Statistical Analysis of Cybersecurity Awareness Issues in Higher Education Institutes

Now-a-days, computers and the Internet are becoming increasingly indispensable tools in several aspects of our lives, including academic study, professional work, entertainment, and communication. Despite the significant advantages of information technology, particularly in information accessibility and internet applications, cyber security has risen to become a national concern in Saudi Arabia, and cyber security threats now need to be taken more seriously. Therefore, computer and network security are a concern not only for traditional security awareness organisations, for example, military, bank, or financial institutions, but also for every individual and government official who use computers. Besides, nowadays, more and more organisations’ valuable assets are stored in the computerised information system; security has become an essential and urgent issue. However, it is remarkable that most systems today are designed with little attention to security concerns. This study aims to examine and analyse cyber security issues, including cyber risk, cyber security, cyber security awareness, and cyber trust, among higher education students in Saudi Arabia. Based on an analysis of the collected data using SPSS, the findings of this study highlight a lack of awareness of basic information related to cyber security among Saudi students. In addition, the number of students attending training programs was very low. Considering other security issues, this study reveals that while Saudi students are aware of cyber risk, they are not aware of cyber security. In addition, Saudi students are not aware of and do not have cyber trust. Keywords—Cyber security; cyber security awareness; educational institutes; cyber risk; higher education; cyber trust


I. INTRODUCTION
The persistent threats from cyber attackers are a real danger, so much so that they rise to the level of a national security concern. Cybersecurity breaches are an all too common occurrence; seemingly every day, a new attack, data theft or other intrusion makes the news [1]. The U.S. Cyber Command protects Department of Defense networks and works to guard other federal agencies against malicious activity; the FBI, Secret Service, and Department of Homeland Security are among the agencies that investigate cybercrimes. But it is still up to the private industry to secure its networks. According to Internet World Stats 2017, the Internet users in Asia accounted for approximately half of Internet users worldwide. However, they are still immature with cybersecurity, exercises or cooperation to counter cyber incidents or cyber-attacks [2]. In fact, in 2016, hackers attacked some Asian countries by withdrawing US$81 million from the Bangladesh Central bank, accessing and leaking details of 3.2 million customer cards from several Indian banks, stealing US$65 million of bitcoins from Hong Kong-based digital currency exchange Bifinex, using malware to steal US$2.17 million from eight banks in Taiwan. In 2017, a remarkable attack in Korea was recorded, indicating that seven main banks were threatened by distributed denial of service attacks claiming ransom payment [3].
The security and privacy of cyber and cyber-physical systems are increasingly considered a major issue in many industries [4,5]. Cyber security has become a national concern in Saudi Arabia because of worrying threats to be taken more seriously [6][7][8][9]. However, many users are still not knowledgeable about the online threats; therefore, they do not have an effective awareness of secure behaviour online. A recent study by McPhee and Weiss [10] highlights that lack of knowledge is an important factor that contributes to insecure online behaviour by Internet users. Awareness and education can provide Internet users with the ability to recognise and avoid any apparent risks [11][12][13]. Currently, there is a growing concern about cyber threats, the most dangerous ones worldwide. They can cause huge damage to finance, the economy, politics, and other aspects of life [10]. As a result, identifying types of cyber threats is a critical and urgent need not only for individuals and businesses but also for governments and organisations to increase awareness of cybersecurity and national security and find solutions to mitigate or reduce the damage from them [3]. Moreover, it was expected to figure out the differences in security cooperation among Asian nations to identify which model is suitable for small nations, including Saudi Arabia and its neighbours in the Asian region [2]. www.ijacsa.thesai.org as possible. However, the current computer crimes are more sophisticated than the old ones with many forms on the Internet like child pornography, copyright or trademark infringement, money laundering, cyberbullying, online gambling, etc. As a result, cybercrime is currently separated into two main categories: machine-made attacks and man-made attacks [4,9]. Machine-made attack defines some cyber-attacks by using computer network environment as a tool to exploit illegal sensitive data and sabotage them, especially in financial damage.
In contrast, a man-made attack is considered a cyberterrorist attack by an individual or group of people with the purpose of politics and military [14]. In Europe, each country has different strategies to ensure its national security, especially cybersecurity. As each country has its contexts, strengths, technology development, and policies, it may be not easy to cooperate and operate the same strategy [8]. The results of this research are very important for Saudi Arabia because the study was conducted there on a certain sample of students in higher education. In Saudi Arabia, cyber-attacks are increasing due to the rise in digital devices (computers, tablets, and smartphones), lack of security awareness among Internet users, terrorism, politics, and an increase in cybercrime groups [15] . While Saudi organisations continue to protect computer systems and their information against cybercrimes, a recent report from Kaspersky Lab highlights that Saudi Arabia has one of the highest numbers of Web threat incidents [7,16]. Consequently, this study first presents the level of awareness of cyber security in Saudi Arabia. It then proposes strategies to increase awareness and training on cyber security in line with Saudi Vision 2030 [17,18]. Preliminary research has shown that studies on cyber security in Saudi Arabia are very few, and further research is needed in this area. These results will also be of great importance to all managers and decision-makers in the fields of information security and cyber security because it provides a clear and comprehensive picture of the concept of CSA from the field of higher education. This paper aims to investigate and analyse CSA levels among higher education students in a business college in Saudi Arabia. It also aims to examine students' knowledge and attitude towards the following major security issues related to cyber security: cyber risk, cyber security, cyber awareness and cyber trust.
Section II reviews the literature on cyber security, cyber threats, cybercrimes, cyber-attacks, and the like. Moreover, it clarified the differences between cybercrime and cyberwar to consider the new trends of cyber security and cyber threats. Furthermore, it primarily expressed an urgent need for Saudi Arabia cybersecurity strategies toward the new cybersecurity trends in the world. Section III explains the methodology of our study in which the dataset, tool, and workflow has been explained. Section IV presents the results through five analysis tools: the frequency distribution of variables, multiple response analysis, factor analysis for grouping different types of security, a reliability test, and descriptive analysis. Section V presents the discussion that provides a deeper understanding of students' awareness and their basic understanding of cyber security issues. Section VI provides some significant implications for research, and Section VII explains the summary of research findings, proposed method, and contributions to the research problem.

