A Study of Cybersecurity for Telecommunication Services
Concerning Smartphone Users in Thailand
Varin Khera
BIT Central Queensland University
PG Cert Monash University M.S. Assumption University
This Thesis is presented for the Degree of Doctor of Information Technology
2018
DECLARATION PAGE
I declare that this thesis is my own account of my research and contains as its main
content work which has not previously been submitted for a degree at any tertiary
education institutions.
Varin Khera
ABSTRACT
Smartphones are powerful handheld computers that allow users to connect in real time
with others around the globe through high-quality phone calls and data exchange. There
were 2.1 billion smartphone users worldwide in 2016, with this number expected to grow
to almost 3 billion by the end of 2020 (www.statista.com). This enormous uptake,
together with the valuable information contained in smartphones, makes them an attractive
target for attackers to exploit.
This study was conducted to indicate the abilities and behaviours of Thai smartphone
users in protecting their smartphones from cyber threats. The objectives of this study
are: (1) to investigate cyber threats on smartphones and trends; (2) to investigate
cybersecurity handlings for smartphone users in Thailand; (3) to investigate general
behaviours and protection behaviours of Thai smartphone users; and (4) to analyze
causal relationship among constructs of the proposed protection behaviour model.
This study utilizes mixed methods research, combining qualitative and quantitative studies, to
collect and analyze the data. Document research was performed in the qualitative part.
For the quantitative study, a total of 720 samples from smartphone users were collected
with the cluster sampling technique from the main regions of Thailand. Data were then
analyzed with descriptive statistics, t-test, and ANOVA, and a model based on
Roger, R.W. (1983)’s Protection Motivation Theory (PMT) was created with the Structural
Equation Modeling (S.E.M.) technique to find the factors that affect the behaviour of Thai
people in protecting their smartphones from cyber threats.
Based on the collected data, the main findings of this study are: (1) threats on
smartphones can be caused by attackers (malware attacks, wireless network
attacks, denial of service attacks, and break-in attacks) or can arise from the unawareness of
users themselves (such as malfunctions, phishing, phone theft or loss, and platform
alterations); (2) the agent responsible for providing incident response
to computer security threats is the Thailand Computer Emergency Response Team
(ThaiCERT), and its services should be extended to the whole of Thailand; (3) the
overall protection behaviours of Thai people were at a good level; (4) females protected
themselves from mobile threats to a lesser degree than males; (5) people aged
between 41 and 60 protected themselves from mobile threats to a lesser degree than the
other age groups; (6) people who had never experienced a phone virus/malware
infection, who had never used public Wi-Fi, and who had never transferred money
using Internet banking on their phones protected themselves from
mobile threats to a lesser degree than the other groups; and (7) the protection behaviour model of Thai
smartphone users consisted of the following variables: Perceived Vulnerability,
Self-efficacy, Social Influence, Threat Appraisal, Coping Appraisal, Protection
Motivation, and Protection Behaviours. Among these, the only variables that had an impact
on the Protection Behaviour of Thai smartphone users were Self-efficacy, Social Influence,
Coping Appraisal, and Protection Motivation. The findings provide strategic directions
for education and awareness raising among smartphone users in Thailand so as
to strengthen their protection against potential threats.
ACKNOWLEDGEMENTS
First and foremost, I would like to acknowledge my principal supervisor,
Emeritus Professor Lance Chun Che Fung who has provided invaluable and wise
guidance in the development of my research work. Without his support, constant
guidance and push for me to complete, I would have never completed this enormous
work.
I would especially like to acknowledge my lovely wife and parents, whose support and
unconditional love gave me the drive to pursue this near impossible and long enduring
dream.
I would like to thank my manager, Mr Stan Fiala, and my good friend and advisor, Dr.
Suthee Chantrapunth, for their support in helping me through this long and extensive
program.
CONTRIBUTION AND LIST OF PUBLICATIONS
Journal Papers
(J1) From Chapter 2 - Khera, V., Chantrapunth, S., & Fung, C., (2017). “Protection
Motivation Theory Model for Smartphone User.” RTAFA Journal of
Humanities and Social Sciences. Year 13 Volume 13.
Contribution to thesis - The paper proposes a protection behaviour model which
is based on Roger, R.W. (1983)’s Protection Motivation Theory (PMT) and
related studies. This model is useful for analyzing the behaviour of
people who use internet-connected devices (such as desktops, laptops,
smartphones, or tablets) in protecting themselves from cyber threats.
(J2) From Chapter 4 - Khera, V., Chantrapunth, S., & Fung, C., (2017). “Behaviours of
Thai in Protecting their Smartphones from Cyber Threats.” Volume 8, Number 2,
May – August 2017. National Defense Studies Institute Journal. pp.86-100.
Contribution to thesis – The paper compares the mean values of the proposed
model’s constructs across the demographics and characteristics of the sample. The
results identified the groups of smartphone users with low construct mean
values, that is, those who have low security and need more attention in order to improve
their behaviour in protecting their phones from threats.
Conference Proceedings
(P1) From Chapter 5 - Khera, V., Chantrapunth, S., & Fung, C., (2017). “Developing
a Protection Behaviour Model for Smartphone User Security Assessment.” 8th
International Science, Social Science, Engineering and Energy Conference
(iSEEC 2017), 15th -17th March, 2017. Phranakhon Rajabhat University. ID
Paper: 161212160068.
Contribution to thesis – The paper details the result of testing the proposed
theoretical PMT model with empirical data from smartphone users in
Thailand. The tested model shows the significant causal relationships among
the model’s constructs. The result also shows that two exogenous constructs,
Self-efficacy and Social Influence, are important in driving the behaviour of
Thai people in protecting themselves from smartphone threats.
(P2) From Chapter 2 - Khera V., Fung C., Chaisiri S. “A Review of Security Risks in the
Mobile Telecommunication Packet Core Network.” Advances in Information
Technology. IAIT 2013. Communications in Computer and Information Science,
vol. 409. Springer, Cham (DOI: https://doi.org/10.1007/978-3-319-03783-7_9)
Contribution to thesis – This paper reviews the security risks in the mobile core
network and then provides a recommendation on how to address these risks
using the ITU X.805 reference framework. This will benefit mobile operators
and network designers to secure the mobile packet core system.
(P3) From Chapter 6 - Fung, C.C., Khera, V., Depickere, A., Tantatsanawong, P. and
Boonbrahm, P. (2008). “Raising information security awareness in digital ecosystem
with games - a pilot study in Thailand.” In: 2nd IEEE International Conference on
Digital Ecosystems and Technologies, 2008. DEST 2008., 26-29 Feb. 2008,
Phitsanulok, Thailand pp. 375-380. (DOI: 10.1109/DEST.2008.4635145)
Contribution to thesis – This paper reports an initial pilot study on the use of a
simulation game for raising awareness and knowledge of Information
Security among a small group of Thai students. The paper proves that simulation
can enhance and stimulate cyber security learning among the young population;
therefore, any government-sponsored cyber security training program for
smartphone users should incorporate simulation to have the best impact on
participants.
TABLE OF CONTENTS
DECLARATION PAGE
ABSTRACT
ACKNOWLEDGEMENTS
CONTRIBUTION AND LIST OF PUBLICATIONS
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
ACRONYMS AND SYMBOLS
CHAPTER 1 INTRODUCTION
1.1 Background of the Study
1.2 Statement of the Problem
1.3 Objectives of the Study
1.4 Research Questions
1.5 Research Methodology
1.6 Significance of the Study
1.7 Benefits of the Study
1.8 Scope of the Study
1.9 Limitations of this Study
1.10 Workflow of this Study
1.11 Organization of Thesis
1.12 Definition of Terms
1.13 Conclusion
CHAPTER 2 CYBER THREAT, CYBERSECURITY AND PMT MODEL
2.1 Concepts of Cyber Threat and Cyber Security
2.2 Cyber Threats on Smartphones and Trends
2.2.1 Types of Cyber Threats and Effects
2.2.2 Statistic of Malware Attacks on Smartphones and Trend
2.3 Smartphone Threats Handling in Thailand
2.3.1 Organization Handling Cyber Threat in Thailand
2.3.2 Security on Mobile Telecommunication Network
2.4 Behaviours of Smartphone Users
2.5 Protection Motivation Theory
2.6 Related Studies
2.6.1 Study by Liang & Xue (2009)
2.6.2 Study by Srisawang, Thongmak & Ngarmyarn (2015)
2.6.3 Study by Tu, Z.L. & Yuan, Y.F. (2012)
2.7 Proposed Theoretical PMT Model
2.7.1 Selected Constructs
2.7.2 Determining Relationships between Constructs
2.7.3 The Proposed Protection Motivation Model and Hypotheses
2.8 Operational Definitions
2.9 Conclusion
CHAPTER 3 SURVEY RESEARCH DESIGN
3.1 Population and Sampling
3.2 Protocol for Survey
3.3 Questionnaire Construction and Scale
3.3.1 Questionnaire Construction
3.3.2 Measuring Scale
3.4 Validity and Reliability Testing
3.4.1 Internal Validity Testing
3.4.2 Reliability Testing
3.5 Data Analysis
3.6 Conclusion
CHAPTER 4 DEMOGRAPHICS AND BEHAVIOURS OF THAI SMARTPHONE USERS
4.1 Smartphone Users in Thailand
4.1.1 Demographic data of Smartphone Users in Thailand
4.1.2 Demographic data of Smartphone Users by Region
4.2 Behaviours of Thai Smartphone Users
4.2.1 Overall General Behaviours of Thai Smartphone Users
4.2.2 General Behaviours of Smartphone Users by Region
4.2.3 General Behaviours of Smartphone Users by Age
4.3 Overall Means of Constructs of Protection Behaviour Model
4.4 Compare Means of Constructs of Protection Behaviours Model
4.4.1 Means of Constructs by Gender
4.4.2 Means of Constructs by Age
4.4.3 Means of Constructs by Region
4.4.4 Means of Constructs by Virus Infection
4.4.5 Means of Constructs by Using Public Wi-Fi
4.4.6 Means of Constructs by Using Money Transfer Services via Smartphones
4.5 Conclusion
CHAPTER 5 THE PMT MODEL OF THAI SMARTPHONE USERS
5.1 Testing Hypotheses for the Proposed Theoretical Model
5.2 Preparing the Model with AMOS Software
5.3 Testing Basic Assumptions of Structural Equation Modeling
5.3.1 Valid Sample Size for Structural Equation Modeling
5.3.2 Normality of Distribution of Data
5.4 Testing the Goodness of Fit of the Model
5.4.1 Goodness of Fit of the Measurement Model
5.4.2 Goodness of Fit of the Structural Equation Modeling
5.5 The Result PMT Model of Thai Smartphone Users
5.5.1 Results of Testing Hypotheses and the Final Model
5.5.2 Direct and Indirect Effects among PMT Constructs
5.6 Conclusion
CHAPTER 6 SUMMARY AND ANSWERS OF RESEARCH QUESTIONS
6.1 Recap of Objectives and Methodology
6.2 Summary of the Results
6.2.1 Answer for Research Question #1.1
6.2.2 Answer for Research Question #1.2
6.2.3 Answer for Research Question #2.1
6.2.4 Answer for Research Question #2.2
6.2.5 Answer for Research Question #3.1
6.2.6 Answer for Research Question #3.2
6.2.7 Answer for Research Question #3.3
6.2.8 Answer for Research Question #4.1
6.2.9 Answer for Research Question #4.2
6.3 Conclusion
CHAPTER 7 DISCUSSION, CONCLUSION, AND RECOMMENDATION
7.1 Discussion and Conclusion
7.1.1 Smartphone Threats and Trend
7.1.2 Computer Security Incident Response Team
7.1.3 Secured Telecommunication Network for Smartphone
7.1.4 Protection Behaviour Model of Thai Smartphone Users
7.1.5 Factors’ Impact Values on Protection Behaviour
7.1.6 Groups with Low Protection Motivation and Behaviour
7.1.7 Increasing Protection Behaviour of Smartphone Users
7.2 Recommendations
7.3 Suggestions for Future Studies
BIBLIOGRAPHY
APPENDIX
APPENDIX A Questionnaire (THAI)
APPENDIX B Questionnaire (ENGLISH)
APPENDIX C Mean Difference Test
APPENDIX D Confirmatory Factor Analysis
APPENDIX E Structural Equation Modeling Analysis
APPENDIX F Examples of Increasing Self-efficacy and Social Influences for Smartphone Users
LIST OF TABLES
Table 2.1: Threats against Smartphones
Table 2.2: Symptoms of Smartphone Malwares
Table 2.3: Security Dimensions and risk Mitigations
Table 2.4: Summary of Constructs from Reviewed Theories and Related Studies
Table 2.5: Selected Constructs and References
Table 2.6: Relationships between Constructs and References
Table 2.7: Hypotheses for Testing the Theoretical Model
Table 3.1: Questionnaire Construction
Table 3.2: Result Interpretation Table
Table 3.3: Reliability of the Questionnaire
Table 4.1: Demographic Data of the Samples
Table 4.2: Number and Percentage of Sample’s Gender by Region
Table 4.3: Number and Percentage of Sample’s Age by Region
Table 4.4: Number and Percentage of Sample’s Education by Region
Table 4.5: Number and Percentage of Sample’s Education by Region
Table 4.6: Number and Percentage of Sample’s Monthly Income by Region
Table 4.7: Number and Percentage of Sample’s Behaviour in Using Smartphone
Table 4.8: Number and Percentage of Preferred Phone Service by Region
Table 4.9: Number and Percentage of Operating System Usage by Region
Table 4.10: Number and Percentage of Phone Loss by Region
Table 4.11: Number and Percentage of Phone Infected by Virus by Region
Table 4.12: Number and Percentage of People who Use Public Wi-Fi by Region
Table 4.13: Number and Percentage of People who Transfer Money through their Phones by Region
Table 4.14: Number and Percentage of Phone Service Usage by Age
Table 4.15: Number and Percentage of Operating System Usage by Age
Table 4.16: Number and Percentage of Phone Loss by Age
Table 4.17: Number and Percentage of Phone Infected by Virus by Age
Table 4.18: Number and Percentage of People who Use Public Wi-Fi by Age
Table 4.19: Number and Percentage of People who Transferred Money by Phone
Table 4.20: Protection Behaviour Constructs of Smartphone Users in Thailand
Table 5.1: Null and Alternative Hypotheses for Testing the Theoretical Model
Table 5.2: Variables Used in the Hypothesized Model
Table 5.3: Number of Parameters of the Hypothesized Model
Table 5.4: Skewness and Kurtosis of Data
Table 5.5: Goodness of Fit Statistics of the Measurement Model
Table 5.6: Goodness of Fit Statistics for Structural Equation Modeling
Table 5.7: Relationships among Variable of the Hypothesized Model
Table 5.8: Summary of the Testing Hypothesis Ha – Hk
Table 5.9: Direct and Indirect Effects among Variables of the Model
Table 6.1: Summary of Threats Caused by Attackers
Table 6.2: Cyber Threats and Effects Caused from User’s Unawareness
Table 6.3: Summary of General Behaviours of Smartphone Users by Region
Table 6.4: Summary of General Behaviours of Smartphone Users by Age
Table 6.5: Summary of Overall Means of the Model’s Constructs
Table 6.6: Summary of Mean Comparisons of the Model’s Constructs
Table 6.7: Total Effects on Protection Behaviour Construct
Table 7.1: Summary of the Recommendations
LIST OF FIGURES
Figure 1.1: Workflow of this study
Figure 2.1: New Mobile Malware Threat Statistics
Figure 2.2: Distribution of Attacks by Malware Types (August 2013 – July 2014)
Figure 2.3: Thailand Computer Emergency Readiness Team (ThaiCERT)
Figure 2.4: Incident Survey
Figure 2.5: CIA Triad
Figure 2.6: ITU X.805 Framework
Figure 2.7: Cognitive Process of Protection Motivation Theory
Figure 2.8: The Variance Theory View of TTAT
Figure 2.9: The Proposed Research Model of Srisawang et al. (2015)
Figure 2.10: The Proposed Research Model of Tu, Z.L. & Yuan, Y.F. (2012)
Figure 2.11: The Proposed Protection Motivation Model
Figure 2.12: The Proposed Theoretical Model of this Study
Figure 4.1: Percentage of Demographic Data
Figure 4.2: Percentage of Sample’s Gender by Region
Figure 4.3: Percentage of Sample’s Age by Region
Figure 4.4: Percentage of Sample’s Education by Region
Figure 4.5: Percentage of Sample’s Education by Region
Figure 4.6: Percentage of Sample’s Monthly Income by Region
Figure 4.7: Overall Behaviour of Smartphone Users
Figure 4.8: Percentage of Phone Service Usage by Region
Figure 4.9: Percentage of Operating System Usage by Region
Figure 4.10: Percentage of Phone Loss by Region
Figure 4.11: Percentage of Smartphones Infected by Virus in Each Region
Figure 4.12: Percentage of People who Use Public Wi-Fi by Region
Figure 4.13: Percentage of People who Transferred Money through their Phones by Region
Figure 4.14: Percentage of Phone Service Usage by Age
Figure 4.15: Percentage of Operating System Usage by Age
Figure 4.16: Percentage of Phone Loss by Age
Figure 4.17: Percentage of Phone Infected by Virus of Each Age Group
Figure 4.18: Percentage of People who Use Public Wi-Fi by Age
Figure 4.19: Percentage of People Who Transferred Money by Phone
Figure 4.20: Behaviours of Smartphone Users
Figure 4.21: Gender of Samples
Figure 4.22: Comparison of the Model Constructs by Gender
Figure 4.23: Age of Samples
Figure 4.24: Comparison of the Model Constructs by Age
Figure 4.25: Smartphone Users in BKK & Metropolitan and Upcountry
Figure 4.26: Comparison of the Model Constructs by Region
Figure 4.27: Number of People whose Phones were Infected with Malware
Figure 4.28: Comparison of Constructs between People whose Phones were Infected with Malware and those who were not
Figure 4.29: Number of People who Used Public Wi-Fi
Figure 4.30: Comparison of Constructs between People who Used Public Wi-Fi and who did not
Figure 4.31: Number of People who Transfer Money via Phones
Figure 4.32: Comparison of Constructs between People who Transfer Money via Smartphone and who did not
Figure 5.1: Theoretical Model for Testing
Figure 5.2: Theoretical Model Created by The AMOS Software for Testing
Figure 5.3: Test of Fitness of the Measurement Model
Figure 5.4: Test of Fitness of the Structural Equation Model
Figure 5.5: Result Model
Figure 6.1: Mobile Malware Attack During August 2013 – July 2014
Figure 6.2: Summary of the Demographic of this Study
Figure 6.3: Summary of the Behaviours of Thai Smartphone Users by Region
Figure 6.4: Behaviours of Smartphone Users by Region
Figure 6.5: Behaviours of Smartphone Users by Age
Figure 6.6: Overall Mean of Model’s Constructs
Figure 6.7: Mean Difference of Construct by Gender
Figure 6.8: Mean Differences of Constructs by Age
Figure 6.9: Mean Differences of Protection Behaviour by Age
Figure 6.10: Mean Differences of Self-efficacy by Age
Figure 6.11: Mean Difference of Constructs by Region
Figure 6.12: Mean Difference of Constructs by Malware Infection
Figure 6.13: Mean Difference of Constructs by Using Public Wi-Fi
Figure 6.14: Mean Difference of Constructs by Transferring Money via Phone
Figure 6.15: The Result Model of This Study
Figure 6.16: Total Effects on Protection Behaviour Constructs
Figure 7.1: The Result Model
ACRONYMS AND SYMBOLS
Symbol Meaning
n Number of Sample
X Mean
% Percentage
sd Standard Deviation
F Statistical F Value
t Statistical t Value
p Probability
Sig. / p-value Significance Level
* Statistical Significance at .05 Level
** Statistical Significance at .01 Level
df Degree of Freedom
Beta Coefficient
ANOVA Analysis of Variance
DTACT DTAC & DTAC Trinet
BKK Bangkok
WI-FI Wi-Fi (Wireless Fidelity)
CHAPTER 1
INTRODUCTION
Thailand has one of the highest smartphone penetration rates in Southeast Asia (National
Statistical Office of Thailand, 2014). Research is therefore needed to
understand the potential vulnerability of smartphone users in Thailand. This research
addressed this need by focusing on understanding the state of cyber awareness and
behaviours of Thai smartphone users with respect to the protection of their devices from
cyber threats. The research also investigated the cybersecurity measures provided by the
governmental agency for internet users.
As telecommunication services provide the communication channels for smartphones,
any weakness in the network can compromise the entire communication flow. Thus,
this study also investigated these issues and recommends a secure telecommunication
network to increase the security of smartphone users against cyber threats. Both quantitative
and qualitative methodologies were applied in this study. The results of the study indicate
the essential awareness and behaviours of Thai smartphone users that need to be
focused on.
Finally, recommendations are provided for increasing the cybersecurity capacity of the Thai agency in
dealing with cyber threats, and for the appropriate security standard that should be implemented
in the telecommunication network.
1.1 Background of the Study
Today’s world is undergoing an age of transformation in which more and more people
and devices are interconnected. The fundamental changes that have brought about this
development are mainly due to the availability of high-speed Third Generation (3G) and
Fourth Generation (4G) telecommunication networks, and the advancement of
powerful and user-friendly portable devices that allow easy access to the Internet,
making the worldwide network of information accessible almost anytime and
anywhere.
A smartphone is essentially a mini computer capable of making high-quality calls,
taking photos, sharing data and location information, downloading new applications
and providing on-demand access to information from the Internet. The smartphone is
becoming an around-the-clock companion that provides online access, and it has become an
essential element of modern societies. However, as users share every detail, such as
their whereabouts and what they do, on social media, the factor most overlooked is
that the smartphone also presents a single point of attack: anyone with access to a user’s smartphone
may be able to acquire a lot of personal information about the user’s behaviours and
activities. This could subsequently lead to illegal or criminal acts such as identity theft.
In Thailand, the number of smartphone users obtained from a survey in 2015 was
estimated at 42.8 M (Thailand Mobile Landscape, 2015). Given the amount of cyber
risk associated with smartphones and the lack of awareness of the topic, a study is
needed to gauge the actual awareness of the Thai population
towards cyber security in smartphone usage, by analyzing their behaviours, the
protection measures being put in place, and the level of awareness towards the utilization
of possible security practices. With such information, it will be possible to provide a
clearer picture of the situation and to recommend the appropriate ways forward on what
government agencies or related organizations can best do in order to develop successful
cyber defence policies that will help to reduce the risks from cyber threats for
smartphone users.
1.2 Statement of the Problem
The number of mobile internet subscriptions via smartphone, tablet or any other device
with a cellular connection is expected to reach around 550 million by the end of 2022 (Ericson,
2016). As more and more people rely on daily use of smartphones, cyber threats are
now increasingly targeting smartphone users (Ruggiero & Foote, 2011). The cyber security
landscape has thus changed, and the focus needs to be shifted towards
smartphones in addition to computers and laptops.
The majority of research has been conducted on the technical aspects of security,
whereas limited research has been conducted on the weakest link of the chain, which is
the people (Hong et al., 2015). In particular, little has been done on the
subject of how smartphone users in Thailand should adopt security processes to protect
themselves from cyber threats.
In order to bridge these gaps, this study was conducted based on the
Protection Motivation Theory (PMT) model developed by Roger (1983). The model
focuses on studying patients’ fear appeals that affect their intentions and behaviour in
protecting themselves from ailments and diseases. Recently, the PMT has been applied
to a study on information system security (Choobineh et al., 2007). The PMT can
explain the security behaviours of users, and it provides a theoretical explanation as to why
people intend to perform secure behaviours in detecting and preventing
cyber threats to their computers (Crossler, R. E., 2010).
In this research, the PMT model was adopted as the base theory to study the cyber risks
associated with smartphone users in Thailand. The aim of this study was to evaluate the
strengths and weaknesses of the fear appeals of Thai smartphone users that influence their
intentions and behaviours in protecting their phones from cyber threats.
1.3 Objectives of the Study
This study is designed to gain insights into smartphone threats, levels of security
measures adopted, and users’ behaviours, with an aim to promote successful changes
and developments in using smartphones in Thailand. The main purpose of this study is
to investigate the cyber threats and security in Thailand, law and regulations, security
handlings, and the awareness and behaviours of smartphone users in Thailand. The
study is divided into four objectives below so as to meet the above-mentioned purpose:
1) to investigate cyber threats on smartphones and trends;
2) to investigate cybersecurity handlings for smartphone users in Thailand;
3) to investigate general behaviours and protection behaviours of Thai
smartphone users; and
4) to analyze the causal relationship among constructs of the proposed
protection behaviour model.
1.4 Research Questions
In order to achieve the objectives of this study, the following research questions and
sub-questions are established:
1) Research Questions for Objective #1, “to investigate cyber threats on
smartphones and trends”:
   1.1) “What are the types of cyber threats that smartphone users are confronting?”
   1.2) “What are the statistics on malware attacks on smartphones and trends in the
   future?”
2) Research Questions for Objective #2, “to investigate cybersecurity handlings for
smartphone users in Thailand”:
   2.1) “Which organizations handle cybersecurity in Thailand?”
   2.2) “What should telecommunication network operators in Thailand do to handle
   cybersecurity for smartphones?”
3) Research Questions for Objective #3, “to investigate general behaviours and
protection behaviours of Thai smartphone users”:
   3.1) “What are the demographics of smartphone users in Thailand?”
   3.2) “What are the general behaviours of Thai people in using smartphones?”
   3.3) “What are the protection behaviours of Thai smartphone users?”
4) Research Questions for Objective #4, “to analyze causal relationship among constructs of the
proposed protection behaviour model”:
   4.1) “What is the protection behaviour model of Thai smartphone users?”
   4.2) “What are the degrees of direct and indirect effects between constructs of the
   protection behaviour model of Thai smartphone users?”
1.5 Research Methodology
This study used a mixed-method approach comprising a qualitative study and a
quantitative study, together with data collection and analysis. For the qualitative study,
related documents and literature were reviewed, and key issues were drawn out in order
to answer Research Questions #1 and #2 of this study. The quantitative study was aimed
at answering Research Questions #3 and #4. In this part, survey research was conducted
and the collected data were then analyzed with a statistical software package.
1.6 Significance of the Study
This study is important and significant for two reasons. First, results from this study
contribute broad knowledge with regard to the cyber threats targeting smartphones in
Thailand, the security handling practices of relevant organizations, and what
network or telecommunication operators should do in order to provide protection for
smartphone users in Thailand. Second, the study aimed to provide in-depth
knowledge about Thai smartphone users’ security perceptions and behaviours, and the
differences based on demographic distributions such as gender, age, income,
occupation and residence location. In addition, this study also aimed to establish the
causal relationship among various perceptions related to the security and protection
behaviours of smartphone users in Thailand. The findings of this study therefore
provide detailed insights and recommendations for the government and network
operators that could lead to improved security for smartphone users in Thailand.
1.7 Benefits of the Study
The overall benefits of this study include availability of detailed knowledge and
recommendations on secure smartphone usage in Thailand. To elaborate further, the
benefits of this study can be summarized in three areas:
1) Academic-related benefits: The insight gained from this study will provide a
broad view of cyber security awareness relating to smartphone usage among the
population in Thailand and contribute towards the identification of the current cyber
threat landscape in Thailand, how it is handled, and in what context it relates
to smartphone users. The results obtained from this study will have a direct impact on
the wider community, allowing researchers to further the field of cyber security and
enabling government policy makers to compare with smartphone users in other
countries when creating or fine-tuning their policies to best match the requirements for
alleviating the risks faced by the country;
2) Application-related benefits: Results obtained from this study will allow an
understanding of the causal factors that impact the protection behaviours of
smartphone users. This will allow models to be built to assess the protection
behaviours of smartphone users at periodic points in order to find the
strongest and the weakest links, allowing measurements based on empirical data by
comparing different types of data such as district or provincial area, gender, education
level and other factors. This study will also allow researchers to develop software that
can assess risky patterns of behaviour, alert users to such behaviours,
and steer them towards safer environments of usage; and
3) Policy-related benefits: Administrators can set policies or guidelines to
modify the behaviours of smartphone users in Thailand in order to avoid threats by
addressing behavioural weaknesses and closing gaps that
attackers could exploit. These policies or guidelines will reduce risks
in Thailand and leave the country less exposed to cyber security risks.
1.8 Scope of the Study
In order to gain the benefits, this study has focused on specific content, area of study
and time frame as follows:
1) Content: This study focused on cyber threats and security handlings in
Thailand. It also focused on the general behaviours and protection behaviours from
cyber threats among the smartphone users;
2) Area of study: This study covered six regions of Thailand, including Bangkok
and metropolitan area, central region, northern region, north-eastern region, eastern
region, and southern region; and
3) Time frame: This study was conducted from July 2015 to December 2016.
1.9 Limitations of this Study
Smartphones as mobile communication devices have gained popularity in the world,
including Thailand. Statistics in 2015 showed that the ages of Thai smartphone users
range from 6 to over 60 years old, and the majority of smartphone users are
between 15 and 59 years old (Veedvil, 2015). For the sake of data gathering and
to exclude minors, the participants in this study are those between 18 and 60 years
old only.
1.10 Workflow of this Study
This study is composed of two main parts: a qualitative study and a non-experimental
quantitative study. In the qualitative study, relevant documents and information were
reviewed, and the key issues were drawn out and categorized into themes. For the
quantitative study, the researcher reviewed the related theories and proposed a
theoretical model. The model was then tested against empirical data with the use of
statistical software. Findings from both parts were then integrated as outcomes from
this study.
The study began with the issues of interest, for which related data were gathered using
qualitative and quantitative methods. These data were subsequently analyzed and
synthesized as outcomes. Details of the workflow in this study are shown in Figure 1.1.
Figure 1.1: Workflow of this study
[Flow diagram with five stages:
Interested Issues: current cyber threats; security handlings for smartphone users in Thailand; behaviours of smartphone users in protecting themselves from cyber threats.
Data Collection: qualitative method (use record form to collect data from related documents); quantitative method (use survey questionnaire to collect demographic data and behaviours of smartphone users in Thailand).
Data Analysis: document analysis; 1) descriptive statistics, 2) t-test and ANOVA, 3) Structural Equation Modeling.
Outputs: current cyber threats on smartphones and trends; cybersecurity handling for smartphone users in Thailand; demographic of Thai smartphone users; perceptions and behaviours of Thai smartphone users; degrees of effects of factors towards protection behaviours of Thai smartphone users.
Outcomes: recommendations for improving cybersecurity for Thai smartphone users.]
1.11 Organization of Thesis
This document is divided into six chapters as described below.
Chapter 1 Introduction - This chapter mainly includes the background of this study,
objectives, research questions and methodologies used, the significance and benefits of
this study, scope, assumptions, and definition of terms. This chapter also describes the
research design and limitations of this study.
Chapter 2 Cyber Threats, Cybersecurity and PMT Model - This chapter depicts cyber
threats and security on smartphones and the agency that handles cybersecurity in
Thailand. It also introduces a standard for telecommunication networks that can increase
security for smartphones. Moreover, the chapter reviews the concept of the PMT model and
the related literature that adopted this concept to investigate the fear appeal of
internet users. At the end of this chapter, a conceptual framework is created and the
theoretical PMT model is proposed for studying behaviours of Thai smartphone users in
securing their phones from cyber threats.
Chapter 3 Survey Research Design - This chapter describes details of the survey
methodology, tools, and analysis. It includes information on the target groups for
sampling, sample size, instrument design, validity and reliability testing, and data
analysis used in this study.
Chapter 4 Demographic and Behaviours of Thai Smartphone Users - This chapter
contains the survey findings, including the descriptive results of the demographics and
behaviours of smartphone users. In addition, comparisons of the perceptions of the
PMT’s constructs among different categories of Thai smartphone users are discussed
in this chapter.
Chapter 5 The PMT Model of Thai Smartphone Users - This chapter analyzes the
causal relationships among the variables in the theoretical PMT model, including
demonstrations of the goodness of fit of measurement in the model and a structural
equation model based on empirical data. The statistically significant relationships
between constructs of the theoretical PMT model are shown here. Lastly, the final PMT
model with significant relationships is given, together with the calculated degrees of
direct and indirect effects of factors in the PMT model.
Chapter 6 Research Summary - This chapter contains a review of the research objectives,
methodologies used in this study, and the answers to the research questions.
Chapter 7 Discussion, Conclusion and Recommendation - This chapter discusses all
the findings with respect to the literature and also provides recommendations and
suggestions for further study.
1.12 Definitions of Terms
Cybersecurity: The ability to protect or defend the use of cyberspace from cyber-
attacks (Kissel, 2013).
Cyber threat/attack: An attack, via cyberspace, targeting an enterprise’s use of
cyberspace for the purpose of disrupting, disabling, destroying, or maliciously
controlling a computing environment/infrastructure; or destroying the integrity of the
data or stealing controlled information (Kissel, 2013).
Mobile device: A mobile device is a general term for any type of portable computing
device such as a smartphone or tablet computer (English Oxford Living Dictionary, 2016).
Smartphone: A mobile phone that serves as both a communication and computing
device with information storage capability (adapted from Kissel, 2013). It performs
many of the functions of a computer, typically having a touchscreen interface, Internet
access, and an operating system capable of executing downloaded application programs
(English Oxford Living Dictionary, 2016).
Protection Motivation Theory: Protection Motivation Theory (PMT) is the model
that describes how people can protect themselves from threats through four factors: (1)
perceiving severity of a threatening event; (2) perceiving vulnerability of the
occurrence; (3) responding to the recommended preventive behaviour; and (4)
perceiving self-efficacy (Rogers, 1975).
1.13 Conclusion
This chapter provided the background to this thesis, a statement of the problem,
objectives of the research and formulation of the research questions, together with the
constraints of this research. In the next chapter, the theories and related literature,
including the concepts of cyber threats and cyber security, cybersecurity agencies,
secured telecommunication networks, and the concept of PMT, are reviewed. Subsequently,
the conceptual framework and theoretical PMT model of this study are established.
CHAPTER 2
CYBER THREATS, CYBERSECURITY AND PMT MODEL
This chapter reviews the concepts of cyber threats and cybersecurity, the organization
that handles cybersecurity in Thailand, and secured telecommunication networks.
Moreover, theories and literature related to Protection Motivation Theory (PMT) are
also covered in this chapter. The latter part of this chapter discusses the constructs
and their relationships in the proposed theoretical model, based on the PMT model, for
testing with the empirical data.
2.1 Concepts of Cyber Threats and Cyber Security
Cyber threats denote possible danger that may exploit vulnerabilities in a system in
order to breach security and cause potential damage to processing equipment such
as computers and mobile devices. A threat can be either "accidental", such as a
computer malfunction or natural disaster; or "intentional", such as hacking or stealing
of the device (Shirey, 2000). Cyber threats, especially intentional ones, intensify
along with the increased uptake of new technologies, and they have become a focal point
for cybercrime.
Cybersecurity is the protection of information systems from theft or damage to
the hardware, software, and the information processed by or stored in them.
Cybersecurity also means freedom from disruption or misdirection of the services
provided by computer systems (Gasser, 1988). Cybersecurity includes controlling
physical access to the hardware, as well as protecting the system against harm that may
originate via network access, data and code injection (PC Mag, 2015). The threats may
also be due to malpractice by the operators, whether intentional, accidental, or due to
the operators being tricked into deviating from secure procedures (Rouse, 2015). The
field is of growing importance due to the increasing reliance on computer systems and
the Internet in almost every modern society (Tate, 2013).
2.2 Cyber Threats on Smartphones and Trends
2.2.1 Types of Cyber Threats and Effects
Cyber threats can occur in many forms which can cause damage to the economic,
financial and business systems, and critical infrastructure of any country, including
Thailand. Cyber threats can involve sabotage of or espionage against essential data, and
they range from releasing false information and discrediting individuals or
organizations by spoofing news releases to destroying a server’s operating system,
personal computers, or mobile devices. Cyber threats can be caused by any perpetrators
or cybercriminals who want to benefit from these illegal activities.
Currently, mobile devices have computation capabilities comparable to personal
computers. Moreover, smartphones have gained huge popularity and they have
outsold personal computers (Canalys, 2012). However, smartphones generally lack
security measures and they have become targets of perpetrators (Ruggiero, P. &
Foote, J., 2011).
According to Jeon, W. et al. (2011) who authored “A Practical Analysis of Smartphone
Security”, existing cyber threats of smartphones can be categorized into two groups:
threats caused by attackers, and threats caused by users’ unawareness of security.
Details of such threats are shown in Table 2.1.
Table 2.1: Threats against Smartphones
| Threats | Descriptions |
|---|---|
| Threats Caused by Attackers | |
| Malware Attack | Attacks that can change or illegally access private information in the smartphone, risk or affect availability by meaningless operations such as random code execution, or abuse costly services and functions. |
| Wireless Network Attack | Attacks that can corrupt smartphones, or block or modify information on the wireless network by sniffing, spoofing, or eavesdropping. |
| Denial of Service | Attacks that can risk availability of the smartphone through denial of service attacks on base stations, wireless networks, or web servers, or that interfere with smartphones by using radio interference. |
| Break-in Attack | Attackers gain partial or full control over the target smartphones by using flawed code, code injection or abuse of logic errors. |
| Threats Caused by User Unawareness | |
| Malfunction | The smartphone users unintentionally disable applications or cause them to malfunction through mistakes or inappropriate configurations. Besides, smartphone applications can themselves malfunction due to incompatibility between platforms and applications. |
| Phishing | The users unintentionally expose private information in their devices due to access of phishing sites, messenger phishing, or SMS phishing. |
| Phone Theft/Loss | Smartphones can be lost or stolen. |
| Platform Alteration | The user alters his/her smartphone platform intentionally (e.g. jailbreaking an iPhone, rooting an Android phone). |
Source: Rewritten from Jeon, W. et al. (2010: 315)
2.2.2 Statistic of Malware Attacks on Smartphones and Trend
Over the years, there has been a dramatic increase in the number of new malware, as
well as increase in its sophistication and complexity. The McAfee Mobile Threat Report
2016 by Snell & Bruce, as shown in Figure 2.1, depicts the increasing number of
malware between year 2014 and 2015.
Figure 2.1: New Mobile Malware Threat Statistics
Source: http://www.mcafee.com/us/resources/reports/rp-mobile-threat-report-2016.pdf
The above figure shows that the number of new malware had increased dramatically.
By the end of Q4 in 2015, the number of new malware had tripled since 2014.
Moreover, Kaspersky Lab reported that, in the year 2015, there were 2,961,727
malicious installation packages worldwide and 884,774 were new malicious mobile
programs, which was a threefold increase from the year 2014. This was in addition to
7,030 mobile banking Trojans. Kaspersky Lab also stated that there was a rise in the
number of malicious attachments that users are unable to delete, ransomware, programs
using super-user rights to display aggressive advertising, and cybercriminals actively
using phishing windows to conceal legitimate applications (Snell & Bruce, 2016).
A survey conducted by Kaspersky Lab also disclosed the top 10 most widespread
types of malware attacks during August 2013 – July 2014 (Kaspersky Lab, 2014), and they
are shown in Figure 2.2.
Figure 2.2: Distribution of Attacks by Malware Types (August 2013 – July 2014)
Source: Kaspersky Lab and INTERPOL Joint Report, October 2014.
The above figure shows the distribution of malware attacks during August 2013 to July
2014. Trojan-SMS was the most widespread malware, accounting for 57.08%
of all attacks. Next was RiskTool, which accounted for 21.52%, followed
by AdWare (7.37%), Trojan (3.33%), Monitor (2.72%) and Backdoor (2.51%).
Symptoms of these malware types are shown in Table 2.2.
Table 2.2: Symptoms of Smartphone Malwares
| Malwares | Symptoms |
|---|---|
| Trojan SMS | Infected smartphones keep sending text messages to premium-rate SMS numbers. |
| RiskTool | Concealing files in the system, hiding the mobile device’s running applications, or terminating active processes. |
| AdWare | Automatically displays or downloads advertising material (often unwanted) when the mobile device is online. |
| Trojan | Enables cyber-criminals to spy on the mobile devices, steal sensitive data, and gain backdoor access to the system. It also deletes data, blocks data, modifies data, copies data, or disrupts the performance. |
| Monitor | Unauthorized access to the system or program by using someone else's account or other methods. |
| Backdoor | Exploits the system by bypassing security mechanisms of the mobile device. |
| Trojan-Banker | Gains access to confidential information stored or processed through online banking systems. |
| Exploit | An exploit is an attack on a system, especially one that takes advantage of a particular vulnerability that the system offers to intruders. |
| HackTool | Generates keys for illegitimately-obtained versions of different applications. It may also download harmful files and deteriorate the system performance. |
| Trojan-Downloader | Downloads additional malware onto the infected mobile device. |
Source: Kaspersky Lab and INTERPOL Joint Report, October 2014.
2.3 Smartphone Threats Handling in Thailand
2.3.1 Organization Handling Cyber Threat in Thailand
Cyber threat surveillance and response teams are groups of experts that handle computer
security incidents. These teams are commonly recognized as the Computer Security
Incident Response Team (CSIRT) or the Computer Emergency Readiness Team
(CERT). The CERT organization is a part of the Software Engineering Institute
operated by Carnegie Mellon University, United States of America. This team provides
the necessary services to handle cyber threats and support its members (constituents) to
recover from security breaches. It provides appropriate technologies and practices in
order to (1) resist attacks on networked systems, (2) limit damage to the devices and
networks, and (3) ensure continuity of critical services even though the systems have
been attacked (CERT, 2016).
In Thailand, the organization that is responsible for cybersecurity is ThaiCERT (Thailand
Computer Emergency Readiness Team). ThaiCERT is also the Computer Security
Incident Response Team (CSIRT) of Thailand. The organization was founded in 2000
by the National Electronics and Computer Technology Center (NECTEC) under the
Ministry of Science and Technology. Presently, ThaiCERT is part of the Electronic
Transactions Development Agency (ETDA) under the supervision of the Ministry of
Information and Communication Technology (MICT).
Figure 2.3: Thailand Computer Emergency Readiness Team (ThaiCERT)
Source: ThaiCERT Annual Report 2013 by Wayuparb, S. et al. (2013)
ThaiCERT is responsible for providing incident response to computer security threats.
It provides an official trusted point of contact for dealing with computer security
incidents. ThaiCERT has conducted various activities by collaborating with public and
private organizations, universities, Internet Service Providers (ISPs) and other
relevant entities to strengthen the integrity of important internal processes and
infrastructure, and to safeguard cybersecurity for government agencies and the general
public. Moreover, the team gives necessary support and advice on solutions to threats,
follows up on actions, and disseminates news and updates on computer security,
including mobile security, to the public.
2.3.2 Security on Mobile Telecommunication Network
2.3.2.1 Introduction of Telecommunication Services in Thailand
The major mobile operators in Thailand are AIS, DTAC, and True Move. There is a
total of 93.6 million mobile subscribers, with non-voice (data packet) revenue
accounting for 59% of the operators’ total revenue stream. The 2G network has been
officially phased out in Thailand, with current subscribers predominantly on 4G
services in large cities and 3G in remote areas. The main difference between 3G and 4G
is speed, as 4G provides broadband services to mobile phones.
2.3.2.2 Risks of Telecommunication Network in Thailand
Telecommunication network providers in Thailand operate and manage the complex
network infrastructures used by users for voice and data services, with every
communication traversing the telecommunication networks. Therefore, these
networks and systems store and process vast amounts of sensitive information, making
them a top target for cyber attacks. The following provides an overview of a survey,
conducted by PWC in 2013, on the types of incidents that occurred in telecommunication
networks.
Figure 2.4: Incident Survey
Source: Redrawn from PWC (2013)
[Bar chart "Types of incident survey"; horizontal axis from 0 to 30. Categories: Network Exploit, Application Exploit, Removable Storage Exploit, Data Exploited, System Exploit, Mobile Device Exploit.]
As indicated in the survey, one of the most exploited incident types is network-related
issues. This is one of the least understood areas, as a mobile telecommunication network
consists of two layered networks, namely the access and core networks. Access networks
are edge networks where mobile devices (i.e., mobile users) connect to the
telecommunication system. The mobile core network plays the most important role in the
mobile telecommunication system since every access network is attached to the core. Thus,
vulnerabilities in the core network could severely affect the entire telecommunication
network (Chouhan, Gaikwad & Sharma, 2013).
Attacks at the packet core layer, regardless of the technologies used at the access
layer, can be categorised into three domains as shown in Figure 2.5.
Figure 2.5: CIA Triad
Confidentiality - A common form of attack on the packet core network is the
confidentiality attack. A confidentiality attack is usually carried out to steal
information traversing the packet network (Dimitriadis, 2007). This type of attack
allows an attacker to intercept and change data traversing the network in real time.
Availability - Another common type of attack on the packet core network is the
Denial of Service (DoS). A DoS is a highly visible attack and it could cause prominent
damage to the operator’s network (Xenakis, 2008).
Integrity - One more common form of attack is related to integrity. In this form of
attack, data is changed or modified without the consent of the users (Dimitriadis, 2007).
At the mobile packet core level, integrity attacks are generally accomplished by
manipulating the billing information of the subscriber. This type of attack allows an
attacker to target individual subscribers and potentially exploit them for trivial
purposes or bring them into an extensive social engineering scheme.
2.3.2.3 Improving Risks in Mobile Telecommunication Network in Thailand
To improve the security of the mobile core network against the risks related to
confidentiality, integrity and availability, the authors of “A Review of Security Risks
in the Mobile Telecommunication Packet Core Network” (Khera et al., 2013) proposed
the use of the ITU X.805 framework as the reference architecture to secure the mobile
core network. The ITU X.805 network security model provides a set of principles and
recommended guidelines to safeguard the network.
ITU X.805 includes three layers (i.e., application, services, and infrastructure), three
planes (i.e., end user, control, and management planes), eight security dimensions (i.e.,
access control, authentication, non-repudiation, data confidentiality, communication
security, data integrity, availability, and privacy), and five threats/attacks (i.e.,
destruction, corruption, removal, disclosure, and interruption). These can be mapped to
the mobile core network in order to determine whether a network is vulnerable to any
attack listed in the risk domains, to pinpoint where such weaknesses exist, and to
determine how to mitigate the detected risks (Harmantzis & Malek, 2004). Figure 2.6 and
Table 2.3 show the framework and description of ITU X.805.
Figure 2.6: ITU X.805 Framework
Source: ITU-T Recommendation X.805 (2003)
Table 2.3: Security Dimensions and Risk Mitigations
| Dimension | Description | Mitigation | Threats Solved |
|---|---|---|---|
| Access Control | Only allow access to authorized system | Firewall | Destruction, interruption |
| Authentication | Verify the identity of persons on device who observe or modify the data | Network access control system with single sign on service | Disclosure, disruption |
| Non-repudiation | Provide a record that identifies individuals or devices that observed or modified the data | Certificate authority, identity management system | Destruction, corruption |
| Data Confidentiality | Data is confidential and is only readable by authorized person | Encryption such as SSL/VPN | Disclosure |
| Communication Security | Data access and communication is secured | VPN/IPSec Tunnel | Interruption |
| Data Integrity | Data is not changed or modified | Digital certificate | Corruption |
| Availability | Data or access is available | DDoS protection system and backup links | Destruction, removal, interruption |
| Privacy | Privacy | Encryption | Disclosure |
Source: Khera V., Fung C.C., Chaisiri S. (2013).
2.4 Behaviours of Smartphone Users
As users have become more dependent on mobile devices such as smartphones,
they have to be aware of threats and security as they go about their day-to-day
activities. Behaviours of smartphone users play an important role in keeping threats
away from their devices. Behaviours such as keeping the phone’s operating system
updated, using only applications from trustworthy providers, regularly scanning the
phone for malicious software, or using complicated passwords can protect their phones
from cyber threats. For this reason, the rest of this study focuses on the factors that
can increase people’s behaviours in protecting their smartphones from cyber threats, and
the Protection Motivation Theory (PMT) model is used as the base theory of this study.
2.5 Protection Motivation Theory
R.W. Rogers developed the Protection Motivation Theory (PMT) in 1975 and it was later
expanded to a more general theory of persuasive communication in the social psychology
and health domains (Rippetoe & Rogers, 1987). The PMT model is very popular and has been
considered one of the most powerful explanatory theories for predicting an individual’s
intention to engage in protective actions (Anderson & Agarwal, 2010). The PMT is used to
explain that if people perceive a threat as fearful, they will be more cautious and tend
to prevent the possible threat (Humaidi & Balakrishnan, 2012). Originally, PMT was
designed to be used in the health area, to study how people react when diagnosed with
health-related illnesses. Currently, PMT has been extended to other areas of study such as
information security. Many recent studies have used the PMT in predicting an individual’s
computer security behaviours both at home and in organizations
(Srisawang, Thongmak & Ngarmyarn, 2015).
PMT is a concept for understanding the fear appeals of people by focusing on how people
behave and cope during stressful situations (Rogers, 1983). People can be motivated to
take a particular action, or to divert their behaviour, through the threat of impending
danger or harm, by arousing fear (Maddux & Rogers, 1983). PMT describes adaptive and
maladaptive coping with a particular health threat through a process of appraisal of the
health threat and an individual’s assessment of the level of danger posed by a
threatening event (Woon et al., 2005). The process of appraising the coping responses
increases the behaviour that lessens the threat (Boer & Seydel, 1996).
The PMT model consists of the threat appraisal and the coping appraisal, which can
increase the behaviours that protect people from threats (Boer & Seydel, 1996). For
threat appraisal, three factors are used to appraise the threats: (1) the perceived
severity of a threatening event; (2) the perceived probability of the occurrence and the
probability that one will experience harm; and (3) rewards, the positive aspects of
starting or continuing the unhealthy behaviour, such as the psychological pleasure of
continued smoking (Prentice-Dunn & McClendon, 2001).
The model shows that the total amount of threat experienced equals the sum of
severity and vulnerability, minus rewards. For coping appraisal, three factors are used
to evaluate the responsive result: (1) the efficacy of the recommended preventive
behaviour, or response efficacy, which is the effectiveness of the recommended behaviour
in removing or preventing possible harm; (2) the perceived self-efficacy, which is the
belief that one can successfully enact the recommended behaviour (Rogers, 1975); and
(3) response costs, which are associated with the recommended behaviour. Lastly, the
total amount of coping ability that a person can experience is the sum of response
effectiveness and self-efficacy, minus the response costs. The PMT model proposed by
Rogers (1983) is shown in Figure 2.7.
Figure 2.7: Cognitive Process of Protection Motivation Theory
Source: Redrawn from Rogers (1983)
2.6 Related Studies
2.6.1 Study by Liang & Xue (2009)
Liang & Xue (2009) proposed the Technology Threat Avoidance Theory (TTAT) in
“Avoidance of Information Technology Threats: A Theoretical Perspective”, which
explains the preventive behaviours of computer and internet users against cyber
threats. They contended that there are two cognitive processes that motivate users to
protect themselves from threats: threat appraisal and coping appraisal. By
integrating models from three studies: PMT of Rogers (1975 & 1983); Health Belief
Model of Janz and Becker (1984) & Rosenstock (1974); and Risk Analysis Research
of Baskerville (1991 & 1991), Liang & Xue proposed the variance theory view of
TTAT, which consists of three main parts: (1) Threat Appraisal;
(2) Coping Appraisal; and (3) Coping. Threat Appraisal consists of three constructs:
perceived susceptibility, perceived severity and perceived threat. Coping
Appraisal consists of four constructs: Perceived Effectiveness, Perceived
Costs, Self-efficacy, and Perceived Avoidability. Coping consists of three constructs:
Avoidance Motivation, Avoidance Behaviour, and Emotion-focused Coping.
In addition, there are two social environment factors that affect the model: Risk
Tolerance and Social Influence. Details of the model are shown in Figure 2.8.
[Figure 2.7 diagram: Severity + Vulnerability - Rewards gives Threat Appraisal; Response Effectiveness + Self-efficacy - Response Cost gives Coping Appraisal; Threat Appraisal and Coping Appraisal both feed Protection Motivation.]
Figure 2.8: The Variance Theory View of TTAT
Source: Redrawn from Liang & Xue (2009)
The figure above shows the relationships among the constructs and their sub-constructs
and they can be explained as follows:
1) Risk Tolerance and Social Influence affect the threat response of IT users.
2) Threat Appraisal and Coping Appraisal lead to Problem-focused Coping
and Emotion-focused Coping.
3) Perceived Susceptibility and Perceived Severity positively affect the
Perceived Threat.
4) Perceived Effectiveness, Perceived Costs, and Self-efficacy
positively affect the Perceived Avoidability.
5) Perceived Threat positively affects the Avoidance Motivation and the
Emotion-focused Coping.
6) Perceived Avoidability positively affects the Avoidance Motivation and the
Emotion-focused Coping.
7) Avoidance Motivation positively affects the Avoidance Behaviour.
2.6.2 Study by Srisawang, Thongmak & Ngarmyarn (2015)
Srisawang, Thongmak & Ngarmyarn (2015) proposed “Factors Affecting Computer
Protection Behaviour” which is based on the PMT model. Their proposed factors that
affect computer crime protection behaviour (shown in Figure 2.9) include:
(1) Conscientious Personality, individuals’ traits of being painstaking and careful;
(2) Perceived Value of Data, individuals’ perceptions on the value of data in terms of
monetary value and emotional value; (3) Prior Experience, the past experiences of
individuals; (4) Subjective Norm, individual perception on social pressures to perform
or not to perform some things; (5) Security Knowledge, individuals’ knowledge of
computer security; and (6) Safeguard Costs, costs in performing the recommended
behaviour.
Figure 2.9: The Proposed Research Model of Srisawang et al. (2015)
Source: Redrawn from Srisawang, Thongmak & Ngarmyarn (2015)
The model was tested with 600 empirical data samples from participants who used personal
computers at home and in workplaces in Thailand. The results showed that all the factor
variables had significant effects on the computer crime protection behaviour. However,
coping appraisal has a greater impact on protection motivation and protection behaviour
than threat appraisal. The authors also recommended that efforts to motivate users
to protect their computers from threats focus on coping appraisal. Thus,
encouraging individuals’ coping appraisal will increase the degree of protection
motivation and behaviour.
2.6.3 Study by Tu, Z.L. & Yuan, Y.F. (2012)
The study by Tu, Z.L. & Yuan, Y.F. (2012) in “Understanding User’s Behaviours in
Coping with Security Threat of Mobile Devices Loss and Theft” concerned the potential
risks of mobile devices being lost or stolen, and the countermeasures to cope with these
risks. Their study adopted the PMT as the core model of the study. They presented a
framework for analyzing behaviours of mobile device users in coping with the risk of
mobile device loss and theft (shown in Figure 2.10). The model consists of five
constructs: Threat Appraisal, Coping Appraisal, Social Influence, Coping Intention of
Mobile Devices Loss and Theft, and Coping Behaviour of Loss and Theft Threat.
Threat Appraisal has two sub-constructs: Perceived Vulnerability and
Perceived Severity. Coping Appraisal, on the other hand, has four sub-constructs:
Locus of Control, Self-efficacy, Perceived Cost, and Perceived Effectiveness.
Figure 2.10: The Proposed Research Model of Tu, Z.L. & Yuan, Y.F. (2012)
Source: Redrawn from Tu, Z.L. & Yuan, Y.F. (2012)
[Diagram. Boxes: Perceived Vulnerability, Perceived Severity, Locus of Control,
Self-efficacy, Perceived Cost, Perceived Effectiveness, Social Influences, Threat
Appraisal, Coping Appraisal, Intention to Cope with Mobile Devices Loss and Theft, Loss
and Theft Threat Coping Behaviour; the paths between them are marked +.]
According to the model, the authors proposed that the user’s threat appraisal, coping
appraisal, and social influence impact the coping intention of mobile devices loss and
theft, and that coping intention impacts the coping behaviour of loss and theft threat.
Moreover, the threat appraisal is determined by perceived vulnerability and perceived
severity, and the coping appraisal is determined by locus of control, self-efficacy,
perceived cost, and perceived effectiveness.
2.7 Proposed Theoretical PMT Model
2.7.1 Selected Constructs
The proposed model in this research study is established by analyzing and choosing the
essential constructs from the previously reviewed theories and related studies. The
constructs from the PMT and the related literature are listed in two categories:
exogenous variables and endogenous variables. The exogenous variables are independent
variables (IVs) while the endogenous variables can be independent variables and
dependent variables (DVs). Details of the constructs are shown in Table 2.4.
Table 2.4: Summary of Constructs from Reviewed Theories and Related Studies
Theories & Related Studies | Exogenous Variables (IVs) | Endogenous Variables (IVs & DVs)
PMT Model (Rogers, 1983) | 1) Severity; 2) Vulnerability; 3) Rewards; 4) Response Effectiveness; 5) Self-efficacy; 6) Response Cost | 1) Threat Appraisal; 2) Coping Appraisal; 3) Protection Motivation
Avoidance of Information Technology Threats: A Theoretical Perspective (Liang & Xue, 2009) | 1) Perceived Susceptibility; 2) Perceived Severity; 3) Perceived Effectiveness; 4) Perceived Costs; 5) Self-efficacy; 6) Risk Tolerance; 7) Social Influence | 1) Perceived Threat; 2) Perceived Avoidability; 3) Avoidance Motivation; 4) Avoidance Behaviour; 5) Emotion-focused Coping
Factors Affecting Computer Protection Behaviour (Srisawang, Thongmak & Ngarmyarn, 2015) | 1) Conscientiousness Personality; 2) Perceived Value of Data; 3) Prior Experience; 4) Subjective Norm; 5) Security Knowledge; 6) Safeguard Costs | 1) Threat Appraisal; 2) Coping Appraisal; 3) Protection Motivation; 4) Protection Behaviour
Understanding User’s Behaviours in Coping with Security Threat of Mobile Devices Loss and Theft (Tu, Z.L. & Yuan, Y.F., 2012) | 1) Perceived Vulnerability; 2) Perceived Severity; 3) Locus of Control; 4) Self-efficacy; 5) Perceived Cost; 6) Perceived Effectiveness; 7) Social Influence | 1) Coping Intention; 2) Coping Behaviour
Based on the above table, it is observed that most of the constructs from the studies are
similar and are based on the PMT. However, some constructs have slightly different
names yet similar meanings.
With respect to the selection of variables for this study, precedence is given to exogenous
and endogenous variables that basically comply with the PMT, and to their impact on the
appraising abilities of smartphone users in coping with cyber threats. The selected
constructs for this study are: (1) five exogenous variables: Perceived Severity, Perceived
Vulnerability, Social Influence, Self-efficacy, and Response Effectiveness; and (2) four
endogenous variables: Threat Appraisal, Coping Appraisal, Protection Motivation, and
Protection Behaviour. Details of these constructs and the scholars supporting them are
shown in Table 2.5.
Table 2.5: Selected Constructs and References
Selected Constructs | References: Rogers (1983) | Liang & Xue (2009) | Srisawang, Thongmak, Ngarmyarn (2015) | Tu, Z.L. & Yuan, Y.F. (2012)
Perceived Severity / Prior (Threat) Experience
Perceived Vulnerability / Perceived Susceptibility
Social Influence / Subjective Norm
Response Effectiveness / Perceived Effectiveness
Self-efficacy / Security Knowledge
Threat Appraisal / Perceived Threat
Coping Appraisal / Perceived Avoidability
Protection Motivation / Avoidance Motivation / Coping Intention
Protection Behaviour / Avoidance Behaviour / Coping Behaviour
2.7.2 Determining Relationships between Constructs
Next, the relationships between the selected constructs are determined according to
PMT and the related studies. Details are shown in Table 2.6.
Table 2.6: Relationships between Constructs and References
Relationships (Positive Impact) | References: Rogers (1983) | Liang & Xue (2009) | Srisawang, Thongmak, Ngarmyarn (2015) | Tu, Z.L. & Yuan, Y.F. (2012)
Perceived Severity → Threat Appraisal
Perceived Vulnerability → Threat Appraisal
Social Influence → Threat Appraisal
Social Influence → Coping Appraisal
Response Effectiveness → Coping Appraisal
Self-efficacy → Coping Appraisal
Threat Appraisal → Protection Motivation
Threat Appraisal → Protection Behaviour
Coping Appraisal → Protection Motivation
Coping Appraisal → Protection Behaviour
Protection Motivation → Protection Behaviour
2.7.3 The Proposed Protection Motivation Model and Hypotheses
Based on the selected constructs and their relationships found in the previous sections,
the constructs, their descriptions, and the relationships between them are depicted in
Figure 2.11 below.
Figure 2.11: The Proposed Protection Motivation Model
[Diagram: the constructs described below, with the paths between them marked +.]
Perceived Severity - severity of consequences of cyber threats on smartphone
Perceived Vulnerability - probability that one’s smartphone may be attacked
Self-efficacy - belief in one’s ability to execute the recommended courses of action successfully
Response Effectiveness - effectiveness of the recommended behaviour in avoiding the threat
Protection Behaviour - performing the recommended behaviour
Protection Motivation - variable that arouses, sustains and directs protective behaviour
Social Influence - social pressure to perform or not perform a given behaviour
Threat Appraisal - estimation of the chance of contracting a threat and the seriousness of a threat
Coping Appraisal - expectancy that carrying out the recommendation will remove the threat
The proposed theoretical model for testing with empirical data is shown in Figure 2.12.
Figure 2.12: The Proposed Theoretical Model of this Study
[Diagram. Boxes: Perceived Severity, Perceived Vulnerability, Social Influence, Response
Effectiveness, Self-efficacy, Threat Appraisal, Coping Appraisal, Protection Motivation,
Protection Behaviour; the paths between them are labelled Ha+ to Hk+.]
The hypotheses for testing this theoretical model are shown in Table 2.7.
Table 2.7: Hypotheses for Testing the Theoretical Model
Hypotheses Descriptions
Ha+ Perceived Severity has a positive effect on Threat Appraisal
Hb+ Perceived Vulnerability has a positive effect on Threat Appraisal
Hc+ Social Influence has a positive effect on Threat Appraisal
Hd+ Social Influence has a positive effect on Coping Appraisal
He+ Response Effectiveness has a positive effect on Coping Appraisal
Hf+ Self-efficacy has a positive effect on Coping Appraisal
Hg+ Threat Appraisal has a positive effect on Protection Motivation
Hh+ Threat Appraisal has a positive effect on Protection Behaviour
Hi+ Coping Appraisal has a positive effect on Protection Motivation
Hj+ Coping Appraisal has a positive effect on Protection Behaviour
Hk+ Protection Motivation has a positive effect on Protection Behaviour
2.8 Operational Definitions
Operational Definitions for the constructs of this study are as follows:
1) Perceived Severity: Severity of consequences of cyber threats on one’s smartphone
(Adapted from Boer & Seydel, 1996).
2) Perceived Vulnerability: Probability that one’s smartphone may be attacked by
cyber threats (Adapted from Boer & Seydel, 1996).
3) Social Influence: Perceived social pressure to perform or not perform a given
behaviour (Adapted from Ajzen, 1991).
4) Response Effectiveness: Effectiveness of the recommended behaviour in avoiding
the negative consequence (Adapted from Boer & Seydel, 1996).
5) Self-efficacy: The extent that a person can perform the recommended behaviour
successfully (Adapted from Boer & Seydel, 1996).
6) Threat Appraisals: Assessment of the level of danger on my smartphone posed by the
threat (Adapted from Woon et al., 2005).
7) Coping Appraisals: Assessment of one’s ability to cope with and avert the potential
loss or damage resulting from the danger (Adapted from Woon et al., 2005).
8) Protection Motivations: Person’s intention to perform the recommended behaviour
(Adapted from Boer & Seydel, 1996).
9) Protection Behaviour: Performing the recommended behaviour (Adapted from Boer &
Seydel, 1996).
2.9 Conclusion
This chapter provided a model, derived from the PMT theory, for testing the
smartphone user data in Thailand. The next chapter will cover the research design
which includes the research methodologies used in this study, creating and testing the
questionnaire, defining steps for gathering the data, and statistical methods used to
analyze the data.
CHAPTER 3
SURVEY RESEARCH DESIGN
This chapter describes the quantitative methodology used in this study including
population and sampling, questionnaire development and testing, and, data analysis.
3.1 Population and Sampling
To obtain a set of samples that can be generalized to the more than 40 million
smartphone users in Thailand (Digital Advertising Association Thailand, 2015), at least
625 samples are required (at a 4% margin of error; Yamane, 1973). To allow a margin,
a total of 720 samples were used in this study. The cluster sampling technique was
adopted to gather data from six regions of Thailand: Bangkok and metropolitan area,
central and western region, northern, north eastern, eastern and southern. 120 samples
were drawn from large-population provinces in each region. The selected participants
were people who used smartphones in crowded areas, such as shopping malls, schools,
and public or private offices, of the targeted provinces. The ages of the participants
ranged from 18 to 60 years old, and they were divided into 5 groups as follows: 18 – 22
years old, 23 – 30 years old, 31 – 40 years old, 41 – 50 years old and 51 – 60 years old.
The lowest sample age of 18 is the starting age for an individual to register a smartphone
in Thailand. 60 is the official retirement age in Thailand, and the group above 60
provided very limited information about their phone security status. They were
therefore excluded from the survey. The range in between was divided into 5 groups.
18-22 corresponds to most college or university students. 23-30, 31-40, 41-50 and
51-60 are considered to be at different stages of a career, and they largely correspond to
the ranges of income in the survey.
3.2 Protocol for Survey
Protocols of the survey are as follows:
1) The surveyor invited potential participants to take part in the survey study and
distributed the information to them. The information explained the purpose and
objectives of the study, and the time and effort required from the participants to
answer the questions.
2) After a participant had granted his/her consent to take part in the survey, the
surveyor provided him/her with a notebook or tablet with an online questionnaire to fill in.
3) Participants were advised that they could withdraw their consent and
participation in the survey at any time.
4) The survey closed after the participant completed and submitted the answers to the
questionnaire.
5) Participants who had indicated their interest in receiving feedback and research
outcomes were sent a summary of the research findings via email after the study
was completed.
3.3 Questionnaire Construction and Scale
3.3.1 Questionnaire Construction
The instrument was developed to gather all the information needed for this study. It was
created for a cross-sectional study, which uses data gathered from samples of the
population of interest at a single point in time with only one instrument
(Ary, Jacobs & Razavieh, 1996: pp.377). The survey questionnaire of this study was
developed based on the PMT and related instruments created by many scholars. It
consisted of two main parts: Part 1, demographics, used for gathering demographic data
of the smartphone users; and Part 2, perceptions and behaviour of smartphone users,
used for gathering users’ perceptions related to severity of and vulnerability to cyber
threats, social influences, response effectiveness, their efficacies, appraisals, intention
motivations, and their protection behaviours. The construction of the questionnaire is
shown in Table 3.1.
Table 3.1: Questionnaire Construction
Construct and Item Description | Reference
Perceived Severity: Severity of consequences of cyber threats on my smartphone. | Adapted from Boer & Seydel (1996)
1) Overall, I am aware of the potential security threats and their negative consequences. | Adapted from Bulgurcu et al. (2010)
2) I understand the concerns regarding information security and the risks they pose in general. | Adapted from Bulgurcu et al. (2010)
3) I have sufficient knowledge about the cost of potential security problems. | Adapted from Bulgurcu et al. (2010)
Perceived Vulnerability: Probability that my smartphone may be attacked by cyber threats. | Adapted from Boer & Seydel (1996)
4) I think that my chance of getting virus on my smartphone is high. | Created by the researcher
5) I think that my chance that my identity can be thieved is high. | Created by the researcher
6) I think that the chance that my important data can be thieved is high. | Created by the researcher
Response Effectiveness: Effectiveness of the recommended behaviour in avoiding the negative consequence. | Adapted from Boer & Seydel (1996)
7) Using complicated password would secure my smartphone. | Created by the researcher
8) Update software or applications often can secure my smartphone. | Created by the researcher
9) Using virus protection software can protect my smartphone. | Created by the researcher
Self-efficacy: The extent that a person can perform the recommended behaviour successfully. | Adapted from Boer & Seydel (1996)
10) I know how to use complicate password on my smartphone. | Created by the researcher
11) I can install virus protection software on my smartphone. | Created by the researcher
12) I know how to setup my smartphone for advanced protection. | Created by the researcher
13) I know how to update software or applications on my smartphone. | Created by the researcher
Social Influence: Perceived social pressure to perform or not perform a given behaviour. | Adapted from Ajzen (1991)
14) My friends often talk about bad things happening on their smartphones. | Adapted from Chai et al. (2009)
15) My friends would think that I should take security measures on my smartphones. | Adapted from Anderson & Agarwal (2010)
16) It is likely that the majority of smartphone users comply with the smartphone security recommendations. | Adapted from Brown & Venkatesh (2005)
17) Information from mass media (TV, radio, newspapers, internet) suggests that I should comply with the smartphone security recommendations. | Adapted from Brown & Venkatesh (2005)
Threat Appraisal: My assessment of the level of danger on my smartphone posed by the threat. | Adapted from Woon et al. (2005)
18) I know my smartphone could be vulnerable to security breaches if I don't adhere to protection measures. | Adapted from Ifinedo (2011)
19) It is extremely likely that cyber threats will infect my smartphone. | Adapted from Liang & Xue (2010)
20) Threats to the security of my smartphone are harmful. | Adapted from Liang & Xue (2010)
21) The likelihood of an information security violation occurring at my smartphone is likely. | Adapted from Johnston & Warkentin (2010)
Coping Appraisal: Assessment of my ability to cope with and avert the potential loss or damage resulting from the danger. | Adapted from Woon et al. (2005)
22) I have the necessary skills to protect my smartphones from information security violations. | Adapted from Johnston & Warkentin (2010)
23) I have the expertise to implement preventative measures to stop people from getting my confidential information. | Adapted from Srisawang, Thongmak & Ngarmyarn (2015)
24) For me, taking information security precautions is easy. | Adapted from Srisawang, Thongmak & Ngarmyarn (2015)
Protection Motivation: Person’s intention to perform the recommended behaviour. | Adapted from Boer & Seydel (1996)
25) I intend to follow the information security guidelines on how to use a smartphone safely. | Adapted from Liang & Xue (2010)
26) I intend to use antivirus/anti-spyware software on my smartphone. | Adapted from Liang & Xue (2010)
27) I intend to protect my smartphone from cyber threats. | Adapted from Siponen et al. (2010)
28) I intend to follow the security news and find out how to prevent cyber threats. | Adapted from Srisawang, Thongmak & Ngarmyarn (2015)
Protection Behaviour: Performing the recommended behaviours. | Adapted from Boer & Seydel (1996)
29) I always using complicated password on my smartphone. | Created by the researcher
30) I always logout/sign out after finishing using applications (such as ebanking, email or facebook). | Created by the researcher
31) I always use antivirus software to prevent my smartphone from getting virus and malware. | Adapted from (Liang & Xue 2010)
32) I always update software or applications on my smartphones. | Adapted from (Liang & Xue 2010)
33) I always follow the suggestions for using a smartphone safely and appropriately. | Created by the researcher
3.3.2 Measuring Scale
The questionnaire asked respondents to describe the factors used in the theoretical
model. The questionnaire employed a 5-point Likert scale, ranging from one to five
points. The anchors used for each scale were as follows:
1 = Strongly Disagree
2 = Disagree
3 = Neutral
4 = Agree
5 = Strongly Agree
The interval for interpreting the results can be calculated as follows:
Interval = Range / Class = (5 – 1) / 5 = .80
With this range, the result interpretation table can be defined as shown in Table 3.2.
Table 3.2: Result Interpretation Table
Interval | Level
4.21 – 5.00 | Very High
3.41 – 4.20 | High
2.61 – 3.40 | Neutral
1.81 – 2.60 | Low
1.00 – 1.80 | Very Low
3.4 Validity and Reliability Testing
3.4.1 Internal Validity Testing
Validity refers to whether the questionnaire or survey measures what it is intended to
measure. Internal validity testing is a method for checking how accurately the
instrument measures the underlying phenomenon of interest. The validity of the
instrument was determined with content-related testing. This test was established
through a panel of experts chosen based on their familiarity with the concepts of
information technology, consumer behaviours and research methodology. The chosen
expert panel was comprised of:
1) Professor Dr. Sulyuth Sawangwan, an instructor at the Royal Thai Air Force
Academy. He is an expert in the field of information technology.
2) Associate Professor Anuruk Chotidirok, an instructor at the Royal Thai Air Force
Academy. He is an expert in the field of research methodology.
3) Mr. Atcha Yamkesorn, consultant at The Association of Researchers of Thailand.
He is an expert in the field of research methodology.
The panel of experts was requested to evaluate the questionnaire on the clarity of the
Thai language used, the clarity of the instructions and questions, and the
comprehensibility of the questionnaire. The researcher contacted each member to explain
the details of the study and their role in inspecting this instrument. Each of them was
then given a questionnaire to review and asked to return the instrument with their
comments to the researcher within one week. The next phase of establishing the content
and face validity of the instrument was to revise the instrument based on the suggestions
from the experts.
3.4.2 Reliability Testing
Reliability refers to the consistency of a measure. The primary purpose of the pilot testing
was to determine the consistency of measurement instruments and to identify potential
problems that might occur during the formal data collection phase. The reliability of a
measurement instrument concerns whether it produces identical results in repeated
applications.
After passing the internal validity testing, the researcher conducted a pilot study using a
separate sample of 30 participants who use smartphones. The data were tested for reliability
through the internal consistency method, specifically Cronbach’s Alpha. Further, an item
analysis was conducted on the questionnaire to determine the measure of internal
consistency, or Cronbach’s Alpha. The internal consistency of this instrument, as
shown in Table 3.3, showed that the Cronbach’s Alpha of each domain was .70 or higher,
demonstrating an acceptable level of internal consistency (Nunnally, 1978: 245).
Table 3.3: Reliability of the Questionnaire
Constructs | Number of Items | Cronbach Alpha
Perceived Severity | 3 | .752
Perceived Vulnerability | 3 | .726
Response Effectiveness | 3 | .835
Self-efficacy | 4 | .881
Social Influences | 4 | .806
Threat Appraisal | 4 | .801
Coping Appraisal | 3 | .769
Protection Motivation | 4 | .823
Protection Behaviour | 5 | .738
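The scoring rule of Section 3.3.2 and the reliability check of Section 3.4.2, as an added Python example that is not part of the thesis: it maps a respondent's 33 Likert answers to construct means and Table 3.2 levels, and computes Cronbach's alpha per construct against the .70 cut-off. The pilot responses are constructed, and the function names and the rejection of malformed questionnaires are assumptions of this example.

```python
import random
from statistics import mean, variance

# Item numbers per construct, as laid out in Table 3.1 (items 1-33).
CONSTRUCT_ITEMS = {
    "Perceived Severity": range(1, 4),
    "Perceived Vulnerability": range(4, 7),
    "Response Effectiveness": range(7, 10),
    "Self-efficacy": range(10, 14),
    "Social Influence": range(14, 18),
    "Threat Appraisal": range(18, 22),
    "Coping Appraisal": range(22, 25),
    "Protection Motivation": range(25, 29),
    "Protection Behaviour": range(29, 34),
}

# Lower bound of each band in Table 3.2 (interval width .80), highest first.
LEVELS = [(4.21, "Very High"), (3.41, "High"), (2.61, "Neutral"),
          (1.81, "Low"), (1.00, "Very Low")]


def level(score):
    """Map a mean score on the 1-5 scale to its Table 3.2 level."""
    score = round(score, 2)  # the bands are defined to two decimals
    if not 1.0 <= score <= 5.0:
        raise ValueError(f"mean {score} is outside the 1-5 scale")
    return next(name for bound, name in LEVELS if score >= bound)


def check_answers(answers):
    """Reject incomplete or out-of-range questionnaires instead of scoring them."""
    if len(answers) != 33:
        raise ValueError(f"expected 33 answers, got {len(answers)}")
    for number, value in enumerate(answers, start=1):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"item {number}: {value!r} is not a 1-5 Likert answer")


def score_response(answers):
    """Return {construct: (mean, level)} for one respondent's 33 answers."""
    check_answers(answers)
    result = {}
    for construct, items in CONSTRUCT_ITEMS.items():
        m = mean(answers[i - 1] for i in items)
        result[construct] = (round(m, 2), level(m))
    return result


def cronbach_alpha(rows):
    """Cronbach's alpha for one construct; rows holds one list of item scores per respondent."""
    if len(rows) < 2 or len(rows[0]) < 2:
        raise ValueError("need at least two respondents and two items")
    k = len(rows[0])
    item_var = sum(variance(column) for column in zip(*rows))
    total_var = variance([sum(row) for row in rows])
    if total_var == 0:
        raise ValueError("all respondents have the same total; alpha is undefined")
    return k / (k - 1) * (1 - item_var / total_var)


def reliability(responses, threshold=0.70):
    """Alpha per construct over full 33-item responses, flagged against the cut-off."""
    for answers in responses:
        check_answers(answers)
    report = {}
    for construct, items in CONSTRUCT_ITEMS.items():
        rows = [[answers[i - 1] for i in items] for answers in responses]
        alpha = cronbach_alpha(rows)
        report[construct] = (round(alpha, 3), alpha >= threshold)
    return report


def constructed_pilot(n=30, seed=2018):
    """Constructed pilot sample (not the thesis data): one latent level per
    respondent and construct, plus per-item noise, clipped to the 1-5 scale."""
    rng = random.Random(seed)
    responses = []
    for _ in range(n):
        answers = [0] * 33
        for items in CONSTRUCT_ITEMS.values():
            trait = rng.uniform(1.5, 4.5)
            for i in items:
                answers[i - 1] = min(5, max(1, round(trait + rng.gauss(0, 0.7))))
        responses.append(answers)
    return responses


if __name__ == "__main__":
    pilot = constructed_pilot()
    for construct, (alpha, ok) in reliability(pilot).items():
        print(f"{construct:24} alpha={alpha:.3f} {'ok' if ok else 'below .70'}")
    for construct, (m, lvl) in score_response(pilot[0]).items():
        print(f"{construct:24} mean={m:.2f} {lvl}")
```

A construct flagged below the cut-off in the pilot is the signal to revise or drop items before the formal data collection.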
3.5 Data Analysis
The surveyed data were analyzed with descriptive statistics. Frequency and percentage
calculations were performed on categorical data such as the gender or education of
smartphone users. Mean and standard deviation calculations were performed on ordinal
data such as the perceptions and behaviours of smartphone users. The comparisons of mean
and standard deviation of smartphone users’ perceptions and behaviours between different
groups (such as male and female) were performed via t-test and ANOVA (Analysis of
Variance). The t-test was used to compare means between two groups while ANOVA was
used to compare means between 3 groups or more.
Finally, the causal relationship among exogenous variables and endogenous variables
defined in the conceptual model of this study were explored with the SEM (Structural
Equation Modeling) technique.
3.6 Conclusion
This chapter covers the research design, which includes the research methodologies,
creating and testing the questionnaire, defining steps for gathering the data, and the
statistical methods used for analyzing the data. The data and results from the survey are
described in the two subsequent chapters. Chapter 3 provides the details of the survey
methodology, tools, and analysis. It includes the target group for sampling, sample size,
instrument design, validity and reliability testing, and the data analysis used in this
study. Chapter 4 contains the survey findings, including the descriptive results of the
demographics and behaviours of smartphone users. In addition, comparisons of the
perceptions of the PMT’s constructs among different categories of Thai smartphone
users are discussed in Chapter 4.
CHAPTER 4
DEMOGRAPHIC AND BEHAVIOURS OF THAI SMARTPHONE USERS
In this chapter, the data were analyzed with descriptive statistics, t-test and ANOVA.
The analysis results, computed using the SPSS software package, are shown in
Appendix C.
4.1 Smartphone Users in Thailand
4.1.1 Demographic data of Smartphone Users in Thailand
A detailed breakdown in terms of the demographics from the samples is shown in
Figure 4.1 and Table 4.1.
Figure 4.1: Percentage of Demographic Data
[Bar chart of the percentages in Table 4.1, grouped by Gender, Age, Education,
Employment and Monthly Income.]
Table 4.1: Demographic Data of the Samples
Number of Samples N = 720
Demographic Data | n | %
Gender
Male | 344 | 47.8
Female | 376 | 52.2
Age
18 – 22 Years Old | 144 | 20.0
23 – 30 Years Old | 152 | 21.1
31 – 40 Years Old | 151 | 21.0
41 – 50 Years Old | 144 | 20.0
51 – 60 Years Old | 129 | 17.9
Education
Below Bachelor Degree | 325 | 45.1
Bachelor Degree | 321 | 44.6
Master Degree or Above | 74 | 10.3
Occupation
Student | 162 | 22.5
Entrepreneur | 148 | 20.6
Government Employee | 142 | 19.7
State Enterprise | 16 | 2.2
Company Employee | 176 | 24.4
No Employment | 76 | 10.6
Monthly Income
Less than 15,000 Bht. | 311 | 43.2
15,001 - 30,000 Bht. | 183 | 25.4
30,001 - 40,000 Bht. | 92 | 12.8
40,001 – 50,000 Bht. | 80 | 11.1
50,001 Bht. or above | 54 | 7.5
Note: 33 Baht = 1 USD.
Table 4.1 above shows that the total sample size was 720. Of these, 47.8% (344
samples) were male and the remaining 52.2% were female. The samples were aged between
18 and 60 years and were divided into 5 ranges, each with around 20% of the total sample
size. In terms of education, 45.1% of the samples had below a bachelor degree, 44.6% had
a bachelor degree, and the remaining 10.3% had a master degree or above. In terms of
occupation, 24.4% of the samples were company employees, 22.5% were students, 20.6%
were entrepreneurs, 19.7% were government employees, 10.6% had no occupation (or were
housekeepers), and the remaining 2.2% were state enterprise employees. In terms of
income, the largest group, 43.2%, had incomes of less than 15,000 Bht. a month, 25.4%
had incomes between 15,001 - 30,000 Bht. a month, 12.8% had 30,001 – 40,000 Bht. a
month, 11.1% had 40,001 - 50,000 Bht. a month, and the remaining 7.5% had 50,001 Bht.
or above per month.
4.1.2 Demographic data of Smartphone Users by Region
Next, the breakdowns of the demographic data of the samples categorized by region are
illustrated in the following figures and tables.
The gender of the samples categorized by region is shown in Figure 4.2 and Table 4.2.
They illustrate that the proportions of males and females collected from each region were
about 50% each.
Figure 4.2: Percentage of Sample’s Gender by Region
[Bar chart of the percentages in Table 4.2: Male and Female by region.]
Table 4.2: Number and Percentage of Sample’s Gender by Region
Gender | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Reg. n (%) | Southern n (%)
Male | 55 (45.8) | 56 (46.7) | 61 (50.8) | 60 (50.0) | 57 (47.5) | 55 (47.8)
Female | 65 (54.2) | 64 (53.3) | 59 (49.2) | 60 (50.0) | 63 (52.5) | 65 (52.2)
Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0)
The next figure shows the percentage of the samples’ age ranges by region. It was planned
to collect an equal number of samples (around 20%) for each age range: 18 – 22
years old, 23 – 30 years old, 31 – 40 years old, 41 – 50 years old, and 51 – 60 years old.
However, the numbers of samples in each age range for the Bangkok & Metropolitan area
deviated slightly from the planned 20%. Details are shown in Figure 4.3 and Table 4.3.
Figure 4.3: Percentage of Sample’s Age by Region
[Bar chart of the percentages in Table 4.3: age ranges 18 - 22, 23 – 30, 31 – 40,
41 – 50 and 51 – 60 by region.]
Table 4.3: Number and Percentage of Sample’s Age by Region
Age | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Reg. n (%) | Southern n (%)
18 - 22 | 19 (15.8) | 24 (20.0) | 25 (20.8) | 25 (20.8) | 28 (23.3) | 23 (20.0)
23 – 30 | 32 (26.7) | 24 (20.0) | 24 (20.0) | 24 (20.0) | 24 (20) | 24 (21.1)
31 – 40 | 30 (25.0) | 27 (22.5) | 23 (19.2) | 24 (20.0) | 22 (18.3) | 25 (21.0)
41 – 50 | 26 (21.7) | 25 (20.8) | 25 (20.8) | 23 (19.2) | 21 (17.5) | 24 (20.0)
51 – 60 | 13 (10.8) | 20 (16.7) | 23 (19.2) | 24 (20.0) | 25 (20.8) | 24 (17.9)
Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0)
The distribution of the samples’ education by region is shown in Figure 4.4 and Table 4.4.
The bar chart shows that most samples from the Bangkok & Metropolitan and Northern
areas had a Bachelor degree, while samples from the North Eastern, Central Region, and
Southern areas had almost equal percentages of Below Bachelor degree and Bachelor degree.
However, most samples from the Eastern area had a Bachelor degree.
Figure 4.4: Percentage of Samples’ Education by Region
[Bar chart of the percentages in Table 4.4: Below Bachelor, Bachelor, and Master or
Above by region.]
Table 4.4: Number and Percentage of Samples’ Education by Region
Education | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Reg. n (%) | Southern n (%)
Below Bachelor | 20 (16.7) | 45 (37.5) | 56 (46.7) | 83 (69.2) | 50 (41.7) | 71 (45.1)
Bachelor | 74 (61.7) | 66 (55.0) | 49 (40.8) | 35 (29.2) | 55 (45.8) | 42 (44.6)
Master or Above | 26 (21.7) | 9 (7.5) | 15 (12.5) | 2 (1.7) | 15 (12.5) | 7 (10.3)
Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0)
The occupations of the samples are distributed in 6 ranges, including: student;
entrepreneur; government employee; state enterprise; company employee; and no
employment. It was obvious that most samples of Bangkok & Metropolitan area were
company employees, of Eastern area were entrepreneurs, and of central region area
were government employees. Details are shown in Figure 4.5 and Table 4.5.
Figure 4.5: Percentage of Sample’s Occupation by Region
[Bar chart of the percentages in Table 4.5: Student, Entrepreneur, Government Employee,
State Enterprise, Company Employee and No Employment by region.]
Table 4.5: Number and Percentage of Sample’s Occupation by Region
Occupation | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Reg. n (%) | Southern n (%)
Student | 26 (21.7) | 33 (27.5) | 36 (30.0) | 11 (9.2) | 34 (28.3) | 22 (22.5)
Entrepreneur | 11 (9.2) | 23 (19.2) | 31 (25.8) | 57 (47.5) | 7 (5.8) | 19 (20.6)
Government Employee | 3 (2.5) | 20 (16.7) | 14 (11.7) | 5 (4.2) | 63 (52.5) | 37 (19.7)
State Enterprise | 3 (2.5) | 4 (3.3) | 3 (2.5) | 1 (0.8) | 3 (2.5) | 2 (2.2)
Company Employee | 66 (55.0) | 33 (27.5) | 27 (22.5) | 19 (15.8) | 10 (8.3) | 21 (24.4)
No Employment | 11 (9.2) | 7 (5.8) | 9 (7.5) | 27 (22.5) | 3 (2.5) | 19 (10.6)
Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0)
Figure 4.6 and Table 4.6 show the monthly incomes of the samples categorized by
region. It was shown that most samples from Bangkok & Metropolitan, Northern,
Northeastern, Central Region, and Southern had income below 15,000 baht per month,
except most samples in the Eastern region which had income between 15,001 – 30,000
baht per month.
Figure 4.6: Percentage of Samples’ Monthly Income by Region
Table 4.6: Number and Percentage of Samples’ Monthly Income by Region
BKK & Metro.
Northern North
Eastern Eastern
Central Reg.
Southern
Monthly Income
n % n % n % n % n % n %
Less than 15,000 Baht
36 30.0 59 49.2 50 41.7 37 30.8 62 51.7 67 43.2
15,001 - 30,000 Baht
26 21.7 31 25.8 32 26.7 42 35.0 28 23.3 24 25.4
30,001 - 40,000 Baht
15 12.5 13 10.8 16 13.3 21 17.5 12 10.0 15 12.8
40,001 - 50,000 Baht
23 19.2 6 5.0 16 13.3 11 9.2 13 10.8 11 11.1
50,001 Baht or above
20 16.7 11 9.2 6 5.0 9 7.5 5 4.2 3 7.5
Total 120 100.0 120 100.0 120 100.0 120 100.0 120 100.0 120 100.0
4.2 Behaviours of Thai Smartphone Users
4.2.1 Overall General Behaviours of Thai Smartphone Users
General behaviours of smartphone users encompass the users’ characteristics in using
smartphones, such as the service provider they selected, the type of operating system,
whether they have lost their smartphones, whether their smartphones have been infected
by a virus, and others. Figure 4.7 and Table 4.7 provide a detailed breakdown of the
samples’ general behaviours in using smartphones.
Figure 4.7: Overall Behaviours of Smartphone Users
Table 4.7: Number and Percentage of Sample’s Behaviour in Using Smartphone
| Behaviours | Response | n (N = 720) | % |
|---|---|---|---|
| Phone Service | Truemove | 161 | 22.4 |
| | DTACT | 219 | 30.4 |
| | AIS | 335 | 46.5 |
| | Don’t know | 5 | 0.7 |
| Phone O.S. | iOS | 259 | 36.0 |
| | Android | 382 | 53.1 |
| | Windows | 26 | 3.6 |
| | Symbian | 6 | 0.8 |
| | Don’t know | 40 | 5.6 |
| | Others | 7 | 1.0 |
| Phone Loss | No | 532 | 73.9 |
| | Yes | 188 | 26.1 |
| Virus Infection | No | 495 | 68.8 |
| | Yes | 225 | 31.3 |
| Use Free Public Wi-Fi | Never | 284 | 39.4 |
| | Sometimes | 333 | 46.3 |
| | Always | 103 | 14.3 |
| Transferring Money | Never | 419 | 58.2 |
| | Sometimes | 219 | 30.4 |
| | Always | 82 | 11.4 |
Table 4.7 above shows that the largest share of samples, 46.5%, used the AIS service
provider, 30.4% used DTACT, and 22.4% used Truemove. For operating system, the
most used system was Android at 53.1%, followed by iOS at 36.0%,
Windows Phone at 3.6%, Symbian at 0.8%, don’t know at 5.6%, and other systems not listed
above at 1%. When asked if they had ever lost their phone, 73.9% of samples indicated that
they had never lost their phone while 26.1% had lost their phone in the past. When
asked if their smartphones had been infected with a virus, 68.8% said they had
never been infected whereas 31.3% believed their phone had been infected at some
point. When asked if they had ever used public Wi-Fi, 33.9% said they had
never used public Wi-Fi, whereas 46.3% indicated that they used public Wi-Fi at some
point and 14.3% indicated that they were always connected to public Wi-Fi when it was
available to them. Next, the samples were asked if they had ever transferred money or made
a payment via their smartphone, such as through access to mobile banking and email commerce
websites. 58.3% indicated that they had never used it, 30.4% indicated that they used it
sometimes, and 11.4% used it on a daily basis.
4.2.2 General Behaviours of Smartphone Users by Region
For phone service provider, the result shows that samples preferred to use AIS in most
regions, except North Eastern, where DTACT was a little more popular. Details are shown
in Figure 4.8 and Table 4.8.
Figure 4.8: Percentage of Phone Service Usage by Region
Table 4.8: Number and Percentage of Preferred Phone Service by Region
| Service Provider | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Region n (%) | Southern n (%) |
|---|---|---|---|---|---|---|
| Truemove | 34 (28.3) | 28 (23.3) | 25 (20.8) | 19 (15.8) | 33 (27.5) | 22 (22.4) |
| DTACT | 39 (32.5) | 48 (40.0) | 27 (22.5) | 49 (40.8) | 28 (23.3) | 28 (30.4) |
| AIS | 47 (39.2) | 43 (35.8) | 68 (56.7) | 51 (42.5) | 56 (46.7) | 70 (46.5) |
| Don’t know | 0 (0.0) | 1 (0.8) | 0 (0.0) | 1 (0.8) | 3 (2.5) | 0 (0.7) |
| Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) |
Next is the distribution of preferred operating systems used by the samples. Figure 4.9
and Table 4.9 show that Android was the most popular operating system in most
regions except Northern where iOS was more preferred.
Figure 4.9: Percentage of Operating System Usage by Region
Table 4.9: Number and Percentage of Operating System Usage by Region
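| Phone O.S. | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Region n (%) | Southern n (%) |
|---|---|---|---|---|---|---|
| iOS | 50 (41.7) | 60 (50.0) | 38 (31.7) | 41 (34.2) | 34 (28.3) | 36 (30.0) |
| Android | 66 (55.0) | 50 (41.7) | 60 (50.0) | 67 (55.8) | 74 (61.7) | 65 (54.2) |
| Windows | 2 (1.7) | 2 (1.7) | 14 (11.7) | 2 (1.7) | 2 (1.7) | 4 (3.3) |
| Symbian | 0 (0.0) | 1 (0.8) | 0 (0.0) | 0 (0.0) | 4 (3.3) | 1 (0.8) |
| Don’t know | 1 (0.8) | 6 (5.0) | 7 (5.8) | 8 (6.7) | 5 (4.2) | 13 (10.8) |
| Others | 1 (0.8) | 1 (0.8) | 1 (0.8) | 2 (1.7) | 1 (0.8) | 1 (0.8) |
| Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) |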
One interesting piece of data analyzed from the responses concerns phone loss. The
result shows that Bangkok & Metropolitan had the highest percentage of phone loss
(37.5%), followed by Central Region (29.2%) and Southern (26.1%). Details are
shown in Figure 4.10 and Table 4.10.
Figure 4.10: Percentage of Phone Loss by Region
Table 4.10: Number and Percentage of Phone Loss by Region
| Phone Loss | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Region n (%) | Southern n (%) |
|---|---|---|---|---|---|---|
| No | 75 (62.5) | 91 (75.8) | 96 (80.0) | 94 (78.3) | 85 (70.8) | 91 (73.9) |
| Yes | 45 (37.5) | 29 (24.2) | 24 (20.0) | 26 (21.7) | 35 (29.2) | 29 (26.1) |
| Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) |
When focusing on virus infection, the result shows that Bangkok & Metropolitan had
the highest percentage of people who had experienced virus infection on their phones
(40.0%), followed by Central Region (37.5%) and Southern (31.3%). Details are
shown in Figure 4.11 and Table 4.11.
Figure 4.11: Percentage of Smartphones Infected by Virus in Each Region
Table 4.11: Number and Percentage of Phone Infected by Virus by Region
| Virus Infection | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Region n (%) | Southern n (%) |
|---|---|---|---|---|---|---|
| No | 72 (60.0) | 86 (71.7) | 91 (75.8) | 96 (80.0) | 75 (62.5) | 75 (68.8) |
| Yes | 48 (40.0) | 34 (28.3) | 29 (24.2) | 24 (20.0) | 45 (37.5) | 45 (31.3) |
| Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) |
Free public Wi-Fi is an internet service offered in many places, such as restaurants,
shopping malls, and hotels. The following bar chart shows the percentage of people
who preferred to connect their smartphones to free public Wi-Fi. Obviously,
Bangkok & Metropolitan had the highest percentage of free public Wi-Fi use
(75.0%), followed by Central Region (71.7%) and Northern (64.2%). Details are
shown in Figure 4.12 and Table 4.12.
Figure 4.12: Percentage of People who Use Public Wi-Fi by Region
Table 4.12: Number and Percentage of People who Use Public Wi-Fi by Region
| Use Public Wi-Fi | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Region n (%) | Southern n (%) |
|---|---|---|---|---|---|---|
| Never | 30 (25.0) | 43 (35.8) | 64 (53.3) | 75 (62.5) | 34 (28.3) | 38 (39.4) |
| Sometimes | 64 (53.3) | 55 (45.8) | 46 (38.3) | 39 (32.5) | 70 (58.4) | 59 (46.3) |
| Always | 26 (21.7) | 22 (18.3) | 10 (8.3) | 6 (5.0) | 16 (13.3) | 23 (14.3) |
| Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) |
For using smartphones to transfer money, it became apparent that people in Bangkok &
Metropolitan had the highest percentage of using this service (65.8%), followed by
Northern (42.5%), Southern (41.8%) and Central Region (41.7%). Details are shown in
Figure 4.13 and Table 4.13.
Figure 4.13: Percentage of People who Transferred Money through their Phones by Region
Table 4.13: Number and Percentage of People who Transfer Money through their Phones by Region
| Transfer Money | BKK & Metro. n (%) | Northern n (%) | North Eastern n (%) | Eastern n (%) | Central Region n (%) | Southern n (%) |
|---|---|---|---|---|---|---|
| Never | 41 (34.2) | 69 (57.5) | 82 (68.3) | 90 (75.0) | 70 (58.3) | 67 (58.2) |
| Sometimes | 53 (44.2) | 32 (26.7) | 33 (27.5) | 21 (17.5) | 36 (30.1) | 44 (30.4) |
| Always | 26 (21.7) | 19 (15.8) | 5 (4.2) | 9 (7.5) | 14 (11.6) | 9 (11.4) |
| Total | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) | 120 (100.0) |
In conclusion, it is evident that the behaviours of smartphone users in BKK &
Metropolitan were quite different from those in the other five regions, namely Northern,
North Eastern, Eastern, Central Region, and Southern, in many aspects. Thus, the researcher
combined all five regions into one variable called “Upcountry” for further analysis.
4.2.3 General Behaviours of Smartphone Users by Age
Concerning phone service providers, it was clear that most samples in all age
ranges preferred AIS, followed by DTACT and Truemove. Details are shown in
Figure 4.14 and Table 4.14.
Figure 4.14: Percentage of Phone Service Usage by Age
Table 4.14: Number and Percentage of Phone Service Usage by Age
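| Service Provider | Age 18 – 22, n (%) | Age 23 – 30, n (%) | Age 31 – 40, n (%) | Age 41 – 50, n (%) | Age 51 – 60, n (%) |
|---|---|---|---|---|---|
| Truemove | 38 (26.4) | 37 (24.3) | 33 (21.9) | 30 (20.8) | 23 (17.8) |
| DTACT | 39 (27.1) | 52 (34.2) | 46 (30.5) | 40 (27.8) | 42 (32.6) |
| AIS | 65 (45.1) | 63 (41.4) | 72 (47.7) | 73 (50.7) | 62 (48.1) |
| Don’t know | 2 (1.4) | 0 (0.0) | 0 (0.0) | 1 (0.7) | 2 (1.6) |
| Total | 144 (100.0) | 152 (100.0) | 151 (100.0) | 144 (100.0) | 129 (100.0) |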
For the operating system used in the phone, the result shows that people of all age ranges
preferred Android to iOS. Surprisingly, 20.2% of people of ages 51 – 60 did not
know what operating system they were using. Details are shown in Figure 4.15 and
Table 4.15.
Figure 4.15: Percentage of Operating System Usage by Age
Table 4.15: Number and Percentage of Operating System Usage by Age
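| Operating System | Age 18 – 22, n (%) | Age 23 – 30, n (%) | Age 31 – 40, n (%) | Age 41 – 50, n (%) | Age 51 – 60, n (%) |
|---|---|---|---|---|---|
| iOS | 57 (39.6) | 62 (40.8) | 69 (45.7) | 46 (31.9) | 25 (19.4) |
| Android | 76 (52.8) | 81 (53.3) | 74 (49.0) | 83 (57.6) | 68 (52.7) |
| Windows | 1 (0.7) | 4 (2.6) | 5 (3.3) | 9 (6.3) | 7 (5.4) |
| Symbian | 5 (3.5) | 0 (0.0) | 0 (0.0) | 0 (0.0) | 1 (0.8) |
| Don’t know | 4 (2.8) | 3 (2.0) | 2 (1.3) | 5 (3.5) | 26 (20.2) |
| Others | 1 (0.7) | 2 (1.3) | 1 (0.7) | 1 (0.7) | 2 (1.6) |
| Total | 144 (100.0) | 152 (100.0) | 151 (100.0) | 144 (100.0) | 129 (100.0) |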
When considering phone loss, the result shows that people of ages 18 – 22 years old had
lost their phones at the highest percentage (34.0% of people in their age range),
followed by 23 – 30 years old (28.9%), and 31 – 40 years old (25.2%). Details are
shown in Figure 4.16 and Table 4.16.
Figure 4.16: Percentage of Phone Loss by Age
Table 4.16: Number and Percentage of Phone Loss by Age
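| Phone Loss | Age 18 – 22, n (%) | Age 23 – 30, n (%) | Age 31 – 40, n (%) | Age 41 – 50, n (%) | Age 51 – 60, n (%) |
|---|---|---|---|---|---|
| No | 95 (66.0) | 108 (71.1) | 113 (74.8) | 108 (75.0) | 108 (83.7) |
| Yes | 49 (34.0) | 44 (28.9) | 38 (25.2) | 36 (25.0) | 21 (16.3) |
| Total | 144 (100.0) | 152 (100.0) | 151 (100.0) | 144 (100.0) | 129 (100.0) |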
For virus infection, the results show similar patterns to phone loss. Users of ages 18 – 22
had the highest percentage of virus infection (42.4% of samples in their age range),
followed by the group of ages 23 – 30 years old (35.5%), and ages 31 – 40 years old
(33.1%). Details are shown in Figure 4.17 and Table 4.17.
Figure 4.17: Percentage of Phone Infected by Virus of Each Age Group
Table 4.17: Number and Percentage of Phone Infected by Virus by Age
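| Virus Infected | Age 18 – 22, n (%) | Age 23 – 30, n (%) | Age 31 – 40, n (%) | Age 41 – 50, n (%) | Age 51 – 60, n (%) |
|---|---|---|---|---|---|
| No | 83 (57.6) | 98 (64.5) | 101 (66.9) | 105 (72.9) | 108 (83.7) |
| Yes | 61 (42.4) | 54 (35.5) | 50 (33.1) | 39 (27.1) | 21 (16.3) |
| Total | 144 (100.0) | 152 (100.0) | 151 (100.0) | 144 (100.0) | 129 (100.0) |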
When focusing on using public Wi-Fi, the result shows that 74.3% of
smartphone users of ages 23 – 30 years old used free public Wi-Fi, followed by 18 – 22
year olds (73.6%), and 31 – 40 year olds (67.5%). On the other hand, only 30.2% of
those of ages 51 – 60 years old used free public Wi-Fi. Details are shown in Figure 4.18 and
Table 4.18.
Figure 4.18: Percentage of People who Use Public Wi-Fi by Age
Table 4.18: Number and Percentage of People who Use Public Wi-Fi by Age
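| Use Public Wi-Fi | Age 18 – 22, n (%) | Age 23 – 30, n (%) | Age 31 – 40, n (%) | Age 41 – 50, n (%) | Age 51 – 60, n (%) |
|---|---|---|---|---|---|
| Never | 38 (26.4) | 39 (25.7) | 49 (32.5) | 68 (47.2) | 90 (69.8) |
| Sometimes | 78 (54.2) | 92 (60.5) | 76 (50.3) | 51 (35.4) | 36 (27.9) |
| Always | 28 (19.4) | 21 (13.8) | 26 (17.2) | 25 (17.4) | 3 (2.3) |
| Total | 144 (100.0) | 152 (100.0) | 151 (100.0) | 144 (100.0) | 129 (100.0) |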
For transferring money, the result shows that 57.6% of smartphone users of ages 31 –
40 years old transferred money through their phones, and 54.6% of ages 23 – 30 years
old used this service. However, only 10.1% of ages 51 – 60 years old used this service.
Details are shown in Figure 4.19 and Table 4.19.
Figure 4.19: Percentage of People who Transferred Money by Phone
Table 4.19: Number and Percentage of People who Transferred Money by Phone
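| Transfer Money | Age 18 – 22, n (%) | Age 23 – 30, n (%) | Age 31 – 40, n (%) | Age 41 – 50, n (%) | Age 51 – 60, n (%) |
|---|---|---|---|---|---|
| Never | 78 (54.2) | 69 (45.4) | 64 (42.4) | 92 (63.9) | 116 (89.9) |
| Sometimes | 54 (37.5) | 60 (39.5) | 55 (36.4) | 38 (26.4) | 12 (9.3) |
| Always | 12 (8.3) | 23 (15.1) | 32 (21.2) | 14 (9.7) | 1 (0.8) |
| Total | 144 (100.0) | 152 (100.0) | 151 (100.0) | 144 (100.0) | 129 (100.0) |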
4.3 Overall Means of Constructs of Protection Behaviour Model
The overall means of the constructs of protection behaviour of Thai smartphone users in
Figure 4.20 and Table 4.20 show that 7 constructs, namely Perceived Severity,
Perceived Vulnerability, Response Effectiveness, Self-efficacy, Coping Appraisal,
Protection Motivation, and Protection Behaviour, were between 3.48 and 3.85, which
is in the “high-level” range; the details of the ranges were explained in Section 3.3.2 of
Chapter 3. Among these constructs, Perceived Severity had the highest mean of 3.85,
followed by Protection Behaviour with a mean of 3.62, and Perceived Vulnerability
with a mean of 3.58. Two constructs, namely Social Influence and Threat
Appraisal, were in the “neutral-level” range with means of 3.34 and 3.40 respectively.
Figure 4.20: Behaviours of Smartphone Users
Table 4.20: Protection Behaviour Constructs of Smartphone Users in Thailand
| Behaviours | Mean (X̄) | S.D. | Level |
|---|---|---|---|
| Perceived Severity: Severity of consequences of cyber threats on smartphone | 3.85 | .753 | high |
| Perceived Vulnerability: Probability that smartphone may be attacked by cyber threats | 3.58 | .829 | high |
| Social Influence: Perceived social pressure to perform or not perform a given behaviour | 3.34 | .853 | neutral |
| Response Effectiveness: Effectiveness of the recommended behaviour in avoiding the negative consequence | 3.57 | .783 | high |
| Self-efficacy: The extent that a person can perform the recommended behaviour successfully | 3.55 | .839 | high |
| Threat Appraisal: Assessment of the level of danger on smartphone posed by the threat | 3.40 | .827 | neutral |
| Coping Appraisal: Assessment of ability to cope with and avert the potential loss or damage resulting from the danger | 3.48 | .772 | high |
| Protection Motivation: Intention to perform the recommended behaviour | 3.53 | .783 | high |
| Protection Behaviour: Performing the recommended behaviour | 3.62 | .747 | high |
4.4 Compare Means of Constructs of Protection Behaviours Model
4.4.1 Means of Constructs by Gender
Using descriptive statistics, the samples were categorized by gender, and the pie chart in
Figure 4.21 shows that, from a total of 720 samples, 344 (47.8%) were male and 376
(52.2%) were female.
Figure 4.21: Gender of Samples
Using the t-test to compare the mean differences of all the constructs by gender,
the result shows that males’ Response Effectiveness (with a mean of 3.64) was 0.14
higher than females’ (3.58) at the .05 level of statistical significance. Details are shown in
Figure 4.22.
Figure 4.22: Comparison of the Model Constructs by Gender
4.4.2 Means of Constructs by Age
The ages of the samples in this study were between 18 and 60 years old, and they
were divided into 5 different age groups: 18 – 22 years old, 22 – 30 years old, 31 – 40
years old, 41 – 50 years old, and 51 – 60 years old. In each group, around 120 samples
were collected and the details are shown in Figure 4.23.
Figure 4.23: Age of Samples
When considering the comparison between Thai smartphone users on the proposed
model’s constructs by age, the results are shown in Figure 4.24.
[Figure 4.22, bar chart: mean of each construct (PerSev, PerVuln, SocInflu, ResEffec, SelEffi, ThrAppr, CopAppr, ProMoti, ProBeha) for Male versus Female.]
Figure 4.24: Comparison of the Model Constructs by Age
Each construct can be explained as follows:
1) for Perceived Severity, the group of ages 51 – 60 had the largest mean (3.93),
followed by the group of ages 31 – 40 (3.92) and ages 23 – 30 (3.87). The group of
ages 18 – 22 had the lowest mean (3.69). An ANOVA comparing the means of Perceived
Severity between the 5 different age groups shows that there were no significant
differences among these means (at the .05 level of statistical significance);
2) considering Perceived Vulnerability, the three groups with the highest means
were users of ages 31 – 40 (3.69), ages 41 – 50 (3.64), and ages 23 – 30 (3.61)
respectively, while users of ages 18 – 22 had the lowest mean (3.44). Nevertheless, the
ANOVA result shows that these means have no significant differences (at the .05
level of statistical significance);
3) for Social Influence, the bar chart shows that the groups of ages 18 – 50 had means
between 3.38 and 3.41. Surprisingly, the group of ages 51 – 60 had a very low mean of
3.04. When comparing the mean of Social Influence among the different age groups
using ANOVA (Appendix C), the result shows that smartphone users of ages 51 – 60
had a lower mean in Social Influence (3.04) than all other groups, namely
ages 18 – 22 (3.38), ages 23 – 30 (3.41), ages 31 – 40 (3.41), and ages
41 – 50 (3.40), all at the .05 level of statistical significance. Thus, it was clear that
smartphone users of ages 51 – 60 were less socially influenced than other groups in
protecting themselves from smartphone threats;
[Figure 4.24, bar chart: mean of each construct (PerServ, PerVuln, SocInflu, ResEffec, SelEffi, ThrAppr, CopAppr, ProMoti, ProBeha) for the age groups 18 – 22, 23 – 30, 31 – 40, 41 – 50 and 51 – 60 years old.]
4) when considering Response Effectiveness, smartphone users of ages 23 – 30
had the largest mean (3.68), the second largest was users of ages 31 – 40 (3.60),
and the third largest was users of ages 41 – 50 (3.57). The ANOVA
result shows that the groups of ages 18 – 22 and 51 – 60 had almost equal means of
Response Effectiveness (3.47 and 3.48 respectively). Yet, the analysis in
Appendix C shows that there were no significant differences among these means (at the
.05 level of statistical significance);
5) concerning Self-efficacy, the largest means went to smartphone users of ages 23 – 30
(3.73), ages 18 – 22 (3.67), and ages 31 – 40 (3.64) respectively.
Interestingly, people of ages 51 – 60 had the lowest mean in Self-efficacy, with a mean
of 3.11. According to the ANOVA results in Appendix C, it was clear that smartphone
users of ages 51 – 60 had a lower mean of Self-efficacy than the others. The bar chart
shows that people of ages 51 – 60 had a lower mean in Self-efficacy (3.11) than
people of ages 18 – 22 (3.67), ages 23 – 30 (3.73), ages 31 – 40
(3.64), and ages 41 – 50 (3.53), all at the .05 level of statistical significance. Furthermore,
people of ages 41 – 50 also had a mean in Social Influence (3.53) lower
than people of ages 23 – 30 (3.73) at the .05 level of statistical significance. It could be
concluded that Thai smartphone users of ages 51 – 60 had the lowest Self-efficacy of
all age groups, while people of ages 41 – 50 had lower Self-efficacy when
compared to people of ages 23 – 30;
6) for Threat Appraisal, the chart shows that smartphone users of ages 18 – 22 had
the largest mean (3.51), the second largest was people of ages 41 – 50 (3.46),
and the third largest was people of ages 23 – 30 (3.42). On closer consideration,
people of ages 51 – 60 had the lowest mean (3.23). Nonetheless, the means of all age groups
were not significantly different (at the .05 level of statistical significance);
7) for Coping Appraisal, smartphone users of ages 18 – 22 had the largest mean
(3.61), followed by ages 23 – 30 (3.59), and ages 31 – 40 (3.53). With
the use of ANOVA as detailed in Appendix C, it was clear that smartphone users of
ages 51 – 60 had the lowest mean in Coping Appraisal when compared with all other
age groups. Their mean in Coping Appraisal (3.16) was lower than that of people
of ages 18 – 22 (3.61), ages 23 – 30 (3.59), ages 31 – 40 (3.53), and ages
41 – 50 (3.46) at the .05 level of statistical significance. It could be concluded that Thai
smartphone users of ages 51 – 60 had a lower ability to appraise their coping with cyber
threats on their smartphones;
8) considering Protection Motivation, the means of Thai smartphone users of ages 18 – 50 were
between 3.46 and 3.64, except people of ages 51 – 60, who had the lowest mean. The
ANOVA results show that people of ages 51 – 60 had a mean of 3.15 in Protection
Motivation, which is lower than people of ages 18 – 22 (3.64), ages 23 – 30
(3.63), ages 31 – 40 (3.59), and ages 41 – 50 (3.60) at the .05 level of statistical significance. In
other words, among all groups, Thai smartphone users of ages 51 – 60 had the least
motivation in protecting their smartphones from cyber threats;
9) lastly, for Protection Behaviour, Thai smartphone users of ages 23 – 30 had the
largest mean (3.71), and the second largest belonged to people of ages 41 – 50
(3.69). These were followed by people of ages 18 – 22 (3.62) and ages 31 – 40 (3.61),
while people of ages 51 – 60 had the lowest mean. However, when analyzed in detail with
ANOVA, the results show that smartphone users of ages 51 – 60 had a lower mean (3.46)
than people of ages 23 – 30 (3.71) and ages 41 – 50 (3.69) at the .05 level of statistical
significance. This result can be interpreted as people of ages 18 – 22 having lower Protection
Behaviour than people of ages 23 – 30 and ages 41 – 50. Since the mean of Protection
Behaviour of people of ages 51 – 60 was not significantly different from that of people of ages
18 – 22 and ages 31 – 40, it can be concluded that people of ages 18 – 22, ages 31 – 40,
and ages 51 – 60 had low protection behaviour.
4.4.3 Means of Constructs by Region
There was a significant difference between smartphone users who lived in Bangkok
& Metropolitan and those who lived in Upcountry. Details are shown in Figure 4.25.
Figure 4.25: Smartphone Users in BKK & Metropolitan and Upcountry
Using the t-test to compare the model constructs between smartphone users who lived
in BKK & Metropolitan and those who lived in Upcountry, the result shows that people
in BKK & Metropolitan had lower means in Perceived Vulnerability (3.29), Threat
Appraisal (3.21), and Coping Appraisal (3.26) than people who lived in Upcountry
(with means of 3.64, 3.44, and 3.52) at the .05 level of statistical significance. The details are
shown in Figure 4.26.
Figure 4.26: Comparison of the Model Constructs by Region
Thus, it can be concluded that smartphone users who live in the Bangkok & Metropolitan area
had lower abilities than upcountry people in perceiving their phones’ vulnerabilities to
cyber threats, lower abilities in evaluating the consequences from cyber threats, and lower
ability to assess their own ability in coping with cyber threats.
[Figure 4.25, pie chart (Region): BKK & Metro., 120, 17%; Upcountry, 600, 83%.]
[Figure 4.26, bar chart: mean of each construct (PerServ, PerVuln, SocInfe, ResEffe, SelEffi, ThrAppr, CopAppr, BehMoti, ProBeha) for BKK & Metro. versus Upcountry.]
4.4.4 Means of Constructs by Virus Infection
A virus or malware is a type of cyber threat that can pose a serious threat to smartphones.
The pie chart in Figure 4.27 shows that 31.3% of samples had had a bad experience
with virus/malware infection on their phones.
Figure 4.27: Number of People whose Phones were Infected with Malware
The bar chart compares the constructs of Thai people whose
smartphones had been infected against those who had never experienced this incident.
The details are shown in Figure 4.28.
Figure 4.28: Comparison of Constructs between People whose Phones were Infected with Malware and those who were not
The t-test result shows that the people whose smartphones were infected by virus/malware:
(1) had a larger mean in Perceived Vulnerability (3.68) than the group who
were not (3.53); (2) had a larger mean in Threat Appraisal (3.53) than the group who were
not (3.34); and (3) had a larger mean in Protection Motivation (3.61) than the group who
were not (3.49), all at the .05 level of statistical significance.
[Figure 4.28, bar chart: mean of each construct (PerSev, PerVuln, SocInflu, ResEffec, SelEffi, ThrAppr, CopAppr, ProMoti, ProBeha) for people whose phones were infected (Yes) versus those whose phones were not (No).]
4.4.5 Means of Constructs by Using Public Wi-Fi
Public Wi-Fi is a free internet connection service provided by many stores such as
shopping malls or restaurants. The pie chart in Figure 4.29 shows that 60.6% of samples
prefer to connect their phones through public Wi-Fi.
Figure 4.29: Number of People who Used Public Wi-Fi
The following bar chart in Figure 4.30 shows a comparison between people who used
public Wi-Fi and those who did not. The chart illustrates that people who used public
Wi-Fi to access the internet had larger means in all constructs than people who did not.
Figure 4.30: Comparison of Constructs between People who Used Public Wi-Fi and who did not
[Figure 4.30, bar chart: mean of each construct (PerSev, PerVuln, SocInfe, ResEffe, SelEffi, ThrAppr, CopAppr, ProMoti, ProBeha) for people who used public Wi-Fi (Yes) versus those who did not (No).]
However, when taking a closer look at the comparisons using the t-test technique,
the results show that people who used public Wi-Fi had larger means in Self-efficacy
(3.67), in Coping Appraisal (3.53), in Protection Motivation (3.60), and in
Protection Behaviour (3.69) than people who did not (with means of 3.37, 3.40, 3.42,
and 3.51 respectively). All were at the .05 level of statistical significance.
4.4.6 Means of Constructs by Using Money Transfer Services via Smartphones
Nowadays, buying goods or transferring money can be done easily through the use of
a smartphone. The pie chart in Figure 4.31 shows that 41.8% of samples preferred
transferring money through their phones, while the rest did not.
Figure 4.31: Number of People who Transfer Money via Phones
The bar chart in Figure 4.32 compares mean of the model’s constructs between people
who had used their phone to buy things or transfer money and those who had not. The
chart shows that people who had transferred money through their phones had larger
mean in all constructs.
The following chart compares the constructs’ means between people who
transferred money through smartphones and those who did not.
Figure 4.32: Comparison of Constructs between People who Transfer Money via Smartphone and who did not
[Figure 4.32, bar chart (Use Smartphone to Transfer Money): mean of each construct (PerSev, PerVuln, SocInfe, ResEffe, SelEffi, ThrAppr, CopAppr, ProMoti, ProBeha) for Yes versus No.]
However, after comparing these means using the t-test, the result shows that there
were significant differences in the means of all constructs, except Perceived Severity
and Threat Appraisal, between people who transferred money through their phones
and those who did not (at the .05 level of statistical significance). The largest difference
was in Self-efficacy, in which the mean of people who transferred money through their
phones (3.75) was .35 larger than that of people who did not (3.40). The second largest
difference was in Protection Motivation, in which the mean of people who used their
phones to transfer money (3.71) was .31 higher than the other (3.40).
4.5 Conclusion
In summary, this chapter shows the results of the survey data, which are the
demographics and the comparisons of the perceptions of the PMT’s constructs among
different categories of Thai smartphone users. The next chapter will demonstrate the
analysis of the theoretical PMT model with the survey data of Thai smartphone
users.
CHAPTER 5
THE PMT MODEL OF THAI SMARTPHONE USERS
The aim of this chapter is to analyze the theoretical model with empirical data, to
indicate the significant relations in the model and to calculate the direct and indirect
effects between constructs toward the dependent construct, the Protection Behaviour.
To perform the analysis, a number of steps are needed which include: restate the
hypotheses for testing the proposed theoretical PMT model; test the required basic
assumptions for SEM; test the goodness of fit of the Measurement Model and Structural
Equation Modeling; and identify valid causal relationships and calculate the effects
among constructs on the dependent variable of the empirical model.
5.1 Testing Hypotheses for the Proposed Theoretical Model
The proposed theoretical model as developed in Chapter 2, is repeated in Figure 5.1 to
show its causal relationships among its 11 constructs. The relationships are
hypothesized with Ha to Hk for testing its statistically significant validity.
Figure 5.1: Theoretical Model for Testing
[Figure 5.1, path diagram of the constructs Perceived Severity, Perceived Vulnerability, Social Influence, Response Effectiveness, Self-efficacy, Threat Appraisal, Coping Appraisal, Protection Motivation and Protection Behaviour, with paths labelled Ha+ to Hk+.]
There are a total of 11 hypotheses for testing (Ha to Hk). Each of them is stated as a
null hypothesis (H0) and an alternative hypothesis (H1), as shown in Table 5.1.
Table 5.1: Null and Alternative Hypotheses for Testing the Theoretical Model
Relationship Hypothesis | Null and Alternative Hypotheses for Testing
Ha | H0: Perceived Severity does not positively affect Threat Appraisal
   | H1: Perceived Severity positively affects Threat Appraisal
Hb | H0: Perceived Vulnerability does not positively affect Threat Appraisal
   | H1: Perceived Vulnerability positively affects Threat Appraisal
Hc | H0: Social Influence does not positively affect Threat Appraisal
   | H1: Social Influence positively affects Threat Appraisal
Hd | H0: Social Influence does not positively affect Coping Appraisal
   | H1: Social Influence positively affects Coping Appraisal
He | H0: Response Effectiveness does not positively affect Coping Appraisal
   | H1: Response Effectiveness positively affects Coping Appraisal
Hf | H0: Self-efficacy does not positively affect Coping Appraisal
   | H1: Self-efficacy positively affects Coping Appraisal
Hg | H0: Threat Appraisal does not positively affect Protection Motivation
   | H1: Threat Appraisal positively affects Protection Motivation
Hh | H0: Threat Appraisal does not positively affect Protection Behaviour
   | H1: Threat Appraisal positively affects Protection Behaviour
Hi | H0: Coping Appraisal does not positively affect Protection Motivation
   | H1: Coping Appraisal positively affects Protection Motivation
Hj | H0: Coping Appraisal does not positively affect Protection Behaviour
   | H1: Coping Appraisal positively affects Protection Behaviour
Hk | H0: Protection Motivation does not positively affect Protection Behaviour
   | H1: Protection Motivation positively affects Protection Behaviour
5.2 Preparing the Model with AMOS Software
Prior to testing with empirical data, the theoretical model was created with the AMOS
software package as shown in Figure 5.2. Note that the latent variables of the model
were explained by the data gathered from all questions in the questionnaire except
questions q7, q20, q21, q24, q29, and q33, since these provided low factor weights for
the latent variables they explained (the analysis of this part is shown in Appendix D).
Figure 5.2: Theoretical Model Created by the AMOS Software for Testing
This model consists of five exogenous latent variables: Perceived Severity
(PerSev), Perceived Vulnerability (PerVul), Social Influence (SocInf), Response
Effectiveness (ResEff), and Self Efficacy (SelEff). It also consists of four endogenous
latent variables: Threat Appraisal (TheApp), Coping Appraisal (CopApp),
Protection Motivation (BehMot), and Protection Behaviour (ProBeh). These latent
variables were measured through observed variables, which are questionnaire items q1 – q33
(from Appendix B). Details are given in Table 5.2.
Table 5.2: Variables Used in the Hypothesized Model
Latent Variable | Independent or Dependent Variable (IV or DV) | Observed Variables (questions from the questionnaire)
Exogenous Variables
Perceived Severity | IV | q1 – q3
Perceived Vulnerability | IV | q4 – q6
Social Influence | IV | q14 – q17
Response Effectiveness | IV | q8 – q9
Self Efficacy | IV | q10 – q13
Endogenous Variables
Threat Appraisal | IV and DV | q18 – q19
Coping Appraisal | IV and DV | q22 – q23
Protection Motivation | IV and DV | q25 – q28
Protection Behaviour | DV | q30 – q32
5.3 Testing Basic Assumptions of Structural Equation Modeling
5.3.1 Valid Sample Size for Structural Equation Modeling
In performing path analysis, a set of appropriate samples for testing the theoretical
model must be provided. Bentler & Cho (1987) suggest that there should be 5 – 10
observations per estimated parameter. Results from AMOS show that there are 127
parameters in the theoretical model (Appendix E), so the number of samples required for
this study should be no less than 127*5, which equals 635 samples. Details are shown
in Table 5.3.
Table 5.3: Number of Parameters of the Hypothesized Model
          | Weights | Covariances | Variances | Means | Intercepts | Total
Fixed     | 40 | 0 | 0 | 0 | 0 | 40
Labeled   | 0 | 0 | 0 | 0 | 0 | 0
Unlabeled | 29 | 22 | 36 | 0 | 0 | 87
Total     | 69 | 22 | 36 | 0 | 0 | 127
5.3.2 Normality of Distribution of Data
To use the data in the SEM and other analyses, the data have to be normally
distributed, which is assessed through the skewness and kurtosis of the data. Skewness is
a measure of the symmetry of the data distribution, while kurtosis is a measure of whether
the data are heavy-tailed or light-tailed relative to a normal distribution. For normality
of distribution of data, Bulmer M. G. (1979) suggested that skewness should not be
less than -1 or greater than 1. George & Mallery (2010) stated that kurtosis values between
-2 and +2 are considered acceptable for a normal distribution. Moreover, Kline (2011)
proposed that the absolute values of skewness and kurtosis should not be greater than 3
and 10, respectively, for a normal distribution of a data set.
The data of this study had skewness and kurtosis between -1 and 1; thus, they were well
modeled by a normal distribution. The details are shown in Table 5.4.
Table 5.4: Skewness and Kurtosis of Data
Variable | Skewness | Kurtosis
Q1: Overall, I am aware of the potential security threats and their negative consequences. | -.794 | .698
Q2: I understand the concerns regarding information security and the risks they pose in general. | -.759 | .531
Q3: I have sufficient knowledge about the cost of potential security problems. | -.800 | .738
Q4: I think that my chance of getting virus on my smartphone is high. | -.599 | .092
Q5: I think that the chance that my identity can be stolen is high. | -.739 | .220
Q6: I think that the chance that my important data can be stolen is high. | -.560 | .003
Q7: Using complicated password would secure my smartphone. | -.654 | -.008
Q8: Software or applications updates can increase the security of my smartphone. | -.423 | -.016
Q9: Using virus protection software can increase the security of my smartphone. | -.482 | .153
Q10: I know how to use complicated password on my smartphone. | -.619 | -.077
Q11: I can install virus protection software on my smartphone. | -.598 | .072
Q12: I know how to setup my smartphone for advanced protection. | -.562 | -.112
Q13: I know how to update software or applications on my smartphone. | -.528 | -.185
Q14: My friends discuss security issues related to their smartphones. | -.582 | -.013
Q15: My friends would think that I should take security measures on my smartphone. | -.527 | -.125
Q16: It is likely that the majority of smartphone users comply with the smartphone security recommendations. | -.606 | -.036
Q17: Information from mass media (TV, newspapers, internet) suggests that I should comply with the | -.659 | .090
Q18: I know my smartphone could be vulnerable to security breaches if I don't adhere to protection | -.457 | -.420
Q19: It is extremely likely that cyber threats will infect my smartphone. | -.235 | -.479
Q20: Threats to the security of my smartphone are harmful. | -.583 | .032
Q21: The likelihood of an information security violation occurring at my smartphone is high. | -.312 | -.239
Q22: I have the necessary skills to protect my smartphone from information security violations. | -.731 | .466
Q23: I have the expertise to implement preventative measures to stop people from getting my confidential | -.384 | -.004
Q24: For me, taking information security precautions is easy. | -.483 | -.215
Q25: I intend to follow the information security guidelines on how to use a smartphone safely. | -.887 | .948
Q26: I intend to use antivirus/anti-spyware software on my smartphone. | -.667 | .593
Q27: I intend to protect my smartphone from cyber threats. | -.562 | .273
Q28: I intend to follow the security news and find out how to prevent cyber threats. | -.613 | .487
Q29: I always use complicated passwords protection on my smartphone. | -.690 | .055
Q30: I always logout/sign out after finishing using applications (such as ebanking, email or facebook). | -.597 | -.229
Q31: I always use antivirus software | -.554 | .098
Q32: I always update software or applications on my smartphone. | -.605 | .176
Q33: I always follow safety guide in using a smartphone safely and appropriately. | -.445 | .191
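The normality screening described in Section 5.3.2, as an added example that is not part of the thesis: it computes the skewness and excess kurtosis of one 5-point Likert item and applies the three cut-offs cited above. The response counts are constructed, and the bias-adjusted estimators (the form commonly reported by statistical packages) are an assumption, since the thesis does not state which estimator was used.

```python
import math


def skewness_kurtosis(values):
    """Return bias-adjusted sample skewness (G1) and excess kurtosis (G2)."""
    n = len(values)
    if n < 4:
        raise ValueError("at least 4 observations are needed for G2")
    mean = sum(values) / n
    m2 = sum((x - mean) ** 2 for x in values) / n
    if m2 == 0:
        raise ValueError("all responses are identical; skewness is undefined")
    m3 = sum((x - mean) ** 3 for x in values) / n
    m4 = sum((x - mean) ** 4 for x in values) / n
    g1 = m3 / m2 ** 1.5          # moment-based skewness
    g2 = m4 / m2 ** 2 - 3.0      # moment-based excess kurtosis
    skew = g1 * math.sqrt(n * (n - 1)) / (n - 2)
    kurt = (n - 1) / ((n - 2) * (n - 3)) * ((n + 1) * g2 + 6)
    return skew, kurt


def screen(skew, kurt):
    """Apply the three normality criteria cited in Section 5.3.2."""
    return {
        "bulmer_1979": -1 <= skew <= 1,                     # skewness within -1..1
        "george_mallery_2010": -2 <= kurt <= 2,             # kurtosis within -2..+2
        "kline_2011": abs(skew) <= 3 and abs(kurt) <= 10,   # |skew| <= 3, |kurt| <= 10
    }


def expand(counts):
    """Turn {answer: frequency} into a flat list of Likert responses."""
    return [answer for answer, freq in sorted(counts.items()) for _ in range(freq)]


# Constructed response counts for a 1-to-5 Likert item (not survey data).
TYPICAL_ITEM = {1: 2, 2: 6, 3: 20, 4: 48, 5: 24}    # mildly left-skewed
CEILING_ITEM = {1: 1, 2: 1, 3: 2, 4: 6, 5: 90}      # almost everyone answers 5

# Skewness/kurtosis pairs as reported in Table 5.4 for Q25 and Q19.
REPORTED = {"Q25": (-0.887, 0.948), "Q19": (-0.235, -0.479)}


if __name__ == "__main__":
    for name, counts in (("typical", TYPICAL_ITEM), ("ceiling", CEILING_ITEM)):
        skew, kurt = skewness_kurtosis(expand(counts))
        print(name, round(skew, 3), round(kurt, 3), screen(skew, kurt))
    for item, (skew, kurt) in REPORTED.items():
        print(item, screen(skew, kurt))
```

An item with a strong ceiling effect fails all three criteria even though its mean looks unremarkable, which is why each observed variable is screened before the SEM is fitted.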
5.4 Testing the Goodness of Fit of the Model
5.4.1 Goodness of Fit of the Measurement Model
The measurement model from Figure 5.3 was assessed using multiple goodness-of-fit
indices in order to indicate how well the hypothesized model fits. The
goodness-of-fit measures from Table 5.5 show the Chi-Square as 892.988, with
331 degrees of freedom (df), making the relative Chi-Square (Chi-Square/df) equal to
2.698, which is less than 3.0 (Kline, 1998; Ullman, 2001). In addition, the Normed
Fit Index (NFI) is .920 which exceeds .90 (Byrne, 1994), the Goodness of Fit Index
(GFI) is .915 which exceeds .90 (Byrne, 1994), the Comparative Fit Index (CFI) is .948
which exceeds .90 (Byrne, 1994), the Root Mean Square Residual (RMR) is .037 which
is less than .05 (Steiger, 1990), and the Root Mean Square Error of Approximation
(RMSEA) is .049 which is less than .06 (Hu & Bentler, 1999). Thus, the measurement
model is regarded as having an acceptable fit with the empirical data and could be used in the
Structural Equation Modeling (SEM) analysis in the next part.
Chi-Square = 892.988, df = 331, p = .000, Relative Chi-square = 2.698
Figure 5.3: Test of Fitness of the Measurement Model
Table 5.5: Goodness of Fit Statistics of the Measurement Model
Index | Criteria Level | Goodness of Fit Statistics
Relative Chi-square | ≤ 3.00 | Chi-square/df = 2.666
Normed Fit Index | ≥ .90 | NFI = .922
Goodness of Fit Index | ≥ .90 | GFI = .917
Comparative Fit Index | ≥ .90 | CFI = .950
Root Mean Square Residual | ≤ .05 | RMR = .037
Root Mean Square Error of Approximation | ≤ .06 | RMSEA = .049
Note: See more details in Appendix E
5.4.2 Goodness of Fit of the Structural Equation Modeling
The Structural Equation Modeling from Figure 5.4 was also assessed using multiple
goodness-of-fit indices in order to indicate how well the hypothesized model fits.
The goodness-of-fit measures from Table 5.6 show the Chi-Square as 735.054,
with 291 degrees of freedom (df), making the relative Chi-Square (Chi-Square/df)
equal to 2.526, which is less than 3.0 (Kline, 1998; Ullman, 2001). In addition, the
Normed Fit Index (NFI) is .927 which exceeds .90 (Byrne, 1994), the Goodness of Fit
Index (GFI) is .927 which exceeds .90 (Byrne, 1994), the Comparative Fit Index (CFI)
is .954 which exceeds .90 (Byrne, 1994), the Root Mean Square Residual (RMR) is .036
which is less than .05 (Steiger, 1990), and the Root Mean Square Error of
Approximation (RMSEA) is .046 which is less than .06 (Hu & Bentler, 1999). Thus,
the Structural Equation Modeling is regarded as having an acceptable fit with the empirical data and
could be used for further analysis.
Chi-Square = 735.054, df = 291, p = .000, Relative Chi-square = 2.526
Figure 5.4: Test of Fitness of the Structural Equation Model
Table 5.6: Goodness of Fit Statistics for Structural Equation Modeling
Index | Criteria Level | Goodness of Fit Statistics
Relative Chi-square (Chi-square/df) | ≤ 3.00 | Chi-square/df = 2.526
Normed Fit Index (NFI) | ≥ .90 | NFI = .927
Goodness of Fit Index (GFI) | ≥ .90 | GFI = .927
Comparative Fit Index (CFI) | ≥ .90 | CFI = .954
Root Mean Square Residual (RMR) | ≤ .05 | RMR = .036
Root Mean Square Error of Approximation (RMSEA) | ≤ .06 | RMSEA = .046
5.5 The Result PMT Model of Thai Smartphone Users
5.5.1 Results of Testing Hypotheses and the Final Model
The statistical results from the AMOS program, shown in Table 5.7, indicate the
p-values of the relationships among constructs of the hypothesized model. The p-values
that were below .05 are indicated with asterisk (*) symbols, which mean that the
relationships between the two constructs are significant.
Table 5.7: Relationships among Variables of the Hypothesized Model
Relationship: From | Relationship: To | p-value
Perceived Severity | Threat Appraisal | .577
Perceived Vulnerability | Threat Appraisal | *
Social Influence | Threat Appraisal | *
Social Influence | Coping Appraisal | *
Response Effectiveness | Coping Appraisal | .306
Self-efficacy | Coping Appraisal | *
Threat Appraisal | Protection Motivation | .541
Threat Appraisal | Protection Behaviour | *
Coping Appraisal | Protection Motivation | *
Coping Appraisal | Protection Behaviour | *
Protection Motivation | Protection Behaviour | *
* Statistically significant at the .05 level
A summary of the testing of hypotheses Ha – Hk is shown in Table 5.8.
Table 5.8: Summary of the Testing Hypothesis Ha – Hk
Tested Hypothesis | Result
Ha: Perceived Severity positively affects Threat Appraisal | Rejected
Hb: Perceived Vulnerability positively affects Threat Appraisal | Accepted
Hc: Social Influence positively affects Threat Appraisal | Accepted
Hd: Social Influence positively affects Coping Appraisal | Accepted
He: Response Effectiveness positively affects Coping Appraisal | Rejected
Hf: Self-efficacy positively affects Coping Appraisal | Accepted
Hg: Threat Appraisal positively affects Protection Motivation | Rejected
Hh: Threat Appraisal positively affects Protection Behaviour | Accepted
Hi: Coping Appraisal positively affects Protection Motivation | Accepted
Hj: Coping Appraisal positively affects Protection Behaviour | Accepted
Hk: Protection Motivation positively affects Protection Behaviour | Accepted
The result model can be drawn as shown in Figure 5.5.
Figure 5.5: Result Model
[Figure: path diagram of the result model showing the standardized path coefficients between the constructs and the R2 values of Threat Appraisal, Coping Appraisal, Protection Motivation and Protection Behaviour. * Statistically significant at the .05 level.]
5.5.2 Direct and Indirect Effects among PMT Constructs
Figure 5.5 shows the significant relationships with solid arrow lines and the
non-significant relationships with dotted arrow lines. Only the significant relationships
are used to calculate the direct and indirect effects between the exogenous
variables and endogenous variables of the model, which are shown in Table 5.9.
Table 5.9: Direct and Indirect Effects among Variables of the Model
Variables | Threat Appraisal (TE / IE / DE) | Coping Appraisal (TE / IE / DE) | Protection Motivation (TE / IE / DE) | Protection Behaviour (TE / IE / DE)
Perceived Vulnerability | .34 / - / .34 | - / - / - | - / - / - | .03 / .03 / -
Social Influence | .28 / - / .28 | .24 / - / .24 | .17 / .17 / - | .21 / .21 / -
Self-efficacy | - / - / - | .69 / - / .69 | .50 / .50 / - | .53 / .53 / -
Threat Appraisal | - / - / - | - / - / - | - / - / - | .09 / - / .09
Coping Appraisal | - / - / - | - / - / - | .72 / - / .72 | .77 / .17 / .60
Protection Motivation | - / - / - | - / - / - | - / - / - | .23 / - / .23
R2 | .28 | .87 | .53 | .67
Note: TE = Total Effect, DE = Direct Effect, and IE = Indirect Effect
IE from Perceived Vulnerability to Protection Behaviour is .34*.09 = .03
IE from Social Influence to Protection Motivation is .24*.72 = .17
IE from Social Influence to Protection Behaviour is .28*.09+.24*.72*.23+.24*.60 = .21
IE from Self-efficacy to Protection Motivation is .69*.72 = .50
IE from Self-efficacy to Protection Behaviour is .69*.72*.23+.69*.60 = .53
IE from Coping Appraisal to Protection Behaviour is .72*.23 = .17
Results of the above table can be explained as follows:
1) Perceived Vulnerability directly affects Threat Appraisal with a Beta
Coefficient (β) value of .34 and accounted for 28% of the variances in the Threat Appraisal.
It also indirectly affects Protection Behaviour (through Threat Appraisal) with a value
of .03, and accounted for 67% of the variances in Protection Behaviour. Thus, the total
effect that Perceived Vulnerability had on Protection Behaviour is equal to .03.
2) Social Influence directly affects Threat Appraisal with a value of .28 and
accounted for 28% of the variances in the Threat Appraisal; it directly affects Coping Appraisal
with a value of .24 and accounted for 87% of the variances in the Coping Appraisal.
Social Influence indirectly affects Protection Motivation through Threat appraisal with
a value of .17 and accounted for 53% of the variances in the Protection Behaviour, and it
also indirectly affects Protection Behaviour through Coping Appraisal and Protection
Motivation with a value of .21 and accounted for 67% of the variances in the
Protection Motivation. Thus, the total effect that Social Influence had on Protection
Behaviour is equal to .21.
3) Self-efficacy directly affected Coping Appraisal, with a value of .69 and
accounted for 87% of the variances in the Coping Appraisal. It also indirectly affects
Protection Motivation (through Coping Appraisal) with a value of .50 and accounted
for 53% of the variances in the Protection Motivation. In addition, Self-efficacy also
indirectly affects Protection Behaviour (through Coping Appraisal and Protection
Motivation) with a value of .53 and accounted for 67% of the variances in the
Protection Motivation. Thus, the total effect that Social Influence had on Protection
Behaviour is equal to .53.
4) Threat Appraisal directly affects Protection Behaviour with a value of .09
and accounted for 67% of the variances in the Protection Motivation. Thus, the total
effect that Threat Appraisal had on Protection Behaviour is equal to .09.
5) Coping Appraisal directly affected Protection Motivation, with a value
of .72 and accounted for 53% of the variances in the Protection Motivation. It also
directly affects Protection Behaviour with a value of .60 and accounted for 67% of
the variances in the Protection Motivation, and indirectly affects Protection Behaviour
(through Protection Motivation) with a value of .17 and accounted for 67% of the
variances in the Protection Motivation. Thus, the total effect that Coping Appraisal had
on Protection Behaviour is equal to .77.
6) Protection Motivation directly affects Protection Behaviour, with a value
of .86 and accounted for 73% of the variances in the Protection Behaviour. Thus, the
total effect that Protection Motivation had on Protection Behaviour is equal to .23.
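The effect decomposition behind Table 5.9, as an added example that is not part of the thesis: it enumerates every directed route through the significant paths and multiplies the coefficients along each route, which is how the indirect effects in the table note are formed. The coefficients are those given in the table note; the function and variable names are illustrative.

```python
from collections import defaultdict

# Significant standardized path coefficients, taken from the note under Table 5.9.
PATHS = {
    ("Perceived Vulnerability", "Threat Appraisal"): 0.34,
    ("Social Influence", "Threat Appraisal"): 0.28,
    ("Social Influence", "Coping Appraisal"): 0.24,
    ("Self-efficacy", "Coping Appraisal"): 0.69,
    ("Threat Appraisal", "Protection Behaviour"): 0.09,
    ("Coping Appraisal", "Protection Motivation"): 0.72,
    ("Coping Appraisal", "Protection Behaviour"): 0.60,
    ("Protection Motivation", "Protection Behaviour"): 0.23,
}


def routes(paths, source, target):
    """Return every directed route source -> target as (nodes, product of coefficients)."""
    adjacency = defaultdict(list)
    for (src, dst), beta in paths.items():
        adjacency[src].append((dst, beta))

    found = []

    def walk(node, visited, product):
        if node == target:
            found.append((visited, product))
            return
        for nxt, beta in adjacency[node]:
            if nxt in visited:
                # Path tracing by enumeration only works for models without loops.
                raise ValueError("model is not recursive: loop through " + nxt)
            walk(nxt, visited + [nxt], product * beta)

    if source != target:
        walk(source, [source], 1.0)
    return found


def decompose(paths, source, target):
    """Split the total effect of source on target into direct and indirect parts."""
    direct = 0.0
    indirect = 0.0
    for nodes, product in routes(paths, source, target):
        if len(nodes) == 2:      # a single arrow: the direct effect
            direct += product
        else:                    # a route through one or more mediators
            indirect += product
    return {"DE": direct, "IE": indirect, "TE": direct + indirect}


def effects_table(paths, targets):
    """Rounded DE/IE/TE for every construct that has a route to each target."""
    sources = sorted({src for src, _ in paths})
    table = {}
    for target in targets:
        for source in sources:
            effect = decompose(paths, source, target)
            if effect["TE"]:
                table[(source, target)] = {k: round(v, 2) for k, v in effect.items()}
    return table


if __name__ == "__main__":
    for nodes, product in routes(PATHS, "Social Influence", "Protection Behaviour"):
        print(" -> ".join(nodes), round(product, 4))
    for key, effect in effects_table(
        PATHS, ["Protection Motivation", "Protection Behaviour"]
    ).items():
        print(key, effect)
```

Social Influence reaches Protection Behaviour by three routes, and their products sum to the .21 shown in the table; dropping or adding a path in `PATHS` shows how the totals would shift.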
5.6 Conclusion
This chapter analyzed the theoretical PMT model with the Structural Equation
Modeling (SEM) technique. The results showed the statistically significant relationships
of factors in the PMT model and the level of direct and indirect impacts of these factors
on the protection behaviours of Thai smartphone users. The next chapter will
summarize all the work and answer the questions in this research.
CHAPTER 6
SUMMARY AND ANSWERS TO RESEARCH QUESTIONS
The research process and the results found in the previous chapters are summarized in
this chapter, including the objectives of this study, the methodologies used for gathering
and analyzing the data, and the results. This chapter also provides the answers
to the research questions.
6.1 Recap of Objectives and Methodology
This study was designed to gain insights into smartphone threats, security, and users’
behaviours. Such knowledge may be used in the promotion and initiation of changes
and developments toward improved smartphone usage in Thailand. The main purpose of
this study is to investigate the cyber threats and security in Thailand, and the security handlings,
awareness and behaviours of smartphone users in Thailand. To reach this purpose, the
objectives of this study were set as follows: (1) to investigate cyber threats on
smartphones and their trends; (2) to investigate cybersecurity handlings by smartphone
users in Thailand; (3) to investigate behaviours of Thai smartphone users and their
perceptions on the PMT’s constructs; and (4) to analyze the causal relationship between
constructs of the proposed PMT model.
This study used a mixed-method approach, consisting of both a qualitative study and a
quantitative study, for collection and analysis of the data. For the qualitative part,
content analysis was performed by reviewing and analyzing related documents and
literature. The key issues were then drawn out and categorized into themes. In the
quantitative part, the Protection Motivation Theory (PMT) and related studies were
reviewed to create the theoretical model, which was also used as a tool for gathering
quantitative data for this study. The questionnaire consisted of 33 questions with
answers indicated on a 1-to-5 Likert scale. Prior to data collection, the questionnaire
was tested for its validity and reliability.
This study used the cluster sampling technique for data collection by dividing the sources
into six regions in Thailand. A heavily populated province was selected as the representative
of each region. Similarly, smartphone users in more populated areas, such as
shopping malls, schools, and/or public/private offices, were randomly invited to
participate in this study.
Based on Yamane (1973) and the basic assumption for Structural Equation Modeling
(SEM), a total of 720 samples were used in this study of which approximately 120
samples were collected from each region. These data were then analyzed with
descriptive statistics to explain the demographic features of the samples. The t-test and
ANOVA techniques were used to compare means of Constructs between different
categories of samples. In the last part, the SEM was used for analyzing the theoretical
model with the empirical data, and the significant relationships of the model were
indicated. Finally, the degrees of direct and indirect effects of exogenous and
endogenous constructs towards the dependent variable, the Protection Behaviour, were
then calculated.
6.2 Summary of the Results
6.2.1 Answer for Research Question #1.1
This part answers research question #1.1, which asks, “What are the types of
cyber threats that smartphone users are confronting?”
Smartphone threats can be caused by attackers and/or by users.
6.2.1.1 Cyber Threats Caused by Attackers
This type of cyber threats includes malware attacks, wireless network attacks, Denial
of Service attacks, and break-in attacks. Details are shown in Table 6.1.
Table 6.1: Summary of Threats Caused by Attackers
Cyber Threat by Attacker | Description
Malware Attack | Changing or distributing private information in the smartphone, random code execution, or abusing costly services and functions.
Wireless Network Attack | Corrupting smartphones, blocking, or modifying information on the wireless network.
Denial of Service Attack | Attacking a base station, wireless network, or web server, or interfering with smartphones by using radio interference.
Break-in Attack | Attacking to gain partial or full control over the target smartphones.
Source: Rewritten from Jeon et al. (2010: 315)
6.2.1.2 Cyber Threats Caused by Unawareness of Users
Threats arising from user unawareness can be caused by cybercriminals and include malfunctions,
phishing, phone theft/loss, and platform alterations. Details are shown in Table 6.2.
Table 6.2: Cyber Threats and Effects Caused from User’s Unawareness
Cyber Threats from User’s Unawareness | Descriptions
Disable or Malfunction | Unintentionally disabling applications or causing them to malfunction through mistakes or inappropriate configurations.
Phishing | Unintentionally exposing private information by accessing phishing sites, messenger phishing, or SMS phishing.
Phone Loss/Stolen | Phone lost or stolen.
Platform Alteration | Intentionally altering the smartphone platform, such as jailbreaking or rooting.
Source: Rewritten from Jeon et al. (2010: 315)
6.2.2 Answer for Research Question #1.2
This part answers research question #1.2 which is “What are statistics of malware
attacks on smartphones and trends in the future?”
Results show the top three mobile malware attacks during August 2013 – July 2014.
The largest number of malware attacks was Trojan SMS. This malware keeps sending
text messages to premium-rate SMS numbers continuously and accounted for 57.08% of
all attacks. The second largest attack was RiskTool. This malware conceals files in the
mobile devices, hides applications, or terminates active processes. It
accounted for 21.52% of all attacks. Lastly, the third largest attack was AdWare, which
accounted for 7.37% of all attacks. This malware automatically downloads
unwanted information or advertising materials when the mobile device is online. Details
are shown in Figure 6.1.
Figure 6.1: Mobile Malware Attack During August 2013 – July 2014
Malware has increased in volume and in level of sophistication. The Kaspersky
Lab survey results in 2015 showed that there were 2,961,727 malicious installation
packages worldwide. About 884,774 of them were new malicious mobile programs,
which was three times the number in 2014, and 7,030 were mobile banking Trojans. There
is also an increase in the number of malicious attachments which are not easy to delete.
This includes ransomware, programs that display aggressive advertisements, and
cybercriminals that actively use phishing pages to conceal legitimate applications.
[Figure 6.1 data: Trojan SMS 57.08%, RiskTool 21.52%, AdWare 7.37%, Others 14.03%]
6.2.3 Answer for Research Question #2.1
This part answers research question #2.1 which states, “Which organizations handle
cybersecurity in Thailand?”
Mobile devices can be secured from threats and this depends on the cyber threat
surveillance and response team, a secured mobile telecommunication network, and the
behaviour of mobile device owners themselves.
Cyber threat surveillance and response teams consist of groups of experts that handle
computer security incidents. These teams are commonly recognized as the Computer
Security Incident Response Team (CSIRT) or the Computer Emergency Response
Team (CERT).
In Thailand, the Thailand Computer Emergency Response Team (ThaiCERT) is
responsible for providing incident response to computer security threats. ThaiCERT
has conducted various activities to strengthen the integrity of important internal
processes and infrastructure, and safeguard cybersecurity for government agencies
and the general public. This team gives necessary support and advice for solutions
to such threats, and follows up and disseminates news and updates on computer security,
including mobile security, to the public.
Therefore, all sectors should engage and collaborate in order to address these problems.
To make national incident response successful, key organizations such as the Bank of
Thailand, Securities and Exchange Commission, Office of Insurance Commission,
and telecommunication operators should engage and collaborate to establish sector-
based CSIRT that could be responsible for their respective domains.
6.2.4 Answer for Research Question #2.2
This part answers research question #2.2 which states, “What should telecommunication
network operators in Thailand do to handle cybersecurity for smartphones?”
The ITU X.805 standard provides a conceptual model for cyber risk assessment and
mitigation. It consists of a set of principles, including three layers, three planes, and
eight dimensions, together with five attacks and threats. As the operator core network
handles the flow of all mobile communication, it is imperative that the operator network is
properly safeguarded. Thus, to improve the security of the mobile core network against the
risks related to confidentiality, integrity and availability, the telecommunication
network operator should implement proper standards and design guidelines, one of which
is the ITU X.805 that was proposed by Khera, V., Fung C.C., & Chaisiri, S. in IAIT
(2013).
6.2.5 Answer for Research Question #3.1
This section answers research question #3.1 which states, “What are demographic of
smartphone users in Thailand?”
The demographic results show that, for gender, the number of female samples was a
little higher than that of males. The statistical results show that, from a total of 720 samples, 52.2%
were female and 47.8% were male. Regarding education, the results show that most samples
had a degree below bachelor level (45.1%) or at the bachelor level (44.6%),
while only 10.3% had a master degree or above. When considering their
employment, the majority were employees. The statistical results show that 24.4% of them were
company employees and 9.7% worked for the government. However, around one third of
them were entrepreneurs (20.6%) as well as students (22.5%). Lastly, for salary, the
majority of the sample earned less than 15,000 Baht per month (43.2%), followed by
15,001 - 30,000 Baht per month (25.4%). The rest made up around one third of the
sample: 11.1% had a salary between 30,001 - 40,000 Baht per month, 12.8%
had a salary between 40,001 - 50,000 Baht per month, and 7.5% had a salary of more than
50,001 Baht per month. Details are shown in Figure 6.2.
Figure 6.2: Summary of the Demographic of this Study
6.2.6 Answer for Research Question #3.2
This section answers research question #3.2 which states, “What are the general
behaviours of Thai people in using smartphones?”
1) Overall General Behaviours of Smartphone Users - The results show that the
largest number of users preferred to use AIS as their service provider (46.5%), the
second group preferred DTAC (30.4%), followed by TrueMove (22.4%). For the
phone’s operating system, the results show that more than half of the users preferred to use
Android (53.1%), followed by iOS (36.0%) and Windows phone (3.6%).
Interestingly, 5.6% of them didn’t know what operating system they were using. The
results also show that around one quarter of all samples (26.1%) had lost their phones
before, and 68.8% of them had phones infected by a virus or malware. As there
are many free public Wi-Fi services available in many places such as restaurants or
shopping malls, many people preferred to connect their smartphones through these free
internet access services. The results show that more than half of the users preferred to
use these services; among them, 46.3% used free public Wi-Fi sometimes while
14.3% always connected their phones to free public Wi-Fi. The users also used
smartphones to pay bills, buy goods, or transfer money. This is consistent with the
research results, which show that 41.8% of all users used their smartphones for financial
purposes; among these, 11.4% used them on a daily basis. Details are shown in Figure 6.3.
[Figure 6.2: bar chart of the percentage of samples by Gender, Age, Education, Employment and Monthly Income]
Figure 6.3: Summary of the Behaviours of Thai Smartphone Users by Region
2) General Behaviours of Smartphone Users by Region - When considering
general behaviours of smartphone users by region, the results are as follows. For phone
service provider, the survey results show that users in most regions preferred to use
AIS, except North Eastern, where DTAC was preferred. For operating system, the
results show that Android was the most popular operating system in most regions except
Northern, where iOS was preferred. Regarding phone loss, the results
show that Bangkok & Metropolitan had the highest percentage of phone loss (37.5%),
followed by Central Region (29.2%) and Southern (26.1%) respectively. Regarding virus
infection, Bangkok & Metropolitan had the highest percentage of people who
experienced virus infection on their phones (40.0%), followed by Central Region
(37.5%) and Southern (31.3%) respectively. For free public Wi-Fi, Bangkok &
Metropolitan had the highest percentage of using free public Wi-Fi (75.0%), followed
by Central Region (71.7%) and Northern (64.2%) respectively. For using smartphones
to transfer money, Bangkok & Metropolitan had the highest percentage in using this
service (65.8%), followed by Northern (42.5%), Southern (41.8%) and Central Region
(41.7%) respectively.
[Figure 6.3: bar chart of the percentage of users by Service Providers, Operating System, Phone Lost, Virus Infected, Use Public Wifi and Transfer Money]
Details are shown in Table 6.3 and Figure 6.4.
Table 6.3: Summary of General Behaviours of Smartphone Users by Region
 | BKK & Metro | Upcountry: Northern | Upcountry: North Eastern | Upcountry: Eastern | Upcountry: Central Region | Upcountry: Southern
Service Provider | AIS | AIS | DTAC | AIS | AIS | AIS
Operating System | Android | iOS | Android | Android | Android | Android
Phone Loss | (1) 37.5% | (4) 24.2% | (6) 20.0% | (5) 21.7% | (2) 29.2% | (3) 26.1%
Virus/Malware Infection | (1) 40.0% | (4) 28.3% | (5) 24.2% | (6) 20.0% | (2) 37.5% | (3) 31.3%
Free Public Wi-Fi Usage | (1) 75.0% | (3) 64.2% | (5) 46.7% | (6) 37.5% | (2) 71.7% | (4) 60.6%
Money Transfer via Phone | (1) 65.8% | (2) 42.5% | (5) 32.0% | (6) 25.0% | (4) 41.7% | (3) 41.8%
Figure 6.4: Behaviours of Smartphone Users by Region
[Bar chart: Phone Loss, Virus Infection, Use Public Wifi, and Transfer Money (0.0% to 80.0%) for BKK & Metro., North, North East, East, Central, and South]
It is also observed that behaviours of smartphone users in Bangkok & Metropolitan were
significantly different from people in other regions (at .05 statistically significant level).
3) General Behaviours of Smartphone Users by Age - As regards phone
service providers, it was shown that most smartphone users in all age ranges preferred
to use AIS, followed by DTAC and Truemove. For operating system, the results show
that smartphone users of all ages preferred Android to iOS. Interestingly, however,
20.2% of people aged 51 – 60 did not know what operating system they were using.
For phone loss, the results show that people aged 18 – 22 years old had
the highest percentage (34.0%), followed by 23 – 30 years old (28.9%) and 31 – 40
years old (25.2%). For virus infection, people aged 18 – 22 had the highest percentage
(42.4%), followed by people aged 23 – 30 years old (35.5%) and 31 – 40 years old
(33.1%). For free public Wi-Fi, the result shows
that more than 50% of people in the age ranges 18 – 22, 23 – 30, 31 – 40, and 41 – 50 years
old preferred to use free public Wi-Fi, while around 30% of people aged 51 – 60 had
used free public Wi-Fi. For transferring money, the result shows that more than 50% of
people in the age ranges 23 – 30 and 31 – 40 years old preferred to transfer money through
their smartphones, while around 10% of people aged 51 – 60 used the service.
Details are shown in Table 6.4 and Figure 6.5.
Table 6.4: Summary of General Behaviours of Smartphone Users by Age
| Age (Years Old) | 18 – 22 | 23 – 30 | 31 – 40 | 41 – 50 | 51 – 60 |
|---|---|---|---|---|---|
| Service Provider | AIS | AIS | AIS | AIS | AIS |
| Operating System | Android | Android | Android | Android | Android |
| Phone Loss | (1) 34.0% | (2) 28.9% | (3) 25.2% | (4) 25.0% | (5) 16.3% |
| Virus Infection | (1) 42.4% | (2) 35.5% | (3) 33.1% | (4) 27.1% | (5) 16.3% |
| Free Public Wi-Fi | (2) 73.6% | (1) 74.3% | (3) 67.5% | (4) 52.8% | (5) 30.2% |
| Transfer Money | (3) 45.8% | (2) 54.6% | (1) 57.6% | (4) 36.1% | (5) 10.1% |
Figure 6.5: Behaviours of Smartphone Users By Age
6.2.7 Answer for Research Question #3.3
This section answers research question #3.3 which states, “What are the protection
behaviour of Thai smartphone users?”
6.2.7.1 Means of Constructs of the Protection Behaviour Model
For the overall means of the model’s constructs, the largest mean was Perceived
Severity (3.85) and the second largest was Protection Behaviour (3.62), while Threat
Appraisal and Social Influence were the two lowest, with mean values of 3.40 and 3.34.
To conclude, based on all nine constructs, Thai smartphone users had low ability to
evaluate smartphone threats. Additionally, social pressure, such as
recommendations from friends or news, had little effect on smartphone users in protecting
themselves from cyber threats. Details are shown in Table 6.5 and Figure 6.6.
Table 6.5: Summary of Overall Means of the Model’s Constructs
| Constructs | Mean | Order | Level |
|---|---|---|---|
| Perceived Severity | 3.85 | 1 | High |
| Protection Behaviour | 3.62 | 2 | High |
| Perceived Vulnerability | 3.58 | 3 | High |
| Self-efficacy | 3.57 | 4 | High |
| Response Effectiveness | 3.55 | 5 | High |
| Protection Motivation | 3.53 | 6 | High |
| Coping Appraisal | 3.48 | 7 | High |
| Threat Appraisal | 3.40 | 8 | Neutral |
| Social Influence | 3.34 | 9 | Neutral |
Figure 6.6: Overall Means of Model’s Constructs
6.2.7.2 Means of Constructs by Gender
When comparing the means of constructs by gender, the result shows that males had a
higher mean in Response Effectiveness (3.64) than females (3.58) at the .05 statistical
significance level. Detail is shown in Figure 6.7.
Figure 6.7: Mean Difference of Construct by Gender
In conclusion, females had lower ability than males in responding to the recommended
practices to avoid cyber threats on their smartphones.
6.2.7.3 Means of Constructs by Age
When focusing on age, it was clear that samples aged 51 – 60 had lower means in
Social Influence (3.04), Self-efficacy (3.11), Coping Appraisal (3.16), and Protection
Behaviour (3.15) than any other group. Detail is shown in Figure 6.8.
Figure 6.8: Mean Differences of Constructs by Age
Moreover, for Protection Behaviour, the result shows that samples aged 51 – 60 had a
lower mean (3.46) than people aged 23 – 30 (3.71) and 41 – 50 (3.69) at the .05
statistical significance level. Detail is shown in Figure 6.9.
Figure 6.9: Mean Differences of Protection Behaviour by Age
Lastly, samples aged 41 – 50 also had a lower mean in Self-efficacy (3.53) than
samples aged 23 – 30 (3.73). All were at the .05 statistical significance level. Detail is
shown in Figure 6.10.
Figure 6.10: Mean Differences of Self-efficacy by Age
In conclusion, people aged 51 – 60 were less affected by social influences, had lower
ability to perform the recommended practices, lower ability to evaluate their abilities in
coping with smartphone threats, and lower motivation to protect themselves from
smartphone threats than other age groups. For protection behaviour, people aged 51 – 60
had lower protection behaviour than those aged 23 – 30 and 41 – 50. Yet people aged 41 – 50
had lower ability to perform the recommended practices to protect their phones from
cyber threats than people aged 23 – 30.
6.2.7.4 Means of Constructs by Region
When comparing the model’s constructs between smartphone users who lived in BKK &
Metropolitan and those who lived in Upcountry, the result indicates that smartphone
users in the BKK & Metropolitan area had lower means in Perceived Vulnerability (3.29),
Threat Appraisal (3.21), and Coping Appraisal (3.26) than people who lived in
Upcountry (with means of 3.64, 3.44, and 3.52) at the .05 statistical significance level.
Detail is shown in Figure 6.11.
* Up Country consists of all regions of Thailand except BKK & Metropolitan
Figure 6.11: Mean Difference of Constructs by Region
It is clear that smartphone users in the Bangkok & Metropolitan area had lower
abilities in perceiving vulnerabilities to cyber threats, lower abilities in evaluating the
consequences of cyber threats, and lower ability to assess their ability to cope with
cyber threats than people from upcountry.
6.2.7.5 Means of Constructs by Virus Infection
When focusing on phones’ virus infections, the result shows that people who had
experienced a phone virus or malware had higher means in Perceived Vulnerability
(3.68), Threat Appraisal (3.53), and Protection Motivation (3.61)
than people who had not (with means of 3.53, 3.34, and 3.49 respectively) at the .05
statistical significance level. Detail is shown in Figure 6.12.
Figure 6.12: Mean Difference of Constructs by Malware Infection
To conclude, people who had never experienced phone virus or malware
infections had lower ability in perceiving their own vulnerabilities to smartphone
threats, lower ability in evaluating smartphone threats, and less motivation in
protecting their smartphones from threats than the others.
6.2.7.6 Means of Constructs by Using Free Public Wi-Fi
For using free public Wi-Fi, the result shows that people who used public Wi-Fi had
higher means in Self-efficacy (3.67), Coping Appraisal (3.53), Protection
Motivation (3.60), and Protection Behaviour (3.69) than people who did not (with
means of 3.37, 3.40, 3.42, and 3.51 respectively). All were at the .05 statistical
significance level. Detail is shown in Figure 6.13.
Figure 6.13: Mean Difference of Constructs by Using Public Wi-Fi
In short, people who did not use free public Wi-Fi had lower capacity to perform the
recommended practices, less capacity to assess their abilities in coping with threats, less
motivation in protecting their smartphones from threats, and, lastly, less protection
behaviour than the other group.
6.2.7.7 Means of Constructs by Using Money Transfer Services via
Smartphones.
People who paid bills or transferred money via their smartphones had higher means in
most of the constructs, namely Perceived Vulnerability, Social Influence, Response
Effectiveness, Self-efficacy, Coping Appraisal, Protection Motivation, and Protection
Behaviour, than those who did not, with means of 3.65, 3.46, 3.64, 3.75, 3.59, 3.71, and
3.72. All were at the .05 statistical significance level. Among these, the largest mean
differences were in the constructs Self-efficacy and Protection Motivation, with mean
differences of .35 and .31 respectively. Detail is shown in Figure 6.14.
Figure 6.14: Mean Difference of Constructs by Transferring Money via Phone
A summary of the comparison of model’s constructs by demographic and general
behaviour of smartphone users is shown in Table 6.6.
Table 6.6: Summary of Mean Comparisons of the Model’s Constructs
Constructs compared: PerVuln, SocInflu, SelfEffec, ResEffi, ThrApp, CopApp, ProMoti, ProBeh
Gender: Male > Female
Age: 18-50 > 51-60; 18-50 > 51-60; 18-50 > 51-60; 18-50 > 51-60; 23-30 > 51-60; 23-30 > 41-50; 41-50 > 51-60
Region: Upcount > BKK & Metro; Upcount > BKK & Metro; Upcount > BKK & Metro
Virus Infected: Yes > No; Yes > No; Yes > No
Public Wi-Fi: Yes > No; Yes > No; Yes > No; Yes > No
Transfer Money: Yes > No; Yes > No; Yes > No; Yes > No; Yes > No; Yes > No
* All at .05 statistically significant difference
6.2.8 Answer for Research Question #4.1
This section answers research question #4.1, which states, “What is the protection
behaviour model of Thai smartphone users?”
After testing the theoretical protection behaviour model with empirical data, the result
shows that Perceived Severity had no effect on Threat Appraisal and
Response Effectiveness had no effect on Coping Appraisal (both at the .05 statistical
significance level), so these paths were removed from the result model. Thus, the protection
behaviour model of Thai smartphone users consisted of only seven constructs, as shown
in Figure 6.15.
* Statistically significant at .05 level.
Figure 6.15: The Result Model of This Study
[Path diagram: constructs Perceived Vulnerability, Social Influence, Self-efficacy, Threat Appraisal, Coping Appraisal, Protection Motivation, and Protection Behaviour; path coefficients .34*, .28*, .24*, .69*, .72*, .23*, .09*, .60*; R2 = .28, R2 = .87, R2 = .53, R2 = .67]
6.2.9 Answer for Research Question #4.2
This section answers research question #4.2, which states, “What are degrees of
direct and indirect effects between constructs of protection behaviour model of Thai
smartphone users?”
The effects among constructs of the protection behaviour model of Thai smartphone
users are described as follows:
1) Constructs that affected Protection Behaviour consisted of:
1.1) Coping Appraisal (assessment of ability in coping with damage resulting
from the danger) had a total effect on Protection Behaviour (behaviour
in protecting their smartphones from cyber threats) with a coefficient
of .77 (.60 for direct effect and .17 for indirect effects).
1.2) Self-efficacy (extent in performing the recommended behaviour
successfully) indirectly affected Protection Behaviour with a coefficient of .53.
1.3) Protection Motivation (intention to perform the recommended behaviour)
directly affected Protection Behaviour with a coefficient of .23.
1.4) Social Influence (social pressure to perform or not perform a given
behaviour) indirectly affected Protection Behaviour with a coefficient of .21.
1.5) Threat Appraisal (assessment of the level of cyber danger on smartphone
posed by the threat) directly affected Protection Behaviour with a
coefficient of .09.
1.6) Perceived Vulnerability (probability that the smartphone may be attacked
by cyber threats) indirectly affected Protection Behaviour with a coefficient
of .03.
2) Constructs that affected Coping Appraisal - Self-efficacy and Social
Influence directly affected the Coping Appraisal (assessment of ability in coping with
damage resulting from the danger) with coefficients of .69 and .24 respectively.
3) Constructs that affected Protection Motivation - Coping Appraisal directly
affected Protection Motivation with a coefficient of .72. In the meantime, Self-efficacy
and Social Influence indirectly affected Protection Motivation with coefficients
of .50 and .17 respectively.
4) Constructs that affected Threat Appraisal - Perceived Vulnerability and Social
Influence directly affected Threat Appraisal with coefficients of .34 and .28 respectively.
The total effects of each construct on the Protection Behaviour, as calculated in
Chapter 4, are summarized in Figure 6.16 and Table 6.7.
Figure 6.16: Total Effects on Protection Behaviour Constructs
Table 6.7: Total Effects on Protection Behaviour Construct
| Construct | Protection Behaviour | Level |
|---|---|---|
| Perceived Vulnerability | .03 | 6 |
| Social Influence | .21 | 4 |
| Self-efficacy | .53 | 2 |
| Threat Appraisal | .09 | 5 |
| Coping Appraisal | .77 | 1 |
| Protection Motivation | .23 | 3 |
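The total effects above can be reproduced from the direct path coefficients listed in Section 6.2.9 by summing, over every directed path from a construct to the target, the product of the coefficients along that path. The Python below is an added example, not part of the thesis; the function names are illustrative, and it assumes the result model is recursive (no feedback loops).

```python
"""Total effects in a recursive path model, from the coefficients in Section 6.2.9."""

PB = "Protection Behaviour"
PM = "Protection Motivation"

# Direct (standardized) path coefficients as stated in Section 6.2.9.
DIRECT_PATHS = {
    ("Perceived Vulnerability", "Threat Appraisal"): 0.34,
    ("Social Influence", "Threat Appraisal"): 0.28,
    ("Social Influence", "Coping Appraisal"): 0.24,
    ("Self-efficacy", "Coping Appraisal"): 0.69,
    ("Coping Appraisal", PM): 0.72,
    ("Coping Appraisal", PB): 0.60,
    ("Threat Appraisal", PB): 0.09,
    (PM, PB): 0.23,
}


def total_effect(paths, source, target, _stack=()):
    """Sum the coefficient products over every directed path source -> target.

    The direct path (if any) is included. Raises ValueError if the model
    contains a feedback loop, because the path-product rule used here only
    holds for recursive (acyclic) models.
    """
    if source in _stack:
        raise ValueError(f"feedback loop through {source!r}: model is not recursive")
    total = 0.0
    for (src, dst), coef in paths.items():
        if src != source:
            continue
        if dst == target:
            total += coef  # direct path ends here
        else:
            # extend the path through the intermediate construct
            total += coef * total_effect(paths, dst, target, _stack + (source,))
    return total


def decompose(paths, source, target):
    """Split the total effect into its direct and indirect parts (2 decimals)."""
    direct = paths.get((source, target), 0.0)
    total = total_effect(paths, source, target)
    return {
        "direct": round(direct, 2),
        "indirect": round(total - direct, 2),
        "total": round(total, 2),
    }


def rank_by_total_effect(paths, target):
    """Order every other construct by its total effect on the target, largest first."""
    sources = {src for src, _ in paths} - {target}
    totals = {s: round(total_effect(paths, s, target), 2) for s in sources}
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for rank, (construct, total) in enumerate(rank_by_total_effect(DIRECT_PATHS, PB), 1):
        parts = decompose(DIRECT_PATHS, construct, PB)
        print(f"{rank}. {construct:<24} total={total:.2f} "
              f"(direct={parts['direct']:.2f}, indirect={parts['indirect']:.2f})")
```

The same functions give the indirect effects on Protection Motivation reported in item 3 when called with `PM` as the target.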
6.3 Conclusion
This chapter presents the design concept of this study, methodologies, and the results.
The next chapter will compare the results against the related literature mentioned in
Chapter 2. Recommendations for increasing cybersecurity for smartphone users and
suggestions for future studies will also be provided in the next chapter.
CHAPTER 7
DISCUSSION, CONCLUSION, AND RECOMMENDATION
This chapter presents the overview and summary of this study, methodologies, and the
results. Recommendations for increasing cybersecurity for smartphone users and
suggestions for future studies also conclude this chapter.
7.1 Discussion and Conclusion
Mobile devices can be secured from threats. It depends on the cyber threat surveillance
and response team, the secured mobile telecommunication network, and the behaviour
of mobile device owners themselves. Each item is discussed as follows:
7.1.1 Smartphone Threats and Trend
Section 2.2.1 of Chapter 2 shows that there were two types of threats that can occur on
smartphones. Threats can be caused by cyber attackers, such as malware attacks, wireless
network attacks, denial of service attacks, and break-in attacks. The other type of threat
can be caused by users' lack of awareness, such as unintentionally disabling applications or
causing them to malfunction by mistake, unintentionally exposing private information by
accessing phishing sites, losing the phone or having it stolen, or intentionally altering
the smartphone platform (Jeon, W. et al, 2010: 315).
Smartphone threats are on the rise. Section 2.2.2 of Chapter 2 shows an increasing
number of new malicious mobile programs, which was three times that of the year 2014
(The McAfee Mobile Threat Report 2016 by Snell & Bruce). Among these were mobile
banking Trojans, malicious attachments, ransomware, aggressive advertising malware,
and phishing web pages (Snell & Bruce, 2016). Moreover, it also shows that the largest
number of malware attacks was Trojan SMS, followed by RiskTool and AdWare
(Kaspersky Lab and Interpol Joint Report, October 2014 (August 2013 – July 2014)).
7.1.2 Computer Security Incident Response Team
Section 2.3.1 of Chapter 2 shows that the Thai government, like those of other countries,
aims to cope with cyber threats and set up ThaiCERT (Thailand Computer Emergency
Response Team), a national Computer Security Incident Response Team (CSIRT), in
the year 2000. ThaiCERT is responsible for providing incident response to computer
security threats. ThaiCERT has conducted various activities to strengthen the
integrity of important internal processes and infrastructure, and to safeguard
cybersecurity for government agencies and the general public. ThaiCERT consists of
groups of experts who monitor cyber threats that can endanger computers and/or
mobile devices, give necessary support and advice on solutions to such threats,
and follow up and disseminate news and updates on computer security, including
mobile security, to the public. ThaiCERT supports collaboration among
organizations to increase efficiency in handling cyber threats. This gives
business sectors the opportunity to improve their cybersecurity. However, being
supported by the government, ThaiCERT services are limited to governmental
agencies. Thus, to make cyber threat incident response successful, the private sector
should be involved as well as the public sector.
Currently, as it is subsidized by the Thai government, ThaiCERT officially gives services to
constituencies that are mostly government agencies. As collaboration among trusted
organizations can speed up response to cyber threats and improve efficiency (Cichonski, 2012),
ThaiCERT has been trying to expand collaboration with its member constituencies.
Nonetheless, being subsidized by the Thai government, ThaiCERT limits its
membership to Thai government agencies only. Therefore, to increase capacity in
cybersecurity, ThaiCERT membership should cover the private sector as well.
7.1.3 Secured Telecommunication Network for Smartphone
Section 2.3.2 shows the framework of ITU X.805, which consists of three layers, three
planes, and eight dimensions, together with five attacks and threats. According to Khera
V., Fung C.C., Chaisiri S. (2013), the ITU X.805 provides a high security standard and
design guidelines which can improve the security of the mobile core network against the
risks related to confidentiality, integrity and availability. Thus, Thai telecommunication
network operators, such as AIS, DTAC or Truemove, should apply these standards and
guidelines to safeguard their telecommunication networks.
Moreover, to speed up response to cyber threats efficiently, the telecommunication
network operators should collaborate closely among themselves (Cichonski, 2012).
Thus, organizing a sector-based Computer Security Incident Response Team (CSIRT)
for telecommunication network operators and the regulator should effectively increase
cybersecurity, especially for Thai smartphone users.
7.1.4 Protection Behaviour Model of Thai Smartphone Users
The analysis result of Chapter 5 shows that, from a total of eight factors, six had
significant effects on Protection Behaviour of Thai smartphone users. These
factors were (1) Perceived Vulnerability; (2) Social Influence; (3) Self-efficacy;
(4) Threat Appraisal; (5) Coping Appraisal; and (6) Protection Motivation. The other two
factors, Perceived Severity and Response Effectiveness, had no
significant effects and were therefore removed from the model.
Figure 7.1: The Result Model
Source: Redrawn from Section 5.5.1 of Chapter 5
[Path diagram: constructs Perceived Vulnerability, Social Influence, Self-efficacy, Threat Appraisal, Coping Appraisal, Protection Motivation, and Protection Behaviour; path coefficients .34*, .28*, .24*, .69*, .72*, .23*, .09*, .60*; R2 = .28, R2 = .87, R2 = .53, R2 = .67]
According to the result model, Threat Appraisal and Coping Appraisal had significant
effects on Protection Motivation. The result also shows that Perceived Vulnerability had a
significant effect on Threat Appraisal while Perceived Severity had not. Similarly,
Self-efficacy had a significant effect on Coping Appraisal while Response Effectiveness had not.
Thus, the result model is partially consistent with the cognitive process of protection
motivation theory (Rogers, R.W., 1983).
The result model is also partially consistent with the Variance Theory View of TTAT
proposed by Liang & Xue (2009). It is clear that Social Influence in the result model
had a significant effect on both Threat Appraisal and Coping Appraisal, Perceived
Vulnerability had a significant effect on Threat Appraisal, Self-efficacy had a significant
effect on Coping Appraisal, Threat Appraisal and Coping Appraisal both had
significant effects on Protection Motivation, and Protection Motivation had a significant
effect on Protection Behaviour.
In addition, the result model is also in line with the study of Srisawang, Thongmak &
Ngarmyarn (2015), the authors of “Factors Affecting Computer Protection Behaviour,”
which is also based on the PMT model. It is confirmed that Social Influence in the result
model had a significant effect on both Threat Appraisal and Coping Appraisal. Moreover,
Threat Appraisal and Coping Appraisal had significant effects on both Protection
Motivation and Protection Behaviour.
7.1.5 Factors’ Impact Values on Protection Behaviour
When considering the impact values of factors on Protection Behaviour, the result from
Section 5.5.2 of Chapter 5 shows that four constructs were significant and had high
impacts in the model: (1) Coping Appraisal with an impact value of .77; (2) Self-efficacy
with an impact value of .53; (3) Protection Motivation with an impact value of .23;
and (4) Social Influence with an impact value of .21. In addition, two factors were
significant but had little impact on Protection Behaviour: Perceived
Vulnerability with an impact value of .09 and Threat Appraisal with an impact value of .03.
When focusing on Coping Appraisal and Threat Appraisal, it is observed that Coping
Appraisal affected Protection Behaviour with an impact value of .77 and affected
Protection Motivation with an impact value of .72, while Threat Appraisal affected
Protection Behaviour with an impact value of .23 and had no effect on Protection
Motivation. This result was consistent with the study by Srisawang, Thongmak &
Ngarmyarn (2015) in that Coping Appraisal had greater impact on both Protection
Motivation and Protection Behaviour than Threat Appraisal had. The remaining
factors, Social Influence, Threat Appraisal, and Perceived Vulnerability, also affected
Protection Behaviour with impact values of .21, .09, and .03 respectively. However,
although Perceived Vulnerability was significant, it had very low impact on
Protection Behaviour, and thus it is withdrawn from consideration.
Accordingly, it is noted that protection motivation, or intention to perform the
recommended behaviour (Boer & Seydel, 1996), can raise the level of protection behaviour
of smartphone users, or behaviour in performing the recommendation (Boer & Seydel,
1996). Both protection motivation and protection behaviour are driven by threat appraisal,
the assessment of the level of danger posed by the threat (Woon et al, 2005), and coping
appraisal, the assessment of one’s ability to cope with and avert the potential loss or damage
resulting from the danger (Woon et al, 2005). However, based on the impact values
mentioned above, effort should be focused on factors with high impact values,
including ability to perform coping appraisal, efficacy of smartphone users, social
influence on smartphone users, and ability to perform threat appraisal.
7.1.6 Groups with Low Protection Motivation and Behaviour
7.1.6.1 Groups with Low Protection Motivation
Protection motivation is an individual’s intention to perform the recommended behaviour
(Boer & Seydel, 1996), such as the intention to follow information security guidelines
or news on how to use a smartphone safely, the intention to use antivirus/anti-spyware
software on the phone, or the intention to protect the phone from cyber threats.
Protection motivation affected protection behaviour of smartphone users with an impact
value of .23. The result in Section 4.3 of Chapter 4 shows that the following groups had
low protection motivation: (1) smartphone users aged 51 – 60 years old, (2)
smartphone users whose phones were never infected by virus/malware, (3) smartphone
users who never connected their phones to the internet via free public Wi-Fi, and (4)
smartphone users who never used their phones to transfer money. All these groups were
vulnerable to cyber threats and needed to be encouraged to be more concerned about the
dangers of cyber threats.
7.1.6.2 Groups with Low Protection Behaviour
Protection behaviour is an individual’s performance of the recommended behaviours (Boer &
Seydel, 1996), such as using complicated passwords on the phone,
logging out or signing out of applications after using them (i.e. e-banking, email or social
media applications), using antivirus software, updating software or applications on the
smartphone, or following safety guides on using a smartphone safely and appropriately.
The result from Section 4.3 of Chapter 4 of this study shows the groups with low
protection behaviour: (1) smartphone users aged between 51 – 60 years old;
(2) smartphone users who never used free public Wi-Fi; and (3) smartphone users
who never used their phones to transfer money. Thus, these groups were vulnerable
and at high risk from cyber threats.
7.1.7 Increasing Protection Behaviour of Smartphone Users
As mentioned in Section 2.2.2 of Chapter 2, the number of new malicious mobile
phone programs is increasing (McAfee Mobile Threat Report 2016), especially
mobile banking Trojans, malicious attachments, ransomware, aggressive advertising
malware, and phishing web pages (Snell & Bruce, 2016), so it is essential to raise the
protection behaviour of Thai smartphone users. As stated in Section 7.1.5, the factors that
should be focused on are coping appraisal, self-efficacy of smartphone users, social
influence on smartphone users, and threat appraisal abilities of smartphone users.
7.1.7.1 Increase Coping Appraisal
According to the result from Section 5.5.2 of Chapter 5, coping appraisal can increase
protection motivation with an impact value of .72 and protection behaviour with an
impact value of .77. This can be done by increasing individuals’ ability to assess their
necessary skills in coping with or averting the potential loss or damage on their phones
resulting from various threats (Woon et al., 2005), such as their abilities in appraising
information security violations or their expertise in implementing preventative
measures to stop people from getting their confidential information. As the result from
Section 4.3 of Chapter 4 shows that individuals aged 51 – 60 years old, individuals who
live in Bangkok and metropolitan, and individuals who never connected their phones
to the internet via public Wi-Fi had lower self-efficacy than other groups, efforts to
increase coping appraisal ability must be focused on these groups.
7.1.7.2 Increase Self-efficacy
Self-efficacy is the extent to which a person performs the recommended
behaviour successfully (Boer & Seydel, 1996). The result from Section 5.5.2 of Chapter
5 shows that self-efficacy of smartphone users can increase both protection motivation,
with an impact value of .50, and protection behaviour, with an impact value of .53. Examples
of self-efficacy of smartphone users include the ability to set up their phones for advanced
protection, update software or applications on their phones, use complicated passwords for
logging in to their phones or applications, or use virus protection software on their phones.
The result from Section 4.3 of Chapter 4 shows that the groups of smartphone users with low
self-efficacy that need to be focused on include smartphone users aged 41 – 60,
smartphone users who had no experience of phone virus/malware infections, who
never connected their phones to free public Wi-Fi, and who never transferred money
through their phones.
7.1.7.3 Increase Social Influence
Social influence is the social pressure perceived by smartphone users to perform or not
perform a given behaviour (Ajzen, 1991). Social influence can increase smartphone
users’ protection motivation with an impact value of .17 and protection behaviour with an
impact value of .21. Social pressure perceived by smartphone users can be increased by
providing more information directly to people on how to protect their smartphones from
cyber threats through effective mass media, such as TV, newspapers, and social
networks. The information can educate smartphone users, as well as put pressure on
them to become aware of the severity of the consequences of cyber threats and then comply
with the smartphone security recommendations and take appropriate security measures.
According to the result from Section 4.3 of Chapter 4, the effort should be focused on
the groups with low mean values in social influence, including smartphone users aged
51 – 60 years old and people who have never used their phones to transfer
money.
7.1.7.4 Increasing Threat Appraisal
Threat appraisal can increase protection behaviour of smartphone users with an impact
value of .09. Increasing individuals’ threat appraisal means increasing the ability of
smartphone users to assess the level of danger posed to their phones by the threats (Woon et al,
2005), including their abilities to assess vulnerabilities to security breaches on their phones,
the chances of their phones being affected by cyber threats, or the chances that an information
security violation will occur on their phones. Based on the result from Section 4.3 of
Chapter 4, people who live in Bangkok and metropolitan, who have never experienced
phone virus infection, or who have never used their phones to transfer money have lower
ability in assessing cyber threats than other groups, so efforts need to be focused on them.
7.2 Recommendations
Recommendations for increasing cybersecurity of smartphone users are summarized in
Table 7.2 below.
Table 7.1: Summary of the Recommendations
Item Detail
1. Cybersecurity at national level. ThaiCERT (Thailand Cyber Emergency Response Team), a
department under ETDA (Electronic Transactions
Development Agency), is Thailand national CSIRT
(Computer Security Incident Response Team) level that
acts responsively and handles computer security
incidents.
1.1 Private sector should be
allowed to be member of
ThaiCERT.
At present, memberships of ThaiCERT are for governmental
agencies only. However, if private agencies are allowed to
become members of ThaiCERT, the security incident
handling will be more affective.
1.2 All private agencies with
related business should form
sector based CSIRT to increase
efficiency of cybersecurity as a
whole.
Sector-based CSIRT (sector-based CERT) is the group of
related business with mutual purpose in securing their
computer networks from cyber threats. However, there are
not many sector based CSIRTs in Thailand at present. Thus,
to increase the efficiency of cybersecurity, all related
business agencies should form sector based CSIRTs and
performed close collaboration with ThaiCERT.

Item: 2. Cybersecurity at mobile operator level.
Detail: Telecommunication network operators who provide services for smartphone users.

Item: 2.1 Telecommunication operators should adopt the ITU X.805 standard on their telecommunication networks to increase their network security.
Detail: The ITU X.805 standard is the security architecture for systems providing end-to-end communications recommended by the ITU (International Telecommunication Union). Applying the ITU X.805 standard can improve the security of the mobile core network against risks related to confidentiality, integrity and availability. Thus, Thai mobile operators should apply the high security standard and the guidelines designed based on ITU X.805 to safeguard their telecommunication networks from cyber threats.

Item: 2.2 Telecommunication operators should form a sector-based CSIRT to increase the efficacy of cybersecurity.
Detail: Thai mobile operators, including the mobile regulator, should form a sector-based CSIRT and collaborate closely with ThaiCERT in order to secure their computer networks from cyber threats. This will lead to increased efficiency of cybersecurity for all smartphone users.

Item: 3. Cybersecurity at phone user level.
Detail: Cybersecurity at this level focuses on the motivation and behaviour of smartphone users in protecting their phones from cyber threats.

Item: 3.1 Increase coping appraisal ability of smartphone users.
Detail: Increase individuals' ability to assess their skills in dealing with or averting potential damage to their phones resulting from cyber threats (Woon et al, 2005), such as the ability to appraise information security violations or to implement preventative measures to secure confidential information. The groups of smartphone users that should be focused on are adults aged 51 – 60 years old, people who live in Bangkok and the metropolitan area, and people who have never used public Wi-Fi.

Item: 3.2 Increase individual's ability in assessing cyber threat.
Detail: Increase the ability of smartphone users to assess the level of danger posed to their phones by cyber threats (Woon et al, 2005). For example, increase their ability to assess vulnerabilities to security breaches on their phones, the chance that their phones may be affected by threats, or the chance that an information security violation may occur on their phones. Based on the results from Section 4.3 of Chapter 4, people who live in Bangkok and the metropolitan area, who have never experienced a phone virus infection, or who have never used their phone to transfer money had a lower ability to assess cyber threats than other groups, so efforts need to be focused on them.

Item: 3.3 Increase self-efficacy of smartphone users.
Detail: Increase individuals' abilities to perform the recommended behaviour successfully, for example, the ability to set up advanced protection on the phone, the ability to update applications, and the ability to use complicated passwords. Smartphone users can educate themselves through eBooks, websites, social networks, booklets or events. In addition, they can increase their self-efficacy through mobile applications or simulation software (examples are shown in Appendix F). The groups of smartphone users to focus on include adults aged between 41 – 60 years old, people who have had no experience of virus/malware infections, people who have never connected their phones to free public Wi-Fi, and people who have never transferred money via their phones.

Item: 3.4 Increase social impact on phone users.
Detail: Increase social impact on smartphone users by providing more security information on how to protect their phones from cyber threats through media such as TV, radio and newspapers. According to the results in Section 4.3 of Chapter 4, effort should focus on the groups with low social influence, including adults aged between 51 – 60 years old and people who have never transferred money via their phones.
7.3 Suggestions for Future Studies
Further research should focus on applying the proposed model to empirical
data for each group of smartphone users. This can be done by gathering a
larger sample, allowing a wider range of categories to be assessed. This would then allow
separate models to be analyzed for each category and compared to indicate the
differences.
The proposed model and tool of this study were created for analyzing the protection
behaviours of smartphone users. However, further research could apply this model,
with minor adjustments, to more in-depth study of other groups of internet users, such as
tablet users, laptop users, or Internet of Things (IoT) users.
The proposed model was designed to analyze the causes and effects of smartphone
users' protection behaviours. Further study can adapt the concepts and variables of this
study to create an algorithm that proactively monitors phone usage, gives a risk
score, and automatically takes mitigation action when appropriate to reduce
the risk.
It is hoped that adoption of the recommendations from this research study will provide
strategic direction for education and awareness-raising among smartphone users so
as to strengthen their protection against potential threats in Thailand.
BIBLIOGRAPHY
Ajzen, I. (1991). The Theory of Planned Behaviour. Organizational Behaviour and
Human Decision Processes (50:2), pp. 179-211.
Anderson, C. L. & Agarwal, R. (2010). Practicing safe computing: a multi-method
empirical examination of home computer user security behavioural intentions.
MIS Quarterly, 34.
Ary, D., Jacobs, L. D., & Razavieh, A. (1996). Introduction to research in education. 5th
ed. Fort Worth, Texas: Harcourt Brace College Publishers. pp. 377.
Baskerville, R. (1991a). Risk Analysis: An Interpretive Feasibility Tool in Justifying
Information Systems Security. European Journal of Information Systems (1:2).
pp. 121-130.
Baskerville, R. (1991b). Risk Analysis as a Source of Professional Knowledge.
Computer & Security (10:8). pp. 749-764.
Boer, H. & Seydel, E.R. (1996). Protection Motivation Theory. In: Predicting Health
Behaviour: Research and Practice with Social Cognition Models. Open
University Press, Buckingham, pp. 95-120.
Brown, S.A. & Venkatesh, V. (2005). Model of adoption of technology in households:
A baseline model test and extension incorporating household life cycle.
MIS Quarterly (29:3), pp. 399-426.
Bulmer, M.G. (1979). Principles of Statistics. Dover Publications, Inc., New York.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy
Compliance: An Empirical Study of Rationality-Based Beliefs and Information
Security Awareness. MIS Quarterly, 334(3), 523-548.
Byrne, B. M. (1994). Structural equation modeling with EQS and EQS/Windows.
Thousand Oaks, CA: Sage Publications.
Chai, S. et al. (2009). Internet and Online Information Privacy: An Exploratory Study
of Preteens and Early Teens. IEEE Transactions on Professional
Communication, 52(2), 167-182.
Choobineh, J. et al. (2007). Management of Information Security: Challenges and
Research Directions. Communications of the Association for Information
Systems, vol. 20, pp. 958-971.
Chouhan, S., Gaikwad, R. B., Sharma, N. (2013). A Study on 4G Network and Its
Security. International Journal of Computer Architecture and Mobility, vol. 1,
no. 9.
Cichonski, P. et al. (2012). Recommendations of the National Institute of Standards and
Technology. Special Publication 800-61 Revision 2. National Institute of
Standard and Technology (NIST). U.S. Department of Commerce.
Crossler, R. E., (2010). Protection Motivation Theory: Understanding Determinants to
Backing Up Personal Data. The University of Texas – Pan American, the 43rd
Hawaii International Conference on System Sciences – 2010.
Digital Advertising Association Thailand. (2015). Thailand Mobile Landscape.
Retrieved from http://www.daat.in.th/index.php/daat-mobile-2015/
Dimitriadis, C. K. (2007). Improving Mobile Core Network Security with Honeynets.
IEEE Security & Privacy, 5(4) 40-47.
English Oxford Living Dictionary. (2016). Retrieved from
https://en.oxforddictionaries.com/definition/smartphone
Fung, C.C., Khera, V., Depickere, A., Tantatsanawong, P. and Boonbrahm, P. (2008).
Raising information security awareness in digital ecosystem with games - a
pilot study in Thailand. In: 2nd IEEE International Conference on Digital
Ecosystems and Technologies, DEST, Phitsanulok, Thailand pp. 375-380.
Gasser, M. (1988). Building a Secure Computer System. Van Nostrand Reinhold.
p. 3. ISBN 0-442-23022-2. Retrieved from
http://cs2.ist.unomaha.edu/~stanw/gasserbook.pdf
George, D., & Mallery, M. (2010). SPSS for Windows Step by Step: A Simple Guide
and Reference, 17.0 update (10a ed.) Boston: Pearson.
Harmantzis, F., Malek, M. (2004). Security Risk Analysis and Evaluation. IEEE
International Conference on Communications, vol. 4 1897–1901.
Hong, J. et al. (2015). Social Cybersecurity: Applying Social Psychology to Cybersecurity.
Human Computer Interaction Institute, Carnegie Mellon University.
Hu, L. T., & Bentler, P. M. (1995). Evaluating model fit. In R. H. Hoyle (Ed.), Structural
equation modeling: Concepts, issues, and applications (pp. 76-99). Thousand
Oaks, CA: Sage.
Ifinedo, P. (2011). Understanding information systems security policy compliance: An
integration of the theory of planned behaviour and the protection motivation
theory. Computers & Security, Science Direct, 31(1), 83-95.
ITU-T Recommendation X.805. (2003). Security Architecture for Systems Providing
End-to-End Communication.
Janz, N. K. & Becker, M. H. (1984). The Health Belief Model: A Decade Later, Health
Education Quarterly (11:1), pp. 1-45.
Jeon, W. et al. (2011). A Practical Analysis of Smartphone Security. School of
Information and Communication Engineering. Sungkyunkwan University,
Korea. Department of Cyber Investigation Police, Howon University, Korea.
Johnston, A. C. & Warkentin, M. (2010). Fear Appeals and Information Security
Behaviours: An Empirical Study. MIS Quarterly, 34(3).
Kaspersky Lab. (2014). Mobile Cyber Threat. Kaspersky Lab & INTERPOL Joint
Report. Retrieved from
https://media.kaspersky.com/pdf/Kaspersky-Lab-KSN-Report-mobile-cyberthreats-web.pdf
Khera V., Fung C.C., Chaisiri S. (2013). A Review of Security Risks in the Mobile
Telecommunication Packet Core Network. Advances in Information
Technology. IAIT. Communications in Computer and Information Science, vol
409. Springer, Cham.
Kissel, R. (2013). Glossary of Key Information Security Terms. NISTIR 7298 Revision
2. Computer Security Division Information Technology Laboratory.
Kline, R. B. (2011). Principles and Practice of Structural Equation Modeling (5th ed.,
pp. 3–427). New York: The Guilford Press.
Liang, H. & Xue, Y. (2009). Avoidance of Information Technology Threats: A Theoretical
Perspective. MIS Quarterly, 2009, 33(1), pp. 71 - 90.
Maddux, J. E. & Rogers, R. W. (1983). Protection motivation and self-efficacy: A
revised theory of fear appeals and attitude change. Journal of Experimental
Social Psychology. 19 (5): 469–479.
National Statistical Office of Thailand. (2014). Retrieved from http://www.nso.go.th
Nokia. (2017). NetGuardEndPoint and IoT Solution. Retrieved from
https://networks.nokia.com/solutions/endpoint-security
PC Mag. (2015). Definition of Computer Security. Encyclopedia. Ziff Davis, PCMag.
Retrieved from https://www.pcmag.com/encyclopedia/term/40169/computer-security
on 6 September 2016.
PWC. (2013). BIS Cyber Security Breaches Survey 2013 Results. Retrieved from
https://www.pwc.com/us/en/cybersecurity/broader-perspectives/cyber-breach-crisis.html
Prentice-Dunn, S., and McClendon, B. T. (2001). Reducing Skin Cancer Risk: An Intervention
Based on Protection Motivation Theory. Journal of Health Psychology (6:3),
pp. 321-328.
Rippetoe, P. and Rogers, R. W. (1987). Effects of components of protection motivation
theory on adaptive and maladaptive coping with a health threat. Journal of
Personality and Social Psychology, 52, 596–604.
Rogers, R.W. (1975). A Protection Motivation Theory of Fear Appeals and Attitude
Change. Journal of Psychology, 91, pp. 93-114.
Rogers, R.W. (1983). Cognitive and Physiological Process in Fear Appeals and
Attitude Change: A Revised Theory of Protection Motivation. in Social
Psychophysiology: A Source Book, R. Petty (ed.), New York: Guilford Press,
pp.153-176.
Rosenstock, I. M. (1974). The Health Belief Model and Preventive Health Behaviour.
Health education Monographs (2), pp. 354-386.
Rouse, M. (2015). Social Engineering Definition. TechTarget. Retrieved from
http://searchsecurity.techtarget.com/definition/social-engineering on 6
September 2015.
Ruggiero, P. & Foote, J. (2011). Cyber Threats to Mobile Phones. Carnegie Mellon
produced for US-CERT.
Shirey, R. (2000). Internet Security Glossary. Network Working Group. Internet
Engineering Task Force. RFC 2828. pp. 170.
Steiger, J. H. (1990). Structural model evaluation and modification: An interval
estimation approach. Multivariate Behavioural Research, 25, 173-180.
Tate, N. (2013). Reliance Spells End of Road for ICT amateurs. May 07, 2013. The
Australian. Retrieved from
http://www.theaustralian.com.au/business/technology/reliance-spells-end-of-road-for-ict-amateurs/news-story/6f84ad403b8721100f5957a472a945eb
Tu, Z.L. & Yuan, Y.F. (2012). Understanding User Behaviour in Coping with Security
Threats of Mobile Device Loss and Theft. 45th Hawaii International Conference
on System Sciences. 978-0-7695-4525-7/12.
Ullman, J. B. (2001). Structural equation modeling. In B. G. Tabachnick & L. S. Fidell
(2001). Using Multivariate Statistics (4th ed., pp. 653-771). Needham Heights,
MA: Allyn & Bacon.
Veedvil. (2015). Statistics of Mobile Users and Number of Smartphone in Thailand.
Veedvil Tech, News and Info, Retrieved from
http://www.veedvil.com/news/mobile-users-and-smartphone-in-thailand-2015/
Xenakis, C. (2008). Security Measures and Weaknesses of the GPRS Security
Architecture. International Journal of Network Security, vol. 6, no. 2, 158–169.
APPENDIX A
QUESTIONNAIRE (THAI)
Part 1: General information about the mobile phone (smartphone) user
Mark the box that matches your actual situation.
1. Gender
1) Male 2) Female
2. Age
1) 18 – 20 years 2) 21 – 30 years 3) 31 – 40 years
4) 41 – 50 years 5) 51 – 60 years
3. Education
1) Below bachelor's degree 2) Bachelor's degree 3) Master's degree or higher
4. Occupation
1) Student 2) Business owner/self-employed
3) Civil servant, government employee or state-hired worker 4) State enterprise employee
5) Private company employee 6) No occupation/homemaker
5. Monthly income
1) Not more than 15,000 baht 2) 15,001 – 30,000 baht 3) 30,001 – 40,000 baht
4) 40,001 – 50,000 baht 5) 50,001 baht or more
6. In which region of the country do you currently live?
1) Bangkok and metropolitan area 2) North 3) Northeast
4) East 5) Central 6) South
7. Which provider's mobile network service do you use the most?
1) True Move 2) DTAC 3) AIS
4) Don't know 5) Other (specify) ........................................................
8. Which operating system does your mobile phone use?
1) iOS / iPhone 2) Android 3) Windows Mobile
4) Symbian 5) Don't know/not familiar 6) Other (specify) ..............................
9. Have you ever lost your mobile phone or had it stolen?
1) Never 2) Yes
10. Has your mobile phone ever been infected with a virus?
1) Never 2) Yes
11. Have you ever connected your mobile phone to public Wi-Fi?
1) Never 2) Sometimes 3) Regularly
12. Have you ever used your mobile phone to buy goods, pay for services or transfer money?
1) Never 2) Sometimes 3) Regularly
Part 2: Perception and behaviour of mobile phone users
Mark the space you choose.
(1 = Strongly disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly agree)
Perceived severity: perception of the severity caused by threats on my mobile phone
(1) (2) (3) (4) (5)
1 Mobile phone threats are dangerous and can lead to serious damage (such as theft of important data, photos or passwords).
2 I attach importance to the security of information and to the risks that may arise for my mobile phone.
3 Security problems on mobile phones can cause high-value damage, such as theft of data (photos or passcodes).
Perceived vulnerability: the likelihood that my mobile phone will be hacked/breached
(1) (2) (3) (4) (5)
4 My mobile phone can easily become infected with a virus.
5 My identity can easily be stolen (identity theft), for example by a criminal impersonating me in order to misuse my credit card or national ID card.
6 Important data on my mobile phone can easily be stolen.
Response effectiveness: effectiveness of the recommended behaviour in avoiding the damage that would follow
(1) (2) (3) (4) (5)
7 Using a difficult and complex password, such as one of 8 or more characters and/or one containing symbols such as %&$, can increase the security of a mobile phone.
8 Regularly updating software or applications helps keep a mobile phone secure.
9 Using antivirus software can help keep a mobile phone secure.
Self-efficacy: one's own capability to carry out the recommended behaviour successfully
(1) (2) (3) (4) (5)
10 I can set a difficult and complex password, such as one of 8 or more characters and/or one containing symbols such as %&$, on my mobile phone by myself.
11 I can install antivirus software on my mobile phone by myself.
12 I can configure my mobile phone for advanced protection by myself (such as having data erased automatically when the mobile phone is stolen).
13 I can keep the applications on my mobile phone up to date by myself.
Social pressure: pressure from the surrounding society that leads to behaviour that should or should not be performed
(1) (2) (3) (4) (5)
14 My friends often talk about how to keep mobile phones secure.
15 My friends advise me to secure my mobile phone, for example by using a difficult password or antivirus software.
16 Most mobile phone users strictly follow the recommendations for mobile phone security.
17 Television, newspapers or the internet advise me to secure my mobile phone.
Threat appraisal: ability to assess the level of danger that can occur on my mobile phone
(1) (2) (3) (4) (5)
18 My mobile phone is easy to hack/attack if I do not take precautions.
19 It is possible that my mobile phone will be infected with a virus or have its data stolen.
20 Threats that attack mobile phones are very seriously dangerous.
21 It is highly likely that important data on my mobile phone will be stolen.
Coping appraisal: assessment of the ability to cope with threats in order to prevent the damage that would occur
(1) (2) (3) (4) (5)
22 I am able to protect my mobile phone from being hacked, from theft of important data, or from theft of email/Facebook passwords.
23 I am able to prevent hackers from breaking in or stealing important data from my mobile phone.
24 Taking care to protect important data on my mobile phone is not difficult.
Behavioural motivation: intention to perform the recommended behaviour
(1) (2) (3) (4) (5)
25 I intend to follow the steps for using a mobile phone safely.
26 I intend to use antivirus and anti-spyware software on my mobile phone.
27 I intend to protect my mobile phone from threats (such as hacking and theft of passwords or important data).
28 I intend to follow the news and find ways to protect my mobile phone from threats.
Protection behaviour: performing the recommended behaviour
(1) (2) (3) (4) (5)
29 Currently, I use a difficult and complex password on my mobile phone (such as one of 8 or more characters and/or one containing symbols such as %&$).
30 I log out every time I finish using important applications (such as Facebook, Twitter or e-banking/online banking).
31 Currently, I use antivirus software on my mobile phone at all times.
32 I always keep the applications on my phone up to date (such as updating the operating system or antivirus software).
33 I strictly follow the steps for securing my mobile phone.
APPENDIX B
QUESTIONNAIRE (ENGLISH)
Part 1: Demographic and general behaviour of smartphone user
Mark a sign in the space for each question.
1. Gender
1) Male 2) Female
2. Age
1) 18 - 20 2) 21 - 30 3) 31 – 40 4) 41 – 50 5) 51 - 60
3. Education
1) Below bachelor degree 2) Bachelor degree 3) Master degree or above
4. Occupation
1) Student 2) Entrepreneur 3) Government employee
4) State enterprise employee 5) Private company employee
6) No employment
5. Monthly income
1) 15,000 Bht. or lower 2) 15,001 – 30,000 Bht. 3) 30,001 – 40,000 Bht.
4) 40,001 – 50,000 Bht. 5) 50,001 Bht. or above
6. Current residence
1) Bangkok and metropolitan 2) Northern 3) North Eastern
4) Eastern 5) Central Region 6) Southern
7. Which smartphone service are you using?
1) True Move 2) DTAC 3) AIS 4) Don’t Know
5) Others (specify) ………………
8. What is the operating system of your smartphone?
1) iOS 2) Android 3) Windows Mobile
4) Symbian 5) Don’t know 6) Others (specify) ………………
9. Has your smartphone ever been lost or stolen?
1) No 2) Yes
10. Has your smartphone ever been infected with a virus?
1) Never 2) Yes 3) Don’t know
11. Have you ever connected your smartphone to public Wi-Fi?
1) Never 2) Sometimes 3) Always
12. Have you ever paid for products/services or transferred money through your
smartphone?
1) Never 2) Sometimes 3) Always
Part 2: Perception and behaviour of smartphone user
(1=Strongly Disagree, 2=Disagree, 3=Neutral, 4=Agree and 5= Strongly Agree)
Perceived Severity: Severity of consequences of cyber
threats on my smartphone.
(1) (2) (3) (4) (5)
1 Overall, I am aware of the potential security threats
and their negative consequences.
2 I understand the concerns regarding information
security and the risks they pose in general.
3 I have sufficient knowledge about the cost of
potential security problems.
Perceived Vulnerability: Probability that my
smartphone may be attacked by cyber threats.
(1) (2) (3) (4) (5)
4 I think that my chance of getting a virus on my
smartphone is high.
5 I think that the chance that my identity can be stolen
is high.
6 I think that the chance that my important data can be
stolen is high.
Response Effectiveness: Effectiveness of the
recommended behaviour in avoiding the negative
consequence.
(1) (2) (3) (4) (5)
7 Using complicated password would secure my
smartphone.
8 Software or applications updates can increase the
security of my smartphone.
9 Using virus protection software can increase the
security of my smartphone.
Self-efficacy: The extent that a person can perform the
recommended behaviour successfully.
(1) (2) (3) (4) (5)
10 I know how to use a complicated password on my
smartphone.
11 I can install virus protection software on my
smartphone.
12 I know how to setup my smartphone for advanced
protection.
13 I know how to update software or applications on
my smartphone.
Social Influence: Perceived social pressure to perform or
not perform a given behaviour.
(1) (2) (3) (4) (5)
14 My friends discuss security issues related to their
smartphones.
15 My friends would think that I should take security
measures on my smartphone.
16 It is likely that the majority of smartphone users
comply with the smartphone security
recommendations.
17 Information from mass media (TV, newspapers,
internet) suggests that I should comply with the
smartphone security recommendations.
Threat Appraisal: My assessment of the level of danger
on my smartphone posed by the threat.
(1) (2) (3) (4) (5)
18 I know my smartphone could be vulnerable to security
breaches if I don't adhere to protection measures.
19 It is extremely likely that cyber threats will infect my
smartphone.
20 Threats to the security of my smartphone are harmful.
21 The likelihood of an information security violation
occurring at my smartphone is high.
Coping Appraisal: Assessment of my ability to cope with
and avert the potential loss or damage resulting from the
danger.
(1) (2) (3) (4) (5)
22 I have the necessary skills to protect my smartphone
from information security violations.
23 I have the expertise to implement preventative
measures to stop people from getting my
confidential information.
24 For me, taking information security precautions is
easy.
Protection Motivation: My intention to perform the
recommended behaviour.
(1) (2) (3) (4) (5)
25 I intend to follow the information security
guidelines on how to use a smartphone safely.
26 I intend to use antivirus/anti-spyware software on
my smartphone.
27 I intend to protect my smartphone from cyber
threats.
28 I intend to follow the security news and find out
how to prevent cyber threats.
Protection Behaviour: Performing the recommended
behaviour.
(1) (2) (3) (4) (5)
29 I always use complicated password protection on my
smartphone.
30 I always logout/sign out after finishing using
applications (such as ebanking, email or facebook).
31 I always use antivirus software.
32 I always update software or applications on my
smartphone.
33 I always follow the safety guide for using a smartphone
safely and appropriately.
APPENDIX C
MEAN DIFFERENCE TEST
1. Gender
Independent Samples t-test
(F and Sig. belong to the test for Equality of Variances; t, df, Sig. (2-tailed), Mean Diff. and Std. Error Diff. belong to the t-test for Equality of Means.)
                                 F      Sig.   t       df       Sig. (2-tailed)  Mean Diff.  Std. Error Diff.
Perceived Severity
- Equal variances assumed        .325   .569   .359    718      .719             .02020      .05622
- Equal variances not assumed    -      -      .360    716.363  .719             .02020      .05612
Perceived Vulnerability
- Equal variances assumed        .058   .810   -.172   718      .863             -.01066     .06189
- Equal variances not assumed    -      -      -.172   714.499  .863             -.01066     .06183
Social Influence
- Equal variances assumed        1.464  .227   -1.556  718      .120             -.09888     .06355
- Equal variances not assumed    -      -      -1.553  704.882  .121             -.09888     .06369
Response Effectiveness
- Equal variances assumed        5.829  .016   2.395   718      .017             .13945      .05823
- Equal variances not assumed    -      -      2.411   715.304  .016             .13945      .05785
Self-efficacy
- Equal variances assumed        1.859  .173   1.740   718      .082             .10876      .06252
- Equal variances not assumed    -      -      1.746   717.969  .081             .10876      .06230
Threat Appraisal
- Equal variances assumed        .579   .447   1.695   718      .090             .10448      .06163
- Equal variances not assumed    -      -      1.691   703.247  .091             .10448      .06178
Coping Appraisal
- Equal variances assumed        3.089  .079   1.302   718      .193             .07498      .05760
- Equal variances not assumed    -      -      1.308   717.785  .191             .07498      .05733
Behavioural Motivation
- Equal variances assumed        .051   .821   .493    718      .622             .02881      .05845
- Equal variances not assumed    -      -      .494    715.535  .622             .02881      .05838
Protection Behaviour
- Equal variances assumed        3.812  .051   .555    718      .579             .03097      .05579
- Equal variances not assumed    -      -      .558    717.366  .577             .03097      .05550
2. Age
Variable Mean S.D. F p
Perceived Severity
18 – 22 Years Old 3.69 .760 2.280 .059
23 – 30 Years Old 3.87 .714
31 – 40 Years Old 3.92 .788
41 – 50 Years Old 3.85 .672
51 – 60 Years Old 3.93 .816
Perceived Vulnerability
18 – 22 Years Old 3.44 .814 2.168 .071
23 – 30 Years Old 3.61 .795
31 – 40 Years Old 3.69 .877
41 – 50 Years Old 3.64 .762
51 – 60 Years Old 3.50 .882
Social Influence
18 – 22 Years Old 3.38 .839 4.893 .001
23 – 30 Years Old 3.41 .769
31 – 40 Years Old 3.41 .826
41 – 50 Years Old 3.40 .775
51 – 60 Years Old 3.04 1.010
Response Effectiveness
18 – 22 Years Old 3.47 .820 1.893 .110
23 – 30 Years Old 3.68 .748
31 – 40 Years Old 3.60 .771
41 – 50 Years Old 3.57 .743
51 – 60 Years Old 3.48 .827
Self-efficacy
18 – 22 Years Old 3.67 .750 12.423 .000
23 – 30 Years Old 3.73 .712
31 – 40 Years Old 3.64 .849
41 – 50 Years Old 3.53 .776
51 – 60 Years Old 3.11 .978
Threat Appraisal
18 – 22 Years Old 3.51 .722 2.227 .065
23 – 30 Years Old 3.42 .783
31 – 40 Years Old 3.37 .875
41 – 50 Years Old 3.46 .783
51 – 60 Years Old 3.23 .951
Coping Appraisal
18 – 22 Years Old 3.61 .660 7.789 .000
23 – 30 Years Old 3.59 .770
31 – 40 Years Old 3.53 .777
41 – 50 Years Old 3.46 .765
51 – 60 Years Old 3.16 .814
Behavioural Motivation
18 – 22 Years Old 3.64 .665 9.888 .000
23 – 30 Years Old 3.63 .738
31 – 40 Years Old 3.59 .802
41 – 50 Years Old 3.60 .743
51 – 60 Years Old 3.15 .869
Protection Behaviour
18 – 22 Years Old 3.62 .658 2.517 .040
23 – 30 Years Old 3.71 .745
31 – 40 Years Old 3.61 .772
41 – 50 Years Old 3.69 .695
51 – 60 Years Old 3.46 .847
Post Hoc Test for Age
Variable n Mean Age 18 - 22 23 – 30 31 – 40 41 – 50
Perceived Severity 720 3.85
Age 18 - 22 144 3.69 -
Age 23 – 30 152 3.87 -.18* (.041)
Age 31 – 40 151 3.92 -.23* (.010) -.05 (.580)
Age 41 – 50 144 3.85 -.16 (.067) .02 (.851) .07 (.463)
Age 51 – 60 129 3.93 -.24* (.010) -.06 (.526) -.01 (.917) -.08 (.419)
Perceived Vulnerability 720 3.58
Age 18 - 22 144 3.44 -
Age 23 – 30 152 3.61 -.17 (.090)
Age 31 – 40 151 3.69 -.25* (.012) -.08 (.405)
Age 41 – 50 144 3.64 -.20* (.044) -.03 (.726) .05 (.638)
Age 51 – 60 129 3.50 -.06 (.606) .11 (.261) .19 (.055) .14 (.148)
Social Influence 720 3.34
Age 18 - 22 144 3.38 -
Age 23 – 30 152 3.41 -.03 (.688)
Age 31 – 40 151 3.41 -.03 (.743) .00 (.941)
Age 41 – 50 144 3.40 -.02 (.793) .01 (.891) .01 (.949)
Age 51 – 60 129 3.04 .34* (.001) .37* (.000) .37* (.000) .36* (.000)
Response Effectiveness 720 3.57
Age 18 - 22 144 3.47 -
Age 23 – 30 152 3.68 -.21* (.020)
Age 31 – 40 151 3.60 -.13 (.145) .08 (.377)
Age 41 – 50 144 3.57 -.10 (.280) .11 (.216) .03 (.716)
Age 51 – 60 129 3.48 -.01 (.951) .20* (.028) .12 (.176) .09 (.323)
Self-efficacy 720 3.55
Age 18 - 22 144 3.67 -
Age 23 – 30 152 3.73 -.05 (.585)
Age 31 – 40 151 3.64 .03 (.742) .09 (.375)
Age 41 – 50 144 3.53 .14 (.143) .20* (.042) .11 (.249)
Age 51 – 60 129 3.11 .56* (.000) .62* (.000) .53* (.000) .42* (.000)
Threat Appraisal 720 3.40
Age 18 - 22 144 3.51 -
Age 23 – 30 152 3.42 .09 (.371)
Age 31 – 40 151 3.37 .14 (.142) .05 (.560)
Age 41 – 50 144 3.46 .05 (.604) -.04 (.711) -.09 (.345)
Age 51 – 60 129 3.23 .28* (.006) .19 (.054) .14 (.171) .23* (.024)
Coping Appraisal 720 3.48
Age 18 - 22 144 3.61 -
Age 23 – 30 152 3.59 .02 (.850)
Age 31 – 40 151 3.53 .08 (.358) .06 (.459)
Age 41 – 50 144 3.46 .15 (.088) .13 (.123) .07 (.418)
Age 51 – 60 129 3.16 .45* (.000) .43* (.000) .37* (.000) .30* (.001)
Behavioural Motivation 720 3.53
Age 18 - 22 144 3.64 -
Age 23 – 30 152 3.63 .01 (.827)
Age 31 – 40 151 3.59 .05 (.517) .04 (.663)
Age 41 – 50 144 3.60 .04 (.590) .03 (.743) -.01 (.919)
Age 51 – 60 129 3.15 .49* (.000) .48* (.000) .44* (.000) .45* (.000)
Protection Behaviour 720 3.62
Age 18 - 22 144 3.62 -
Age 23 – 30 152 3.71 -.09 (.277)
Age 31 – 40 151 3.61 .01 (.889) .10 (.215)
Age 41 – 50 144 3.69 -.07 (.395) .02 (.822) -.08 (.317)
Age 51 – 60 129 3.46 .16 (.072) .25* (.004) .15 (.092) .23* (.009)
* Statistically Significant at .05 level
3. Education
Variable Mean S.D. F p
Perceived Severity
Below Bachelor Degree 3.79 .798 2.924 .054
Bachelor Degree 3.93 .665
Master Degree or Above 3.79 .881
Perceived Vulnerability
Below Bachelor Degree 3.47 .861 5.712 .003
Bachelor Degree 3.69 .744
Master Degree or Above 3.55 .974
Social Influence
Below Bachelor Degree 3.24 .952 4.645 .010
Bachelor Degree 3.44 .729
Master Degree or Above 3.32 .843
Response Effectiveness
Below Bachelor Degree 3.49 .824 3.783 .023
Bachelor Degree 3.65 .703
Master Degree or Above 3.52 .893
Self-efficacy
Below Bachelor Degree 3.45 .915 5.047 .007
Bachelor Degree 3.66 .713
Master Degree or Above 3.49 .948
Threat Appraisal
Below Bachelor Degree 3.40 .857 .003 .997
Bachelor Degree 3.40 .782
Master Degree or Above 3.40 .893
Coping Appraisal
Below Bachelor Degree 3.46 .769 5.008 .007
Bachelor Degree 3.55 .712
Master Degree or Above 3.24 .972
Behavioural Motivation
Below Bachelor Degree 3.45 .843 4.188 .016
Bachelor Degree 3.62 .721
Master Degree or Above 3.50 .734
Protection Behaviour
Below Bachelor Degree 3.52 .807 5.625 .004
Bachelor Degree 3.71 .668
Master Degree or Above 3.68 .755
Post Hoc Test for Education
Variable n Mean Below Bachelor Degree Bachelor Degree
Perceived Severity 720 3.85
Below Bachelor Degree 325 3.79
Bachelor Degree 321 3.93 -.14* (.021)
Master Degree or Above 74 3.79 .00 (.983) .14 (.165)
Perceived Vulnerability 720 3.58
Below Bachelor Degree 325 3.47
Bachelor Degree 321 3.69 -.22* (.001)
Master Degree or Above 74 3.55 -.08 (.502) .14 (.168)
Social Influence 720 3.34
Below Bachelor Degree 325 3.24
Bachelor Degree 321 3.44 -.20* (.002)
Master Degree or Above 74 3.32 -.08 (.456) .12 (.266)
Response Effectiveness 720 3.57
Below Bachelor Degree 325 3.49
Bachelor Degree 321 3.65 -.16* (.007)
Master Degree or Above 74 3.52 -.03 (.733) .13 (.191)
Self-efficacy 720 3.55
Below Bachelor Degree 325 3.45
Bachelor Degree 321 3.66 -.21* (.002)
Master Degree or Above 74 3.49 -.04 (.743) .17 (.117)
Threat Appraisal
Below Bachelor Degree 325 3.40
Bachelor Degree 321 3.40 .00 (.938)
Master Degree or Above 74 3.40 .00 (.973) .00 (.989)
Coping Appraisal 720 3.48
Below Bachelor Degree 325 3.46
Bachelor Degree 321 3.55 -.09 (.152)
Master Degree or Above 74 3.24 .22* (.025) .31* (.002)
Behavioural Motivation 720 3.53
Below Bachelor Degree 325 3.45
Bachelor Degree 321 3.62 -.17* (.004)
Master Degree or Above 74 3.50 -.05 (.588) .12 (.226)
Protection Behaviour 720 3.62
Below Bachelor Degree 325 3.52
Bachelor Degree 321 3.71 -.19* (.001)
Master Degree or Above 74 3.68 -.16 (.088) .03 (.771)
* Statistically Significant at .05 level
4. Occupation
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
Student 3.67 .766 6.890 .000
Entrepreneur 3.86 .740
Government employee 4.15 .604
State enterprise employee 3.67 .966
Private company employee 3.79 .761
None/housekeeper 3.83 .793
Perceived Vulnerability
Student 3.48 .787 5.003 .000
Entrepreneur 3.57 .840
Government employee 3.88 .653
State enterprise employee 3.48 .911
Private company employee 3.48 .953
None/housekeeper 3.50 .751
Social Influence
Student 3.35 .775 .422 .834
Entrepreneur 3.27 .954
Government employee 3.40 .797
State enterprise employee 3.38 .890
Private company employee 3.34 .825
None/housekeeper 3.28 .969
Response Effectiveness
Student 3.53 .794 .644 .666
Entrepreneur 3.63 .738
Government employee 3.60 .801
State enterprise employee 3.60 1.020
Private company employee 3.49 .794
None/housekeeper 3.59 .740
Self-efficacy
Student 3.64 .708 1.273 .274
Entrepreneur 3.64 .708
Government employee 3.64 .708
State enterprise employee 3.64 .708
Private company employee 3.64 .708
None/housekeeper 3.64 .708
Threat Appraisal
Student 3.43 .701 .286 .921
Entrepreneur 3.43 .846
Government employee 3.40 .842
State enterprise employee 3.50 .658
Private company employee 3.37 .908
None/housekeeper 3.33 .864
Coping Appraisal
Student 3.54 .681 .618 .686
Entrepreneur 3.50 .732
Government employee 3.41 .889
State enterprise employee 3.33 1.033
Private company employee 3.46 .791
None/housekeeper 3.50 .700
Behavioural Motivation
Student 3.53 .661 1.231 .293
Entrepreneur 3.42 .851
Government employee 3.60 .767
State enterprise employee 3.36 .814
Private company employee 3.59 .795
None/housekeeper 3.50 .872
Protection Behaviour
Student 3.58 .672 1.985 .079
Entrepreneur 3.56 .801
Government employee 3.79 .684
State enterprise employee 3.55 .895
Private company employee 3.62 .744
None/housekeeper 3.55 .851
Post Hoc for Occupation
Variable n Occupation (columns: Student, Entrep., Gov.Emp., StateEnt, PrivEmp)
Perceived Severity 720 3.85
Student 162 3.67
Entrepreneur 148 3.86 -.19* (.024)
Gov. Employee 142 4.15 -.48* (.000) -.29* (.001)
State Enterprise 16 3.67 .00 (.966) .19 (.308) .48* (.014)
Private Emp. 176 3.79 -.12 (.147) .07 (.374) .36* (.000) -.12 (.517)
None/Housekeeper 76 3.83 -.16 (.134) .03 (.730) .32* (.002) -.16 (.424) -.04 (.713)
Perceived Vulnerability 720 3.58
Student 162 3.48 -
Entrepreneur 148 3.57 -.09 (.355)
Gov. Employee 142 3.88 -.40* (.000) -.31* (.001)
State Enterprise 16 3.48 .00 (.991) .09 (.681) .40 (.065)
Private Emp. 176 3.48 .00 (.945) .09 (.312) .40* (.000) .00 (.986)
None/Housekeeper 76 3.50 -.02 (.840) .07 (.584) .38* (.001) -.02 (.911) -.02 (.796)
Social Influence 720 3.34
Student 162 3.35
Entrepreneur 148 3.27 .08 (.384)
Gov. Employee 142 3.40 -.05 (.649) -.13 (.198)
State Enterprise 16 3.38 -.03 (.929) -.11 (.642) .02 (.913)
Private Emp. 176 3.34 .01 (.868) -.07 (.468) .06 (.533) .04 (.874)
None/Housekeeper 76 3.28 .07 (.526) -.01 (.938) .12 (.323) .10 (.685) .06 (.610)
Response Effectiveness 720 3.57
Student 162 3.53
Entrepreneur 148 3.63 -.10 (.273)
Gov. Employee 142 3.60 -.07 (.449) .03 (.784)
State Enterprise 16 3.60 -.07 (.736) .03 (.889) .00 (.997)
Private Emp. 176 3.49 .04 (.634) .14 (.113) .11 (.218) .11 (.592)
None/Housekeeper 76 3.59 -.06 (.629) .04 (.683) .01 (.889) .01 (.939) -.10 (.386)
Self-efficacy 720 3.55
Student 162 3.64
Entrepreneur 148 3.44 .20* (.038)
Gov. Employee 142 3.56 .08 (.384) -.12 (.248)
State Enterprise 16 3.31 .33 (.134) .13 (.551) .25 (.267)
Private Emp. 176 3.59 .05 (.576) -.15 (.117) -.03 (.729) -.28 (.204)
None/Housekeeper 76 3.49 .15 (.203) -.05 (.678) .07 (.587) -.18 (.433) .10 (.397)
Threat Appraisal 720 3.40
Student 162 3.43
Entrepreneur 148 3.43 .00 (.987)
Gov. Employee 142 3.40 .03 (.746) .03 (.763)
State Enterprise 16 3.50 -.07 (.749) -.07 (.745) -.10 (.646)
Private Emp. 176 3.37 .06 (.478) .06 (.499) .03 (.723) .13 (.538)
None/Housekeeper 76 3.33 .10 (.394) .10 (.408) .07 (.567) .17 (.462) .04 (.764)
Coping Appraisal 720 3.48
Student 162 3.54
Entrepreneur 148 3.50 .04 (.605)
Gov. Employee 142 3.41 .13 (.130) .09 (.326)
State Enterprise 16 3.33 .21 (.301) .17 (.419) .08 (.713)
Private Emp. 176 3.46 .08 (.325) .04 (.664) -.05 (.553) -.13 (.530)
None/Housekeeper 76 3.50 .04 (.658) .00 (.984) -.09 (.428) -.17 (.446) -.04 (.739)
Behavioural Motivation 720 3.53
Student 162 3.53
Entrepreneur 148 3.42 .11 (.194)
Gov. Employee 142 3.60 -.07 (.449) -.18* (.046)
State Enterprise 16 3.36 .17 (.405) .06 (.789) .24 (.274)
Private Emp. 176 3.59 -.06 (.499) -.17* (.047) .01 (.905) -.23 (.264)
None/Housekeeper 76 3.50 .03 (.759) -.08 (.456) .10 (.362) -.14 (.523) .09 (.398)
Protection Behaviour 720 3.62
Student 162 3.58
Entrepreneur 148 3.56 .02 (.816)
Gov. Employee 142 3.79 -.21* (.013) -.23* (.008)
State Enterprise 16 3.55 .03 (.877) .01 (.957) .24 (.215)
Private Emp. 176 3.62 -.04 (.616) -.06 (.467) .17* (.040) -.07 (.715)
None/Housekeeper 76 3.55 .03 (.764) .01 (.914) .24* (.021) .00 (.997) .07 (.482)
* Statistically Significant at .05 level
5. Income
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
Less than $500 3.81 .769 .824 .510
$500 - $1,000 3.90 .694
$1,000 -$1,333 3.93 .720
$1,334 - $1,667 3.80 .773
$1,668 or above 3.88 .872
Perceived Vulnerability
Less than $500 3.53 .787 .702 .591
$500 - $1,000 3.61 .867
$1,000 -$1,333 3.68 .862
$1,334 - $1,667 3.54 .885
$1,668 or above 3.62 .798
Social Influence
Less than $500 3.27 .845 .860 .488
$500 - $1,000 3.42 .918
$1,000 -$1,333 3.36 .781
$1,334 - $1,667 3.33 .783
$1,668 or above 3.36 .882
Response Effectiveness
Less than $500 3.50 .803 1.578 .178
$500 - $1,000 3.59 .725
$1,000 -$1,333 3.59 .838
$1,334 - $1,667 3.60 .825
$1,668 or above 3.78 .673
Self-efficacy
Less than $500 3.61 .788 1.811 .125
$500 - $1,000 3.48 .889
$1,000 -$1,333 3.42 .874
$1,334 - $1,667 3.50 .884
$1,668 or above 3.70 .799
Threat Appraisal
Less than $500 3.37 .804 .472 .757
$500 - $1,000 3.43 .853
$1,000 -$1,333 3.43 .804
$1,334 - $1,667 3.36 .821
$1,668 or above 3.50 .928
Coping Appraisal
Less than $500 3.49 .757 .330 .858
$500 - $1,000 3.49 .743
$1,000 -$1,333 3.43 .786
$1,334 - $1,667 3.41 .935
$1,668 or above 3.53 .684
Behavioural Motivation
Less than $500 3.54 .757 .299 .879
$500 - $1,000 3.52 .788
$1,000 -$1,333 3.49 .820
$1,334 - $1,667 3.50 .842
$1,668 or above 3.62 .782
Protection Behaviour
Less than $500 3.60 .723 .614 .652
$500 - $1,000 3.62 .794
$1,000 -$1,333 3.58 .784
$1,334 - $1,667 3.72 .773
$1,668 or above 3.69 .618
Post Hoc Test for Income
Variable n Monthly Income (columns: Less than $500, $500 - $1,000, $1,000 -$1,333, $1,334 - $1,667)
Perceived Severity 720 3.85
Less than $500 311 3.81 -
$500 - $1,000 183 3.90 -.09 (.178)
$1,000 -$1,333 92 3.93 -.12 (.166) -.03 (.759)
$1,334 - $1,667 80 3.80 .01 (.975) .10 (.335) .13 (.271)
$1,668 or above 54 3.88 -.07 (.532) .02 (.830) .05 (.673) -.08 (.586)
Perceived Vulnerability 720 3.58
Less than $500 311 3.53 -
$500 - $1,000 183 3.61 -.08 (.225)
$1,000 -$1,333 92 3.68 -.15 (.145) -.07 (.514)
$1,334 - $1,667 80 3.54 -.01 (.971) .07 (.524) .14 (.270)
$1,668 or above 54 3.62 -.09 (.464) -.01 (.907) .06 (.704) -.08 (.557)
Social Influence 720 3.34
Less than $500 311 3.27 -
$500 - $1,000 183 3.42 -.14 (.072)
$1,000 -$1,333 92 3.36 -.09 (.378) .06 (.621)
$1,334 - $1,667 80 3.33 -.06 (.619) .09 (.432) .03 (.783)
$1,668 or above 54 3.36 -.09 (.493) .06 (.667) .00 (.984) -.03 (.836)
Response Effectiveness 720 3.57
Less than $500 311 3.50 -
$500 - $1,000 183 3.59 -.09 (.250)
$1,000 -$1,333 92 3.59 -.09 (.364) .00 (.997)
$1,334 - $1,667 80 3.60 -.10 (.342) -.01 (.929) -.01 (.941)
$1,668 or above 54 3.78 -.28* (.017) -.19 (.115) -.19 (.155) -.18 (.187)
Self-efficacy 720 3.55
Less than $500 311 3.61 -
$500 - $1,000 183 3.48 .13 (.088)
$1,000 -$1,333 92 3.42 .19 (.053) .06 (.577)
$1,334 - $1,667 80 3.50 .11 (.277) -.02 (.865) -.08 (.538)
$1,668 or above 54 3.70 -.09 (.492) -.22 (.093) -.28 (.053) -.20 (.177)
Threat Appraisal 720 3.40
Less than $500 311 3.37 -
$500 - $1,000 183 3.43 -.06 (.435)
$1,000 -$1,333 92 3.43 -.06 (.529) .00 (.987)
$1,334 - $1,667 80 3.36 .01 (.915) .07 (.521) .07 (.564)
$1,668 or above 54 3.50 -.13 (.261) -.07 (.548) -.07 (.596) -.14 (.309)
Coping Appraisal 720 3.48
Less than $500 311 3.49 -
$500 - $1,000 183 3.49 .00 (.946)
$1,000 -$1,333 92 3.43 .06 (.557) .06 (.552)
$1,334 - $1,667 80 3.41 .08 (.407) .08 (.411) .02 (.823)
$1,668 or above 54 3.53 -.04 (.712) -.04 (.756) -.10 (.469) -.12 (.369)
Behavioural Motivation 720 3.53
Less than $500 311 3.54 -
$500 - $1,000 183 3.52 .02 (.731)
$1,000 -$1,333 92 3.49 .05 (.585) .03 (.798)
$1,334 - $1,667 80 3.50 .04 (.632) .02 (.835) .01 (.975)
$1,668 or above 54 3.62 -.08 (.509) -.10 (.403) -.13 (.345) -.12 (.372)
Protection Behaviour 720 3.62
Less than $500 311 3.60 -
$500 - $1,000 183 3.62 -.02 (.742)
$1,000 -$1,333 92 3.58 .02 (.835) .04 (.665)
$1,334 - $1,667 80 3.72 -.12 (.184) -.10 (.311) -.14 (.211)
$1,668 or above 54 3.69 -.09 (.426) -.07 (.575) -.11 (.407) .03 (.781)
* Statistically Significant at .05 level
6. Region
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
BKK& Metro. 3.61 .871 4.521 .000
Northern 3.92 .654
North Eastern 3.79 .720
Eastern 3.86 .751
Central Region 3.90 .694
Southern 4.04 .756
Perceived Vulnerability
BKK& Metro. 3.29 .896 5.216 .000
Northern 3.70 .738
North Eastern 3.67 .752
Eastern 3.47 .863
Central Region 3.59 .763
Southern 3.74 .875
Social Influence
BKK& Metro. 3.23 .737 1.642 .147
Northern 3.44 .697
North Eastern 3.47 .903
Eastern 3.26 .926
Central Region 3.31 .749
Southern 3.29 1.039
Response Effectiveness
BKK& Metro. 3.38 .878 3.076 .009
Northern 3.65 .660
North Eastern 3.72 .657
Eastern 3.56 .769
Central Region 3.47 .759
Southern 3.62 .906
Self-efficacy
BKK& Metro. 3.46 .858 1.534 .177
Northern 3.62 .702
North Eastern 3.69 .786
Eastern 3.48 .806
Central Region 3.57 .853
Southern 3.48 .994
Threat Appraisal
BKK& Metro. 3.21 .834 3.327 .006
Northern 3.38 .823
North Eastern 3.62 .670
Eastern 3.43 .842
Central Region 3.33 .795
Southern 3.44 .935
Coping Appraisal
BKK& Metro. 3.26 .754 5.940 .000
Northern 3.54 .668
North Eastern 3.69 .746
Eastern 3.61 .674
Central Region 3.31 .829
Southern 3.45 .865
Behavioural Motivation
BKK& Metro. 3.46 .793 .298 .914
Northern 3.53 .685
North Eastern 3.54 .753
Eastern 3.56 .862
Central Region 3.53 .748
Southern 3.57 .853
Protection Behaviour
BKK& Metro. 3.55 .750 .832 .527
Northern 3.58 .648
North Eastern 3.67 .770
Eastern 3.57 .813
Central Region 3.68 .694
Southern 3.68 .798
Post Hoc Test for Region
Variable n Region (columns: BKK& Metro., Northern, North Eastern, Eastern, Central Region)
Perceived Severity 720 3.85
BKK& Metro. 120 3.61 -
Northern 120 3.92 -.31* (.001)
North Eastern 120 3.79 -.18 (.069) .13 (.157)
Eastern 120 3.86 -.25* (.011) .06 (.488) -.07 (.470)
Central Region 120 3.90 -.29* (.003) .02 (.795) -.11 (.248) -.04 (.665)
Southern 120 4.04 -.43* (.000) -.12 (.225) -.25* (.009) -.18 (.057) -.14 (.141)
Perceived Vulnerability 720 3.58
BKK& Metro. 120 3.29 -
Northern 120 3.70 -.41* (.000)
North Eastern 120 3.67 -.38* (.000) .03 (.772)
Eastern 120 3.47 -.18 (.103) .23* (.025) .20 (.052)
Central Region 120 3.59 -.30* (.005) .11 (.281) .08 (.430) -.12 (.247)
Southern 120 3.74 -.45* (.000) -.04 (.693) -.07 (.494) -.27* (.009) -.15 (.141)
Social Influence 720 3.34
BKK& Metro. 120 3.23 -
Northern 120 3.44 -.21 (.051)
North Eastern 120 3.47 -.24 (.026) -.03 (.776)
Eastern 120 3.26 -.03 (.747) .18 (.103) .21 (.056)
Central Region 120 3.31 -.08 (.437) .13 (.240) .16 (.145) -.05 (.649)
Southern 120 3.29 -.06 (.544) .15 (.178) .18 (.103) -.03 (.776) .02 (.864)
Response Effectiveness 720 3.57
BKK& Metro. 120 3.38 -
Northern 120 3.65 -.27* (.007)
North Eastern 120 3.72 -.34* (.001) -.07 (.472)
Eastern 120 3.56 -.18 (.064) .09 (.407) .16 (.122)
Central Region 120 3.47 -.09 (.361) .18 (.077) .25* (.013) .09 (.347)
Southern 120 3.62 -.24* (.018) .03 (.761) .10 (.306) -.06 (.599) -.15 (.143)
Self-efficacy 720 3.55
BKK& Metro. 120 3.46 -
Northern 120 3.62 -.16 (.138)
North Eastern 120 3.69 -.23* (.030) -.07 (.488)
Eastern 120 3.48 -.02 (.862) .14 (.191) .21* (.045)
Central Region 120 3.57 -.11 (.299) .05 (.658) .12 (.256) -.09 (.386)
Southern 120 3.48 -.02 (.862) .14 (.191) .21* (.045) .00 (1.000) .09 (.386)
Threat Appraisal 720 3.40
BKK& Metro. 120 3.21 -
Northern 120 3.38 -.17 (.107)
North Eastern 120 3.62 -.41* (.000) -.24* (.024)
Eastern 120 3.43 -.22* (.032) -.05 (.596) .19 (.084)
Central Region 120 3.33 -.12 (.263) .05 (.623) .29* (.006) .11 (.307)
Southern 120 3.44 -.23* (.032) -.06 (.555) .18 (.095) -.01 (.953) -.11 (.280)
Coping Appraisal 720 3.48
BKK& Metro. 120 3.26 -
Northern 120 3.54 -.28* (.005)
North Eastern 120 3.69 -.43* (.000) -.15 (.120)
Eastern 120 3.61 -.35* (.000) -.07 (.462) .08 (.412)
Central Region 120 3.31 -.05 (.610) .23* (.020) .38* (.000) .30* (.002)
Southern 120 3.45 -.19 (.054) .09 (.365) .24* (.014) .16 (.101) .14 (.157)
Behavioural Motivation 720 3.53
BKK& Metro. 120 3.46 -
Northern 120 3.53 -.07 (.450)
North Eastern 120 3.54 -.08 (.384) -.01 (.908)
Eastern 120 3.56 -.10 (.324) -.03 (.818) -.02 (.908)
Central Region 120 3.53 -.07 (.470) .00 (.974) .01 (.882) .03 (.793)
Southern 120 3.57 -.11 (.278) -.04 (.742) -.03 (.831) -.01 (.921) -.04 (.718)
Protection Behaviour 720 3.62
BKK& Metro. 120 3.55 -
Northern 120 3.58 -.03 (.746)
North Eastern 120 3.67 -.12 (.188) -.09 (.321)
Eastern 120 3.57 -.02 (.779) .01 (.966) .10 (.301)
Central Region 120 3.68 -.13 (.181) -.10 (.311) .00 (.983) -.11 (.291)
Southern 120 3.68 -.13 (.155) -.10 (.271) -.01 (.914) -.11 (.253) .00 (.931)
* Statistically Significant at .05 level
7. Network Service Provider
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
TrueMove H 3.76 .750 1.252 .290
DTACT 3.87 .749
AIS 3.87 .756
Don’t know 4.20 .767
Perceived Vulnerability
TrueMove H 3.43 .826 4.181 .006
DTACT 3.62 .829
AIS 3.63 .799
Don’t know 2.73 1.817
Social Influence
TrueMove H 3.35 .810 2.781 .040
DTACT 3.35 .875
AIS 3.33 .835
Don’t know 2.25 1.714
Response Effectiveness
TrueMove H 3.58 .782 2.698 .045
DTACT 3.60 .761
AIS 3.55 .779
Don’t know 2.60 1.517
Self-efficacy
TrueMove H 3.63 .804 .692 .557
DTACT 3.53 .820
AIS 3.52 .864
Don’t know 3.60 1.181
Threat Appraisal
TrueMove H 3.36 .783 1.433 .232
DTACT 3.37 .814
AIS 3.45 .849
Don’t know 2.85 1.167
Coping Appraisal
TrueMove H 3.50 .701 .456 .713
DTACT 3.44 .794
AIS 3.49 .782
Don’t know 3.20 1.366
Behavioural Motivation
TrueMove H 3.59 .752 1.581 .193
DTACT 3.53 .799
AIS 3.51 .771
Don’t know 2.88 1.591
Protection Behaviour
TrueMove H 3.68 .667 1.393 .244
DTACT 3.54 .801
AIS 3.65 .748
Don’t know 3.45 .622
Post Hoc for Network Service Provider
Variable n Service Provider (columns: TrueMove H, DTACT)
Perceived Severity 720 3.85
TrueMove H 161 3.76 -
DTACT 219 3.87 -.11 (.161)
AIS 335 3.87 -.11 (.126) .00 (.988)
Don’t know 5 - - -
Perceived Vulnerability 720 3.58
TrueMove H 161 3.43 -
DTACT 219 3.62 -.19* (.025)
AIS 335 3.63 -.20* (.001) -.01 (.885)
Don’t know 5 - - -
Social Influence 720 3.34
TrueMove H 161 3.35 -
DTACT 219 3.35 .00 (.988)
AIS 335 3.33 .02 (.774) .02 (.764)
Don’t know 5 - - -
Response Effectiveness 720 3.57
TrueMove H 161 3.58 -
DTACT 219 3.60 -.02 (.849)
AIS 335 3.55 .03 (.734) .05 (.547)
Don’t know 5 - - -
Self-efficacy 720 3.55
TrueMove H 161 3.63 -
DTACT 219 3.53 .10 (.252)
AIS 335 3.52 .11 (.165) .01 (.871)
Don’t know 5 - - -
Threat Appraisal 720 3.40
TrueMove H 161 3.36 -
DTACT 219 3.37 -.01 (.924)
AIS 335 3.45 -.09 (.238) -.08 (.234)
Don’t know 5 - - -
Coping Appraisal 720 3.48
TrueMove H 161 3.50 -
DTACT 219 3.44 .06 (.454)
AIS 335 3.49 .01 (.876) -.05 (.470)
Don’t know 5 - - -
Behavioural Motivation 720 3.53
TrueMove H 161 3.59 -
DTACT 219 3.53 .06 (.482)
AIS 335 3.51 .08 (.261) .02 (.687)
Don’t know 5 - - -
Protection Behaviour 720 3.62
TrueMove H 161 3.68 -
DTACT 219 3.54 .14 (.069)
AIS 335 3.65 .03 (.599) -.11 (.112)
Don’t know 5 - - -
* Statistically Significant at .05 level
8. Phone Operating System
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
iOS 3.87 .788 1.094 .358
Android 3.86 .695
Windows 3.60 .849
Don’t know 3.88 .886
Others 3.62 1.008
Perceived Vulnerability
iOS 3.58 .854 6.961 .000
Android 3.65 .772
Windows 3.62 .781
Don’t know 3.22 .950
Others 2.64 .907
Social Influence
iOS 3.43 .830 5.162 .000
Android 3.35 .796
Windows 3.07 1.031
Don’t know 2.88 1.098
Others 2.94 1.146
Response Effectiveness
iOS 3.59 .758 4.670 .001
Android 3.59 .761
Windows 3.82 .648
Don’t know 3.13 .908
Others 3.21 1.214
Self-efficacy
iOS 3.65 .787 6.472 .000
Android 3.56 .832
Windows 3.38 .931
Don’t know 2.95 1.002
Others 3.54 .602
Threat Appraisal
iOS 3.39 .842 2.772 .026
Android 3.44 .773
Windows 3.39 1.056
Don’t know 3.36 .966
Others 2.67 .898
Coping Appraisal
iOS 3.55 .760 3.083 .016
Android 3.48 .741
Windows 3.40 1.108
Don’t know 3.13 .772
Others 3.23 .896
Behavioural Motivation
iOS 3.61 .738 8.564 .000
Android 3.55 .752
Windows 3.52 .747
Don’t know 2.88 1.031
Others 3.22 .874
Protection Behaviour
iOS 3.73 .717 4.836 .001
Android 3.60 .713
Windows 3.58 .877
Don’t know 3.20 1.008
Others 3.50 .677
Post Hoc for Phone Operating System
Variable n Operating System (columns: iOS, Android, Windows, Don’t know)
Perceived Severity 720 3.85
iOS 259 3.87 -
Android 382 3.86 .01 (.982)
Windows 26 3.60 .27 (.089) .26 (.086)
Don’t know 40 3.88 -.01 (.945) -.02 (.935) -.28 (.151)
Others 13 3.62 -.25 (.242) .24 (.241) -.02 (.960) .26 (.280)
Perceived Vulnerability 720 3.58
iOS 259 3.58 -
Android 382 3.65 -.07 (.272)
Windows 26 3.62 -.04 (.811) .03 (.846)
Don’t know 40 3.22 .36* (.010) .43* (.002) .40 (.053)
Others 13 2.64 .94* (.000) 1.01* (.000) .98* (.000) .58* (.027)
Social Influence 720 3.34
iOS 259 3.43 -
Android 382 3.35 .08 (.206)
Windows 26 3.07 .36* (.035) .28 (.101)
Don’t know 40 2.88 .55* (.000) .47* (.001) .19 (.381)
Others 13 2.94 .49* (.041) .41 (.089) .13 (.663) -.06 (.821)
Response Effectiveness 720 3.57
iOS 259 3.59 -
Android 382 3.59 .00 (.978)
Windows 26 3.82 -.23 (.150) -.23 (.141)
Don’t know 40 3.13 .46* (.001) .46* (.000) .69* (.000)
Others 13 3.21 .38 (.081) .38 (.080) .61* (.020) -.08 (.772)
Self-efficacy 720 3.55
iOS 259 3.65 -
Android 382 3.56 .09 (.158)
Windows 26 3.38 .27 (.120) .18 (.308)
Don’t know 40 2.95 .70* (.000) .61* (.000) .43* (.037)
Others 13 3.54 .11 (.639) .02 (.941) -.16* (.026) -.59* (.026)
Threat Appraisal 720 3.40
iOS 259 3.39 -
Android 382 3.44 -.05 (.458)
Windows 26 3.39 .00 (.971) .05 (.797)
Don’t know 40 3.36 .03 (.820) .08 (.554) .03 (.855)
Others 13 2.67 .72* (.002) .77* (.001) .72* (.010) .69* (.010)
Coping Appraisal 720 3.48
iOS 259 3.55 -
Android 382 3.48 .07 (.255)
Windows 26 3.40 .15 (.336) .08 (.600)
Don’t know 40 3.13 .42* (.001) .35* (.006) .27 (.160)
Others 13 3.23 .32 (.145) .25 (.252) .17 (.523) -.10 (.666)
Behavioural Motivation 720 3.53
iOS 259 3.61 -
Android 382 3.55 .06 (.340)
Windows 26 3.52 .09 (.539) .03 (.807)
Don’t know 40 2.88 .73* (.000) .67* (.000) .64* (.001)
Others 13 3.22 .39 (.069) .33 (.119) .30 (.250) -.34 (.171)
Protection Behaviour 720 3.62
iOS 259 3.73 -
Android 382 3.60 .13* (.028)
Windows 26 3.58 .15 (.316) .02 (.884)
Don’t know 40 3.20 .53* (.000) .40* (.001) .38* (.043)
Others 13 3.50 .23 (.275) .10 (.636) .08 (.760) -.30 (.204)
* Statistically Significant at .05 level
9. Phone Lost
Independent Samples t-test
Columns: Equality of Variances (F, Sig.); t-test for Equality of Means (t, df, Sig. (2-tailed), Mean Diff., Std. Error Diff.)
Perceived Severity
- Equal variances assumed
.287 .592 -.584 718 .559 -.03733 .06392
- Equal variances not assumed
-.562 306.980 .574 -.03733 .06639
Perceived Vulnerability
- Equal variances assumed
.339 .561 -.814 718 .416 -.05728 .07035
- Equal variances not assumed
-.801 318.276 .424 -.05728 .07155
Social Influence
- Equal variances assumed
.128 .721 .745 718 .456 .05394 .07237
- Equal variances not assumed
.743 325.859 .458 .05394 .07264
Response Effectiveness
- Equal variances assumed
.875 .350 .111 718 .912 .00739 .06649
- Equal variances not assumed
.109 317.845 .913 .00739 .06767
Self-efficacy
- Equal variances assumed
.056 .814 -1.770 718 .077 -.12584 .07110
- Equal variances not assumed
-1.776 330.037 .077 -.12584 .07087
Threat Appraisal
- Equal variances assumed
1.019 .313 -1.063 718 .288 -.07462 .07017
- Equal variances not assumed
-1.085 340.632 .279 -.07462 .06877
Coping Appraisal
- Equal variances assumed
.427 .514 .556 718 .578 .03649 .06557
- Equal variances not assumed
.547 317.859 .585 .03649 .06673
Behavioural Motivation
- Equal variances assumed
.832 .362 -.955 718 .340 -.06344 .06644
- Equal variances not assumed
-.982 345.742 .327 -.06344 .06462
Protection Behaviour
- Equal variances assumed
2.068 .151 -.167 718 .868 -.01057 .06345
- Equal variances not assumed
-.160 304.594 .873 -.01057 .06621
10. Virus
Independent Samples t-test
Columns: Equality of Variances (F, Sig.); t-test for Equality of Means (t, df, Sig. (2-tailed), Mean Diff., Std. Error Diff.)
Perceived Severity
- Equal variances assumed
2.864 .091 .676 718 .499 .04094 .06057
- Equal variances not assumed
.648 392.706 .517 .04094 .06317
Perceived Vulnerability
- Equal variances assumed
.840 .360 -2.292 718 .022 -.15232 .06645
- Equal variances not assumed
-2.321 446.792 .021 -.15232 .06562
Social Influence
- Equal variances assumed
.154 .695 -.387 718 .699 -.02657 .06860
- Equal variances not assumed
-.391 444.632 .696 -.02657 .06787
Response Effectiveness
- Equal variances assumed
.676 .411 .440 718 .660 .02774 .06300
- Equal variances not assumed
.437 426.470 .662 .02774 .06342
Self-efficacy
- Equal variances assumed
.105 .747 -1.021 718 .308 -.06889 .06747
- Equal variances not assumed
-1.023 435.441 .307 -.06889 .06734
Threat Appraisal
- Equal variances assumed
.246 .620 -2.767 718 .006 -.18313 .06619
- Equal variances not assumed
-2.767 433.605 .006 -.18313 .06617
Coping Appraisal
- Equal variances assumed
.503 .478 -.202 718 .840 -.01253 .06215
- Equal variances not assumed
-.199 418.870 .843 -.01253 .06303
Behavioural Motivation
- Equal variances assumed
6.440 .011 -1.791 718 .074 -.11257 .06286
- Equal variances not assumed
-1.902 503.826 .058 -.11257 .05918
Protection Behaviour
- Equal variances assumed
.000 .988 -.348 718 .728 -.02091 .06013
- Equal variances not assumed
-.347 430.286 .729 -.02091 .06030
11. Free Public Wi-Fi Connection
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
Never 3.79 .767 2.260 .105
Sometimes 3.92 .698
Always 3.81 .868
Perceived Vulnerability
Never 3.51 .824 2.724 .066
Sometimes 3.66 .791
Always 3.52 .941
Social Influence
Never 3.31 .917 .441 .644
Sometimes 3.37 .801
Always 3.30 .835
Response Effectiveness
Never 3.54 .813 4.146 .016
Sometimes 3.64 .723
Always 3.40 .859
Self-efficacy
Never 3.37 .851 13.411 .000
Sometimes 3.71 .768
Always 3.51 .925
Threat Appraisal
Never 3.39 .856 .073 .930
Sometimes 3.41 .800
Always 3.39 .838
Coping Appraisal
Never 3.40 .783 3.183 .042
Sometimes 3.55 .740
Always 3.46 .830
Behavioural Motivation
Never 3.42 .843 6.742 .001
Sometimes 3.64 .694
Always 3.47 .838
Protection Behaviour
Never 3.51 .769 9.195 .000
Sometimes 3.75 .694
Always 3.51 .795
Post Hoc for Free Public Wi-Fi Connection
Variable n Public Wi-Fi Connection (columns: Never, Sometimes)
Perceived Severity 720 3.85
Never 284 3.79 -
Sometimes 333 3.92 -.13* (.044)
Always 103 3.81 -.02 (.886) .11 (.194)
Perceived Vulnerability 720 3.58
Never 284 3.51 -
Sometimes 333 3.66 -.15* (.028)
Always 103 3.52 -.01 (.893) .14 (.149)
Social Influence 720 3.34
Never 284 3.31 -
Sometimes 333 3.37 -.06 (.406)
Always 103 3.30 .01 (.928) .07 (.492)
Response Effectiveness 720 3.57
Never 284 3.54 -
Sometimes 333 3.64 -.10 (.099)
Always 103 3.40 .14 (.120) .24* (.006)
Self-efficacy 720 3.55
Never 284 3.37 -
Sometimes 333 3.71 -.34* (.000)
Always 103 3.51 -.14 (.143) .20* (.028)
Threat Appraisal 720 3.40
Never 284 3.39 -
Sometimes 333 3.41 -.02 (.710)
Always 103 3.39 .00 (.951) .02 (.839)
Coping Appraisal 720 3.48
Never 284 3.40 -
Sometimes 333 3.55 -.16* (.012)
Always 103 3.46 -.06 (.501) .09 (.268)
Behavioural Motivation 720 3.53
Never 284 3.42 -
Sometimes 333 3.64 -.22* (.000)
Always 103 3.47 -.05 (.530) .17 (.054)
Protection Behaviour 720 3.62
Never 284 3.51 -
Sometimes 333 3.75 -.24* (.000)
Always 103 3.51 .00 (.975) .24* (.004)
* Statistically significant at .05 level
12. Transferring Money via Phone
Variable Mean and S.D. Different Test
S.D. F p
Perceived Severity
Never 3.82 .742 1.344 .262
Sometimes 3.92 .757
Always 3.84 .791
Perceived Vulnerability
Never 3.52 .815 6.911 .001
Sometimes 3.74 .814
Always 3.41 .882
Social Influence
Never 3.24 .880 6.524 .002
Sometimes 3.50 .813
Always 3.37 .753
Response Effectiveness
Never 3.51 .787 7.600 .001
Sometimes 3.73 .756
Always 3.41 .770
Self-efficacy
Never 3.40 .838 16.952 .000
Sometimes 3.79 .766
Always 3.66 .873
Threat Appraisal
Never 3.36 .811 7.280 .001
Sometimes 3.56 .814
Always 3.19 .880
Coping Appraisal
Never 3.40 .765 6.476 .002
Sometimes 3.63 .754
Always 3.48 .806
Behavioural Motivation
Never 3.40 .783 14.283 .000
Sometimes 3.74 .744
Always 3.62 .763
Protection Behaviour
Never 3.55 .771 5.259 .005
Sometimes 3.75 .689
Always 3.62 .735
Post Hoc Test for Transferring Money via Phone
Variable n E-Payment (columns: Never, Sometimes)
Perceived Severity 720 3.85
Never 419 3.82 -
Sometimes 219 3.92 -.10 (.104)
Always 82 3.84 -.02 (.836) .08 (.392)
Perceived Vulnerability 720 3.58
Never 419 3.52 -
Sometimes 219 3.74 -.22* (.001)
Always 82 3.41 .11 (.270) .33* (.002)
Social Influence 720 3.34
Never 419 3.24 -
Sometimes 219 3.50 -.26* (.000)
Always 82 3.37 -.13 (.209) .13 (.256)
Response Effectiveness 720 3.57
Never 419 3.51 -
Sometimes 219 3.73 -.22* (.001)
Always 82 3.41 .10 (.263) .32* (.001)
Self-efficacy 720 3.55
Never 419 3.40 -
Sometimes 219 3.79 -.39* (.000)
Always 82 3.66 -.26* (.009) .13 (.228)
Threat Appraisal 720 3.40
Never 419 3.36 -
Sometimes 219 3.56 -.20* (.003)
Always 82 3.19 .17 (.095) .37* (.001)
Coping Appraisal 720 3.48
Never 419 3.40 -
Sometimes 219 3.63 -.23* (.000)
Always 82 3.48 -.08 (.406) .15 (.124)
Behavioural Motivation 720 3.53
Never 419 3.40 -
Sometimes 219 3.74 -.34* (.000)
Always 82 3.62 -.22* (.022) .12 (.222)
Protection Behaviour 720 3.62
Never 419 3.55 -
Sometimes 219 3.75 -.20* (.001)
Always 82 3.62 -.07 (.460) .13 (.162)
* Statistically significant at .05 level
APPENDIX D
CONFIRMATORY FACTOR ANALYSIS
Rotated Component Matrix
Component
1 2 3 4 5 6 7 8 9
q17 .796
q16 .792
q15 .774
q14 .756
q26 .788
q25 .787
q27 .699
q28 .693
q13 .741
q11 .720
q12 .699
q10 .654
q31 .767
q32 .718
q30 .648
q33 .643
q18 .832
q19 .828
q21 .772
q20 .639
q2 .856
q1 .794
q3 .766
q5 .825
q6 .802
q4 .707
q8 .816
q9 .786
q7 .544
q22 .705
q23 .692
q24 .494
q29 .452
APPENDIX E
STRUCTURAL EQUATION MODELING ANALYSIS
1. Test Model Fitness for Measurement Model
Notes for Group (Group number 1)
The model is recursive. Sample size = 729
Parameter Summary (Group number 1)
Weights Covariances Variances Means Intercepts Total
Fixed 38 0 0 0 0 38
Labeled 0 0 0 0 0 0
Unlabeled 20 46 38 0 0 104
Total 58 46 38 0 0 142
Assessment of normality (Group number 1)
Variable min max skew c.r. kurtosis c.r.
q32 1.000 5.000 -.604 -6.661 .149 .819
q28 1.000 5.000 -.637 -7.018 .498 2.747
q13 1.000 5.000 -.527 -5.807 -.211 -1.164
q17 1.000 5.000 -.648 -7.139 .058 .322
q14 1.000 5.000 -.585 -6.444 -.035 -.192
q15 1.000 5.000 -.516 -5.693 -.136 -.751
q16 1.000 5.000 -.601 -6.630 -.061 -.338
q7 1.000 5.000 -.664 -7.320 .001 .008
q8 1.000 5.000 -.424 -4.677 -.023 -.128
q9 1.000 5.000 -.479 -5.282 .141 .778
q29 1.000 5.000 -.693 -7.638 .045 .248
q30 1.000 5.000 -.601 -6.628 -.238 -1.313
q31 1.000 5.000 -.551 -6.069 .060 .329
q22 1.000 5.000 -.718 -7.917 .420 2.317
q23 1.000 5.000 -.390 -4.294 -.023 -.129
q25 1.000 5.000 -.904 -9.961 .946 5.215
q26 1.000 5.000 -.678 -7.472 .581 3.202
q27 1.000 5.000 -.561 -6.183 .232 1.280
q10 1.000 5.000 -.613 -6.752 -.101 -.559
q11 1.000 5.000 -.590 -6.501 .039 .216
q12 1.000 5.000 -.559 -6.166 -.126 -.697
q18 1.000 5.000 -.458 -5.049 -.421 -2.318
q19 1.000 5.000 -.251 -2.765 -.469 -2.587
q1 1.000 5.000 -.792 -8.728 .645 3.557
q2 1.000 5.000 -.840 -9.262 .736 4.057
q3 1.000 5.000 -.788 -8.685 .663 3.656
q4 1.000 5.000 -.591 -6.517 .070 .386
q5 1.000 5.000 -.724 -7.977 .177 .975
q6 1.000 5.000 -.559 -6.159 -.010 -.057
Multivariate 272.200 86.662
Regression Weights: (Group number 1 - Default model)
Estimate S.E. C.R. P Label
q6 <--- PerVul 1.000
q5 <--- PerVul .979 .049 19.873 ***
q4 <--- PerVul .853 .047 18.281 ***
q3 <--- PerSev 1.000
q2 <--- PerSev 1.043 .057 18.289 ***
q1 <--- PerSev 1.051 .058 18.044 ***
q19 <--- TheApp 1.000
q18 <--- TheApp .992 .058 17.012 ***
q12 <--- SelEff 1.000
q11 <--- SelEff .891 .041 21.509 ***
q10 <--- SelEff 1.018 .048 21.250 ***
q27 <--- BehMot 1.000
q26 <--- BehMot .926 .048 19.280 ***
q25 <--- BehMot .925 .049 19.052 ***
q23 <--- CopApp .841 .049 17.249 ***
q22 <--- CopApp 1.000
q31 <--- ProBeh 1.000
q30 <--- ProBeh 1.112 .073 15.167 ***
q29 <--- ProBeh 1.349 .081 16.589 ***
q9 <--- ResEff 1.000
q8 <--- ResEff .943 .059 16.117 ***
q7 <--- ResEff 1.193 .090 13.279 ***
q16 <--- SocInf 1.000
q15 <--- SocInf 1.215 .058 21.081 ***
q14 <--- SocInf 1.165 .057 20.493 ***
q17 <--- SocInf .975 .045 21.897 ***
q13 <--- SelEff .834 .046 18.130 ***
q28 <--- BehMot .908 .047 19.163 ***
q32 <--- ProBeh 1.069 .053 20.169 ***
Standardized Direct Effects (Group number 1 - Default model)
SocInf ResEff ProBeh CopApp BehMot SelEff TheApp PerSev PerVul
q32 .000 .000 .663 .000 .000 .000 .000 .000 .000
q28 .000 .000 .000 .000 .740 .000 .000 .000 .000
q13 .000 .000 .000 .000 .000 .674 .000 .000 .000
q17 .703 .000 .000 .000 .000 .000 .000 .000 .000
q14 .837 .000 .000 .000 .000 .000 .000 .000 .000
q15 .879 .000 .000 .000 .000 .000 .000 .000 .000
q16 .708 .000 .000 .000 .000 .000 .000 .000 .000
q7 .000 .708 .000 .000 .000 .000 .000 .000 .000
q8 .000 .622 .000 .000 .000 .000 .000 .000 .000
q9 .000 .649 .000 .000 .000 .000 .000 .000 .000
q29 .000 .000 .781 .000 .000 .000 .000 .000 .000
q30 .000 .000 .593 .000 .000 .000 .000 .000 .000
q31 .000 .000 .627 .000 .000 .000 .000 .000 .000
q22 .000 .000 .000 .847 .000 .000 .000 .000 .000
q23 .000 .000 .000 .681 .000 .000 .000 .000 .000
q25 .000 .000 .000 .000 .753 .000 .000 .000 .000
q26 .000 .000 .000 .000 .761 .000 .000 .000 .000
q27 .000 .000 .000 .000 .772 .000 .000 .000 .000
q10 .000 .000 .000 .000 .000 .830 .000 .000 .000
q11 .000 .000 .000 .000 .000 .774 .000 .000 .000
q12 .000 .000 .000 .000 .000 .815 .000 .000 .000
q18 .000 .000 .000 .000 .000 .000 .851 .000 .000
q19 .000 .000 .000 .000 .000 .000 .870 .000 .000
q1 .000 .000 .000 .000 .000 .000 .000 .774 .000
q2 .000 .000 .000 .000 .000 .000 .000 .799 .000
q3 .000 .000 .000 .000 .000 .000 .000 .732 .000
q4 .000 .000 .000 .000 .000 .000 .000 .000 .729
q5 .000 .000 .000 .000 .000 .000 .000 .000 .838
q6 .000 .000 .000 .000 .000 .000 .000 .000 .845
Standardized Indirect Effects (Group number 1 - Default model)
SocInf ResEff ProBeh CopApp BehMot SelEff TheApp PerSev PerVul
q32 .000 .000 .000 .000 .000 .000 .000 .000 .000
q28 .000 .000 .000 .000 .000 .000 .000 .000 .000
q13 .000 .000 .000 .000 .000 .000 .000 .000 .000
q17 .000 .000 .000 .000 .000 .000 .000 .000 .000
q14 .000 .000 .000 .000 .000 .000 .000 .000 .000
q15 .000 .000 .000 .000 .000 .000 .000 .000 .000
q16 .000 .000 .000 .000 .000 .000 .000 .000 .000
q7 .000 .000 .000 .000 .000 .000 .000 .000 .000
q8 .000 .000 .000 .000 .000 .000 .000 .000 .000
q9 .000 .000 .000 .000 .000 .000 .000 .000 .000
q29 .000 .000 .000 .000 .000 .000 .000 .000 .000
q30 .000 .000 .000 .000 .000 .000 .000 .000 .000
q31 .000 .000 .000 .000 .000 .000 .000 .000 .000
q22 .000 .000 .000 .000 .000 .000 .000 .000 .000
q23 .000 .000 .000 .000 .000 .000 .000 .000 .000
q25 .000 .000 .000 .000 .000 .000 .000 .000 .000
q26 .000 .000 .000 .000 .000 .000 .000 .000 .000
q27 .000 .000 .000 .000 .000 .000 .000 .000 .000
q10 .000 .000 .000 .000 .000 .000 .000 .000 .000
q11 .000 .000 .000 .000 .000 .000 .000 .000 .000
q12 .000 .000 .000 .000 .000 .000 .000 .000 .000
q18 .000 .000 .000 .000 .000 .000 .000 .000 .000
q19 .000 .000 .000 .000 .000 .000 .000 .000 .000
q1 .000 .000 .000 .000 .000 .000 .000 .000 .000
q2 .000 .000 .000 .000 .000 .000 .000 .000 .000
q3 .000 .000 .000 .000 .000 .000 .000 .000 .000
q4 .000 .000 .000 .000 .000 .000 .000 .000 .000
q5 .000 .000 .000 .000 .000 .000 .000 .000 .000
q6 .000 .000 .000 .000 .000 .000 .000 .000 .000
Model Fit for Measurement Model
CMIN
Model NPAR CMIN DF P CMIN/DF
Default model 104 882.427 331 .000 2.666
Saturated model 435 .000 0
Independence model 29 11345.125 406 .000 27.944
RMR, GFI
Model RMR GFI AGFI PGFI
Default model .037 .917 .891 .698
Saturated model .000 1.000
Independence model .303 .249 .195 .232
Baseline Comparisons
Model NFI Delta1 RFI rho1 IFI Delta2 TLI rho2 CFI
Default model .922 .905 .950 .938 .950
Saturated model 1.000 1.000 1.000
Independence model .000 .000 .000 .000 .000
Parsimony-Adjusted Measures
Model PRATIO PNFI PCFI
Default model .815 .752 .774
Saturated model .000 .000 .000
Independence model 1.000 .000 .000
NCP
Model NCP LO 90 HI 90
Default model 551.427 467.137 643.373
Saturated model .000 .000 .000
Independence model 10939.125 10595.061 11289.543
FMIN
Model FMIN F0 LO 90 HI 90
Default model 1.212 .757 .642 .884
Saturated model .000 .000 .000 .000
Independence model 15.584 15.026 14.554 15.508
RMSEA
Model RMSEA LO 90 HI 90 PCLOSE
Default model .048 .044 .052 .821
Independence model .192 .189 .195 .000
AIC
Model AIC BCC BIC CAIC
Default model 1090.427 1099.367 1567.961 1671.961
Saturated model 870.000 907.393 2867.378 3302.378
Independence model 11403.125 11405.617 11536.283 11565.283
ECVI
Model ECVI LO 90 HI 90 MECVI
Default model 1.498 1.382 1.624 1.510
Saturated model 1.195 1.195 1.195 1.246
Independence model 15.664 15.191 16.145 15.667
HOELTER
Model HOELTER .05 HOELTER .01
Default model 309 325
Independence model 30 31
2. Test Model Fitness for Structural Equation Model
Parameter Summary (Group number 1)
Weights Covariances Variances Means Intercepts Total
Fixed 40 0 0 0 0 40
Labeled 0 0 0 0 0 0
Unlabeled 27 22 36 0 0 85
Total 67 22 36 0 0 125
Assessment of normality (Group number 1)
Variable min max skew c.r. kurtosis c.r.
q32 1.000 5.000 -.604 -6.661 .149 .819
q25 1.000 5.000 -.904 -9.961 .946 5.215
q13 1.000 5.000 -.527 -5.807 -.211 -1.164
q17 1.000 5.000 -.648 -7.139 .058 .322
q14 1.000 5.000 -.585 -6.444 -.035 -.192
q15 1.000 5.000 -.516 -5.693 -.136 -.751
q16 1.000 5.000 -.601 -6.630 -.061 -.338
q8 1.000 5.000 -.424 -4.677 -.023 -.128
q9 1.000 5.000 -.479 -5.282 .141 .778
q30 1.000 5.000 -.601 -6.628 -.238 -1.313
q31 1.000 5.000 -.551 -6.069 .060 .329
q22 1.000 5.000 -.718 -7.917 .420 2.317
q23 1.000 5.000 -.390 -4.294 -.023 -.129
q28 1.000 5.000 -.637 -7.018 .498 2.747
q27 1.000 5.000 -.561 -6.183 .232 1.280
q26 1.000 5.000 -.678 -7.472 .581 3.202
q10 1.000 5.000 -.613 -6.752 -.101 -.559
q11 1.000 5.000 -.590 -6.501 .039 .216
q12 1.000 5.000 -.559 -6.166 -.126 -.697
q18 1.000 5.000 -.458 -5.049 -.421 -2.318
q19 1.000 5.000 -.251 -2.765 -.469 -2.587
q1 1.000 5.000 -.792 -8.728 .645 3.557
q2 1.000 5.000 -.840 -9.262 .736 4.057
q3 1.000 5.000 -.788 -8.685 .663 3.656
q4 1.000 5.000 -.591 -6.517 .070 .386
q5 1.000 5.000 -.724 -7.977 .177 .975
q6 1.000 5.000 -.559 -6.159 -.010 -.057
Multivariate 234.346 79.946
Regression Weights: (Group number 1 - Default model)
Estimate S.E. C.R. P Label
TheApp <--- PerSev .043 .060 .714 .475
TheApp <--- PerVul .359 .056 6.382 ***
TheApp <--- SocInf .289 .043 6.680 ***
CopApp <--- SocInf .178 .045 3.907 ***
CopApp <--- ResEff .054 .127 .429 .668
CopApp <--- SelEff .546 .057 9.543 ***
BehMot <--- TheApp .049 .027 1.812 .070
BehMot <--- CopApp .861 .061 14.210 ***
ProBeh <--- BehMot 1.021 .078 13.161 ***
q6 <--- PerVul 1.000
q5 <--- PerVul .992 .050 19.698 ***
q4 <--- PerVul .851 .047 18.209 ***
q3 <--- PerSev .951 .053 17.913 ***
q2 <--- PerSev .998 .053 18.837 ***
q1 <--- PerSev 1.000
q19 <--- TheApp 1.000
q18 <--- TheApp 1.000 .061 16.499 ***
q12 <--- SelEff 1.000
q11 <--- SelEff .899 .042 21.553 ***
q10 <--- SelEff .997 .048 20.945 ***
q26 <--- BehMot .928 .056 16.614 ***
q27 <--- BehMot 1.000
q28 <--- BehMot .899 .055 16.465 ***
q23 <--- CopApp .857 .051 16.684 ***
q22 <--- CopApp 1.000
q31 <--- ProBeh .943 .063 14.852 ***
q30 <--- ProBeh 1.000
q9 <--- ResEff 1.000
q8 <--- ResEff .914 .062 14.708 ***
q16 <--- SocInf .827 .039 21.117 ***
q15 <--- SocInf 1.000
q14 <--- SocInf .961 .036 26.335 ***
q17 <--- SocInf .807 .039 20.905 ***
q13 <--- SelEff .834 .046 18.054 ***
q25 <--- BehMot .936 .062 14.981 ***
q32 <--- ProBeh .973 .064 15.083 ***
Standardized Direct Effects (Group number 1 - Default model)
SocInf ResEff SelEff PerSev PerVul CopApp TheApp BehMot ProBeh
CopApp .242 .080 .721 .000 .000 .000 .000 .000 .000
TheApp .287 .000 .000 .034 .335 .000 .000 .000 .000
BehMot .000 .000 .000 .000 .000 .861 .068 .000 .000
ProBeh .000 .000 .000 .000 .000 .000 .000 .857 .000
q32 .000 .000 .000 .000 .000 .000 .000 .000 .764
q25 .000 .000 .000 .000 .000 .000 .000 .666 .000
q13 .000 .000 .674 .000 .000 .000 .000 .000 .000
q17 .705 .000 .000 .000 .000 .000 .000 .000 .000
q14 .837 .000 .000 .000 .000 .000 .000 .000 .000
q15 .877 .000 .000 .000 .000 .000 .000 .000 .000
q16 .710 .000 .000 .000 .000 .000 .000 .000 .000
q8 .000 .936 .000 .000 .000 .000 .000 .000 .000
q9 .000 1.007 .000 .000 .000 .000 .000 .000 .000
q30 .000 .000 .000 .000 .000 .000 .000 .000 .676
q31 .000 .000 .000 .000 .000 .000 .000 .000 .749
q22 .000 .000 .000 .000 .000 .708 .000 .000 .000
q23 .000 .000 .000 .000 .000 .580 .000 .000 .000
q28 .000 .000 .000 .000 .000 .000 .000 .644 .000
q27 .000 .000 .000 .000 .000 .000 .000 .675 .000
q26 .000 .000 .000 .000 .000 .000 .000 .673 .000
q10 .000 .000 .812 .000 .000 .000 .000 .000 .000
q11 .000 .000 .781 .000 .000 .000 .000 .000 .000
q12 .000 .000 .815 .000 .000 .000 .000 .000 .000
q18 .000 .000 .000 .000 .000 .000 .854 .000 .000
q19 .000 .000 .000 .000 .000 .000 .866 .000 .000
q1 .000 .000 .000 .773 .000 .000 .000 .000 .000
q2 .000 .000 .000 .802 .000 .000 .000 .000 .000
q3 .000 .000 .000 .730 .000 .000 .000 .000 .000
q4 .000 .000 .000 .000 .723 .000 .000 .000 .000
q5 .000 .000 .000 .000 .844 .000 .000 .000 .000
q6 .000 .000 .000 .000 .840 .000 .000 .000 .000
Standardized Indirect Effects (Group number 1 - Default model)
SocInf ResEff SelEff PerSev PerVul CopApp TheApp BehMot ProBeh
CopApp .000 .000 .000 .000 .000 .000 .000 .000 .000
TheApp .000 .000 .000 .000 .000 .000 .000 .000 .000
BehMot .228 .069 .621 .002 .023 .000 .000 .000 .000
ProBeh .195 .059 .532 .002 .019 .738 .058 .000 .000
q32 .149 .045 .407 .002 .015 .564 .044 .655 .000
q25 .152 .046 .414 .002 .015 .574 .045 .000 .000
q13 .000 .000 .000 .000 .000 .000 .000 .000 .000
q17 .000 .000 .000 .000 .000 .000 .000 .000 .000
q14 .000 .000 .000 .000 .000 .000 .000 .000 .000
q15 .000 .000 .000 .000 .000 .000 .000 .000 .000
q16 .000 .000 .000 .000 .000 .000 .000 .000 .000
q8 .000 .000 .000 .000 .000 .000 .000 .000 .000
q9 .000 .000 .000 .000 .000 .000 .000 .000 .000
q30 .132 .040 .360 .001 .013 .499 .039 .579 .000
q31 .146 .044 .399 .001 .015 .553 .043 .642 .000
q22 .171 .057 .510 .000 .000 .000 .000 .000 .000
q23 .140 .046 .418 .000 .000 .000 .000 .000 .000
q28 .147 .044 .400 .001 .015 .555 .044 .000 .000
q27 .154 .046 .419 .002 .015 .581 .046 .000 .000
q26 .154 .046 .418 .002 .015 .580 .046 .000 .000
q10 .000 .000 .000 .000 .000 .000 .000 .000 .000
q11 .000 .000 .000 .000 .000 .000 .000 .000 .000
q12 .000 .000 .000 .000 .000 .000 .000 .000 .000
q18 .245 .000 .000 .029 .286 .000 .000 .000 .000
q19 .249 .000 .000 .030 .291 .000 .000 .000 .000
q1 .000 .000 .000 .000 .000 .000 .000 .000 .000
q2 .000 .000 .000 .000 .000 .000 .000 .000 .000
q3 .000 .000 .000 .000 .000 .000 .000 .000 .000
q4 .000 .000 .000 .000 .000 .000 .000 .000 .000
q5 .000 .000 .000 .000 .000 .000 .000 .000 .000
q6 .000 .000 .000 .000 .000 .000 .000 .000 .000
Regression Weights: (Group number 1 - Default model)
M.I. Par Change
CopApp <--- PerSev 4.474 .061
ProBeh <--- SocInf 19.397 .131
ProBeh <--- ResEff 7.909 .067
ProBeh <--- TheApp 4.294 .062
q32 <--- q13 6.403 .059
q32 <--- q12 4.240 .049
q32 <--- q18 4.139 -.048
q32 <--- q2 4.405 .059
q25 <--- SocInf 5.914 -.065
q25 <--- PerSev 8.421 .100
q25 <--- q13 9.351 .065
q25 <--- q17 8.648 -.065
q25 <--- q15 8.830 -.066
q25 <--- q9 4.671 -.051
q25 <--- q30 4.011 -.039
q25 <--- q31 10.233 -.074
q25 <--- q27 13.872 .087
q25 <--- q1 5.479 .057
q25 <--- q2 13.754 .093
q13 <--- q25 6.589 .087
q13 <--- q23 8.397 -.093
q17 <--- ResEff 6.081 .061
q17 <--- PerVul 4.283 .068
q17 <--- q9 6.863 .071
q17 <--- q5 4.503 .056
q14 <--- q26 7.263 -.072
q14 <--- q12 5.709 -.054
q15 <--- PerVul 5.761 -.069
q15 <--- q25 4.860 -.055
q15 <--- q22 4.091 -.050
q15 <--- q4 6.363 -.058
q15 <--- q5 4.140 -.047
q16 <--- SelEff 4.975 .071
q16 <--- q25 4.250 .059
q16 <--- q13 4.434 .052
q16 <--- q22 5.739 .068
q16 <--- q27 4.630 .058
q16 <--- q12 6.086 .061
q16 <--- q2 4.161 .060
q16 <--- q4 4.576 .057
q9 <--- q31 6.831 .071
q30 <--- SocInf 14.733 .157
q30 <--- ResEff 7.167 -.087
q30 <--- PerSev 16.213 -.211
q30 <--- q17 9.003 .101
q30 <--- q14 13.003 .121
q30 <--- q15 16.864 .139
q30 <--- q16 8.446 .096
q30 <--- q8 4.788 -.080
q30 <--- q9 4.608 -.077
q30 <--- q19 5.163 .075
q30 <--- q1 19.272 -.162
q30 <--- q2 9.669 -.119
q30 <--- q3 9.944 -.115
q31 <--- ResEff 14.142 .090
q31 <--- TheApp 6.969 .079
q31 <--- q25 4.385 -.057
q31 <--- q8 5.262 .061
q31 <--- q9 14.896 .101
q31 <--- q22 4.662 -.058
q31 <--- q18 8.543 .070
q31 <--- q19 4.692 .052
q22 <--- ResEff 4.623 -.050
q22 <--- PerSev 13.429 .137
q22 <--- q15 7.391 -.065
q22 <--- q9 4.357 -.053
q22 <--- q30 5.285 -.049
q22 <--- q31 8.088 -.071
q22 <--- q10 16.236 .093
q22 <--- q1 6.461 .067
q22 <--- q2 13.966 .102
q22 <--- q3 9.951 .082
q23 <--- SocInf 7.583 .093
q23 <--- PerSev 10.783 -.142
q23 <--- PerVul 8.182 -.103
q23 <--- TheApp 6.154 .084
q23 <--- q13 10.147 -.084
q23 <--- q17 4.983 .062
q23 <--- q14 4.089 .056
q23 <--- q15 12.117 .097
q23 <--- q31 5.955 .071
q23 <--- q27 4.271 .060
q23 <--- q10 8.488 -.078
q23 <--- q19 9.414 .084
q23 <--- q2 14.400 -.120
q23 <--- q4 7.927 -.081
q23 <--- q5 6.817 -.075
q23 <--- q6 7.346 -.077
q28 <--- q17 6.890 .065
q27 <--- SocInf 6.575 -.081
q27 <--- ResEff 5.715 -.061
q27 <--- q25 18.027 .123
q27 <--- q13 6.701 -.064
q27 <--- q17 16.850 -.107
q27 <--- q15 6.211 -.065
q27 <--- q9 8.710 -.082
q27 <--- q26 4.009 .059
q27 <--- q10 5.670 -.060
q27 <--- q11 4.398 -.056
q26 <--- ResEff 8.783 .061
q26 <--- q9 10.779 .074
q26 <--- q2 4.259 -.049
q10 <--- q32 5.134 -.062
q10 <--- q31 9.415 -.085
q10 <--- q22 12.791 .106
q10 <--- q28 5.025 -.067
q10 <--- q27 5.873 -.068
q10 <--- q19 5.480 -.062
q10 <--- q5 4.325 .057
q11 <--- TheApp 7.875 .084
q11 <--- q31 12.710 .091
q11 <--- q18 5.980 .058
q11 <--- q19 10.015 .076
q12 <--- q14 5.861 -.063
q12 <--- q3 6.250 -.071
q18 <--- q30 5.952 -.055
q18 <--- q4 4.654 .056
q19 <--- q30 9.773 .069
q19 <--- q23 7.498 .072
q19 <--- q11 4.198 .052
q2 <--- ResEff 4.125 -.046
q2 <--- PerVul 6.819 -.079
q2 <--- q9 5.231 -.057
q2 <--- q4 4.432 -.051
q2 <--- q5 8.186 -.069
q2 <--- q6 4.050 -.048
q3 <--- q5 7.026 .071
q4 <--- TheApp 5.809 .082
q4 <--- q13 4.555 .057
q4 <--- q16 4.047 .055
q4 <--- q31 5.471 .068
q4 <--- q28 4.201 .064
q4 <--- q11 4.657 .062
q4 <--- q18 9.880 .085
q6 <--- q13 6.071 -.058
q6 <--- q23 5.433 -.061
Model Fit Summary for Structural Equation Model
CMIN
Model NPAR CMIN DF P CMIN/DF
Default model 85 795.971 293 .000 2.717
Saturated model 378 .000 0
Independence model 27 10309.979 351 .000 29.373
RMR, GFI
Model RMR GFI AGFI PGFI
Default model .040 .923 .900 .715
Saturated model .000 1.000
Independence model .296 .267 .211 .248
Baseline Comparisons
Model NFI Delta1 RFI rho1 IFI Delta2 TLI rho2 CFI
Default model .923 .908 .950 .939 .949
Saturated model 1.000 1.000 1.000
Independence model .000 .000 .000 .000 .000
Parsimony-Adjusted Measures
Model PRATIO PNFI PCFI
Default model .835 .770 .793
Saturated model .000 .000 .000
Independence model 1.000 .000 .000
NCP
Model NCP LO 90 HI 90
Default model 502.971 422.923 590.668
Saturated model .000 .000 .000
Independence model 9958.979 9630.988 10293.321
FMIN
Model FMIN F0 LO 90 HI 90
Default model 1.093 .691 .581 .811
Saturated model .000 .000 .000 .000
Independence model 14.162 13.680 13.229 14.139
RMSEA
Model RMSEA LO 90 HI 90 PCLOSE
Default model .049 .045 .053 .715
Independence model .197 .194 .201 .000
AIC
Model AIC BCC BIC CAIC
Default model 965.971 972.771 1356.263 1441.263
Saturated model 756.000 786.240 2491.653 2869.653
Independence model 10363.979 10366.139 10487.954 10514.954
ECVI
Model ECVI LO 90 HI 90 MECVI
Default model 1.327 1.217 1.447 1.336
Saturated model 1.038 1.038 1.038 1.080
Independence model 14.236 13.786 14.695 14.239
HOELTER
Model HOELTER .05 HOELTER .01
Default model 306 323
Independence model 28 30
APPENDIX F
EXAMPLES OF INCREASING SELF-EFFICACY AND SOCIAL
INFLUENCE FOR SMARTPHONE USERS (DEVELOPED BY
CANDIDATE IN RELATED PROJECTS)
The following are examples of increasing smartphone users’ self-efficacy:
1. Educating Smartphone Users through Booklet and Handbook
Figure F1: Booklet about Cybersecurity
Source: NBTC
Figure F2: Handbook for Increasing Cybersecurity
Source: NBTC
2. Infographic for Raising Cybersecurity Awareness
Information on how to configure a smartphone to the highest safe mode is provided via
an infographic poster. The following infographic, as shown in Figure F3, was created to
raise public awareness of cyber threats.
Figure F3: Infographic for Configuring the Phone to the Highest Safe Mode
Source: NBTC
3. Educate Smartphone Users via Activity Booth
Activity booths are organized to educate people on how to protect their phones from
threats. The following photos, as shown in Figure F4, show activity booths organized at
many universities to raise cyber threat awareness.
Figure F4: Activity Booth for Dispersing Cybersecurity Information to Public
Source: NBTC
4. Educating Smartphone Users via Software Application
Software is provided to educate people about cyber threats and security. The
following are some useful examples:
4.1) Phone Security Checker “1-Secure.” This mobile application, as shown
in Figures F5 and F6, is useful for checking the user's existing configuration and mapping
it to a risk profile. The software recommends how to lower the user's risk
profile through configuration changes and on-screen guidelines.
Figure F5: Front End of 1-Secure Application for Android Phone
Source: NBTC
Figure F6: Menu of 1-Secure Application
Source: NBTC
4.2) Using Simulation for Increasing Cybersecurity Awareness. The initial
pilot study, by Fung, C.C., Khera, V., Depickere, A. and Tantatsanawong P. (2007),
tested the participants' cybersecurity learning effectiveness by comparing the
traditional classroom approach with the use of simulation software. The result shows a
significant increase in awareness in the group exposed to simulation compared to
the traditional classroom learning environment.