Research ArticleSecurity Awareness Level of Smartphone Users: An ExploratoryCase Study

Murat Koyuncu 1 and Tolga Pusatli 2

1Information System Engineering, Atilim University, Ankara, Turkey2Department of Mathematics, Cankaya University, Ankara, Turkey

Correspondence should be addressed to Murat Koyuncu; mkoyuncu@atilim.edu.tr

Received 5 December 2018; Accepted 23 April 2019; Published 13 May 2019

Academic Editor: Marco Picone

Copyright © 2019 Murat Koyuncu and Tolga Pusatli. *is is an open access article distributed under the Creative CommonsAttribution License, which permits unrestricted use, distribution, and reproduction in anymedium, provided the original work isproperly cited.

As smartphone technology becomes more and more mature, its usage extends beyond and covers also applications that requiresecurity. However, since smartphones can contain valuable information, they normally become the target of attackers. Aphysically lost or a hacked smartphone may cause catastrophic results for its owner. To prevent such undesired events,smartphone users should be aware of existing threats and countermeasures to be taken against them.*erefore, user awareness is acritical factor for smartphone security. *is study investigates the awareness level of smartphone users for different security-related parameters and compares the awareness levels of different user groups categorized according to their demographic data. Itis based on a survey study conducted on a population with a different range of age, education level, and IT security expertise.According to the obtained results, in general, the awareness level of participants is fairly low, which needs considerable im-provement. In terms of age, the oldest group has the lowest level followed by the youngest group. Education level, in general, has apositive effect on the awareness level. Having knowledge about IT is another factor increasing the security awareness level ofsmartphone users.

1. Introduction

Proliferation of smartphones clearly shows their wideadoption by the public. Today, smartphones have evenreached to the point of addiction for many and have becomean indispensable instrument in people’s daily lives [1].Smartphones can be used for many different purposes be-sides phone calls: these include not only sending/receivinge-mails but also staying online in social media using pro-grams such as Twitter, Google+, and Facebook as well asconducting electronic financial transactions. *e flexiblestructure of smartphones gives designers and developers theability to imagine and develop new and innovative appli-cations. *erefore, today smartphone users have a largeapplication portfolio to be installed and used for differentpurposes. *e related figures can be seen from Google PlayStore and Apple App Store containing about 3.8 million and2 million applications, respectively, as of the first quarter of

2018 [2]. *e number of cumulative app downloads hasreached 178.1 billion mobile apps in 2017, which is a clearindication about smartphone usage [3]. In computer history,the market share of smartphones overtook the leadership ofdesktops in 2016, and mobiles, desktops, and tablets had52.52%, 43.63%, and 3.85% of the market share as of June2018, respectively [4].

On the one hand, there are many advantages in usingsmartphones, but on the other hand, there are many securitythreats as well [5–7]. New mobile malware threat statisticsshow not only a dramatic increase in the number of newmalwares but also an increase in sophistication and com-plexity. Symantec observed 18.4 million mobile malwaredetections in total in 2016, which is an increase of 105percent in 2015 [8].*e total count of malware detected over6months by McAfee Labs in 2016 is 37 million [9]. *enumber of threat families in the Google Play Store increasedby a whopping 30% in 2017, making even the official

HindawiMobile Information SystemsVolume 2019, Article ID 2786913, 11 pageshttps://doi.org/10.1155/2019/2786913

Android App Store a risky proposition for users according toMcAfee 2018 Q1 Mobile *reat Report [10]. *ese numbersshow clearly the level of risk formobile devices. According tothe study done by McGill and *ompson [11], users aremuch more likely to be actively protecting their homecomputer/laptop than their smartphone/tablet. Althoughmany people are still reluctant to use their mobile devices forimportant transactions such as financial activities, this usepattern is changing with youngsters who are no longer soreluctant to use mobile devices for such transactions.*erefore, mobile devices are more likely to be at risk than ahome computer. Although smartphones are generallyconsidered as private devices, they can also be used fororganizational tasks in the scope of the “bring your owndevice” (BYOD) concept [12]. As a result, security forsmartphones becomes crucial.

As indicated in some of the latest studies, user awarenessis a critical factor for smartphone security. For example,European Network and Information Security Agency(ENISA) highlights “lack of user awareness” as a vulnera-bility for smartphone security [13]. Similarly, Jeon et al. [6]listed user unawareness as one of the vulnerabilities forsmartphones. Watson and Zheng [14] investigate userawareness of mobile security recommendations and con-clude that especially those without strong informationtechnology familiarity tend to ignore or be unaware of manycritical security options. *erefore, they suggest to developmethods to improve awareness and adoption of mobilesecurity. Smartphones become a valuable target for attackersbecause of the information they contain. It is, therefore,critical for smartphone users to take precautionary mea-sures, including awareness of vulnerabilities and threats aswell as adoption of security controls against threats [15].Dinev and Hu [16] define technology awareness as a user’sraised consciousness of and interest in knowing abouttechnological issues and strategies to deal with them andshow the technology awareness as one of the stimuli fordetermining the attitude in their awareness-centric model.Bitton et al. [17] present a hierarchical taxonomy for securityawareness specifically designed for mobile device users inwhich a set of measurable criteria is defined and categorizedaccording to different technological focus areas and withinthe context of psychological dimensions. In this scope, thisstudy aims to investigate the levels of awareness of smart-phone users on different security-related parameters andcompare these levels based upon age, education level, andcybersecurity knowledge level.

Although there are studies investigating the securityawareness level of computer users, only a limited number ofthem have focused on smartphone security, which has adifferent user behavior pattern than normal computers[11, 17]. Also, most of the studies investigate smartphoneawareness in a restricted environment such as a universitywith students and/or faculties [14, 16, 18–21]. However, thisstudy aimed to collect data from a wide range of populationin terms of demography. In addition, smartphone pro-liferation continues, and people become more and morefamiliar with this technology.*us, there is a requirement toobserve the latest awareness level of users. Based upon this,

the authors believe that this study provides valuable in-formation to the literature to understand current awarenesslevels of smartphone users from different demographicperspectives for the purpose of developing methods toimprove it.

*e rest of the paper is organized as follows. *e nextsection presents related studies. Section 3 explains themethodology used for the study. In Section 4, the essentialstatistical analysis results are presented and discussed.Section 5 includes the conclusions, theoretical and practicalimplications, and future research recommendations.