II. RELATED WORK
Cyber security has been defined as -the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that could be used for protecting the cyber environment and organisation and user's assets‖ [19]. Individuals and families and organisations, governments, educational institutions, and businesses are now concerned about cyber security. Kritzing and Von Solms [14] studied that cyber security is critical for families and parents to safeguard children and family members from online fraud. In terms of financial security, it's critical to safeguard financial information that might impact one's financial situation. As a result, understanding how to protect oneself against online fraud and identity theft is critical for Internet users. Kim [4] concluded that even though technology has done a lot to safeguard endusers information systems, security experts claim that technology alone cannot protect these systems adequately. Appropriate learning about online behaviour and system security decreases vulnerabilities and makes the Internet a safer place to be. Because of limited resources and a lack of sufficient cyber security expertise, small and medium-sized businesses face a variety of security difficulties [8,14,20]. Because the continual advancement of technology makes cyber security increasingly difficult, we do not offer lasting answers to this troubling situation. Nonetheless, we're attempting to provide a variety of frameworks or solutions to safeguard our networks and data. All of these measures, however, only give protection in the near run. Better security knowledge and methods may aid in the protection of intellectual property and trade secrets, as well as the reduction of financial and reputational harm [14,21]. Large volumes of data and private documents are held digitally by the federal, state, and municipal governments, making them prime targets for a cyber-assault [8,22]. Governments are frequently exposed to dangers due to low financing, inadequate infrastructure, and a lack of knowledge. Government agencies must offer dependable services to society, maintain good citizen-togovernment contacts, and safeguard sensitive information [20,21,23].
With around 26 million inhabitants, Saudi Arabia is one of the largest countries in the Middle East. About 0.002% of Internet users are from Saudi Arabia [7,24]. However, the number of cyberattacks experienced by Saudi Arabian users are far larger than the population of Internet users, i.e., 1.81% in 2009 and 1.77% in 2010 [25,26]. Although Saudi Arabia is as highly censored as Iran, and the number of Internet users in Iran is also higher than in Saudi Arabia, the number of cyberattacks is greater in Saudi Arabia than in Iran. Saudi Arabia is reported to be the ninth largest country in 2008 in terms of cyber-attacks and the incidence of information security attacks. It became the seventh-largest in 2009. The reasons behind such a larger number of attacks are a lack of CSA among the general public of Saudi Arabia. Alzahrani and Alomar [7] has revealed that information security awareness is very low, and there is a higher level of risk related to cyberspace in Saudi Arabia. www.ijacsa.thesai.org DIFFERENT CATEGORIES OF CYBER-CRIME [22] Category Definition

