Search
Close
Search
Advanced Search
Search Menu

Abstract

This research examined the lives of Australian employees who moved to work from home during COVID-19. Taking a unique approach to cybersecurity, we sought to gain insights into the intermingling of individuals’ personal lives and technology to inform policies and educational programmes. The study employed interpretative phenomenological analysis to understand 27 participants’ lived experiences under lockdown. We found that psychological (e.g. stress, anxiety, confidence, motivation) and sociological (e.g. sharing physical spaces, digital divide) factors impacted employees’ likelihood and ability to engage in effective cybersecurity practices. So did new ways of using technology (e.g. teaching via Zoom), which elucidated unexpected but significant security concerns (e.g. naked children in virtual classrooms). We suggest that cyber educators and policymakers take a Vygotskian approach, which considers that social interaction is central to learning. This assumption means that personal factors must be considered instead of a ‘one-size-fits-all approach’. We argue that organizations should think about approaches that consider the employees’ psychological state before training (and perhaps find ways to reduce anxiety), helping employees redesign their home workspaces to ensure privacy and concentration, and updating employees’ digital devices. Practitioners and scholars can also apply these results post-COVID-19, especially if the ‘new working normal’ provides options for employees to work from home.

Introduction

In March 2020, the World Health Organization declared that the COVID-19 outbreak was a pandemic. In a short period, many people’s lives globally dramatically changed. One of those changes included moving most of the workforce from the office to work from home [1]. This change led to a mingling of personal (e.g. home schooling, multiple household members at home, etc.) and work lives under often highly stressful circumstances. Before the pandemic, employees’ cybersecurity practices were not ideal, and methods to improve cyber hygiene were unsuccessful [2]. This paper seeks to gain insights into the lives of Australian employees who moved to work from home during the pandemic and examines the new challenges of adopting effective cybersecurity practices during these unusual circumstances. It also considers how these findings might be used to inform better practice and policy post-COVID-19. Notably, the research does not seek to separate humans from technology but instead examines how psychology and sociology might inform and reconsider cybersecurity practice and policy.

Pre-COVID cybersecurity practices in the workforce

Before COVID, it was well known that organizations and employees were threatened by numerous types of harm due to employees’ poor cybersecurity practices [3, 4]. Agrafiotis et al. [5] developed a taxonomy of cyber harms that organizations might be exposed to, including physical or digital harm, economic harm, psychological harm, reputational harm, and societal harm. Technical solutions, such as intrusion-detection and intrusion-prevention systems, help prevent these harms; however, they are not able to discover and prevent zero-day attacks (i.e. future/new attacks), as well as advanced persistent threats [6]. Therefore, humans need to play a significant role in adapting technical cyber solutions, protecting systems, and understanding malicious and legitimate behaviours to reduce cyber risk. Effective cybersecurity practices (often referred to as cyber hygiene) could include using firewalls, and antivirus software, employing privacy settings, complex passwords, a virtual private network (VPN), and avoiding clicking on suspicious links [7, 8].

Organizations conduct awareness-raising and training programmes to ensure employees engage in good cybersecurity practices. There are, however, many problems with these programmes. For example, even with good cyber awareness, individuals may apply minimal protective measures [9]. Moreover, when personnel are well trained, hackers are still successful at cyberattacks, stealing sensitive information important to organizations [10]. Calvin [11] argues that managers’ understanding of the human factor problem regarding cybersecurity is too narrow in scope and is much more than a training problem.

Research before COVID-19 found that many organizations had less than optimal cybersecurity implementation. It has been found that ∼38% of organizations have a dedicated cybersecurity policy [12] and that ∼75% of businesses have no explicit cybersecurity-framed rules that staff are expected to follow when working at home [13]. Georgiadou et al. [14] found that one out of four employees was unable to work remotely, one out of three employees had no collaboration mechanism in place for teleworking, and almost half of the hardware assets used for working were not required to comply with strict security rules or minimal security policies.

Despite the background of academic literature highlighting the problems with employees’ cybersecurity practices, many employers, including IT experts, do not believe that their company might be vulnerable to cybercrimes [15, 16]. Research has also elucidated that while governments and industries criticize employees for lacking cyber hygiene, they often do not delineate the cybersecurity behaviours expected of their employees [2]. Furthermore, research has found that organizations hold differing views on the cybersecurity behaviours they believe their employees should be practising [17].

Cyber risks and cybersecurity during the COVID-19 pandemic

Given the background of research before COVID-19, it is unsurprising that researchers have found that employees were not prepared to work securely at home at the height of the pandemic. Notably, 53% of employees in Georgiadou et al.’s [14] study reported not receiving any security guidelines from their employers regarding working from home during this crisis. Moreover, in addition to being unprepared, new cyberthreats emerged during COVID-19.

Cyber risks increased due to new forms of attack and because employees were more exposed to threats when working at home. Specific risks during this time included COVID-19-themed attacks [18] and zero-day exploits [6]. In the COVID-19-themed attacks, such as COVID-19-based phishing, spear phishing, and scams, criminals would steal personal information, such as credit card details, leading to financial fraud. In the zero-day exploits, several cyber risks occurred. For instance, botnet and Distributed Denial of Service (DDoS) attacks (e.g. IoT Mirai variants) disrupted online services and caused high financial risks to organizations and end users. Video conference attacks (e.g. Zoom bombing) injected offensive images and hateful messages, leading to violating users’ privacy and financial risks [19]. Ransomware attacks render users’ data inaccessible, leading to the publication of sensitive information online and the request for expensive ransoms [20].

Understanding the human and cybersecurity

Psychologists and social scientists have examined whether individual differences play a role in predicting cybersecurity behaviours. In addition, researchers have explored the types of factors, including psychological factors, that predict cybersecurity behaviour [21, 22]. For example, conscientiousness, agreeableness, and openness predict self-reported cybersecurity behaviours [23]. Interestingly, those with less trust in technical controls typically score higher on measures of information security awareness [24]. While it is important to understand the role of personality and the likelihood of adopting cybersecurity practices, individuals’ subjective experiences and understandings of cybersecurity are less known.

COVID-19 presented organizations with new challenges by having their workforce move suddenly and on mass to work at home. Arguably, even organizations well versed in cybersecurity could not easily predict how likely their employees would carry out the expected cybersecurity behaviours. Even more challenging would have been having a clear view of the personal challenges that employees might have encountered when attempting to carry out effective cybersecurity practices while simultaneously dealing with a highly stressful event.

Theoretical lens: employing Vygotsky’s theory of learning

This paper is novel in its attempt to gain insights into employees’ subjective experiences when working from home and adopting cybersecurity practices. Rather than survey the adopted behaviours, we wanted to learn how cybersecurity fits into individuals’ lives and how they might learn appropriate cybersecurity behaviours. This approach provides a new lens into understanding why employees might not behave optimally to protect organizations’ assets. Furthermore, it offers new insights for policymakers and cybersecurity educators.

This paper uses a social constructionist lens to consider individuals’ adoption of effective cybersecurity practices. Social constructionists argue that humans create subjective interpretations of their social reality. Learning theories, such as the theory devised by Vygotsky (drawn from in this paper), in line with social constructivism, emphasize the importance of the interaction of culture and cognitive abilities in learning. Uniquely, Vygotsky theorized that understanding cognition requires a grasp of ‘how’ it is processed rather than ‘where’ it is located [25]. The ‘how’ involves the interaction of others in society.

Vygotsky posited that human development is a socially mediated process. Children, he argued, learn through collaborative dialogues with more knowledgeable members of society. He is well known for his concept of the zone of proximal development (ZPD), which he defined as: ‘the distance between the actual developmental level as determined by independent problem solving and the level of potential development as determined through problem solving under adult guidance, or in collaboration with more capable peers’ [26, p. 86].