2. Related Studies

While ease-of-use and speed are tempting to users, there areconsiderable risks associated with these advantages. Studiesincluding the one by Androulidakis [22] have drawn at-tention to the threats in mobile telephones due to lack ofawareness in security and privacy. Mylonas et al. [23] ex-plore the security awareness of smartphone users, whodownload applications from official application repositories.*eir survey findings show that the majority of users trustthe app repository, security controls are not enabled or notadded, and users disregard security during application se-lection and installation. McIlwraith [24] explains securityawareness as a concept having two parts: the first part is thepractice of making people aware of the issues relating toinformation security; the second part involves encouragingthem to act in a way that is appropriate to the value of theinformation they handle as part of their everyday workactivities. Markelj and Bernik [21] state that safety in cy-berspace depends on the users’ knowledge of threats andtheir appropriate response to them. To achieve this, userawareness should be raised, and users should be informed ofthreats and undergo suitable education on work safety incyberspace.

From the given studies above, it is clear that awarenessabout smartphone security threats and mechanisms to beused against these threats is important. In this scope, weneed to reveal the parameters that users should be aware of.In other words, on the basis of smartphones, what are theimportant issues for users in terms of security?

Harris et al. [25] explore the factors that influence aconsumer before installing a mobile application and con-clude that consumers look more at security when de-termining risks. Perceiving less risk leads to more trust,which then leads to more intent to install apps. EuropeanNetwork and Information Security Agency (ENISA) high-lights “lack of user awareness” as a vulnerability forsmartphone security [13] and recommends not to installapplications unless the source is well known and trusted.Unawareness of risks related to installing applications fromuntrusted sources is shown as one of the vulnerabilities byJeon et al. [6], asserting that, at the first step, “being aware ofdevelopers of the applications and their repositories” is oneof the parameters that smartphone users should consider.

In order to benefit from the installed applications, a usershould accept to share private information that the installedapplication asks or allow the application to access different

2 Mobile Information Systems

resources [6]. Despite these concerns, a work reported byFelt et al. [26] finds that a majority of the users tested doesnot pay attention to warnings while installing applications.Harris et al. [19] investigate the installation of apps askingfor excessive permissions with the assumption that excessivepermissions can increase security risk. In the ENISA’sguidance [13], users are recommended to be aware of whatinstalled applications can access, run, and activate on mobilephones. On the other hand, developers add mostly an end-user license agreement (EULA) document to inform and getconsent from users about the application activities. How-ever, this does not guarantee that the user reads and un-derstands the content. According to a study conducted byChin et al. [27], “participants do not greatly consider existingsecurity indicators like privacy policies and EULAs. Instead,they rely on user reviews and popularity to signal the qualityand safety of applications.” While developers cannot forceusers to read and understand the content, at least, they doask the user to click the “I agree” button. However, howmany users really know what they agree is open to dis-cussion. As a consequence, “being aware of EULA and re-sources that an application can access” is another parameterto be investigated in user awareness.

In Benenson et al. [28], the authors try to establish amental model of IT security for mobile devices. Accordingto their findings, users of mobile devices can be divided intotwo categories: those who consider their devices as a phoneare associated with a lower security awareness and seethemselves not responsible for the security of their devices;on the other hand, those who consider their devices as asmartphone are more aware of mobile security risks andalso consider themselves more responsible to provide se-curity for their devices. Information security is an issue forwhich multiple players should take responsibilities; theseinclude state, service provider, organization (in case theworkplace is included), and the individuals themselves[29, 30]. For instance, states should make laws and es-tablish, or encourage, supporting organizations such asCERT [31]. Technologies such as cloud computing makethe responsibilities more complicated and force the partiesto act together [32]. Unfortunately, a considerable findinghas revealed in Zaaba et al. [33] that employees using IT attheir work places claim “I do not care whether I have theantivirus or not as I believe it’s not my responsibility. It’smy company’s asset anyway.” Concerning this literature,we evaluate that “being aware of smartphone user re-sponsibilities (not considering security as a third-partyresponsibility)” should be another parameter to beinvestigated.

An attacker may deploy a rogue network access point,and users may connect to it.*en, the attacker may interceptthe user communication to carry out further attacks such asphishing [13]. Gkioulos et al. [18] investigate securityawareness of the digital natives, who are university students,for mobile devices. Network access focusing on the usage offree unsecured Wi-Fi connection is one of the investigatedissues for awareness in the study. Attackers can corrupt,block, or modify information on the wireless network bysniffing, spoofing, or eavesdropping [6]. Because of that

untrusted networks may become a nightmare for unawaresmartphone users. Furthermore, a malware in a smartphonecan communicate for different purposes such as leaking outinformation at unexpected times. *erefore, keepingsmartphone always connected to the Internet increases risks.In the scope of these resources, “being aware of risks ofuncontrolled Internet connections” is taken as anotherparameter to be investigated in this study.

According to ENISA, the amount of personal data,sensitive documents, and credentials stored and processedby smartphones makes them an appealing target for at-tackers [13]. Smartphones may be infected with malwarespecifically designed for stealing credit card numbers andonline banking credentials. However, these devices havesmaller interfaces which make entering some informationmore difficult compared to PCs. *erefore, users prefer tostore credentials on smartphones for easiness. As a conse-quence, management of credentials and use of protectiontechnologies is one of the parameters investigated by re-searchers for awareness [18]. In the light of this literature,“being aware of risks of storing credentials on smartphones”is also selected as one of the parameters to be investigated tomeasure the security awareness level of smartphone users.

Li and Clark [34] focus on malware targeting mobilephones and how dangerous they can be. When a user installsan application on a mobile device, he or she can only knowwhat the application can do from the explanations providedby the developer. Even applications installed from GooglePlay Store and Apple App Store may have security breaches.Hence, hackers are tempted by this advantage to spreadingmalware. According to Markelj and Bernik [21], theknowledge of threats that the users of mobile devices mayface and the use of security measures are essential. *at is,users should be aware of security threats and security so-lutions to be applied against these threats [15]. In this scope,“being aware of technical measures” is another parameterthat should be investigated.

