Abstract Despite advancements in technical defenses, phishing attacks persist due to end-user vulnerabilities and behaviors, including shadow security behaviors like bypassing established protocols. Traditional cybersecurity awareness programs often fail to change behavior effectively because they adopt generic approaches, overlooking the psychological and behavioral factors influencing security practices. To address this, the emerging field of behavioral cybersecurity aims to understand and influence human behavior in cybersecurity contexts. In particular, the Health Belief Model (HBM), traditionally applied in health contexts, has shown promise in predicting cybersecurity behaviors. This study applied an adapted HBM to examine factors influencing university students' security behaviors in response to email phishing attacks. Self-reported data were collected from 569 university students at Universitas Atma Jaya Yogyakarta, Indonesia, using convenience sampling. Confirmatory factor analysis and covariance-based structural equation modeling were employed for data analysis. The results revealed that perceived severity, perceived importance, self-efficacy, and cues to action were statistically significant predictors of security behavior. Students who perceived phishing attacks as severe, recognized the importance of security measures, responded to cues to action, and felt confident in their ability to protect themselves were more likely to engage in security behaviors. However, perceived susceptibility to phishing attacks and perceived barriers to adopting security measures did not show significant relationships with security behavior. However, due to the inherent limitations of self-reported data, the terms “security behavior” and “student security behavior” should be understood as reflective of perceived or intended actions, rather than actual observed behaviors. Despite these limitations, this study provides valuable insights into human-related cybersecurity vulnerabilities by identifying key psychological and behavioral factors influencing security behavior. In doing so, it responds to calls for studies that apply psychological frameworks and models to better understand how individuals respond to security threats and develop more effective protection strategies. Thus, the findings remain relevant and will support the creation of tailored security awareness programs designed to meet the specific needs and characteristics of the studied demographics, ultimately contributing meaningfully to the enhancement of cybersecurity resilience.
Anderson Kevin Gwenhure (Wed,) studied this question.