Article Review #02: University students’ security behavior against email phishing attacks:
Insights from the Health Belief Model

Introduction / BLUF

The article discussed the findings of a study that was conducted to examine the
relationship between the Health Belief Model (HBM) and cyber security behavior of university
students. The context used to test various hypotheses was email phishing attacks. The bottom
line up front, based on the results is that “individuals who perceive phishing attacks as severe,
recognize the importance of proactive measures, respond to action cues, and have confidence in
their abilities are more likely to engage in security behaviors” (Anderson, K. 2025).

Relation/Connection to Social Science Principles

The 7 principles of social sciences (determinism, skepticism, empiricism, objectivity,
parsimony, relativity and ethical neutrality) govern the way researchers conduct scientific
research and determine the validity of findings. Each principle gives a different guideline
regarding how data should be collected, hypothesized, verified, interpreted and accepted as
scientific facts. The researchers in the article demonstrated ethical neutrality and objectivity
when they collected unbiased quantitative survey data in a safe and ethical manner from
voluntary participants. They also used the principles of empiricism by using scientifically
measurable survey data about security habits to test their hypotheses and parsimony by reporting
the data and findings in a clear and simple manner, opting for tables and plain language text.

Research Question /Hypothesis/ Independent Variable/Dependent Variable

• The main research questions the article addresses is: How does the HBM affect the security behavior of individual students when faced with email phishing attacks?
• Hypothesis: Anderson stated 6 hypotheses derived from the HBM research model where perceived susceptibility to phishing attacks, perceived importance of proactive measures, perceived severity (seriousness and consequences of attacks), self-efficacy (ability to protect oneself) and cues to action (alerts or warnings) will all demonstrate a statistically significant positive correlation with security behavior, while perceived barriers (inconvenience or challenges in security measures) will demonstrate a statistically significant negative correlation with security behavior (2025).
• The independent variables studied were the concepts from the HBM model; perceived susceptibility, perceived severity, perceived importance, self-efficacy, cues to action and perceived barriers of the students.
• The dependent variable was the behavior of the students examined.

Types of Research Methods used

The research methodology employed in the study was quantitative. Researchers used a
close-ended questionnaire based on previous HBM studies. A student cybersecurity awareness
survey was administered to volunteer participants in Indonesia, using English / Bahasa
interpreters. Anderson reported that a sample size of 12 students was used for the pilot
questionnaire (10% of the recommended target population). When the survey was revised and
finalized, it was administered via QR code to all participants by an in-person teacher (2025). The
actual number of participants was 535.

Types of Data Analysis used

The survey data collected was analyzed using various statistic software applications.
Participants gave responses based on their demographic information as well as personal
experiences with phishing and previous cyber awareness knowledge. The survey was structured
with a five point likert scale measuring degrees of agreement from 1 (strongly disagree) to 5
(strongly agree) The data was then analyzed using the Statistical Package for the Social Sciences
version 27 (SPSS 27 and the Analysis of Moment Structures version 23 (AMOS 23) (Anderson,
2025). The software analyzed the relationship between the responses and the variables in the
model to evaluate the hypotheses.

Connections to other Course Concepts

This study connects course concepts such as victim precipitation, human error, and
personality theory. The victim precipitation concept refers to the victims’ behavior or activities
that inadvertently contribute to their susceptibility to phishing attacks. This may include
unsecure accounts, lack of cyber awareness or negligence. Studies have shown that human errors
account for the highest number of cyber incidents. In the case of this study, erroneous clicking of
malware injected links can lead to successful phishing scams. Personality theory describes a
situation where a student’s personality traits like agreeableness can lead to them giving out
sensitive information to seemingly trustworthy parties or conscientiousness which makes them
more careful and competent, reducing the likelihood of victimization. The study reinforced these
concepts, highlighting the fact that more cyber aware students were less susceptible to the
attacks.

Connections to the Concerns or Contributions of Marginalized Groups

The study did not address any marginalized groups per se, but the findings can apply to
groups such as impoverished communities and rural populations who may not have access to
cyber awareness training. These groups, without proper education, may be unaware of the threats
present in phishing scams and therefore may not use preventative security habits. They are also faced with underfunded and under equipped law enforcement As a result, marginalized communities are often targeted by cyber criminals as easy targets.

Overall Societal Contributions of the Study/Conclusion

In conclusion, the study helped to highlight the psychological factors in cybersecurity and
the importance of the social sciences when developing a human-centered approach to phishing
attack mitigation. The results of study accepted 4 of the 6 hypotheses. There was a positive
statistical significance in the correlation between security behavior and perceived importance,
perceived severity, cues to action and self-efficacy, but a negative correlation between perceived
susceptibility and barriers, and security behaviors (Anderson, 2025). What this means for society
is that by training citizens to recognize the potential severity of phishing attacks, the importance
of safety measures, the need to follow action cues like warnings, and build confidence in
themselves, we can improve their security habits.

Reference

Anderson Kevin Gwenhure, University students’ security behavior against email phishing
attacks: insights from the health belief model, Journal of Cybersecurity, Volume 11,
Issue 1, 2025, tyaf034, https://doi.org/10.1093/cybsec/tyaf034