In addition to the parameters given above, password/pattern usage, PIN usage, application update behaviors ofusers, which are also considered as security-related activities,are included in this study. Although it is possible to addother parameters, we have decided to limit this study in thisscope since it will provide enough information to measureand evaluate the security awareness level of smartphoneusers.

3. Method

To determine the security awareness level of smartphoneusers, a survey is prepared and conducted as detailed in thefollowing subsections.

3.1. Participants. *e prepared survey is printed out anddelivered to a pollster after pretesting by a limited number ofparticipants. *e survey is conducted in a popular shoppingcenter in Ankara by the pollster in a week’s period insummer 2018. In this way, we aimed to include a wide rangeof participants for demographic variables as it is possible to

Mobile Information Systems 3

find people from different ages, education level, and pro-fessions in such a location. Volunteer participants filled outthe survey forms with the help of the pollster. *e totalnumber of participants is 155 (N� 155).

3.2. Measures. *e participants are asked questions dividedinto three parts: the first part includes questions to de-termine demographic features including gender, age, level ofeducation, and IT security knowledge, and the second parthas six questions about smartphone usage by participantsincluding duration, purpose, operating system, applicationupdate method, password, and PIN usage. As the result ofthe literature survey summarized earlier, the authors havedecided to investigate awareness of smartphone users on sixparameters and developed questions to measure theirawareness levels, as shown in Table 1. For each parameter,two or three questions are developed as seen in Table 1. Inconnection with that, the third part of the survey includesthese 13 questions prepared in 5-point Likert scale tomeasure user preferences, starting with 1 (strongly disagree)and gradually ending with 5 (strongly agree).

Internal consistency of the data is checked usingCronbach’s alpha. All values are above 0.7 meaning that thereliability of the data is at an acceptable level.

4. Results and Discussion

4.1. Descriptive Statistics. *e population’s demography issummarized in Table 2. *e number of female participants ishigher than the males with a percentage of 58.1%. *e age ofthe participants is divided into five categories, and the mostpopulated category is the 21–30-year range with 36.1%. *eage distribution shows that we have participants from a widerange of ages. *e employment status of the participants isshown under the employment/sector section of Table 2. 19.4%and 50.3% of the participants work for public and privatesectors, respectively. 25.8% are students and 4.5%, which iscategorized as “others” includes the unemployed, housewives,and the retired. *e education level is also determined with aquestion. Effort is made to include participants from differenteducational backgrounds, as seen in Table 2. *e highestportion (41.9%) has a bachelor degree, while high schooldiploma is in the second order (27.1%) including also uni-versity students who are not graduates yet.

Table 3 gives some descriptive statistics about smart-phone usage in the population. About half of the re-spondents had been using smartphones for more than6 years. As the operating system of the smartphone, Androidand IOS are dominant platforms with 60% and 36.1% usagerates, respectively. *e next three items in the table areimportant for applying the least and basic security coun-termeasures. *e first item is related to updating operatingsystems and applications. 65.8% of participants use theautomatic update option, while 17.4% prefer manual up-dates. *e rest either do not know or do not update ap-plications in their smartphones. 76.8% and 67.7% declarethat they use regularly password/pattern to access theirphone and PIN to access their SIM cards, respectively.

*e figures obtained in the current study for updates andpassword usage are rather similar to the numbers reportedby Benenson et al. [28]. *e rate of the participants who donot know or do not care about updates is 16.7% in this studyand 15% in their study. *e rate for password usage is 17.4%in this study and 23% in theirs. *e ratio of updatingsmartphones automatically or manually is 83.3%. Gkiouloset al. [18] report 79.5%, 81.3%, and 88.6% regular updateratios for three different competence groups. In the studycarried out by McGill and *ompson [11], the ratio ofsmartphone users using the automatic update option iscalculated as 54.4%, while it is 65.8% in the present study.Interestingly, the ratios are rather similar.

Figure 1 shows the application types used by the par-ticipants in percentage. Accordingly, social media, image/video, and mapping applications occupy the first threemostly used types in the list. From the security point of view,a critical issue is that smartphones are used for onlineshopping and banking activities and their usage rates are37.4 and 47.1% among the participants of the present study.*is type of application usage is a clear indication whysmartphone security awareness is important for users.

4.2. Security Awareness Level. *e security awareness levelsof all participants for the six parameters are given in Table 4.*e mean values between 1 and 5 are seen in the table.Higher values are better, implying 5 represents the maxi-mum awareness level and 1 represents the minimum. Avalue greater than 3 is considered as a “positive indication,”while a value less than 3 is considered as a “negative in-dication” in terms of smartphone security awareness. Ourfindings confirm several prior research results, as well as addsome new insights as follows.

4.2.1. Being Aware of Developers of the Applications and*eirRepositories. *e obtained results show that, althoughusers generally install applications from well-known re-positories such as Google Play and App Store, there areusers downloading and installing applications from othersources. However, a vast majority prefers to downloadapplications from official platforms with a mean value of3.97. *e percentage of downloading applications onlyfrom official repositories is 74.84% (marked “agree” and“strongly agree” in the questionnaire), while Parker et al.[15] report 96.9% and Chin et al. [27] report 85% for thesame parameter. Although the given numbers are dif-ferent, they clearly show that, in general, users preferofficial repositories for application downloading. Weunderstand that 17.42% of participants also install ap-plications from other sources, while 29.6% and 19.8% arereported by Parker et al. [15] and Watson and Zheng [14],respectively. According to the findings of Mylonas et al.[23], users believe that downloading apps from such re-positories is secure. Although there is no full guarantee tohave secure apps, we know that applications shared bysuch repositories are passed through serious controls. Forexample, Google declares that it vets every app and de-veloper in Google Play and suspends those who violate

4 Mobile Information Systems

their policies. *erefore, we evaluate that downloading andinstalling apps from official repositories is more secure thandownloading and installing from unknown sources (for ex-ample, there are sites providing pirated software). Further-more, the developer of an application can be a good indicationin terms of security; therefore, reviewing available in-formation about developers is considered a good precaution[19]. According to our results, a minority of users check the

developers of applications only to a certain extent, and theobtained result is not very high with a mean value of 3.23.Harris et al. [19] reports that only 26% of users investigate thedevelopers when they install applications. Although ourfinding is much better with 48%, it is still not at a satisfactorylevel. Overall, “being aware of developers of the applicationsand their repositories” gives the highest level among themeasured parameters with a value of 3.60, which is the av-erage of the measured two questions. However, this value isnot as high as expected for a satisfactory awareness level,which is supposed to be greater than 4.00.

