishing emails.
o I am aware of whom to report phishing emails to.
o I am aware of when to report phishing emails.
Awareness of Phishing Emails (adapted) – 10 items
Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A phishing
threat avoidance perspective. Computers in Human Behavior, 38, 304-312.
(Phishing Quiz by Intel Security)
1 = A legitimate email, 2 = A phishing email
10 email images for test will be presented to survey respondents.
Cybersecurity Self-Efficacy – 5 items
Amo, L.C., Zhou, M., Wilde, S., Murray, D., Cleary, K., Amo, C., Upadhyaya, S., Rao, H.R.
(2015). Cybersecurity Engagement and Self-Efficacy Scale. Unpublished instrument.
(Originally labeled as cyber threat identification self-efficacy)
1 = strongly disagree, 5 = strongly agree
o I am very confident in my ability to make changes to firewall rules.
o I am very confident in my ability to identify a secure URL.
o I am very confident in my ability to recognize tricks that cybercriminals use to steal
information.
o I am very confident in my ability to recognize malware infections.
o I am very confident in my ability to identify characteristics of advanced malware.
Self-Efficacy toward Reporting Phishing Emails (developed) – 5 items
I feel confident that I could …
1 = strongly disagree, 7 = strongly agree
o Quickly retrieve accurate contact information of who to report phishing emails to.
o Find the right organization to contact if I accidentally give away personal credentials to
a phishing email.
o Figure out which information should be included in reporting phishing emails.
o Figure out when to report phishing emails.
o Figure out how to report phishing emails.
Outcome Expectations of Engaging in Reporting Phishing Emails (developed) – 16 items
(Self-evaluative reaction, positive and negative)
1 = strongly disagree, 5 = strongly agree
o Reporting phishing emails is important.
o Reporting phishing emails is good.
o Reporting phishing emails is interesting.
o Reporting phishing emails is beneficial.
o Reporting phishing emails is useful.
o I am afraid that if I report a phishing email that is actually a legitimate email
(misreporting), it will bother IT staff and others.
o I am afraid that if I misreport, people will think I’m not good with technology.
(Social outcome, positive and negative)
1 = strongly disagree, 5 = strongly agree
Reporting phishing emails…
o Will save others from being victimized.
o Will have a positive impact on combating phishing.
o Could result in IT staff ridiculing me if I misreport.
o Is useless because IT staff will probably just dismiss my report, making my effort
useless.
o Someone might have already reported a phishing email, so I probably don’t need to
report it.
o Will not elicit any response from IT staff.
(Cost)
1 = strongly disagree, 5 = strongly agree
o I should learn about what phishing emails look like.
o I don’t think my reporting will really make a difference.
o I don’t have enough time to report phishing emails.
Intention to Report Phishing Emails (adapted) – 4 items
Kruger, H., Drevin, L., & Steyn, T. (2010). A vocabulary test to assess information security
awareness. Information Management & Computer Security, 18(5), 316-327.
When receiving an e-mail that appears to be coming from UB and asking you to go to a
specific web link to confirm your personal details, what would you do?
1= strongly disagree, 7=strongly agree
o I would make an effort to find an email address of the UB IT department to report it as
a phishing email.
o I would make an effort to find a phone number of the UB IT department to report it as
a phishing email.
o I would make an effort to visit the UB IT department in person to report it as a
phishing email.
o I will mark the email in a separate folder for my record.
Cyber Risk Belief (adopted) – 6 items
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
I believe that the risk of getting infected by spyware, malware, or a virus is …
1=strongly disagree, 2=somewhat disagree, 3=neither disagree nor agree, 4=somewhat agree,
5=strongly agree
o A lot less on a mobile device (phone or tablet using mobile OS) than on a computer.
o A lot less on Facebook/social media messages than traditional emails.
o A lot less when you open an attachment in an email on a mobile device (phone or
tablet using mobile OS) than on a computer.
o A lot less when you use a browser based email (such as Yahoo Mail or GMail) than
when you use an email client (Thunderbird, Apple Mail, Outlook, etc.).
o A lot less when you open a file with an .exe (executable file) than when you open a .pdf
(Adobe PDF) type file.
o A lot less when you open a .pdf (Adobe PDF) file than when you use a .doc (Microsoft
Word or other Office) type document.