Hacking
The destruction and concealment of information from the victim's operating system by attacking the weaknesses and loopholes are known as hacking. It is usually done by installing some sort of backdoor programs by hackers on the computer of victims to obtain access to the information.

Cyber theft
When the victim's computer information is stolen through electronic attacks, this is known as cyber theft. The most common example of cyber theft is credit card fraud and illegal money transfer . s

Viruses and worms
Viruses and worms are designed to damage the computers attached to other programs and documents in the computer. They appear to perform some other function, but the primary function of the virus is to corrupt the operating system of the computer.

Spamming
Spamming is done by sending massive numbers of emails to users that usually contain links designed to harm the programs of the victim's computer.

Financial fraud
This cybercrime is also known as a phishing scam, formed through social engineering and designed to obtain the victim's bank details.

Identity theft and credit card theft
In this cybercrime, emails are sent to users to induce them to provide their identity card and credit card information. The attacker represents him or herself as a representative of some well-known company, and hence unaware users provide their sensitive details by responding to these emails.

Cyber harassment
Cyber harassment is harassing and bullying individuals using electronic means; one such example is cyberstalking.

Cyber laundering
The transfer of illegally obtained money between two parties is known as cyber laundering.

Website cloning
Copying the websites of renowned companies and attacking the users who are unaware of this is a new category of cybercrime. Unaware consumers provide their details to the fraudster's personal database.
According to a report in 2016, the number of Internet users in Saudi Arabia has reached 22.4 million. These users belong to different sectors such as health, education, government, and other service sectors. However, with the growth of digital devices, the rate of cyber-attacks in Saudi Arabia also increases more quickly. To tackle this increasing problem, the CSA of the general public should be improved, and the government of Saudi Arabia is now taking practical steps to counter these problems. The report suggests that around 40% of companies in Saudi Arabia were the victim of cyber-attacks in 2015, leading to the leakage of the confidential data of Saudi employees. The primary step that the Saudi government could take to reduce the number of cyber-attacks is to increase CSA and educate children and young people about anti-cybercrime laws [14] [7] [27]. Very recent reports about the CSA level in Saudi Arabia have suggested that the government has yet taken no practical measures to respond to the issues of cyber-attacks. As a result, a large number of attacks have been experienced. Table I presents the different categories of cyber-crime.

