{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,6]],"date-time":"2026-03-06T05:48:53Z","timestamp":1772776133265,"version":"3.50.1"},"reference-count":47,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2017,6,12]],"date-time":"2017-06-12T00:00:00Z","timestamp":1497225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,6,12]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The purpose of this study is  to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and interactions in the security and privacy context. Standardized, externally valid instruments for measuring end-user security expertise are non-existent.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>A questionnaire encompassing skills and knowledge-based questions was developed to identify critical factors that constitute expertise in end users. Exploratory factor analysis was applied on the results from 898 participants from a wide range of populations. Cluster analysis was applied to characterize the relationship between computer and security expertise. Ordered logistic regression models were applied to measure efficacy of the proposed security and computing factors in predicting user comprehension of security concepts: phishing and certificates.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>There are levels to peoples\u2019 computer and security expertise that could be reasonably measured and operationalized. Four factors that constitute computer security-related skills and knowledge are, namely, basic computer skills, advanced computer skills, security knowledge and advanced security skills, and these are identified as determinants of computer expertise.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Findings from this work can be used to guide the design of security interfaces such that it caters to people with different expertise levels and does not force users to exercise more cognitive processes than required.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This work identified four factors that constitute security expertise in end users. Findings from this work were integrated to propose a framework called Security SRK for guiding further research on security expertise. This work posits that security expertise instrument for end user should measure three cognitive dimensions: security skills, rules and knowledge.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-04-2017-0020","type":"journal-article","created":{"date-parts":[[2017,4,27]],"date-time":"2017-04-27T07:54:51Z","timestamp":1493279691000},"page":"190-205","source":"Crossref","is-referenced-by-count":33,"title":["Factors in an end user security expertise instrument"],"prefix":"10.1108","volume":"25","author":[{"given":"Prashanth","family":"Rajivan","sequence":"first","affiliation":[]},{"given":"Pablo","family":"Moriano","sequence":"additional","affiliation":[]},{"given":"Timothy","family":"Kelley","sequence":"additional","affiliation":[]},{"given":"L. Jean","family":"Camp","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"4","key":"key2020120710294567000_ref001","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of users\u2019 view on information security","volume":"26","year":"2007","journal-title":"Computers & security"},{"key":"key2020120710294567000_ref002","first-page":"113","volume-title":"Your Reputation Precedes You: History, Reputation, and Chrome Malware Warning","year":"2014"},{"key":"key2020120710294567000_ref003","first-page":"105","article-title":"Comparative eye tracking of experts and novices in web single sign-on","year":"2013"},{"key":"key2020120710294567000_ref004","first-page":"367","article-title":"Mental models of security risks","volume-title":"Financial Cryptography and Data Security","year":"2007"},{"key":"key2020120710294567000_ref005","first-page":"388","article-title":"Field studies of computer system administrators: analysis of system management tools and practices","year":"2004"},{"key":"key2020120710294567000_ref006","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1016\/j.chb.2015.01.039","article-title":"Effects of cyber security knowledge on attack detection","volume":"48","year":"2015","journal-title":"Computers in Human Behavior"},{"key":"key2020120710294567000_ref007","volume-title":"Research Methods in Anthropology: Qualitative and Quantitative Approaches","year":"2011"},{"key":"key2020120710294567000_ref008","article-title":"Tracking risky behavior on the web: distinguishing between what users","year":"2015"},{"key":"key2020120710294567000_ref010","first-page":"27","article-title":"The privacy-utility tradeoff for remotely teleoperated robots","year":"2015"},{"key":"key2020120710294567000_ref011","article-title":"Beyond concern: understanding net users\u2019 attitudes about online privacy","year":"2000"},{"key":"key2020120710294567000_ref012","year":"2009"},{"key":"key2020120710294567000_ref013","first-page":"2873","article-title":"Scaling the security wall: developing a Security Behavior Intentions Scale (SeBIS)","year":"2015"},{"key":"key2020120710294567000_ref014","first-page":"5257","article-title":"Behavior ever follows intention? A validation of the Security Behavior Intentions Scale (SeBIS)","year":"2016"},{"key":"key2020120710294567000_ref015","first-page":"1","article-title":"Study on e-government information misuse based on General Deterrence Theory","year":"2011"},{"issue":"3","key":"key2020120710294567000_ref016","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1016\/0378-7206(91)90059-B","article-title":"Security-related behavior of PC users in organizations","volume":"21","year":"1991","journal-title":"Information & Management"},{"issue":"1","key":"key2020120710294567000_ref017","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1016\/j.cose.2005.12.004","article-title":"The challenges of understanding and using security: a survey of end-users","volume":"25","year":"2006","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120710294567000_ref018","first-page":"166","article-title":"Risk communication design for older adults","volume":"11","year":"2012","journal-title":"Gerontechnology"},{"issue":"1\/2","key":"key2020120710294567000_ref019","first-page":"75","article-title":"Privacy concerns in assisted living technologies","volume":"69","year":"2014","journal-title":"Annals of Telecommunications"},{"key":"key2020120710294567000_ref020","article-title":"The garden of forking paths: Why multiple comparisons can be a problem, even when there is no \u2018fishing expedition\u2019 or \u2018p-hacking\u2019 and the research hypothesis was