Self-Monitoring of expressive behavior
(A pretest is in progress to decrease items as of 04-14-2016.)
Lennox, R. D., & Wolfe, R. N. (1984). Revision of the self-monitoring scale.
0 = certainly, always false, 1 = generally false, 2 = somewhat false, but with exception, 3 =
somewhat true, but with exception, 4 = generally true, 5 = certainly, always true (These
weights were reversed for negatively worded items.)
o In social situations, I have the ability to alter my behavior if I feel that something else
is called for.
o I have the ability to control the way I come across to people, depending on the
impression I wish to give them.
o When I feel that the image I am portraying isn't working, I can readily change it to
something that does.
o I have trouble changing my behavior to suit different people and different situations.
o I have found that I can adjust my behavior to meet the requirements of any situation I
find myself in.
o I am often able to read people's true emotions correctly through their eyes.
o In conversations, I am sensitive to even the slightest change in the facial expression of
the person I'm conversing with.
o I can usually tell when others consider a joke to be in bad taste, even though they may
laugh convincingly.
o I can usually tell when I've said something inappropriate by reading it in the listener's
eyes.
o If someone is lying to me, I usually know it at once from that person's manner of
expression.
Self-monitoring of cybersecurity behavior (developed)
(A pretest is in progress as of 04-14-2016.)
1= strongly disagree, 7=strongly agree
o I log off my computer whenever I leave my computer.
o I check that antivirus software is updated.
o I change my password regularly.
o I keep my password a secret and only I know it.
o It is my routine to scan external disks/thumb drives/USB drives with antivirus software
when first plugging it into a computer.
o I do not reveal sensitive personal information on social networking websites (email,
real date of birth, full address, or phone number).
o I ensure nobody is looking at my keyboard each time I enter my password.
o I read the privacy statement before I proceed with an action (such as registering with a
website, installing an application or making a financial/online banking transaction).
Judgmental process in cybersecurity behavior (developed)
(A pretest is in progress as of 04-14-2016.)
1= strongly disagree, 7=strongly agree
o Online safety is my personal responsibility.
o Online safety is someone else’s job, not mine. (reverse scored)
o Online safety is something I leave to the experts. (reverse scored)
o Online safety is something I leave to security software. (reverse scored)
o I consider my previous experience with information security in order to avoid making
future mistakes regarding my online safety.
o When faced with an online security decision, I look for the recommendations of
security experts.
o Before taking any action that could affect my information security, I think about its
consequences.
o I talk (search online) with security experts before I do something that relates to my
information security.
Self-reaction toward cybersecurity behavior (developed)
(A pretest is in progress as of 04-14-2016.)
1= strongly disagree, 7=strongly agree
o I feel that I can ensure the safety of my online behaviors.
o I put effort into understanding security threats and devote time to my online security.
o I put my effort into gaining knowledge about how to secure my computer.
o I try to change my online behaviors to make myself more secure.
Deficient Self-regulation in email use (adopted) – 8 items
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
1=strongly disagree, 2=somewhat disagree, 3=neither disagree nor agree, 4=somewhat agree,
5=strongly agree
o I feel my email use has gotten out of control.
o I feel tense, moody, or irritable when I am not able to check my email accounts.
o I have tried unsuccessfully to cut down the amount of time I spend checking email.
o I go out of my way to satisfy my urge to check my email often.
o I check my email account when I am in the midst of a conversation with someone.
o I check my email account whenever a device that can go online is available to me.
o I feel isolated when I am offline without access to email for an extended period of
time.
o I feel anxious when I am offline without access to email for an extended period of time.
Habit strength in email use (adopted) – 5 items
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
1=strongly disagree, 2=somewhat disagree, 3=neither disagree nor agree, 4=somewhat agree,
5=strongly agree
o I do frequently.
o that makes me feel weird if I do not do it.
o I do without thinking.
o that belongs to my (daily, weekly, monthly) routine.
o I start doing before I realize I’m doing it.