His theory has also been applied to adult learning [27]. According to Vygotsky [26]:

The level of actual development is the level of development that the learner has already reached, and is the level at which the learner is capable of solving problems independently. The level of potential development (the ‘zone of proximal development’) is the level of development that the learner is capable of reaching under the guidance of teachers or in collaboration with peers. The learner is capable of solving problems and understanding material at this level that they are not capable of solving or understanding at their level of actual development; the level of potential development is the level at which learning takes place. It comprises cognitive structures that are still in the process of maturing, but which can only mature under the guidance of or in collaboration with others. (p. 85).

Illustrated below is the model of the ZPD (Fig. 1). In the model, the centre circle represents what the learner already knows. The middle circle represents the ZPD, which is the learning potential. Learning, however, will only take place with the support of others rather than independent learning. Applying this to cybersecurity, the learner might be guided by educators in an organization, running cybersecurity educational programmes, peers that might help co-workers, and technology and tools (e.g. alerts on a computer to patch, phishing education games).

Zone of proximal development.
Figure 1.

Zone of proximal development.

Open in new tabDownload slide

As a further point, Vygotsky believed that language was an essential component of the human experience [25]. As Vasileva and Balyasnikova [25] explained, Vygotsky [26] argued that ‘words were a tool similar to physical tools used by children in joint activity with others, as they advance in their development. Importantly, the activity processes are first mastered with an adult and later internalized at the mental level…Consequently, Vygotsky devoted much attention to the concept of “inner speech” as a special type of psychological activity and suggests that speech develops first in the social environment and later becomes internalized into mental processes’ (p. 9).

Applying Vygotsky’s understanding of language to cybersecurity, we may learn that some adults have not grasped this language. Without this ‘inner speech’ understanding, cybersecurity best practices may be challenging for some employees.

Research problem

This research’s overarching objective was to learn what cybersecurity meant for participants rather than simply focusing on the technical approaches that participants employed. We wanted to understand participants’ ‘lived experiences’ of cybersecurity and how they managed or struggled to understand ‘good cyber hygiene’ and adopt these practices while working from home during a pandemic. Drawing from a Vygotskyian lens, we were interested in ‘how’ employees learned and understood good cybersecurity practices during sudden lockdowns and how they adopted these practices at home. Notably, via this theoretical lens, we wanted to gain insights into the culture of work and cybersecurity while working from home during a pandemic. Also, important to us was to gain insights into any obstacles to performing ideal cybersecurity practices and misunderstandings and gaps in cybersecurity knowledge.

This work answers the following research questions:

  • RQ1: What were participants’ lived experiences when transitioning from the office to home, and how did these impact cybersecurity learning and behaviours?

  • RQ2: What did cybersecurity mean for participants when working from home?

  • RQ3: How did participants learn about cybersecurity when working from home?

  • RQ4: What recommendations might we give to organizations based on our findings?

Methods

The study employed interpretative phenomenological analysis (IPA), a method psychologists use to understand individuals’ ‘lived experience’ [28]. IPA focuses on how participants make sense of their world and what that experience means for them. The main structure of the analysis using IPA is as follows: (i) the thorough re-reading of interview texts and making initial notes on the left-hand margin of the paper; (ii) the notation of the emerging themes in the right-hand margin of the paper; (iii) recognizing how the themes cluster together; and (iv) the production of a table of themes, which highlight both the superordinate and emergent themes. Each stage requires working closely with the text to develop the themes that will extract the core meaning of the individuals’ experience.

The process takes a hermeneutic approach, which requires continually returning to the data to ground the interpretation of the themes. The hermeneutic approach was originally developed to interpret biblical texts; however, this approach was later adopted by phenomenologists (e.g. Husserl, Heidegger, and later Ricoeur and Taylor) interested in uncovering the human experience as it is lived. This approach involves a new understanding not based on founded beliefs but achieved through renewed interpretive analysis. Given our interest in understanding the interaction of culture and cognition and the learning process, this approach was deemed appropriate for our study.

Participants

This study did not require a large sample size, as this method focuses on sense-making rather than generalizations. The interviews were with 27 Australian employees across each of the States in Australia. The ages ranged from 25 to 72 years, with 67% men and 34% women. The participants’ occupations varied: educators, IT services, public relations, sales, public services, consulting, food manufacturer, scientist, marketing, fundraising, solicitor, administrator, travel agent, and a financial planner. All participants had been working in an office environment before the pandemic and were required in a short amount of time to move to work from home.

Procedure

Prior to commencing the study, ethics clearance was gained from the University’s Ethics Committee. Next, the participants were recruited from Qualtrics, a panel often used by academic researchers to recruit participants for their studies. The researchers instructed the panel to invite Australian employees over 18 years of age who had been sent to work from home in the first lockdown in Australia. Interested participants then contacted the researchers, who, with their consent, were interviewed. Participants were financially compensated for participating ($50).

The interview involved a semistructured interview that invited participants to discuss their experiences of adopting cybersecurity practices during their lockdown. The interview duration ranged from 30 to 40 min. With the participants’ permission, the interviews were recorded and later transcribed.

For IPA, inter-rater reliability is not relevant. As Braun and Clarke [29] explain, according to IPA, coding is personal and intuitive, demanding contemplation and imagination. In contrast to thematic or content analysis, coding using an IPA approach is not about assigning the ‘right code’ but rather a code that characterizes the essence of a sentence or segment of text. In addition, the coders must bracket preexisting theories and allow the participants’ data to suggest the themes. In this analysis, two coders went independently through steps 1 and 2, detailed above. They next worked together on steps 3 and 4. This process allows one to capture themes that one coder might have missed [30].

Materials

The researchers for this study constructed a semistructured interview schedule. In these types of interviews, the researcher does not strictly follow a set of questions but instead has a guide of open-ended questions. This type of interviewing creates opportunities for the researcher to tap into participants’ experiences.

As highlighted in our ‘Introduction’ section, we drew from Vygotsky’s theory of education to help us understand ‘how’ employees learnt about or struggled to learn about and adopt effective cybersecurity practices. We wanted to gain significant insights into the culture of learning cybersecurity practices while moving to a new environment and how the pandemic may have impinged on that learning.

The chosen method of IPA was ideal for this research given that this approach is not attempting to generalize but instead attempts to understand unique experiences.

The set of questions developed to guide the interview included the following:

  • How did the participants experience the transition from the office to working from home?

  • What does ‘effective cybersecurity behaviour’ mean for participants, especially when working from home?

  • Did participants experience any threats or attacks, and how did they deal with them?

  • What type of advice/information (if any) was given to them to work securely at home?

  • How did participants interpret the advice, and how easy or difficult was it to implement?

These questions focus on ‘how’ learning is acquired, considering the interaction of culture and cognition. They differ from asking what is known about cybersecurity practices, which is more consistent with a traditional approach to understanding cybersecurity hygiene.

Results

An IPA is like a thematic analysis; however, as explained in the ‘Methods’ section, intercoder reliability is irrelevant. Comparing frequencies across themes is also not relevant as an IPA approach does not account for the number of participants who experienced the same event but rather identifies individuals’ experiences [28]. Moreover, IPA recognizes the subjectivity of the coder. When conducting an IPA, the researchers bracket preexisting theories and consider the individuals’ interpretation and understanding of their lived experiences.

Five superordinate themes emerged through the analysis of these data. These themes and their emergent themes are summarized in Table 1. They are also described in more detail below, with verbatim quotes to illustrate these themes.

Table 1.
Open in new tab

Table of superordinate and emergent themes.