III. METHODOLOGY
This study used a quantitative research technique to emphasise the relation between students' cyber security awareness and their cyber security practices. Quantitative research designs are either descriptive (in which subjects are generally measured just once) or experimental (subjects are measured many times). A relationship between variables is established in a descriptive investigation; causation is established in an experimental study. According to Quantitative Methods, objective measurements and statistical, mathematical, or numerical analysis of data collected through polls, questionnaires, and surveys, or by manipulating preexisting statistical data using computational techniques, are the most important aspects of quantitative methods [28,29]. Quantitative research collects statistical information and the generalisation or description of phenomena across groups of individuals. A pilot study was carried out for the questionnaire.
The pilot study aimed to test the understandability of the questionnaire before it was presented to the sampling frame of this study [30] [28] [31]. To analyse the collected data, SPSS was utilised to measure students' awareness about cyber security. With a wide range of graphs, methods and charts, SPSS provides many types of statistical analysis for quantitative research. The techniques of screening and cleaning data within SPSS are useful for future analysis. Because the issue of cyber security is an important topic in Saudi Vision 2030, this study was conducted in Saudi Arabia. Cyber security in Saudi Arabia still faces many challenges that need to be addressed. The sample selected for this study comprises Saudi students in a business college in a Saudi university. Questionnaires were distributed by both an online link and in hard copy to Saudi students. The online link was sent to students' emails, while hard copies of the questionnaire were distributed in classrooms. Table II lists the questionnaire items used in this study. To achieve the objectives of this research given the nature of the data collected, five analysis tools were utilised: the frequency distribution of variables, multiple response analysis, factor analysis for grouping different types of security, a reliability test, and descriptive analysis. The following paragraphs provide more details for each tool. Table III shows the demographics of the survey participants, revealing that the majority of respondents were 18-30 years old (94.5 percent) or 31-40 years old (4.7 percent). Overall, most respondents were between the ages of 18 and 30, indicating that a younger generation was more engaged in this study. Table III shows that the female population (52.0%) was somewhat greater than the male population (50.0%). (48.0 percent). In terms of educational attainment, the biggest cohort (96.2 percent) had a bachelor's degree, followed by a master's degree (96.2 percent) (3.8 percent). Finally, 46.5 percent of participants had 6-10 years of experience using the Internet, followed by 26.3 percent with 1-5 years of experience, and 15.3 percent with 11-20 years of experience.
The results in Table IV show that 82.5% of students do not know what cyber security means. The results in Table V also show that 97.4% of students are not attending any training or educational programs in cyber security. Considering the behaviour of maintaining up-to-date protection software, the results (Table VI) show a variation in the participants' responses. Here, 38.1% of the participants automatically update their protection software. However, 40% fail to update their software. In addition, just over 10% annually update their software.
A multiple response analysis was utilised to answer the question, "What types of protection software do you use?" As shown in Table VII, 43.6% of respondents do not know what protection software they are using for protection. In addition, 36.6% of respondents use an anti-virus program for software protection, and 11.5% of respondents use a firewall for software protection. Only 6.4% use anti-spyware software, and 1.9% use anti-spam software. Table VIII presents the results of Kaiser-Meyer-Olkin (KMO) and Bartlett's tests. The KMO measure of sampling adequacy and Bartlett's test of sphericity were used in this research. KMO must be greater than 0.7 to be considered good. In Table VIII, the value of KMO is 0.795, which indicates that factor analysis is appropriate for these data. In addition, Table  IX presents the total variance explained results, where all the variables are grouped into four components with eigenvalues greater than 1.      Table X, cyber risk has six items, and cyber security has four items. The reliability of a group of variables is tested with Cronbach's alpha method. If Cronbach's alpha is greater than 0.7, then the data are reliable as shown in Table XI. Both cyber trust and cyber awareness have three items. The results of descriptive statistics (Table XII) show a high cyber risk score with a mean of 3.19 and a lower score for cyber security (mean = 2.01). In addition, both cyber awareness (mean = 2.37), cyber trust (mean = 2.41) have low scores. Overall, the findings of this study highlight a lack of awareness of basic information related to cyber security among Saudi students. www.ijacsa.thesai.org In addition, the number of students attending training programs was very low: 92% have never taken any type of security training. Considering other security issues, this study reveals that while Saudi students are aware of cyber risk, they are not aware of cyber security and the important steps and processes needed to protect their personal information. Thus, Saudi students need to increase their awareness about cyber security to become educated about protecting their online data.