posited ahead of time","year":"2013"},{"key":"key2020120710294567000_ref021","first-page":"342","article-title":"I know my network: collaboration and expertise in intrusion detection","year":"2004"},{"issue":"2","key":"key2020120710294567000_ref022","first-page":"154","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures & perceived effectiveness","volume":"47","year":"2009","journal-title":"DSS"},{"key":"key2020120710294567000_ref023","first-page":"327","article-title":"\u2026no one can hack my mind: comparing expert and non-expert security practices","year":"2015"},{"key":"key2020120710294567000_ref024","doi-asserted-by":"crossref","first-page":"103","DOI":"10.1007\/978-1-4419-1742-3_4","article-title":"Maximum likelihood techniques: an overview","volume-title":"Logistic Regression","year":"2010"},{"key":"key2020120710294567000_ref025","volume-title":"An Easy Guide to Factor Analysis","year":"2014"},{"issue":"4","key":"key2020120710294567000_ref026","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1016\/j.cose.2006.02.008","article-title":"A prototype for assessing information security awareness","volume":"25","year":"2006","journal-title":"Computers & Security"},{"key":"key2020120710294567000_ref027","first-page":"105","article-title":"Task complexity in work situations","volume-title":"Tasks, Errors, and Mental Models","year":"1988"},{"key":"key2020120710294567000_ref030","article-title":"Test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q)","year":"2016"},{"issue":"4","key":"key2020120710294567000_ref028","doi-asserted-by":"crossref","first-page":"336","DOI":"10.1287\/isre.1040.0032","article-title":"Internet users\u2019 information privacy concerns (IUIPC)","volume":"15","year":"2004","journal-title":"Information Systems Research"},{"issue":"1","key":"key2020120710294567000_ref029","first-page":"25","article-title":"Improving user-interface dependability through mitigation of human error","volume":"63","year":"2005","journal-title":"International Journal of Human-computer Studies"},{"key":"key2020120710294567000_ref031","volume-title":"Scaling Procedures: Issues and Applications","year":"2003"},{"issue":"4","key":"key2020120710294567000_ref032","doi-asserted-by":"crossref","first-page":"815","DOI":"10.1016\/j.dss.2008.11.010","article-title":"Studying users\u2019 computer security behavior: a health belief perspective","volume":"46","year":"2009","journal-title":"Decision Support Systems"},{"key":"key2020120710294567000_B33a","unstructured":"Nielsen, J. (2016), The Distribution of Users\u2019 Computer Skills: Worse Than You Think, available at: www.nngroup.com\/articles\/computer-skill-levels\/"},{"key":"key2020120710294567000_ref033","doi-asserted-by":"crossref","DOI":"10.1787\/9789264258051-en","volume-title":"Skills Matter: Further Results from the Survey of Adult Skills","author":"OECD","year":"2016"},{"key":"key2020120710294567000_ref034","article-title":"The reflective expert and the prenovice: notes on skill-, rule-and knowledge-based performance in the setting of instruction and training","volume-title":"Developing Skills with Information Technology","year":"1989"},{"key":"key2020120710294567000_ref035","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers & Security"},{"issue":"3","key":"key2020120710294567000_ref036","first-page":"257","article-title":"Skills, rules, and knowledge; signals, signs, & symbols, and other distinctions in human perfrm. models","year":"1983","journal-title":"IEEE Transactions on Systems, Man and Cybernetics"},{"key":"key2020120710294567000_ref037","first-page":"41","article-title":"Mental models and the control of action in complex environments","volume-title":"Mental Models and Human-Computer Interaction","year":"1990"},{"issue":"5","key":"key2020120710294567000_ref038","doi-asserted-by":"crossref","first-page":"517","DOI":"10.1016\/0020-7373(89)90014-X","article-title":"Coping with human errors through system design: implications for ecological interface design","volume":"31","year":"1989","journal-title":"International Journal of Man-Machine Studies"},{"key":"key2020120710294567000_ref039","volume-title":"Human Error","year":"1990"},{"key":"key2020120710294567000_ref040","volume-title":"Cognition: Exploring the Science of the Mind","year":"1997"},{"key":"key2020120710294567000_ref041","first-page":"21","article-title":"The skills, rules and knowledge classification: a discussion of its emergence and nature","volume-title":"Tasks, Errors, and Mental Models","year":"1988"},{"key":"key2020120710294567000_ref042","first-page":"373","article-title":"Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions","year":"2010"},{"key":"key2020120710294567000_ref043","first-page":"3","volume-title":"On the Challenges in Usable Security Lab Studies: Lessons Learned From Replicating A Study on SSL Warnings","year":"2011"},{"issue":"2","key":"key2020120710294567000_ref044","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/j.cose.2004.07.001","article-title":"Analysis of end user security behaviors","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020120710294567000_ref045","unstructured":"Stephanou, A. (2009), \u201cThe impact of information security awareness training on information security behaviour\u201d, Doctoral dissertation, University of the Witwatersrand, Johannesburg."},{"issue":"4","key":"key2020120710294567000_ref046","doi-asserted-by":"crossref","first-page":"589","DOI":"10.1109\/21.156574","article-title":"Ecological interface design: theoretical foundations","volume":"22","year":"1992","journal-title":"IEEE Transactions on Systems, Man, and Cybernetics"},{"issue":"2","key":"key2020120710294567000_ref047","doi-asserted-by":"crossref","first-page":"157","DOI":"10.1002\/asi.20459","article-title":"Development of measures of online privacy concern and protection for use on the Internet","volume":"58","year":"2007","journal-title":"Journal of the American Society for Information Science and Technology"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2017-0020\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2017-0020\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:50Z","timestamp":1753406570000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/2\/190-205\/111010"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,6,12]]},"references-count":47,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2017,6,12]]}},"alternative-id":["10.1108\/ICS-04-2017-0020"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2017-0020","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,6,12]]}}}