Superordinate themeEmergent theme
1. Transition from the office to homeStressful
Little time to prepare/transition was very abrupt
Nature of the work changed/adjustments
Not a dramatic change
Enjoyed working from home
2. Working space at homeNot an ideal space
Difficulties separating work and home life
Ideal workspace at home
3. Understanding of cybersecurityBehaviours and policy
Common sense
Cybersecurity expectations—overkill
Not personally relevant to them/organization’s responsibility
Security issues that arose during the pandemic
Enigma
Trade-off between convenience and security
4. Awareness and educationLittle training available/left to their own devices
Cybersecurity training is dull/unmotivated to learn
Guardians—friends/family and not work
Confident in cybersecurity knowledge
5. Digital limitationsOld equipment
Problems with the Internet
Sharing digital devices/personal usage
Superordinate themeEmergent theme
1. Transition from the office to homeStressful
Little time to prepare/transition was very abrupt
Nature of the work changed/adjustments
Not a dramatic change
Enjoyed working from home
2. Working space at homeNot an ideal space
Difficulties separating work and home life
Ideal workspace at home
3. Understanding of cybersecurityBehaviours and policy
Common sense
Cybersecurity expectations—overkill
Not personally relevant to them/organization’s responsibility
Security issues that arose during the pandemic
Enigma
Trade-off between convenience and security
4. Awareness and educationLittle training available/left to their own devices
Cybersecurity training is dull/unmotivated to learn
Guardians—friends/family and not work
Confident in cybersecurity knowledge
5. Digital limitationsOld equipment
Problems with the Internet
Sharing digital devices/personal usage
Table 1.
Open in new tab

Table of superordinate and emergent themes.

Superordinate themeEmergent theme
1. Transition from the office to homeStressful
Little time to prepare/transition was very abrupt
Nature of the work changed/adjustments
Not a dramatic change
Enjoyed working from home
2. Working space at homeNot an ideal space
Difficulties separating work and home life
Ideal workspace at home
3. Understanding of cybersecurityBehaviours and policy
Common sense
Cybersecurity expectations—overkill
Not personally relevant to them/organization’s responsibility
Security issues that arose during the pandemic
Enigma
Trade-off between convenience and security
4. Awareness and educationLittle training available/left to their own devices
Cybersecurity training is dull/unmotivated to learn
Guardians—friends/family and not work
Confident in cybersecurity knowledge
5. Digital limitationsOld equipment
Problems with the Internet
Sharing digital devices/personal usage
Superordinate themeEmergent theme
1. Transition from the office to homeStressful
Little time to prepare/transition was very abrupt
Nature of the work changed/adjustments
Not a dramatic change
Enjoyed working from home
2. Working space at homeNot an ideal space
Difficulties separating work and home life
Ideal workspace at home
3. Understanding of cybersecurityBehaviours and policy
Common sense
Cybersecurity expectations—overkill
Not personally relevant to them/organization’s responsibility
Security issues that arose during the pandemic
Enigma
Trade-off between convenience and security
4. Awareness and educationLittle training available/left to their own devices
Cybersecurity training is dull/unmotivated to learn
Guardians—friends/family and not work
Confident in cybersecurity knowledge
5. Digital limitationsOld equipment
Problems with the Internet
Sharing digital devices/personal usage

Theme 1: transition from the office to home

This superordinate theme focused on how participants experienced the sudden transition from an office to a home environment. It focuses on their experiences of coping with a pandemic while simultaneously being expected to deal with a new way of working. Participants’ experiences of moving to work from home varied for each participant. Many found this to be stressful because of the unknown and fear of becoming seriously ill or dying. In contrast, some of our participants believed there were few changes for them as they had partially worked from home before COVID-19 or that the change was very positive (e.g. saving time on travel).

Relating this theory to Vygotsky’s learning theory, this theme elucidates the ‘culture’ the employees were working in during the pandemic. If we consider how employees might learn new cybersecurity practices in the ‘zone of proximal development’, support activities provided by the educator may need to consider the new surroundings and the stressful environment experienced by some workers.

These findings are still relevant after a pandemic, given that working from home may be a novel ‘culture’ for some. Some of the cyber skills taught to employees differ from those needed in the office (e.g. teaching and sales work), but so is the culture where these are acquired. No longer are competent peers (as described in Vygotsky’s theory) necessary for support present in the home environment. Therefore, ‘scaffolding’ (support activities) may need to be different (e.g. virtual peers technology might be used to support and educate). The subthemes are described below:

Stressful

Some participants described increased stress levels and believed that work pressures differed from working in an office. Others reflected on the stress levels of everyone in the organization—having to do their best in a stressful, difficult situation. The stress experienced by participants made it challenging to adopt new behaviours. For example, in the case of Participant 19 below, when he accidentally downloaded a virus on his computer, because he felt isolated and preoccupied with other stressors, he did little to deal with the threat.

Honestly speaking, it is never—I mean, it is still tricky because it is hard to getting used to it. It is more like the amount of work pressure that—because working remotely. Not just me. The entire company is working remotely, so that amount of work pressure is different. Like previously, it was like everybody is in one space, in one building. So, a lot of the issue doesn’t really come up because they’re working in one place, but now, everybody is scattered, the number of issues actually has raised dramatically. (Participant 19)

The stress felt by participants was not exclusively about working from home. One participant mentioned that his anxieties continued beyond lockdown when he returned to work in the office. In this person’s case, they may be showing symptoms of post-traumatic stress. Trauma may well affect individuals at work long after the pandemic, leading to problems in learning and decision-making, thereby making it difficult to learn new cybersecurity practices.

Yeah. Look, I have a little anxiety issue, but I was very hesitant at going back into the office because I think a lot of things have changed. I thought that a lot of people—I thought—you know how you get that feeling—you may have experienced it too—that you think that people who you thought cared about you didn’t really care about you, and they didn’t think of you the same way as you thought about them…it took me a fair bit to get back into that office and I did got for a day, but I only lasted like an hour, and I had to go back home. (Participant 5)

Little time to prepare/transition was very abrupt

Participants believed the move to work remotely occurred so quickly that there was little time to prepare—bringing equipment home, productivity, and cybersecurity expectations. Workers did not all learn from employers that they would be working remotely, with some receiving this information via the media. For example, one of our participants explained they learnt these details first from the Prime Minister in a press conference:

The Prime Minister would come and speak on a Sunday, and we were pretty much getting our information from the media first. Then we just had one day where they made an announcement 10 minutes before the end of the day that we weren’t coming in tomorrow. So, in terms of getting ready, it was just, it wasn’t sort of well-prepared. I guess we were doing some stuff where we were trying to get resources together and have things that we could access from home. (Participant 1)

Nature of the work changed/adjustments

The nature of the work also changed for some of our participants. For example, school teachers were required to communicate using technologies they were not accustomed to using for teaching. Salespeople could no longer travel, moving to desk work and communication via digital devices. Some employees had to learn to use new technologies quickly and learn effective communication skills.

Since COVID, where previously it was a high degree of travel and face-to-face meetings that I’d normally undertake…for years, you’ve been having a certain hands-on approach, and being able to meet face-to-face and interact in that way to now being completely virtual, so by phone or by many of the platforms like Zoom, Skype… So I suppose it’s more now being a lot more phone calls and organising a lot more virtual meetings. I suppose, overall, it’s just probably me being more active to stay connected with our stakeholders. So that’s been probably more than usual, I suppose, in the way of phone calls and emails, and as I said, pre-COVID, we only ever did internal… using Microsoft Teams or whatever the platform that we used only internally that we actually used a virtual platform and since COVID, that has now been the norm for external stakeholders. (Participant 3)

Not a dramatic change

Not all participants experienced the transition as a dramatic change. One participant had previously worked from home part-time because many of his colleagues were located globally. Notably, besides an increase in virtual meetings, there were few differences for this individual.