V. DISCUSSION
This study provides a deeper understanding of students' awareness and their basic understanding of cyber security issues. Additionally, this study contributes significantly by investigating students' behaviour about the major topics related to cyber security: the security issues related to passwords, emails, wireless, social networks, and smartphones. SPSS was employed to analyse students' awareness and reveal their behaviour. The following subsections first discuss the results of general information about cyber security and then discuss major topics related to cyber security. Finally, some strategies are recommended to increase student awareness about cyber security. The results of this survey indicate that the participants' level of awareness about cyber security was generally unsatisfactory. A total of 82% of the participants were not aware of cyber security. The results also show that 97% of the participants have not had any related training, which suggests a lack of training programs available to the students.
The knowledge about cyber risks of the participants was very good. Most of the participants from all demographic distributions had a good understanding of the importance of password security rules, had an accurate knowledge of password security, and recognised that passwords should not contain only real words or significant dates or names. There were, however, some aspects of wireless technology about which many students lacked knowledge. An excellent level of participant awareness about social security was recorded. Most of them are aware that they should not share their personal information on social applications. Even though a minority of the participants use cloud storage to save their files, most do not use passwords to secure their data while sharing them. In addition, most of the participants are aware of the risk of using smartphones. However, few of them use anti-virus programs to protect them.
To summarise, this section discussed in-depth Saudi students' awareness of and their behaviour towards cyber security. The study results show that students in higher education need to increase their awareness about cybercrime and cyber security by involving them in training programs, workshops, and lessons. Universities in Saudi Arabia must take on more responsibility in encouraging CSA and practice. Several strategies were recommended for individuals, network users, and organisations to enhance CSA and practice.
Currently, the cyber-threats are very complicated for all countries in general and Saudi Arabia in specific. As a result, the Saudi Arabian government established several decrees and programs to promote cybersecurity awareness and human resources. They gave Decree No. 99/QĐ-TTG and 153/QĐ-TTg to develop human cybersecurity resources, attract experts or students, individuals in government offices, and increase the number of students studying abroad in ICT from 2014 to 2020. Moreover, the Saudi Arabian Information Security Association also organised annual national contests and conferences for students of all universities and colleges to introduce artificial intelligence to safeguard cybersecurity and information security in ICT, IoT and protect critical databases or infrastructure.
In summary, Saudi Arabia is a developing country that quickly approaches ICTs and innovative technologies, but it is a newbie in cybersecurity protection. A series of cyber-attacks on government, companies, agencies, and airport websites greatly damaged data loss, data leakage, and finance. Hence, the Vietnamese government paid attention to making cyber laws, legal documents, and legal infrastructure to ensure the safety of critical infrastructure protection. Regarding the connection between government organisations and private sectors, it helps strengthen the safety of critical infrastructure systems and cyber resilience capacity, develop research and training, and promote cybersecurity solutions, products or services. Besides, the Vietnamese government also considered the important role of international cooperation as a key factor to boost cybersecurity development to a new level in the same region.
The cyber risks and challenges in the industry are diverse, spanning technological and organisational competencies, stemming from purpose-built components that operate in an ecosystem where cybersecurity is an afterthought. Practical and xi reasonable recommendations to address these problems are discussed to close the gap, some specific and unique to the manufacturing industry. In contrast, other fundamental applications discussed with a manufacturing industry lens are commonly ignored due to perceived complexity, cost, or lack of awareness. Lastly, several of these recommendations were selected for further evaluation and implementation; challenges, approaches, benefits, and outcomes are shared, showing measureable improvements to the organisation's cybersecurity posture. www.ijacsa.thesai.org

VI. STUDY IMPLICATIONS
This study provides some significant implications for research. First, it extends the literature on cyber security by providing a critical and comprehensive literature review as the primary theoretical contribution of this study. The findings of this review reveal an insufficient number of research studies in the field of CSA. Most researchers focus only on the technical aspects of information technology, with limited consideration of users' security awareness and their security behaviour. Gefen et al. [32] agree that it is important to study the issue of cyber security from the aspect of users' security awareness to have a clear understanding of the concept of CSA and to address the issue of security behaviour as a whole successfully. Thus, more research should address the issue of cyber security from the perspective of users' awareness as the existing research on this topic has somewhat ignored this issue.
Second, a quantitative survey was developed to consider basic information about CSA and investigate other security issues related to cyber security, such as passwords, emails, cloud storage, social networks, wireless networks, and smartphones. Analysing the collected data using SPSS revealed a lack of awareness of basic information related to cyber security among Saudi students. In addition, the number of students attending training programs was very low.
This study also has some fundamental implications for Saudi universities. Universities in Saudi Arabia need to empower their students by increasing their awareness of cyber security. Thus, Saudi universities must adopt mass media for educational purposes and introduce cyber security concepts. In addition, universities could offer seminars, lectures, and workshops on the negative impacts of cybercrimes and the importance of cyber security. This approach would encourage students to practice effective security behaviours and then increase the cyber security culture among students. In addition, Saudi Universities could publish such information in newsletters, and magazines, which would help to increase student's awareness about cyber security and encourage them to adopt secure behaviour.
Training Compromises via social engineering techniques are an ever-evolving threat landscape. The attackers devise sophisticated schemes to gain personal information and/or entry into an environment. A specific counter-action cannot mitigate these attack schemes; however, preventing and protecting against breaches can be accomplished by applying a defence-in-depth approach and an effective security awareness training program. Specific to the educational institutes, as part of creating a comprehensive security awareness program, organisations need to deliberately and consciously educate individuals. As part of this comprehensive approach, organisations need to educate personnel on the threat vectors and downstream effects of using social media and how compromising can lead to other lateral advances.