Table 3: Statistics for smartphone usages.

Frequency PercentageHistory (in years)<6 75 48.46–10 49 31.6>10 31 20.0

Operating systemAndroid 93 60.0IOS 56 36.1Others 6 3.9

UpdatesAutomatic 102 65.8Manual 27 17.4Not known 19 12.3No update 7 4.5

Password/patternYes 119 76.8Sometimes 9 5.8No 27 17.4

PINYes 105 67.7Sometimes 3 1.9No 46 29.7

Table 1: Issues to be investigated and survey questions.

Parameters Questions

(1) Being aware of developers of the applications andtheir repositories

I check the developers of the applications I installI install applications only from official repositories

such as App Store and Play Store

(2) Being aware of EULA and resources that anapplication can access

I read the end-user license agreement (EULA) of myapplications

I pay attention to what my applications can access,run, and activate on my mobile

(3) Being aware of smartphone user responsibilities

In case of an unpermitted use, it is enough to say“someone else has done it”

*e government protects me, I do not have to takeany additional precautions

*e service provider is responsible for cybersecurity(4) Being aware of risks of uncontrolled internetconnections

My GSM data connection is not always onI do not use open Wi-Fi connections in public places

(5) Being aware of risks of storing credentials onsmartphones

I do not store my credentials on the smartphone forfinancial applications (I have to enter my credentials

each time I use the application)My social media accounts are not always on (I have to

enter my PW each time I get connected)

(6) Being aware of technical measures I encrypt my files stored on smartphonesI use antivirus programs

Table 2: Demographic structure of the population.

Frequency PercentageGenderMale 65 41.9Female 90 58.1

Total 155 100.0Age<21 36 23.221–30 56 36.131–40 32 20.641–50 24 15.5>50 7 4.5

Total 155 100.0Employment/sectorPublic 30 19.4Private 78 50.3Student 40 25.8Others 7 4.5

Total 155 100.0Education<High school 8 5.2High school 42 27.1Bachelor 65 41.9Master 19 12.3PhD 21 13.5

Total 155 100.0

Mobile Information Systems 5

4.2.2. Being Aware of EULA and Resources that an Appli-cation Can Access. It is measured with two questions: thefirst for EULA and the second for access permissions, andtheir means are 2.65 and 3.66, respectively. According to theresults, only 29.03% of the participants read EULA. Inanother study, Parker et al. [15] found that 82 percent ofrespondents do not read the license agreement. Chin et al.[27] found that participants do not greatly consider existingsecurity indicators, such as privacy policies and EULAs.*ese results clearly show that smartphone users are notaware of the importance of EULA for security. An installedapplication can do an activity which is risky for the user. *einteresting point is that, in general, such activities are written

in the EULA, and the application requires user consent tothis EULA during installation. As a consequence, approvingEULA without reading it may cause serious securityproblems later. On the other hand, most of the participantspay attention to what the installed applications can access,run, and activate on their mobiles. 63.87% of the participantsdeclare that they read the permission requests upon initialinstallation of an application, which is a very close number(58.8) to that of reported by Parker et al. [15]. According tothe results obtained by Mylonas et al. [23], the percentage ofusers who always view security messages is 38.6%, while48.3% examine them only sometimes. Especially, when anapplication requests more than the minimum required per-missions, it may lead to risk of information theft and remoteattacks [19]. Although the majority of users declare that theycontrol permission requests of applications, still there is asignificant number of those who do not control it.*at meansan important number of users are often unaware of theimplications when granting permissions to applications. Onaverage, the “being aware of EULA and resources that anapplication can access” parameter is slightly higher than 3,which means users are not very cautious in this regard.

4.2.3. Being Aware of Smartphone User Responsibilities.*is parameter aims to measure whether users are aware oftheir responsibilities or consider smartphone security as athird-party responsibility. *e average of the three questionsis 3.29, which shows a positive but low awareness level.Notice that the questions of this parameter are reversescored since the questions imply negativity in terms of se-curity. Benenson et al. [28] report that 36% of smartphoneusers see themselves responsible for the security of theirdevices and the rest consider it as the responsibility ofproducers. Interestingly, we have obtained the same number(36%) representing the ratio of users who do not accept thesecurity as the responsibility of only service providers. *atis, they consider that they are also responsible for it. *ereare many smartphone users having the tendency to considersmartphone security as the responsibility of third-parties,such as the service provider and the government. Such usersare not likely to take enough measures to protect theirsmartphones against threats. According to Lie et al. [29], endusers are in a key position as they install technical safeguardsfor IT security at the most basic level. *erefore, their basiccybersecurity awareness should be improved with thesupport of the government and the private sector.

4.2.4. Being Aware of Risks of Uncontrolled InternetConnections. For this parameter, we checked whether theparticipants are always connected to the Internet via GSMdata connection and also whether they connect to free Wi-Fiin public places such as coffee shops, malls, and restaurants,and the obtained mean values are 2.66 and 2.97, respectively.From these numbers, we first understand that most of theparticipants prefer to be always online and connect to Wi-Fiaccess points in public places. Only 34.84% marked “agree”and “strongly agree” options, which shows a controlledconnection to the Internet. *at is, they connect to the

Table 4: Awareness levels.

Mean SDBeing aware of developers of the applications and theirrepositories 3.60 1.30

I check the developers of the applications I install 3.23 1.37I install applications only from official repositoriessuch as App Store and Play Store 3.97 1.22

Being aware of EULA and resources that anapplication can access 3.16 1.36

I read the end-user license agreement (EULA) of myapplications 2.65 1.42

I pay attention to what my applications can access,run, and activate on my mobile 3.66 1.31

Being aware of smartphone user responsibilities 3.29 1.28In case of an unpermitted use, it is enough to say“someone else has done it” 2.67 1.26

*e government protects me, I do not have to takeany additional precaution 2.58 1.21

*e service provider is responsible for cybersecurity 2.88 1.37Being aware of risks of uncontrolled Internetconnections 2.82 1.48

My GSM data connection is not always on 2.66 1.45I do not use openWi-Fi connections in public places 2.97 1.51Being aware of risks of storing credentials onsmartphones 3.08 1.49

I do not store my credentials on the smartphone forfinancial applications (I have to enter my credentialseach time I use the application)

3.55 1.47

My social media accounts are not always on (I haveto enter my PW each time I get connected) 2.61 1.51

Being aware of technical measures 3.07 1.42I encrypt my files stored on smartphones 2.88 1.34I use antivirus programs 3.27 1.49

0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0Image/video

MapGameMusic

Social mediaNews

Bank/financeShopping

eBookWeather/traffics

Figure 1: Used application types.

