Measures BH 4_6AV4-6..

List of Constructs and Measures
Theory
Construct
Sub-Construct
Self-reaction
Outcome Expectations
Social outcomes
Cost
Social Cognitive
Self-Efficacy
Theory
Cybersecurity
Reporting phishing emails
Self-Monitoring
Self-Regulation
Judgmental Process
Self-Reaction
Intention to Report
Awareness
Antecedents
Phishing
Reporting phishing emails
Cyber Risk Belief
Prior Experience of Being Victimized*
Actual Behavior of Email Use*
Self-Monitoring of Expressive Behavior
Deficient Self-Regulation in Email Use
Dispositional Factors
Habit Strength
Prevention
Motivation Theory
Fear Appraisal
* indicates measures newly added to this version.
Email use
Cybersecurity*
Perceived Severity*
Perceived Vulnerability*
Total Number of Items
N of Items
Edited by Arun (after BH) on 4-6-16 Given to Youngsun Kwak (YK)
Edited by YK (after Arun) on 4-6-16
Edited by YK on 4-7-16
Edited by YK (after meeting with Arun on 4-13) on 4-14-16
Edited by YK (after meeting with Arun on 4-21) on 4-21-16
* Changes in this version
- All measurement scales use a 7-Point Likert Type.
- 5 items chosen based on the pretest for self-monitoring of expressive behavior
- 5 items chosen based on the pretest for self-monitoring cybersecurity behaviors
- 3 items chosen based on the pretest for judgmental process in cybersecurity behaviors
- 7 items chosen based on the pretest for self-reaction toward cybersecurity behaviors
- Perceived severity of cybersecurity threats is added.
- Perceived vulnerability of cybersecurity threats is added.
- Habit strength in cybersecurity conscious behavior is added.
- Previous experience of being victimized is added.
- Actual behavior of email use is added.
Awareness of Reporting Phishing Emails (developed) – 7 items
1 = strongly disagree, 7 = strongly agree
o I am aware of what phishing emails look like.
o I am aware of which phishing emails need to be reported.
o I am aware of an email address to report phishing emails.
o I am aware of a phone number to report phishing emails.
o I am aware of a website to report phishing emails.
o I am aware of whom to report phishing emails to.
o I am aware of when to report phishing emails.
Awareness of Phishing Emails (adapted) – 10 items
Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A phishing
threat avoidance perspective. Computers in Human Behavior, 38, 304-312.
(Phishing Quiz by Intel Security)
1 = A legitimate email, 2 = A phishing email
10 email images for test will be presented to survey respondents.
Cybersecurity Self-Efficacy – 5 items
Amo, L.C., Zhou, M., Wilde, S., Murray, D., Cleary, K., Amo, C., Upadhyaya, S., Rao, H.R.
(2015). Cybersecurity Engagement and Self-Efficacy Scale. Unpublished instrument.
(Originally labeled as cyber threat identification self-efficacy)
1 = strongly disagree, 7 = strongly agree
o I am very confident in my ability to make changes to firewall rules.
o I am very confident in my ability to identify a secure URL.
o I am very confident in my ability to recognize tricks that cybercriminals use to steal
information.
o I am very confident in my ability to recognize malware infections.
o I am very confident in my ability to identify characteristics of advanced malware.
Self-Efficacy toward Reporting Phishing Emails (developed) – 5 items
I feel confident that I could …
1 = strongly disagree, 7 = strongly agree
o Quickly retrieve accurate contact information of who to report phishing emails to.
o Find the right organization to contact if I accidentally give away personal credentials to
a phishing email.
o Figure out which information should be included in reporting phishing emails.
o Figure out when to report phishing emails.
o Figure out how to report phishing emails.
Outcome Expectations of Engaging in Reporting Phishing Emails (developed) – 16 items
(Self-evaluative reaction, positive and negative)
1 = strongly disagree, 7 = strongly agree
o Reporting phishing emails is important.
o Reporting phishing emails is good.
o Reporting phishing emails is interesting.
o Reporting phishing emails is beneficial.
o Reporting phishing emails is useful.
o I am afraid that if I report a phishing email that is actually a legitimate email
(misreporting), it will bother IT staff and others.
o I am afraid that if I misreport, people will think I’m not good with technology.