1) Security awareness training:
Relative to a security awareness program, studies by Gartner showed that there are four key objectives when deploying an effective security awareness program that drives real meaningful actions [16].
2) Build a knowledge base: Creation of a referenceable and easy to understand security and risk knowledge base across the workforce results in a shared understanding of what is important to the organisation (e.g. password management, encryption of removable media). Make it available to endusers and market its' usefulness.
3) Ability to comply with regulatory requirements: Where required, a regulated enterprise must maintain a cybersecurity training program to ensure that the culture is aligned with the regulatory body requirements. This involves the identification of specific provisions for compliance, capturing specific criteria to satisfy the regulation(s) and applying the necessary controls/provisions to demonstrate adherence.

4) Define a behavioural baseline:
To hold an individual accountable for adhering to the organisation's security policies, the organisation's expectations must be clearly defined. Additionally, proper education must be provided with objective evidence (signing an acknowledgement form, etc.) indicating the employee has been educated on the required policy and related practices. 5) Motivate secure behavior: Encouraging positive actions while disapproving of undesired behaviours is necessary to achieve the desired representative behaviours. Using classical conditioning techniques via reward and penalty systems, the desired and undesired behaviours must be identified and described in enough detail to enable targeted monitoring and reinforcement. Educational institutes need to begin applying the same importance and rigour to cybersecurity with overall human safety. It can be expected that in some organisations, cybersecurity training is either not addressed or only executed to -check the box‖ for insurance or regulatory purposes. 6) Communication/Social media exposure to the network: Organisations should ensure that there is a clear separation between the functions (email, internet access, etc.) that can be performed on P.C.s with access to the factory operations network(s) and those that should be conducted outside of the network entirely.
In addition, Saudi universities need to adopt effective training programs for students, with the major consideration being students' security behaviours. In addition, it is important to involve students in the training programs by researching cyber security. If students were involved in the development process, they would be regularly asked how to develop a secure system and the important steps to encourage students to adopt secure behaviours. Having the students participate in the process and consulting them for their views will create a cyber security culture among students. According to Chun et al. [33], citizens are not just recipients of e-government. They are also the key chain that guides policy formulation through their opinion and views. Carter and Bélanger [34] state that 74.2% of government agencies in the U.K. have a website. However, 90.5% of these agencies have not surveyed to see what online services their citizens and businesses want. Thus, the students' levels of CSA would increase when they are informed of the importance and strategies of cyber security. www.ijacsa.thesai.org

VII. CONCLUSION
The purpose of this research was to look into and analyse cyber security concerns in Saudi Arabia. According to the conclusions of this survey, Saudi students are unaware of the importance of cyber security. This research indicated a poor score for training and awareness, with 92 percent of respondents have never received any form of cyber security training. According to the findings of this study, Saudi institutions should teach their students about anti-cybercrime legislation and the key information security awareness issues discovered in this study. Much more research is needed to establish how students' knowledge levels might be increased by implementing appropriate awareness-raising initiatives. Further research may be needed to identify how best practices might improve the issue areas identified in this study.