6 Mobile Information Systems

Internet when they need it. 54.84% of them prefer to bealways online with their GSM connections on. Anotherinteresting point is that a major portion of the participants(44.52%) declare that they connect to free Wi-Fi in publicplaces. *is number is very similar to that given by Gkiouloset al. [18], which is 43.6%, for the non-IT-related group.Many studies show free Wi-Fi connections as a threat forsmartphones because of different security risks [6, 13]. Forexample, a smartphone user having the intention to use freeWi-Fi can accidentally connect to a rogue access point whichmay create unexpected security problems [35]. Such a devicemay be exposed to several risks including, but not limited to,man-in-the-middle attack, flooding the network with uselessdata (DoS attack), and theft of valuable information. McAfeereports that network spoofing has increased dramaticallyduring the 18months leading to the first quarter of 2018,with hackers setting up their networks in public places,waiting for users to connect, and watching the traffic forsensitive information such as banking logins and credit cardnumbers [10]. *erefore, smartphone users are expected tobe aware of such risks and, accordingly, be alert when theyconnect to a network. However, the obtained results do notshow a satisfactory level of awareness and indicate the needto increase such awareness among smartphone users.

4.2.5. Being Aware of Risks of Storing Credentials onSmartphone. *e obtained mean values are 3.55 and 2.61 forthe questions “I do not store my credentials on thesmartphone for financial applications” and “My social mediaaccounts are not always on,” respectively. *ese numbersshow that participants are more cautious toward financialapplications such as online banking. However, for socialmedia accounts they prefer to store them on the smartphonefor quick access. It is likely that they do not consider storingsocial media credentials as dangerous as storing financialapplications’ credentials. In the study of Gkioulos et al. [18],the ratios of users saving their credentials to stay logged inare 40.3%, 30.8%, and 48.6% for general, medium, and highsmartphone competency levels, respectively. Jones and Chin[20] report that 29% of participants store their credentialssuch as PIN and password in their smartphones (data from2014). In the current study, it is 29% which is exactly thesame ratio given by Jones and Chin [20] and a very closefigure to that obtained for medium competency by Gkiouloset al. [18]. McAfee [10] reports that there is an increase inmalicious banking trojans that take advantage of vulnera-bilities in the Android platform and which add cryptoransomware capabilities to smartphones among othermalicious activities. *erefore, we evaluate that there is aclear requirement to increase the awareness level on thisissue.

4.2.6. Being Aware of Technical Measures. It is measured bytwo questions asking about file encryption and antivirususage by the participants. As seen in Table 4, on average, theresult is 3.07 which indicates that this awareness level is notat a satisfactory level for “being aware of technical mea-sures.” According to the results, the usage rate of antivirus

programs is higher than file encryption. Jones and Chin [20]analyze smartphone security practices of undergraduatestudents and compare the results of 2011 and 2014.According to their 2014 results, 57% and 52% of the par-ticipants use antivirus and encryption, respectively. Ourresults show 54.19% antivirus and 37.42% encryption usagerates. Although these antivirus usage rates are close, theencryption usage rates are rather different. *e reason maybe related to the difference in the population. While theyinclude only undergraduate students, our study covers awide range of people. In another study, McGill and*ompson [11] report the usage of security software as44.6%. In a study done with university students, Markelj andBernik [21] determined 29.5% and 5.8% usage ratios forantivirus and encryption usage, respectively. All these figuresobtained from different studies do not show high usage ratesfor technical measures, such as antivirus and file encryption,which is an indication of low awareness.

4.3. Security Awareness Levels of Age Groups. First, weevaluated age groups in terms of different parameters givenin Table 3. For operating systems, age is not a distinguishingfeature. *ere are no significant differences among differentgroups for smartphone operating system preferences. ForPIN usage, the age again does not give any significant dif-ferences. However, for password/pattern usage and systemupdate, we observe major differences among groups(password/pattern: X2 � 22.95, df� 8, p< 0.05, update:X2 � 22.32, df� 12, p< 0.05). *e 21–30 age group is themost sensitive one with 87.5%, while the oldest group is theone with the lowest ratio 28.5%. On the contrary, the 31–40age group prefers to use the automatic update option with84.4%, which is the highest value.*e oldest group has againthe lowest value with 42.9%, which indicates that theirawareness level is lower than the others. Jones and Chin [20]analyzed the update behavior of users based on the agefeature, observing no significant difference. *e participantsof their study were all students. However, in the currentstudy, the age range of the participants is rather large and,therefore, significant differences are observed among the agegroups.

*e awareness levels of different age groups for themeasurements given in Table 1 are presented in Table 5. Anoverall evaluation can be done considering the averagesgiven in the last row. According to the results, the groupsyounger than 21 and older than 50 having very closenumbers are distinguishably different than the other threegroups. *e oldest group has the lowest awareness level,followed by the youngest group.*e 41–50 age group has thehighest level. Another point is that the awareness level in-creases according to age, except in the last group.

4.4. Degree of Security Awareness according to EducationLevel. Another analysis is done according to the educationlevels of participants including five categories as having PhD,MS, BS, high school, and lower than high schooldegrees(<HS). *e obtained results do not show any sig-nificant differences for operating system preferences and

Mobile Information Systems 7

password/pattern usages. However, we observe significantdifferences for PIN usage and system updates (PIN:X2 �15.78, df� 8, p< 0.05, update: X2 � 29.78, df� 12,p< 0.05). *e group having a PhD-level education has thehighest ratios for PIN usage and system updates with 90%and 95.2%, respectively. On the contrary, the group havinglower than high school education has the lowest values,which are 50% for PIN usage and 37.5% for system updates.

