Student Information Security Behaviors and Attitudes at a Private Liberal Arts University in the Southeastern United States

Information security is of concern to individuals, businesses, organizations, and education institutions. Information security breaches, whether due to external or internal agents, exact a heavy cost on these entities every year. Much of the cost is due to employees and other insiders who willfully or ignorantly violate information security policies. A difference seems to exist between what students know about information security, and what they actually do. Since college students are the employees of the future, it is important that they be educated and trained in correct information security practices. In order to create effective training material, it is necessary to gain an understanding into what students do, and their attitudes toward information security. Previous studies have produced varying and sometimes conflicting findings with regard to student information security attitudes and behaviors. This non-experimental quantitative study employed a cross-sectional approach, with both comparative and correlation analysis, in an effort to identify the factors related to information security attitudes and behaviors of students at ABC University [actual name redacted], a liberal arts university in the Southeastern United States. Graduate and undergraduate students across all majors were surveyed. Data was collected through an online survey instrument that had been used and validated in previous research. The results from 699 valid responses suggested that neither information security attitudes or behaviors were significantly related to academic major (F (12, 1382) = 1.160, p = .307; Wilks' Lambda = 0.980, partial eta2 = .010). However, while information security attitudes were slightly related to previous information security training, information security behaviors were significantly related to prior information security training (F (10, 1384) = 1.160, p < .001; Wilks' Lambda = 0.959, partial eta2 = .021). Finally, information security attitudes seemed to have a strong predictive power with regard to information security behaviors, with attitudes accounting for 17% of the variance in behaviors. These results suggest that information security training that influences both attitudes and behaviors should be provided for higher education students. The results of this study should be useful in building university classes and training programs to bridge the gap between students' knowledge and their actual behaviors.