Very little [changed] because we already used that because I was working from home a lot, as the nature of the job. Things would tend to fall over 5 or 6 o’clock at night, so it’s not use me commuting. So, I’d go to work, come home just after lunchtime, and then start work again when I got home. So, working at home full time, there’s very little difference. (Participant 2)

Positive

Some experienced working from home as preferable to the office—giving them extra time for leisure activities. Some discussed working a set number of days at home post-COVID-19 lockdowns.

Just that I am working from home, which has turned out to be really great. Initially, there were some teething problems with so many people working from home because we are a very large organization, but it has worked beautifully for me… I liked the idea of separating home from work but when I started this and just the extra hour each morning and afternoon and not having to pay public transport, so there is a saving in the extra time at home and a bit of a sleep in and afternoons there is actually jobs I can do in my garden… (Participant 6)

Theme 2: working space at home

This superordinate theme focused on understanding their available spaces to work from home and how this impacted their performance. Participants discussed creating a workspace on the dining room table, bedrooms, kitchen benches, and hallways. Some participants stated that their new working space affected their enjoyment and increased stress levels. Participants’ privacy was often compromised. Notably, for some, home spaces were not ideal for working in or learning new skills, including effective cybersecurity behaviours.

This theme may just be as relevant to learning after the pandemic should organizations allow employees to work from home. Considering Vygotsky’s understanding of the culture of learning, organizations might need to consider how to help employees create an ideal space in their homes (noting the restrictions of space for many) for learning about cybersecurity practices and enabling more ideal security environments (e.g. ensuring privacy is maintained).

Not an ideal space

Spaces in the home used for other purposes (e.g. bedrooms, dining rooms, living rooms, and desks) needed to be converted into working areas. These participants described their home space as challenging due to needing to share it, which meant that sometimes their workspace was noisy and lacked privacy.

It’s really hard because I’ve got a dog, and then sometimes … right now, he’s okay. I don’t think he’s making any noise, but if he hears me talking to people, he’ll come to the door, and he’ll howl, and he’ll paw, and he’ll want to come in. Yeah, that’s a bit of a hassle when I have meetings because I feel a bit weird. Then he’ll want to see people… I did say sometimes I do experience some neck and back pain from working from home because, technically speaking, I’m not ergonomically set up. Even now, my laptop is just put on top of boxes because otherwise, it would be very low, and I would have to be like this, and then sometimes I have to strain my neck. So, I do find the setup is not quite ideal. (Participant 16)

Yeah, I just basically have my desktop computer here, my Apple computer, and one of the hard parts of it all is the TV is so close [laughs]. You get distracted, and my bed is actually in the same room. (Participant 5)

Yeah, so I actually was working from my bedroom for many months, so working on a tiny desk because, at the time when everyone was trying to get desks, you just had no choice whatsoever…So, I was able to get one very small desk that I didn’t have an office space in my house, and I was sharing with a housemate, who also worked in very pointy end family violence, crisis, so I’d be sitting in my room. I could hear stuff through the walls. (Participant 15)

Difficulties separating work and home life

Participants also described difficulties in separating personal and working lives. This difficulty might have been due to having children home with home schooling, sharing the care of a baby, or simply negotiating personal time with one’s partner.

But it was a bit too much at times. It felt like there was no division of you know like house/work or—so that’s what I have been unable to try to learn to divide and conquer both. (Participant 13)

Ideal space for working at home

In contrast to those who experienced difficulties, some participants had, what they believed, to be an ideal space to work from at home—private and out of the way from household members. As a result, these individuals tended to prefer working remotely.

I have a separate man cave type of thing, we have a high-set house, so we have a room downstairs which was my sort of library—I have got all these antique books, well I know they are probably not antique yet but—so, sort of my man cave with all my books and I have a desk. Actually, it is my uni desk from 40, 50 years ago—oh boy—yes, 40 years ago. (Participant 6)

Theme 3: understanding of cybersecurity

This superordinate theme focused on the cybersecurity practices participants believed they should adopt and their understanding of policies when working from home. Not all participants thought they ought to engage in cybersecurity practices. Some participants believed it was the responsibility of their organization to protect them. Moreover, there was variability in participants’ confidence in knowledge and self-efficacy in adopting appropriate cybersecurity practices. There were also known security breaches during this time that participants did not anticipate. For example, two of the participants, who were school teachers, experienced an unexpected issue with privacy breaches involving children. While some participants knew that cybersecurity is an issue, they openly admitted they did not understand what it entailed. For them, cybersecurity was an enigma. In contrast, those with more knowledge about cybersecurity comprehended this as a complex problem and considered the trade-offs between convenience and security. Their organizations also do not anticipate these security issues, and so have not given any advice or developed policy to deal with these security breaches.

Notably, although the issues raised under this theme may be relevant to working at home during lockdowns (e.g. concerns about privacy issues involving teaching children in ‘virtual environments’), this theme is also applicable to most cybersecurity education programmes and policies. Drawing from Vygotsky’s theory, this theme highlights that for some, cybersecurity is a different language—and some employees do not have an inner dialogue regarding cybersecurity. Understanding this language may be one of the central challenges of any cybersecurity education programme.

Behaviours and policy

For some, it was a list of actions they believed they needed to do, such as using a VPN. Participants, especially those who worked in IT, gave a detailed list and were cognizant of workplace policy. However, many participants’ understandings of effective cybersecurity were rudimental and inconsistent. Many were unaware of particular policies, with others unaware that any policies around cybersecurity practices existed. If workplaces had policies, this research demonstrates that they were not effectively communicated to employees.

Well, having some sort of—well, like we have got—internet security application on your machine, that is for sure. Also, we have virus protection. That is to me, from a personal point of view—I don’t know about—even work has its own virus tool—application, sorry—and, you know, the old thing of not sharing passwords at all and trying to keep them complex. (Participant 6)

So, I know this is about security and stuff. We’re allowed to use USB sticks and copy things on there and take them offsite and do things like that, so that’s what we could have done. We have a portal that’s used for all administration, and all schools use a similar system, I think. You can log in from that anywhere. (Participant 1)

Yes. Well, I guess for companies just to make sure they do everything they can do to make their platforms secure, and I guess from employees’ side if possible use a VPN, get a good antivirus, make sure you keep it updated, run malware checks and all that kind of stuff on your computer and—I don’t know—try to do two point backup for whatever platforms you’re using. (Participant 14)

I don’t know of any policy. My boss didn’t mention anything about it. (Participant 24).

Common sense

Not all participants could provide a list of actions but instead gave a glib response, commenting it was simply ‘common sense’. Unfortunately, as illustrated in the quote below, ‘common sense’ did not always keep them secure.

Just common sense, I suppose. Don’t open anything, I mean, any emails you get that you don’t know or any link or anything like that, don’t open them. And the way they test us at work is they’ll send us an email which appears to be legitimate. And they tell you to click on this link to do something, and once you click on it, you get a dirty message back saying, you should not have clicked on this. This could have been malware; it could have been a virus. You never click on things—they test you like that. So, we all know now that every now and then, we’ll get an email like that, and very few of us will get sucked in. (Participant 22)

Cybersecurity expectations—overkill

Others described some cybersecurity expectations as a step too far, describing some practices as overkill.

In terms of the amount of passwords and things that we have on—I’m not going to say I’m unhappy with those, I think it’s overkill. (Participant 1)

Not personally relevant to them/organization’s responsibility

Although some participants recognized that cybersecurity was a concern, they did not believe it was their problem. Instead, it was perceived as unproblematic because participants did not think they would ever be affected or felt it was their organizations’ responsibility. Many naively believed that they would not be a target and that criminals would be uninterested in causing them harm.