We observe two trends in the results, as seen in Table 6,for the third part of the questionnaire. Most of the pa-rameters have increasing trends such that awareness levelincreases with the education level. *at is, the group havingPhD degrees has the highest value. However, for the secondand sixth parameters, level values increase up to the BSdegree and then decline. One reason for that may be the agefactor. If we consider the levels given for ages, the oldestgroup has the lowest level. *e participants having PhDdegrees probably are older than the others. *erefore, forsome parameters, even though the education level is high,the awareness levels are lower compared to other groups.When we look at the overall picture, the group having PhDdegrees has the highest awareness level, followed by BS andMS groups. As a whole, the awareness level of the partici-pants having BS or higher education degrees is better thanthe other groups. Our finding related to the education levelconfirms the result of Ogutçu et al. [36] who state that thehigher the education level, the more their information se-curity awareness is. Based on these results, we can state thatthe education level has a positive effect on the degree ofsecurity awareness among smartphone users.

4.5. Security Awareness Level according to CybersecurityKnowledge. Another comparison is made considering thecybersecurity knowledge level of participants.*e first groupincludes those who have taken at least one course about ITsecurity at their university education or special trainingprograms. *e second group represents the ones havingsome knowledge about ITsecurity although they do not havea formal training about it. *e last group consists of thosewho have no idea about IT security.

*ere are no significant differences among differentgroups for operating system preferences, password/patternusage, PIN usage, and system update options. *e obtainedresults are given in Table 7 for the third part of the

questionnaire. Except the last parameter, the awarenesslevels of the first group—having ITsecurity training—are thehighest. On average, the first group again has the highestvalue followed by the second group. Mylonas et al. [23]report that users with excellent IT skills tend to be aware ofsmartphone malware, as well as smartphone security soft-ware. Watson and Zheng [14] state that, especially thosewithout strong information technology familiarity tend toignore or be unaware of many critical security options.Benenson et al. [28] conclude that users with good securityknowledge often use additional technical protection means.*ese results are considered as a clear indication for theimportance of training on IT (including IT security) toimprove the awareness level of users.

On the contrary, for “being aware of technical mea-sures,” although the difference is not substantial, the firstgroup has a low value. *e reason for this may be related tousers trusting themselves as regards IT security knowledge.*at is, since they know how to use smartphones securely ingeneral, they do not encrypt the files on their smartphones orinstall antivirus programs. Gkioulos et al. [18] state thatspecific areas are not significantly affected by their securityawareness or background. *at is, although the high-security competence group is expected to have higherawareness due to their specialized education, they could notsee any difference compared to other groups for some se-curity measures. In addition, according to Kang et al. [37],technically oriented individuals who had their education inthe IT domain did not in general take additional steps toprotect their information, in comparison with the othergroup consisting of people from different domains in theirstudy. Although they know more and express higherawareness for other issues, the usage behavior of technicalmeasures such as encryption and antivirus programs is notvery different. Mylonas et al. [23] conclude that users havinghigh IT skills tend not to encrypt their data. Interestingly,different studies, including the present one, report similarbehavior for users having higher IT skills, requiring furtherinvestigation to understand the reasons behind it.

5. Conclusions and Implications

5.1. Conclusions. *is study aimed to investigate theawareness level of smartphone users from different per-spectives including age, education level, and cybersecurity

Table 5: Awareness levels according to age.

Ages <21 21–30 31–40 41–50 >50Being aware of developers of the applications andtheir repositories 3.50 3.69 3.67 3.65 3.15

Being aware of EULA and resources that anapplication can access 2.99 3.34 3.38 3.00 2.02

Being aware of smartphone user responsibilities 3.16 3.17 3.29 3.59 3.28Being aware of risks of uncontrolled Internetconnections 2.67 2.76 2.74 3.04 3.58

Being aware of risks of storing credentials onsmartphones 2.87 2.80 3.21 3.83 3.22

Being aware of technical measures 2.92 3.19 3.08 3.07 2.72Averages 3.02 3.16 3.22 3.36 2.99

8 Mobile Information Systems

training. *e awareness levels of users are measured fordifferent parameters, which are considered important for ITsecurity. *e reached conclusions of the study can besummarized as follows:

(i) *e overall awareness level of the participants is notat a satisfactory level and needs improvement.

(ii) In terms of age, the oldest group (>50) has thelowest awareness level followed by the youngestgroup (<21).

(iii) *e group having BS or higher education degreeshas a better awareness level, which can be consid-ered as an indication of the importance of educationfor cybersecurity.

(iv) *e group having IT security training has thehighest awareness level, which is another indicationfor the importance of training for cybersecurity.

(v) Studies done in previous years pointed out lowsecurity awareness levels among smartphone users[20, 21, 23]. *e results of the current study indicatethat risky behavior among users continues, andthere is no clear improvement on their securityawareness level.

5.2. *eoretical Implications. *e current study makesseveral contributions to the literature. First, this study ex-amines the security awareness level of smartphone usersfrom different perspectives including age, education level,and security training. *e existing studies prove that

smartphone users have a different behavior than normalcomputer users [11, 17]. *erefore, those investigatingcomputer users cannot necessarily be regarded as a directindicator for smartphone use. On the contrary, there is verylimited research focusing on the measurement of thesmartphone security awareness level. As such, this study cancontribute to the domain.

Second, the present study addresses the securityawareness level of users from a wide range of demography.Although there are several studies investigating the securityawareness level of smartphone users, most of them wereconducted in universities with the participation of studentsand faculties [14, 16, 18–21]. *ere is a clear requirement toconduct studies to include different segments of the generalpublic to generalize the derived conclusions. In line withthis, the present work has been realized with the partici-pation of people from a wide range of age, education level,and cybersecurity training.

*ird, it provides valuable information to the literatureto understand current awareness levels of smartphone users.Current statistics show that smartphone usage increaseswhile security risks increase as well drastically. Such risksmay cause severe loss for those involved. *us, there is arequirement to observe the latest awareness level of usersand share this information.

Fourth, it is also useful to see and understand similaritiesand differences between countries in terms of security be-havior as different nationalities may have different aware-ness levels and behavior depending on various factors, thusnecessitating further studies in this regard.