(Social outcome, positive and negative)
1 = strongly disagree, 7 = strongly agree
Reporting phishing emails…
o Will save others from being victimized.
o Will have a positive impact on combating phishing.
o Could result in IT staff ridiculing me if I misreport.
o Is useless because IT staff will probably just dismiss my report, making my effort
useless.
o Someone might have already reported a phishing email, so I probably don’t need to
report it.
o Will not elicit any response from IT staff.
(Cost)
1 = strongly disagree, 7 = strongly agree
o I should learn about what phishing emails look like.
o I don’t think my reporting will really make a difference.
o I don’t have enough time to report phishing emails.
Intention to Report Phishing Emails (adapted) – 4 items
Kruger, H., Drevin, L., & Steyn, T. (2010). A vocabulary test to assess information security
awareness. Information Management & Computer Security, 18(5), 316-327.
When receiving an e-mail that appears to be coming from UB and asking you to go to a
specific web link to confirm your personal details, what would you do?
1= strongly disagree, 7=strongly agree
o I would make an effort to find an email address of the UB IT department to report it as
a phishing email.
o I would make an effort to find a phone number of the UB IT department to report it as
a phishing email.
o I would make an effort to visit the UB IT department in person to report it as a
phishing email.
o I will mark the email in a separate folder for my record.
Cyber Risk Belief (adopted) – 6 items
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
I believe that the risk of getting infected by spyware, malware, or a virus is …
1=strongly disagree, 7=strongly agree
o A lot less on a mobile device (phone or tablet using mobile OS) than on a computer.
o A lot less on Facebook/social media messages than traditional emails.
o A lot less when you open an attachment in an email on a mobile device (phone or
tablet using mobile OS) than on a computer.
o A lot less when you use a browser based email (such as Yahoo Mail or GMail) than
when you use an email client (Thunderbird, Apple Mail, Outlook, etc.).
o A lot less when you open a file with an .exe (executable file) than when you open a .pdf
(Adobe PDF) type file.
o A lot less when you open a .pdf (Adobe PDF) file than when you use a .doc (Microsoft
word or other Office) type document.
Self-Monitoring of expressive behavior
Lennox, R. D., & Wolfe, R. N. (1984). Revision of the self-monitoring scale.
1 = certainly, always false, 2 = generally false, 3 = somewhat false, but with exception, 4 =
can’t tell, 5 = somewhat true, but with exception, 6 = generally true, 7 = certainly, always true
o I am often able to read people's true emotions correctly through their eyes.
o I can usually tell when others consider a joke to be in bad taste, even though they may
laugh convincingly.
o I can usually tell when I've said something inappropriate by reading it in the listener's
eyes.
o If someone is lying to me, I usually know it at once from that person's manner of
expression.
o Once I know what the situation calls for, it’s easy for me to regulate my actions
accordingly.
Self-monitoring of cybersecurity behaviors (developed)
1= strongly disagree, 7=strongly agree
o I keep my password a secret and only I know it.
o I always choose a different, long, complicated password for each account.
o I do not reveal sensitive personal information on social networking websites (email,
real date of birth, full address, or phone number).
o I read the privacy statement before I proceed with an action (such as registering with a
website, installing an application or making a financial/online banking transaction).
o I ensure nobody is looking at my keyboard each time I enter my password.
Judgmental process for cybersecurity behaviors (developed)
1= strongly disagree, 7=strongly agree
o I consider my previous experience with information security in order to avoid making
future mistakes regarding my online safety.
o Online safety is my personal responsibility.
o Before taking any action that could affect my information security, I think about its
consequences.
o I feel that I can ensure the safety of my online behaviors.