Yeah. I’m not protecting politicians or health or anything like that. So, I’m not much of a target… (Participant 2)

I’m not really concerned about it. I haven’t really given much thought into it. I just use my own Wi-Fi, which I think, if that makes sense by myself or my partner. That’s pretty much all I know about it. I haven’t really given much thought about it. I guess I wouldn’t or haven’t used my laptop on a different Wi-Fi. I haven’t gone out to a café or anything and worked from there or anything. (Participant 7)

…I’ve never been hacked or had identity theft or anything like that happen to me, so I’m probably a bit more relaxed and probably not paying as much attention as I should, and assuming the organization is going to take care of things. I mean, I imagine if the SA [South Australian] government have a large-scale hacking attack, it would probably be fairly catastrophic, and I suspect…I’m probably hoping they take the right precautions to stop that. Realistically, if any of the data I had got stolen, it’d be like, "Well, you’ve just stolen a whole heap of data that probably less than a hundred people in the world know how to analyse and what to do with it anyway. It’s not going to be of any value to anybody except the people that I’m collecting it for. (Participant 12)

Security issues that arose during the pandemic

Some participants were personally impacted during the lockdown by security attacks or unexpected breaches. For example, participants reported that naked children unexpectedly appeared in Zoom meetings when delivering a class. Although Zoom bombings may have been a concern for organizations, the concern seemed to be more about hijacking a meeting rather than placing children at risk.

They rang my phone, and they said you got to put $500 into the account, into our account, because the tax department will be on you. And I did, I didn’t know what was going through, so I lost $500. (Participant 26)

…one of the boys was doing a Zoom lesson, or a boy in a school somewhere interstate or the country, and his naked little sister came running past and jumped on her bed. Like a little kid that doesn’t understand, you know, the innocence of nakedness. So, she was like naked and jumping around on the bed, so it was basically almost child pornography. So, it was be aware of your environment, so there was that… (Participant 11)

…we’re from…, and we’ve been advised that you’ve got a technical issue or someone’s been hacked into it, and then—then you say, are you really from …? Are you really from …? And then either they hang up, or they will put me on hold, and they’ll put me onto another person, and then sometimes they’ll ring up and say yeah, this person has been trying to hack in and they want to know all my details… (Participant 5)

An enigma

Some participants spoke about cybersecurity as an enigma. They found it challenging to visualize how cybersecurity worked.

But I think that’s more to do with the antivirus software. So, I don’t know if that’s out of date. I’ve mentioned that to my employer, and I don’t know how they do it because I think it’s up to them because normally, they say IT does updates and puts fixes, and what do you call it? I don’t know if they’ve made it a priority or not. I mean, so far, we haven’t…there hasn’t been any mention of any serious hacking as such, workwise as least. (Participant 16)

Trade-off between convenience and security

Some participants could recognize that cybersecurity was not a simple choice of a set of behaviours but instead required a consideration between security and convenience. This was an interesting subtheme as it highlighted the practicality of employing workplace policies and the need for more consideration of organizations around the limits of digital technologies in the home.

Well, there’s always that balance between security and convenience. So especially in a company, they always, you know, the convenience is demanded. So that’s always a challenge for cyber security person because yes, that’s a big one, and you know, you’d love to put in systems that are completely inconvenient but totally secure. But in practice, you could probably do it at the router level and put on some PSD or something like that on the, but yeah, again, you wouldn’t get away with doing it in a larger company. And so yeah, there’s always been a trade-off with security versus convenience. (Participant 4)

Theme 4: awareness and education

Participants had varied opportunities for cybersecurity awareness training and education in their organizations—both before and during the onset of the pandemic. They described little preparation for cybersecurity as they moved abruptly to work at home, with many left alone to understand cybersecurity challenges. Some explained being unmotivated to learn about cybersecurity or training not being conveniently scheduled. In contrast, a few participants felt confident and believed they had all the necessary knowledge to protect themselves from cyberthreats.

This theme has relevance beyond a pandemic for employees working from home. Drawing again from Vygotsky’s theory, this theme highlights the importance of competent peers to promote learning. Notably, some participants independently sought help from guardians (friends/family) rather than work colleagues. Moreover, this study found that leaving employees to educate themselves about cybersecurity practices was unhelpful. In line with Vygotsky’s theory, these findings suggest that a cybersecurity education programme may consider including guardians to help support learning.

Little training available/left to their own devices

Although, as mentioned earlier in our paper, effective cybersecurity requires different actions than those needed in the office, many of our participants stated there was little training available as they moved to work from home. For some, if there was any training, they noted that they believed they retained the information.

I feel like there was probably some training module on that, but it’s not very memorable. It wasn’t that explicit. I didn’t feel like it was that big a deal. I mean, they have very secure systems in a way where every day we have to log in through multiple screens just to do our job. That’s tedious for a lot of teachers. So, I know that they obviously have a lot of resources in that area, but just in terms of giving general advice—I mean, we did do—so we do training modules online sometimes. There was one on cybersecurity. I just don’t remember it very well. (Participant 1)

Yeah. I think everyone was just struggling at the beginning because it felt very much like, “Okay, we’ve got to put some things in stone very quickly. You’ve just got to get out of the office.” So, I think the first couple of weeks was very much just set around the adjustment. Even now, I don’t feel like we have a lot of guidance… (Participant 15)

Cybersecurity training is dull/unmotivated to learn

Some participants admitted that they were unmotivated to engage in cybersecurity training even if available at their workplaces.

We get the occasional email, but I think it’s really up to you how much time you have to engage with it. There hasn’t been anything mandatory that’s been placed upon us…So I’ve probably been quite bad in that perhaps there has been stuff that’s been sent out, but it just hasn’t come to my attention whatsoever, and I would say in this very time-poor profession, that’s probably what everyone is experiencing. You don’t actually do anything or engage with anything unless it’s a priority, and you have to sign a form and get it back on time. (Participant 15)

Guardians—friends/family and not work

Some participants admitted that they would seek cybersecurity advice/knowledge from friends and family regarding their organization.

No. I probably wouldn’t go to my organization. I’d probably ask a friend or a family member who is more knowledgeable on network security. Then I’d go to my organization if they say something is up. (Participant 7)

Confident in cybersecurity knowledge

Not all participants believed they had been left in the dark. A few felt confident they knew what effective cybersecurity entails and described being trained by their organizations.

I’m very confident. Even something that remotely looks suspicious it’s just a click on your mouse to send it off to IT to look at it. So, I’d rather look at it and assess it whether it’s malicious or not. We’d rather do that. That’s pretty much the go-to for us. If in doubt, if you have any suspicion, any doubt about this email that you’ve received, irrespective of who you think it came from—whether it’s Australia Post or whatever—not to immediately trust it and if you are suspicious about it being genuine, it’s just an easy click on the mouse to send it off to IT for them to look at it. So, we very much do take a very safety-first approach. (Participant 3).

Theme 5: digital limitations

Participants also spoke about having outdated equipment that was too old to patch. They also discussed using work equipment for personal use. Many understood that these are limitations to achieving effective cybersecurity but were unable or unmotivated to change their practices. Some also spoke about the poor Internet connection they received at home, which would slow down productivity. Further, some participants discussed sharing devices with family members and acknowledged this was not ideal.

Again, this theme highlights the importance of understanding the background in which learning may occur and the bigger picture concerning change behaviour. For example, if organizations expect employees to ‘patch’ and employ VPN without consideration of the limitations of equipment, then no amount of education/awareness will change this behaviour. Moreover, understanding the reality of how equipment is used in the home is critical to the development of an education programme.