Table 7: Awareness levels according to cybersecurity knowledge.

IT security knowledge level Have training Have some knowledge Have no knowledgeBeing aware of developers of the applications andtheir repositories 3.72 3.67 3.54

Being aware of EULA and resources that anapplication can access 3.49 3.14 2.95

Being aware of smartphone user responsibilities 3.40 3.35 3.24Being aware of risks of uncontrolled Internetconnections 3.38 2.65 2.60

Being aware of risks of storing credentials onsmartphones 3.21 3.09 2.89

Being aware of technical measures 3.04 3.24 3.02Averages 3.37 3.19 3.04

Table 6: Awareness levels according to education.

Education degree <HS High school BS MS PhDBeing aware of developers of the applications andtheir repositories 3.50 3.58 3.59 3.69 3.72

Being aware of EULA and resources that anapplication can access 2.63 3.03 3.40 3.12 2.91

Being aware of smartphone user responsibilities 3.11 3.13 3.20 3.28 3.99Being aware of risks of uncontrolled Internetconnections 2.75 2.67 2.88 2.71 3.02

Being aware of risks of storing credentials onsmartphones 2.88 2.90 2.93 3.37 3.72

Being aware of technical measures 3.00 3.12 3.19 2.94 2.89Averages 2.98 3.07 3.19 3.18 3.37

Mobile Information Systems 9

5.3. Practical Implications. With the increasing importanceof ITsecurity, the present study has three important practicalimplications. First, based on our findings, it is clear that thesecurity awareness level of smartphone users needs to beimproved. *is can be achieved by a collective effort sup-ported by governments, nongovernmental organizations,and others. *is study can provide helpful information forthem.

Second, our results can also be beneficial for hardwareand software developers, for example, by showing that theawareness levels of young and old users are comparativelylower than others.*erefore, the design and implementationof security within smartphone platforms can be made simpleand nontechnical to support old and very young users andalso those from non-IT domains.

*ird, our findings show clear evidence for the positiveeffect of education at the BS, MS, and PhD level for securityawareness. Training on IT security also has a positive effect.*erefore, governments, institutions, and the private sectorresponsible for education can benefit from this study to addcourses or modify the contents of existing courses to im-prove security awareness among individuals as a whole.

5.4. Future Work. *is study has been conducted with thehelp of 155 volunteer participants from different segments ofpopulation. *e same study can be repeated with moreparticipants to generalize the obtained results. In addition,the study can be extended with additional questions toinvestigate other issues related to smartphone security. Here,we investigate the awareness level of smartphone users basedon their usage behaviors. *e research can be extended tounderstand the reasons behind such users’ behaviors. Also,the present study was conducted based on individuals’perspectives and, hence, can be extended to include orga-nizations for the purpose of understanding the securityawareness level of users when they use their smartphones forbusiness or any other initiatives that require teamworking.

Data Availability

*e data used to support the findings of this study areavailable from the corresponding author upon request.

Conflicts of Interest

*e authors declare that there are no conflicts of interestregarding the publication of this paper.

References

[1] C. Chen, K. Z. K. Zhang, X. Gong, S. J. Zhao, M. K. O. Lee, andL. Liang, “Understanding compulsive smartphone use: anempirical test of a flow-based model,” International Journal ofInformation Management, vol. 37, no. 5, pp. 438–454, 2017.

[2] Statista, “Number of apps available in leading app stores as of1st quarter 2018,” July 2018, https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores.

[3] Statista, “Number of mobile app downloads worldwide in2017, 2018 and 2022,” July 2018, https://www.statista.com/

statistics/271644/worldwide-free-and-paid-mobile-app-store-downloads.

[4] StatCounter, “Desktop vs. mobile vs. tablet market shareworldwide,” July 2018, http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet/worldwide.

[5] W. He, “A survey of security risks of mobile social mediathrough blog mining and an extensive literature search,”Information Management and Computer Security, vol. 21,no. 5, pp. 381–400, 2013.

[6] W. Jeon, J. Kim, Y. Lee, and D. Won, “A practical analysis ofsmartphone security,” in Human Interface, Part I, HCII 2011,LNCS 6771, M. J. Smith and G. Salvendy, Eds., pp. 311–320,2011.

[7] M. *eoharidou, A. Mylonas, and D. Gritzalis, “A risk as-sessment method for smartphones,” in Proceedings of theInformation Security and Privacy Research (SEC), IFIP AICT,Heraklion, Greece, June 2012.

[8] Symantec Corporation, Internet Security *reat Report(ISTR), Vol. 22, Symantec Corporation, Mountain View, CA,USA, 2017.

[9] B. Snell,Mobile*reat Report: What’s on the Horizon for 2016,Intel, Santa Clara, CA, USA, 2016.

[10] McAfee, McAfee Mobile *reat Report Q1, 2018, McAfee,Santa Clara, CA, USA, 2018.

[11] T. McGill and N. *ompson, “Old risks, new challenges:exploring differences in security between home computer andmobile device use,” Behaviour and Information Technology,vol. 36, no. 11, pp. 1111–1124, 2017.

[12] P. Baillette, Y. Barlette, and A. Leclercq-Vandelannoitte,“Bring your own device in organizations: extending the re-versed IT adoption logic to security paradoxes for CEOs andend users,” International Journal of Information Management,vol. 43, pp. 76–84, 2018.

[13] G. Hogben andM. Dekker, Smartphones: Information securityrisks, opportunities and recommendations for users, ENISA,Heraklion, Greece, 2010.

[14] B. Watson and J. Zheng, “On the user awareness of mobilesecurity recommendations,” in Proceedings of ACM SE ’17,Kennesaw, GA, USA, April 2017.

[15] F. Parker, J. Ophoff, J. P. Van Belle, and R. Karia, “Securityawareness and adoption of security controls by smartphoneusers,” in Proceedings of Second International Conference onInformation Security and Cyber Forensics (InfoSec), pp. 99–104, Cape Town, South Africa, November 2015.

[16] T. Dinev and Q. Hu, “*e centrality of awareness in theformation of user behavioral intention toward protectiveinformation technologies,” Journal of the Association for In-formation Systems, vol. 8, no. 7, pp. 386–408, 2007.

