A Case Study: Targeting the Stop.Think.Connect. Cybersecurity Campaign to University Campuses

Abstract

University students, faculty, and staff are among those most vulnerable to cybersecurity risks due to their reliance on modern technologies, the nature of their online activities, and the open infrastructure of institutional networks. Furthermore, cyberbullying has emerged as a public health concern by the Centers for Disease Control and Prevention (CDC), which first warned of electronic aggression in 2008, or any type of harassment or bullying that occurs via email, chat, instant messaging, websites, blogs, or text messaging. Roberto and Eden emphasized the communicative nature of cyberbullying, defining it as the “deliberate and repeated misuse of communication technology by an individual or group to threaten or harm others” in 2010 (p. 201). In response to serious cybersecurity concerns and growing evidence of cyberbullying behavior, the national Stop.Think.Connect. (STC) campaign was developed to educate Americans on cybersecurity risks and equip citizens with tools for safe, respectful, and appropriate online behavior; however, it lacks targeted messaging for those on university campuses. Formative research is needed to ascertain the specific cybersecurity risks and challenges identified by those living and working on large university campuses. Research by Noar in 2006 demonstrates that formative evaluation leads to more successful campaigns. The process involves learning about target populations, discovering communicative determinants of behavior change, and testing message concepts. To that end, this case study is a first step in targeting STC campaign messages to university students, faculty, and staff. Specifically, we sought to identify the distinct cybersecurity needs faced by university students and personnel, their perceptions of the saliency of the problem, and potential motives for increasing their cybersecurity-enhancing behaviors. These activities are needed to implement the campaign on college campuses and to increase the likelihood of any future outcome evaluation efforts that yield evidence of campaign effectiveness. Currently, we are unaware of any outcome evaluation. Focus group methodology was conducted to examine the target audiences’ knowledge, interests, needs, and attitudes regarding the management of cybersecurity threats. Additionally, practical recommendations for enhancing STC campaign implementation on university campuses were ascertained. Results emphasized key ways to improve the theoretical underpinnings of the campaign using the Integrated Behavioral Model (IBM). We identified how determinants of behavior change can be utilized to strengthen campaign messaging. Students displayed laissez-faire attitudes toward cybersecurity, while faculty and staff attitudes demonstrated a much higher level of concern. Social norms for personal cybersecurity action taking were notably low among students as well as faculty and staff. Students displayed limited personal agency in regards to enacting cybersecurity measures, while faculty and staff had greater knowledge of steps they could take, but little faith that these actions would be efficacious. Finally, thematic recommendations for implementing an effective cybersecurity campaign on a university campus were identified.