Old equipment

My laptop’s about five or six years old, but it does the job, but it’s getting a bit old, but I was kind of, when they just said go home, see you later and go do your best, we weren’t given really any instructions or any equipment. (Participant 11)

Problems with the Internet

There were just dropouts and then slow, being very slow—that’s right—in the early days, one day everything was just so slow…it wasn’t my machine that was the problem—my connection—it was just the network that I was sharing with my colleagues. Maybe it was in the street, I am not sure the technicalities of NBN with—I used to have a cable modem, and it depended on time of day and how quickly that was because you only had one pipe, so to speak, and it was shared between the people living there. (Participant 6)

Sharing digital devices/personal usage

Honestly speaking, the only thing really actually which already happened. Like because I had to replace my personal PC with my work PC, so I have to sometimes do my personal stuff in the same PC. So, every time I don’t log into VPN so when I do my normal home stuff, and obviously you know there are a lot of [strange websites], so once actually one virus got downloaded into my work PC and when I logged into it…(Participant 19)

I’m sure there’s things in there that you can accidentally click that could cause issues. That’s probably one of those areas, I don’t know how to stop that. You’re not going to be able to tell a ten-year-old… To train them up in cybersecurity, so whether it’s maybe most households having to get some sort of more diligent set up than just antivirus and stuff. I’m not sure what the best solution would be. It’s concerning though. (Participant 27)

Discussion

We began our paper highlighting that working remotely requires additional cybersecurity practices not necessarily needed in the office space. We also noted the background literature demonstrates that employees do not always engage in good ‘cyber hygiene’ and that cybersecurity awareness programmes are often ineffective. During the early onset of the pandemic, organizations had to relocate their workforce swiftly, with little warning, to work from home. As a result, organizations needed to be agile in reorganizing their workforce and developing effective cybersecurity policies to protect their organizations and employees. As research demonstrates, perhaps unsurprisingly, cyberattacks increased during the height of the pandemic [12, 31 ]. This was most likely due to individuals’ increased use of digital technologies [32].

Our research uniquely examined individuals’ lived experiences during this time. Drawing from Vygotsky, we were interested in ‘how’ people learnt, considering their subjective experiences. Some of our employees were more distracted by other stressful events, found the rapid transition from home to work challenging, and were not given adequate support to adopt effective cybersecurity when working from home. Moreover, the blur between home and work life/and digital devices added cyber risks. Our findings, therefore, provide insights that may guide cybersecurity policymakers in how individuals might better protect themselves when working from home. Moreover, they demonstrate how these policies need to consider employees’ psychological states (especially when in a crisis—which could involve dealing with a cyberattack or a telco outage). In addition, the work here provides suggestions on how education programmes might be improved when considering the phenomenological experiences of their employees well beyond the pandemic.

Many of our participants expressed feeling stressed and discombobulated. Some explicitly stated that they felt anxious and emotional. Even with the best of policies, expecting people to learn new behaviours during extreme stress is unrealistic. Many psychological studies have shown that stress affects learning and memory abilities [30]. This current research shows how critical it is to understand the psychological state of a workforce. Even with the most straightforward and well-set policies, many employees may not have focused on learning these new skills and practices and/or retain this information. Organizations may well have reduced risk and prevented attacks by first focusing on the psychological state of their workforce—finding ways to reduce stress (and, of course, this is relevant well beyond the pandemic).

In addition to understanding the psychological state of employees, this study demonstrated the importance of understanding the environment in which people learn. We learnt that home setups were not always ideal for employees. This finding is not a trivial point. Besides the obvious concerns of privacy with clients and other fellow employees combined with family/flatmates in a shared space, there is the issue of an ideal space to be productive and learn new practices, such as effective cybersecurity practices. Environmental psychologists have researched the ideal physical environments for learning [33]. Sociologists have examined how to develop boundaries between work and personal life when working from home—including temporal and physical space [34]. Advice on creating a workspace from home conducive to learning and mental well-being is not a unique concern related to the pandemic. As workforces evolve, and potentially, due to the COVID-19 pandemic, organizations might move to a ‘new normal’ of providing options for employees to work from home. Notably, some of our participants voiced their preference for working from home. Therefore, providing the best advice on creating an ideal working space at home may help improve effective cybersecurity practices.

Our study revealed that our participants varied in their knowledge of cybersecurity risks and practices and their motivation to learn. Some participants felt confident in their ability (although not always correct), and others felt that training was boring. Others turned to family and friends for advice. Researchers who have examined the effectiveness of cybersecurity training have highlighted the challenge of motivating employees to learn [35]. This current study reinforces the notion that ‘one size does not fit all’ in cybersecurity training. Not only do training programmes need to consider psychological differences, but also the psychological state and readiness of employees. None of our participants experienced any tailored-made cybersecurity training, yet our findings suggest this may be critical in protecting organizations and their employees.

Another fundamental concern raised in this study was using outdated work digital devices and sharing devices in the home. Researchers have examined how new technologies have brought about a new digital divide for school pupils [36, 37]. However, there is a dearth of research on the ‘digital divide’ for employees and how outdated equipment may impact productivity and cybersecurity protection. This current study suggests that policies on strengthening an organizations’ defences may need to consider employees’ access to appropriate digital devices.

Our introduction noted the importance of employing Vygotsky’s learning theory to help shape and design this study. Taking a social constructivist approach affords the researcher with a different understanding of the phenomenon under investigation. This study revealed, perhaps radically, that improving the resilience of an organization and the cybersecurity practices of employees needs much more than an understanding of which behaviours require changing or what actions need to be taught. (Table 2). This guidance is just as relevant post pandemic.

Table 2.
Open in new tab

Recommendations according to theme.

1.A need to understand your workforces’ psychological state. (Theme 1)
2.Consider employees’ home settings and advise them to create environments within constraints to promote cyber-secure behaviours. (Theme 2)
3.A need to understand your workforces’ level of cybersecurity knowledge and the correct language to use to help educate your workforce. (Theme 3)
4.Use peers to help guide/educate some staff. (Theme 4)
5.There is a need to rethink how to educate and motivate your workforce to improve cybersecurity practices—this might need to be pitched at different levels rather than a one-size-fits-all approach. (Theme 4)
6.Be mindful of technology limitations and how this might be resolved—updating devices or setting limits to how these devices are utilized. (Theme 5)
7.Consider cybersecurity as more than a technical education—the examples in this project of what might be accidentally viewed in home settings elucidates a new challenge for cybersecurity policymakers and trainers. (Theme 5)
8.Avoidance of blaming end users. (Theme 5)
1.A need to understand your workforces’ psychological state. (Theme 1)
2.Consider employees’ home settings and advise them to create environments within constraints to promote cyber-secure behaviours. (Theme 2)
3.A need to understand your workforces’ level of cybersecurity knowledge and the correct language to use to help educate your workforce. (Theme 3)
4.Use peers to help guide/educate some staff. (Theme 4)
5.There is a need to rethink how to educate and motivate your workforce to improve cybersecurity practices—this might need to be pitched at different levels rather than a one-size-fits-all approach. (Theme 4)
6.Be mindful of technology limitations and how this might be resolved—updating devices or setting limits to how these devices are utilized. (Theme 5)
7.Consider cybersecurity as more than a technical education—the examples in this project of what might be accidentally viewed in home settings elucidates a new challenge for cybersecurity policymakers and trainers. (Theme 5)
8.Avoidance of blaming end users. (Theme 5)
Table 2.
Open in new tab

Recommendations according to theme.