Self-reaction toward cybersecurity behaviors (developed)
1= strongly disagree, 7=strongly agree
o I try to change my online behaviors to make myself more secure.
o I put effort into understanding security threats and devote time to my online security.
o I put my effort into gaining knowledge about how to secure my computer.
o I check that antivirus software is updated.
o I log off my computer whenever I leave my computer.
o I change my password regularly.
o It is my routine to scan external disks/thumb drives/USB drives with antivirus software
when first plugging it into a computer.
Deficient Self-regulation in email use (adopted)
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
1=strongly disagree, 7=strongly agree
o I feel my email use has gotten out of control.
o I feel tense, moody, or irritable when I am not able to check my email accounts.
o I have tried unsuccessfully to cut down the amount of time I spend checking email.
o I go out of my way to satisfy my urge to check my email often.
o I check my email account when I am in the midst of a conversation with someone.
o I check my email account whenever a device that can go online is available to me.
o I feel isolated when I am offline without access to email for an extended period of
time.
o I feel anxious when I am offline without access to email for an extended period of time.
Habit strength in email use (adopted)
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
1=strongly disagree, 7=strongly agree
o I do frequently.
o that makes me feel weird if I do not do it.
o I do without thinking.
o that belongs to my (daily, weekly, monthly) routine.
o I start doing before I realize I’m doing it.
Perceived Severity of cybersecurity threats (adopted)
Comesongsri, V. (2010). Motivation for the avoidance of phishing threat. The University of
Memphis.
o Response to phishing email or website will cause you to directly lose money due to a
scam (1=strongly disagree, 7=strongly agree)
o The severity of potential loss due to scam from phishing is: (1=negligible, 7=serious)
o Responding to phishing will result in virus or spyware infections (1=strongly disagree,
7=strongly agree)
o If a computer were infected with a virus or spyware resulting from phishing, the
damage would be: (1=negligible, 7=serious)
o The damage from identity theft caused by phishing would be: (1=negligible, 7=serious)
Perceived Vulnerability of cybersecurity threats (adopted)
Comesongsri, V. (2010). Motivation for the avoidance of phishing threat. The University of
Memphis.
o The chance that you will lose money due to phishing is: (1=very low, 7=very high)
o The chance that your computer will get a virus or spyware from phishing is: (1=very
low, 7=very high)
o The chance that you will be a victim of Identity theft because of phishing is: (1=very
low, 7=very high)
Habit Strength in Cybersecurity Conscious Behaviors (adapted)
Vishwanath, A., et al. (2016). "Suspicion, Cognition, and Automaticity Model of Phishing
Susceptibility." Communication Research: 0093650215627483.
Taking a moment to be certain before sharing sensitive personal information online (full name,
residential address, phone number, email address, date of birth, social security number or bank
account number) is…
1=strongly disagree, 7=strongly agree
o I do without thinking.
o I start doing before I realize I’m doing it.
o I do frequently.
o that makes me feel weird if I do not do it.
o that belongs to my routine.
Previous Experience of being victimized by cybersecurity threats (developed)
Did you have experience of being victimized by cybersecurity threats?
1=yes, 2=no
o Identity theft (someone illegally used my credit card)
o Being phished (duped into revealing personal confidential information to a scammer)
Actual Behavior of Email Use
o How much time do you spend using email, every day, throughout all your devices
(desktop computer, notebook, tablet, smartphone, ...) ?
1= 30 minutes or less
2= About an hour
3= From 2 to 3 hours
4= From 4 to 6 hours
5 = More than 6 hours
o Which device(s) do you use to check email most often?
1= desktop computer
2= notebook
3= tablet
4= smartphone
5= cell phone
6= others
o How often do you use email on your mobile device?
1= Never (I don't even have a mobile device)
2= Rarely (once or twice a day)
3= Occasionally (three to five times a day)
4= Often (five to ten times a day)
5= Addicted (my refresh button is totally worn out)
o On your desktop, how do you check email?
1= via email software installed in a desktop computer (e.g., Microsoft Outlook)
2= via webmail (e.g., Gmail.com)