[17] R. Bitton, A. Finkelshtein, L. Sidi, R. Puzis, L. Rokach, andA. Shabtai, “Taxonomy of mobile users’ security awareness,”Computers and Security, vol. 73, pp. 266–293, 2018.

[18] V. Gkioulos, G. Wangen, S. Katsikas, G. Kavallieratos, andP. Kotzanikolaou, “Security awareness of the digital natives,”Information, vol. 8, no. 2, p. 42, 2017.

[19] M. A. Harris, A. G. Chin, and R. Brookshire, “Mobile appinstallation: the role of precautions and desensitization,”Journal of International Technology and Information Man-agement, vol. 24, no. 4, pp. 47–62, 2015.

[20] B. H. Jones and A. G. Chin, “On the efficacy of smartphonesecurity: a critical analysis of modifications in business stu-dents’ practices over time,” International Journal of In-formation Management, vol. 35, no. 5, pp. 561–571, 2015.

10 Mobile Information Systems

[21] B. Markelj and I. Bernik, “Safe use of mobile devices arisesfrom knowing the threats,” Journal of Information Securityand Applications, vol. 20, pp. 84–89, 2015.

[22] I. I. Androulidakis, Mobile Phone Security and Forensics: APractical Approach, Springer, Berlin, Germay, 2012.

[23] A. Mylonas, A. Kastania, and D. Gritzalis, “Delegate thesmartphone user? Security awareness in smartphone plat-forms,” Computers & Security, vol. 34, pp. 47–66, 2013.

[24] A. McIlwraith, Information Security and Employee Behaviour:How to Reduce Risk through Employee Education, Trainingand Awareness, Routledge, New York, NY, USA, 2016.

[25] M. A. Harris, R. Brookshire, and A. G. Chin, “Identifyingfactors influencing consumers’ intent to install mobile ap-plications,” International Journal of Information Manage-ment, vol. 36, no. 3, pp. 441–450, 2016.

[26] A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, andD. Wagner, “Android permissions: user attention, compre-hension, and behavior,” in Proceedings of the Eighth Sym-posium on Usable Privacy and Security, Washington, DC,USA, July 2012.

[27] E. Chin, A. P. Felt, V. Sekary, andD.Wagner, “Measuring userconfidence in smartphone security and privacy,” in Pro-ceedings of the Symposium on Usable Privacy and Security(SOUPS), Washington, DC, USA, July 2012.

[28] Z. Benenson, O. Kroll-Peters, and M. Krupp, “Attitudes to ITsecurity when using a smartphone,” in Proceedings of theFederated Conference on Computer Science and InformationSystems (FedCSIS), Wrocław, Poland, September 2012.

[29] E. Lie, R. Macmillan, and R. Keck, “Cybersecurity: the role andresponsibilities of an effective regulator,” in Proceedings of the9th ITU Global Symposium for Regulators (GSR), Beirut,Lebanon, November 2009.

[30] A. Palmer, “Cyber security: the road to security begins withpersonal responsibility,” Symantec Official Blog, 2010.

[31] M. Bada, S. Creese, M. Goldsmi, C. Mitchell, and E. Phillips,Computer Security Incident Response Teams (CSIRTs): AnOverview, Oxford Martin School, University of Oxford:Global Cyber Security Capacity Centre, Oxford, UK, 2014.

[32] S. K. Sood, “A combined approach to ensure data security incloud computing,” Journal of Network and Computer Ap-plications, vol. 35, no. 6, pp. 1831–1838, 2012.

[33] Z. F. Zaaba, S. M. Furnell, and P. S. Dowland, “End-userperception and usability of information security,” in Pro-ceedings of the Fifth International Symposium on HumanAspects of Information Security and Assurance (HAISA 2011),London, UK, July 2011.

[34] Q. Li and G. Clark, “Mobile security: a look ahead,” IEEESecurity and Privacy, vol. 11, no. 1, pp. 78–81, 2013.

[35] C. Wang, X. Zheng, Y. J. Chen, and J. Yang, “Locating rogueaccess point using fine-grained channel information,” IEEETransactions on Mobile Computing, vol. 16, no. 9, pp. 2560–2573, 2017.

[36] G. Ogutçu, O. M. Testik, and O. Chouseinoglou, “Analysis ofpersonal information security behavior and awareness,”Computers and Security, vol. 56, pp. 83–93, 2016.

[37] R. Kang, L. Dabbish, N. Fruchter, and S. Kiesler, “My data justgoes everywhere: user mental models of the Internet andimplications for privacy and security,” in Proceedings of theEleventh Symposium on Usable Privacy and Security, pp. 39–52, Ottawa, Canada, July 2015.

Mobile Information Systems 11

Computer Games Technology

International Journal of

Hindawiwww.hindawi.com Volume 2018

Hindawiwww.hindawi.com

Journal ofEngineeringVolume 2018

Advances in

FuzzySystems

Hindawiwww.hindawi.com

Volume 2018

International Journal of

ReconfigurableComputing

Hindawiwww.hindawi.com Volume 2018

Hindawiwww.hindawi.com Volume 2018

Applied Computational Intelligence and Soft Computing

 Advances in 

 Artificial Intelligence

Hindawiwww.hindawi.com Volume 2018

Hindawiwww.hindawi.com Volume 2018

Civil EngineeringAdvances in

Hindawiwww.hindawi.com Volume 2018

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawiwww.hindawi.com Volume 2018

Hindawi

www.hindawi.com Volume 2018

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawiwww.hindawi.com Volume 2018

Hindawiwww.hindawi.com Volume 2018

Engineering Mathematics

International Journal of

RoboticsJournal of

Hindawiwww.hindawi.com Volume 2018

Hindawiwww.hindawi.com Volume 2018

Computational Intelligence and Neuroscience

Hindawiwww.hindawi.com Volume 2018

Mathematical Problems in Engineering

Modelling &Simulationin EngineeringHindawiwww.hindawi.com Volume 2018

Hindawi Publishing Corporation http://www.hindawi.com Volume 2013Hindawiwww.hindawi.com

The Scientific World Journal

Volume 2018

Hindawiwww.hindawi.com Volume 2018

Human-ComputerInteraction

Advances in

Hindawiwww.hindawi.com Volume 2018

Scienti�c Programming

Submit your manuscripts atwww.hindawi.com