1.A need to understand your workforces’ psychological state. (Theme 1)
2.Consider employees’ home settings and advise them to create environments within constraints to promote cyber-secure behaviours. (Theme 2)
3.A need to understand your workforces’ level of cybersecurity knowledge and the correct language to use to help educate your workforce. (Theme 3)
4.Use peers to help guide/educate some staff. (Theme 4)
5.There is a need to rethink how to educate and motivate your workforce to improve cybersecurity practices—this might need to be pitched at different levels rather than a one-size-fits-all approach. (Theme 4)
6.Be mindful of technology limitations and how this might be resolved—updating devices or setting limits to how these devices are utilized. (Theme 5)
7.Consider cybersecurity as more than a technical education—the examples in this project of what might be accidentally viewed in home settings elucidates a new challenge for cybersecurity policymakers and trainers. (Theme 5)
8.Avoidance of blaming end users. (Theme 5)
1.A need to understand your workforces’ psychological state. (Theme 1)
2.Consider employees’ home settings and advise them to create environments within constraints to promote cyber-secure behaviours. (Theme 2)
3.A need to understand your workforces’ level of cybersecurity knowledge and the correct language to use to help educate your workforce. (Theme 3)
4.Use peers to help guide/educate some staff. (Theme 4)
5.There is a need to rethink how to educate and motivate your workforce to improve cybersecurity practices—this might need to be pitched at different levels rather than a one-size-fits-all approach. (Theme 4)
6.Be mindful of technology limitations and how this might be resolved—updating devices or setting limits to how these devices are utilized. (Theme 5)
7.Consider cybersecurity as more than a technical education—the examples in this project of what might be accidentally viewed in home settings elucidates a new challenge for cybersecurity policymakers and trainers. (Theme 5)
8.Avoidance of blaming end users. (Theme 5)

From the first theme, we recommend that employers understand their workforce’s psychological state, in particular, their levels of stress and anxiety. Psychological states may dramatically alter in crises, such as environmental crises (flood and fires), a cyberattack, an outage, conflict, and so forth. This study demonstrates that attempting to educate complex cybersecurity behaviours and practices needs to be taught well before any crises (as it is very difficult to learn new practices under these conditions). Moreover, organizations may consider developing playbooks on how to act under potential scenarios.

The second theme generated a recommendation to consider the diversity and limitations of home settings to be used as places of work. This may involve the types of digital devices given to employees and recommendations on how to set up a workspace given constraints (e.g. size, proximity to others, noise). As Vygotsky’s theory posits, it is crucial to understand the ‘how’ of learning and how culture interacts with cognition. Guidance might include how to create a private space in small spaces, using headphones to ensure privacy and block out noise, and privacy screens on computers to prevent family members from being exposed to work content.

Our third recommendation draws from Theme 3, where we learned that for some, the language of cybersecurity is foreign. Again, this is akin to Vygotsky’s understanding of learning and the need to create an inner dialogue. This would require chief information security officers and other technical people to bracket their everyday security language and translate security messages for other less technical people to comprehend.

Drawing from Theme 4, we highlight the recommendation to avoid a one-size-fits-all approach. Policy guidance recommendations 4 and 5 are based on the assumption that users are not a homogeneous group or are not at the same level of readiness to comprehend cybersecurity. Taking the lead from Vygotsky, this might be educating some staff who may act as mentors or support to those at a lower level of readiness. These recommendations also consider that a one-programme approach is inappropriate, but programmes need to be more tailor-made.

Finally, drawing from Theme 5, we recommend that organizations be mindful of technological limitations and develop policies accordingly. Recommendations 6–8 suggest that organizations could rethink cyber as a holistic approach rather than purely a technical issue. This would involve understanding the limits of technological devices as well as how users socially interact with them. Moreover, in doing so, we ask that organizations take heed of Adam’s and Sasse’s request not to treat ‘users as the enemy’ [38]. Rather than rationing blame, there needs to be a recognition that humans are the last line of defence, and as a consequence, effective training and support are needed for users if we are to successfully protect organizations.

In conclusion, we recommend that organizations take a more holistic view of cybersecurity. Over the years, much discussion has been conducted about ‘humans being the weakest link’. However, solutions rarely consider humans’ frailty and how organizations might improve cybersecurity practices by improving the psychological state of their workforce and the workforce’s physical environments. Therefore, we urge organizations to rethink their approach to cybersecurity. We argue organizations should consider how they might enable and improve the working life of end users to reach a more optimal state to learning effective cybersecurity practices.

Author contributions

Monica T. Whitty (Conceptualization [lead], Formal analysis [lead], Funding acquisition [lead], Investigation [lead], Methodology [lead], Project administration [lead], Writing – original draft [lead], Writing – review & editing [lead]), Nour Moustafa (Formal analysis [supporting], Funding acquisition [supporting], Writing – original draft [supporting]), and Marthie Grobler (Writing – original draft [supporting])

Conflict of interest

None declared.

Funding

This work was supported by the Cyber Security Research Centre Limited, whose activities are partially funded by the Australian Government’s Cooperative Research Centres Programme.

References

1.

International Labour Organization (ILO)
.
ILO Monitor: COVID-19 and the World of Work
. 2nd edn.
International Labour Organization (ILO)
,
2020
;
Switzerland

Google Scholar

OpenURL Placeholder Text

 
2.

Vishnwanath
 
A
,
Neo
 
LS
,
Goh
 
P
  et al.  
Cyber hygiene: the concept, its measure, and its initial tests
.
Decis Support Syst
.
2020
;
128
:
113160
.

Google Scholar

Crossref
Search ADS

 
3.

Borrett
 
M
,
Carter
 
R
,
Wespi
 
A
.
How is cyber threat evolving and what do organizations need to consider?
.
J Bus Contin Emer Plan
.
2014
;
7
:
163
71
.

Google Scholar

Crossref
Search ADS

 
4.

Whitty
 
MT
.
Developing a conceptual model for insider threat
.
J Manag Organ
.
2018
;
27
(
5
):
1
19
.

Google Scholar

OpenURL Placeholder Text

 
5.

Agrafiotis
 
I
,
Nurse
 
JRC
,
Goldsmith
 
M
  et al.  
A taxonomy of cyber-harms: defining the impacts of cyber-attacks and understanding how they propagate
.
J Cybersecur
.
2018
;
4
:
1
15
.

Google Scholar

Crossref
Search ADS

 
6.

Moustafa
 
N
,
Keshk
 
M
,
Choo
 
KR
  et al.  
DAD: a Distributed Anomaly Detection system using ensemble one-class statistical learning in edge networks
.
Future Gener Comput Syst
.
2021
;
118
:
240
51
.

Google Scholar

Crossref
Search ADS

 
7.

Cain
 
AA
,
Edwards
 
ME
,
Still
 
JD
.
An exploratory study of cyber hygiene behaviors and knowledge
.
J Inf Secur Appl
.
2018
;
42
:
36
45
.

Google Scholar

OpenURL Placeholder Text

 
8.

Such
 
JM
,
Ciholas
 
P
,
Rashid
 
A
  et al.  
Basic cyber hygiene: does it work?
.
Computer
.
2019
;
52
:
21
31
.

Google Scholar

Crossref
Search ADS

 
9.

Zwilling
 
M
,
Klien
 
G
,
Lesjak
 
D
  et al.  
Cyber security awareness, knowledge and behavior: a comparative study
.
J Comput Inf Syst
.
2022
;
26
(
1
):
1
16
.

Google Scholar

OpenURL Placeholder Text

 
10.

Aldawood
 
H
,
Skinner
 
G
.
Reviewing cyber security social engineering training and awareness programs—pitfalls and ongoing issues
.
Future Internet
.
2019
;
11
:
73
.

Google Scholar

Crossref
Search ADS

 
11.

Calvin
 
N
.
Botching human factors in cybersecurity in business organizations
.
HOLISTICA—J Bus Public Admin
.
2018
;
9
:
71
88
.

Google Scholar

OpenURL Placeholder Text

 
12.

Pranggono
 
B
,
Arabo
 
A
.
COVID-19 pandemic cybersecurity issues
.
Internet Technol Lett
.
2021
;
4
:
e247
.

Google Scholar

Crossref
Search ADS

 
13.

Furnell
 
S
,
Navin Shah
 
J
.
Home working and cyber security—an outbreak of unpreparedness?
.
Comput Fraud Secur
.
2020
;
8
:
6
12
.

Google Scholar

OpenURL Placeholder Text

 
14.

Georgiadou
 
A
,
Mouzakitis
 
S
,
Askounis
 
D
.
Working from home during COVID-19 crisis: a cyber security culture assessment survey
.
Secur J
.
2022
:
35
:
486
505
.

Google Scholar

Crossref
Search ADS

 
15.

AL-Mohannadi
 
H
,
Awan
 
I
,
Al Hamar
 
J
  et al.  
Understanding awareness of cyber security threat among IT employees
. In:
6th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW), Barcelona, Spain
,
2018
,
188
92
.

Google Scholar

OpenURL Placeholder Text

 
16.

Clutch
 
GK
.
Improving employees’ cyber security awareness
.
Comput Fraud Secur
.
2019
:
2019
(
8
):
11
3
.

Google Scholar

OpenURL Placeholder Text

 
17.

Blythe
 
J
.
Cyber security in the workplace: understanding and promoting behaviour change
.
Proc of CHItaly 2013 Doctoral Consortium
.
2013
;
1065
:
92
101
.

Google Scholar

OpenURL Placeholder Text

 
18.

Xia
 
P
,
Nabeel
 
M
,
Khalil
 
I
  et al.  
Identifying and characterizing COVID-19 themed malicious domain campaigns
.
Proc ACM Conf Data Appl Secur Priv
.
2021
;
CODASPY '21
:
209
20
.

Google Scholar

OpenURL Placeholder Text

 
19.

Ling
 
C
,
Balcı
 
U
,
Blackburn
 
J
  et al.  
A first look at zoombombing
.
arXiv:2009.03822v1
.
2020
. https://arxiv.org/abs/2009.03822  
[last accessed Jan 20, 2024]
.

OpenURL Placeholder Text

20.

Gupta
 
R
,
Pandey
 
G
,
Chaudhary
 
P
  et al.  
Technological and analytical review of contact tracing apps for COVID-19 management
.
J Locat Based Serv
.
2021
;
15
(
3
):
198
237
.

Google Scholar

Crossref
Search ADS

 
21.

Creese
 
S
,
Hodges
 
D
,
Jamison-Powell
 
S
  et al.  
Relationships between password choices, perceptions of risk and security expertise
. In:
Marinos
 
L
,
Askoxylakis
 
I
 (eds.),
Human Aspects of Information Security, Privacy and Trust
, Vol.
8030
.
Berlin, Heidelberg
:
Springer
,
2013
,
80
9
.

Google Scholar

Crossref
Search ADS

 
22.

Whitty
 
MT
,
Doodson
 
J
,
Creese
 
S
  et al.  
Individual differences in cyber security behaviours: an examination of who’s sharing passwords
.
Cyberpsychol Behav Soc Netw
.
2015
;
18
:
3
7
.

Google Scholar

Crossref
Search ADS
PubMed

 
23.

Shappie
 
AT
,
Dawson
 
C
,
Debb
 
A
.
Personality as a predictor of cybersecurity behavior
.
Psychol Pop Media
.
2019
;
9
:
475
80
.

Google Scholar

Crossref
Search ADS

 
24.

Butavicius
 
M
,
Parsons
 
K
,
Lillie
 
M
  et al.  
When believing in technology leads to poor cyber security: development of a trust in technical controls scale
.
Comput Secur
.
2020
;
98
:
102020
.

Google Scholar

Crossref
Search ADS

 
25.

Vasileva
 
O
,
Balyasnikova
 
N
.
(Re)Introducting Vygotsky’s thought: from historical overview to contemporary psychology
.
Front Psychol
.
2019
;
10
:
1515
.

Google Scholar

Crossref
Search ADS
PubMed

 
26.

Vygotsky
 
L
.
Mind in Society
.
London
:
Harvard University Press
.
1978
.

Google Scholar

OpenURL Placeholder Text

 
27.

Huang
 
H-M
.
Toward constructivism for adult learners in online learning environments
.
Brit J Educational Tech
.
2002
;
33
:
27
37
.

Google Scholar

Crossref
Search ADS

 
28.

Smith
 
JA
.
Reflecting on the development of interpretative phenomenological analysis and its contribution to qualitative research in psychology
.
Qual Res Psychol
.
2004
;
1
:
39
54
.

Google Scholar

OpenURL Placeholder Text

 
29.

Braun
 
V
,
Clarke
 
V
.
Using thematic analysis in psychology
.
Qual Res Psychol
.
2006
;
3
:
77
101
.

Google Scholar

Crossref
Search ADS

 
30.

Callary
 
B
,
Rathwell
 
S
,
Young
 
BW
.
Insights on the process of using interpretative phenomenological analysis in a sport coaching research project
.
Qual Rep
.
2015
;
20
:
63
75
.

Google Scholar

OpenURL Placeholder Text

 
31.

Lallie
 
HS
,
Shepherd
 
LA
,
Nurse
 
JRC
  et al.  
Cyber security in the age of COVID-19: a timeline and analysis of cyber-crime and cyber attacks during the pandemic
.
Comput Secur
.
2021
;
105
:
102248
.

Google Scholar

Crossref
Search ADS
PubMed

 
32.

Whitty
 
MT
.
The human element of online consumer scams arising from the coronavirus pandemic
. In:
Smith
 
RG
,
Sarre
 
R
,
Chang
 
LY-C
,
Lau
 
LY-C
 (eds.),
Cybercrime in the Pandemic Digital Age and Beyond
.
2022
,
57
85
.
Palgrave Macmillan
 
Switzerland

Google Scholar

Crossref
Search ADS

 
33.

Lupien
 
SJ
,
Fiocco
 
A
,
Wan
 
N
  et al.  
Stress hormones and human memory function across the lifespan
.
Psychoneuroendocrinology
.
2005
;
30
:
225
42
.

Google Scholar

Crossref
Search ADS
PubMed

 
34.

Ellis
 
RA
,
Goodyear
 
P
.
Models of learning space: integrating research on space, place and learning in higher education
.
Rev Educ
.
2016
;
4
:
149
91
.

Google Scholar

Crossref
Search ADS

 
35.

Nippert-Eng
 
CE
.
Home and Work: Negotiating Boundaries Through Everyday Life
.
London
:
The University of Chicago Press
,
1995
.

Google Scholar

OpenURL Placeholder Text

 
36.

Kam
 
H-J
,
Menard
 
P
,
Ormond
 
D
,
Crossler
 
RE
.
Cultivating cybersecurity learning: an integration of self-determination and flow
.
Comput Secur
.
2020
;
96
:
101875
.

Google Scholar

Crossref
Search ADS

 
37.

Damarin
 
SK
.
The ‘digital divide’ versus digital differences: principles for equitable use of technology in education
.
Educ Technol
.
2000
;
40
:
17
22
.

Google Scholar

OpenURL Placeholder Text

 
38.

Adams
 
A
,
Sasse
 
MA
.
Users are not the enemy
.
Commun ACM
.
1999
;
42
:
40
6
.

Google Scholar

Crossref
Search ADS

 
© The Author(s) 2024. Published by Oxford University Press.
This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (https://creativecommons.org/licenses/by-nc/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited. For commercial re-use, please contact [email protected]
Issue Section:
Research Paper
Download all slides