Online Security Behaviors as Predictors of Susceptibility to Simulated Phishing Attacks: A Quantitative Study among Computer Studies Students at Quezon City University
Article Sidebar
Main Article Content
This study examined the relationship between online security behaviors and phishing susceptibility among students of Quezon City University using a quantitative descriptive-correlational research design. The study assessed the respondents’ technical verification behavior, visual trust behavior, reporting behavior, and general cybersecurity awareness and practices, while phishing susceptibility was measured through a simulated phishing campaign utilizing the Gophish framework. A total of 100 students equally distributed across the 1st, 2nd, 3rd, and 4th year levels participated in the study through convenience sampling. Data were collected using a structured survey questionnaire and a phishing simulation that measured email opening, link clicking, credential submission, and reporting behavior. Descriptive statistics, weighted mean, Pearson Product-Moment Correlation Coefficient, and One-Way Analysis of Variance (ANOVA) were employed to analyze the gathered data. The findings revealed that respondents generally demonstrated positive online security behaviors and high levels of cybersecurity awareness, particularly in technical verification practices and general cybersecurity awareness and practices. However, the phishing simulation showed that 21.0% of the respondents clicked the phishing link, while 9.0% submitted sensitive information, indicating that phishing susceptibility remained present despite high self-reported awareness levels. Notably, none of the respondents reported the phishing email during the simulation. The ANOVA results further revealed a significant difference in phishing susceptibility across year levels, with 1st Year students demonstrating the highest level of susceptibility compared to other groups. Meanwhile, Pearson r correlation analysis indicated no statistically significant relationship between online security behaviors and phishing susceptibility. The findings suggest the presence of an awareness–behavior gap, wherein students possess theoretical cybersecurity knowledge but may fail to consistently apply such knowledge in realistic phishing situations. The study concludes that cybersecurity awareness alone is insufficient to fully prevent phishing susceptibility and highlights the importance of continuous simulation-based cybersecurity education, phishing detection training, and practical incident reporting activities to strengthen students’ real-world cybersecurity response capabilities.
Downloads
References
A. Almansoori, M. Al-Emran, and K. Shaalan, “Exploring the frontiers of cybersecurity behavior: A systematic review of studies and theories,” Applied Sciences, vol. 13, no. 9, p. 5700, 2023. https://www.mdpi.com/2076-3417/13/9/5700
M. M. Ariola, Principles and Methods of Research. Manila: Rex Book Store, 2006.
A. H. Asfoor, F. A. Rahim, and S. Yussof, “Identifying factors that influence security behaviors relating to phishing attacks susceptibility: A systematic literature review,” Journal of Theoretical and Applied Information Technology, vol. 98, no. 15, pp. 3127–3161, 2020.
J. W. Best and J. V. Kahn, Research in Education, 10th ed. Upper Saddle River, NJ: Pearson Education, 2006.
L. P. Calmorin and M. A. Calmorin, Research Methods and Thesis Writing, 2nd ed. Manila: Rex Book Store, 2007.
CICC warns public vs. SIM suspension scam, Philippine News Agency, Sep. 26, 2024. https://www.pna.gov.ph/articles/1234236
J. Cohen, P. Cohen, S. G. West, and L. S. Aiken, Applied Multiple Regression/Correlation Analysis for the Behavioral Sciences, 3rd ed. Mahwah, NJ: Lawrence Erlbaum Associates, 2003.
A. Diaz, A. T. Sherman, and A. Joshi, “Phishing in an academic community: A study of user susceptibility and behavior,” Cryptologia, vol. 44, no. 1, pp. 53–67, 2020. https://doi.org/10.1080/01611194.2019.1623343
A. P. Diman and R. T.K.A., “Examining individual tendency to respond to phishing e-mails from the perspective of Protection Motivation Theory,” Journal of Education and Social Sciences, vol. 25, no. 1, pp. 40–51, 2023.
J. Du, A. J. Kalafut, and G. Schymik, “The health belief model and phishing: Determinants of preventative security behaviors,” Journal of Cybersecurity, vol. 10, Art. no. tyae012, 2024. https://doi.org/10.1093/cybsec/tyae012
Z. Fan, W. Li, K. B. Laskey, and K.-C. Chang, “Investigation of phishing susceptibility with explainable artificial intelligence,” Future Internet, vol. 16, no. 1, Art. no. 31, 2024. https://doi.org/10.3390/fi16010031
A. P. Field, Discovering Statistics Using IBM SPSS Statistics, 4th ed. London: SAGE Publications, 2013.
H. Flores, “DICT: Scammers adapt to SIM Registration Act,” Philstar.com, May 17, 2023. https://www.philstar.com/headlines/2023/05/17/2266888/dict-scammers-adapt-sim-registration-act
C. L. Gan, Y. Y. Lee, and T. Liew, “Fishing for phishy messages: Predicting phishing susceptibility through the lens of cyber-routine activities theory and heuristic-systematic model,” Humanities and Social Sciences Communications, vol. 11, 2024. https://doi.org/10.1057/s41599-024-04083-1
J. Green, “Cybersecurity challenges in the digital age,” International Multidisciplinary Journal of Science, Technology & Business, vol. 1, no. 4, pp. 19–23, 2022. https://imjstb.com/index.php/Journal/article/view/22
F. L. Greitzer, W. Li, K. B. Laskey, J. Lee, and J. Purl, “Experimental investigation of technical and human factors related to phishing susceptibility,” ACM Transactions on Social Computing, vol. 4, 2021. https://doi.org/10.1145/3461672
A. K. Gwenhure, “University students’ security behavior against email phishing attacks: Insights from the health belief model,” Journal of Cybersecurity, vol. 11, no. 1, Art. no. tyaf034, 2025. https://doi.org/10.1093/cybsec/tyaf034
B. Harrison, E. Svetieva, and A. Vishwanath, “Individual processing of phishing emails: How attention and elaboration protect against phishing,” Online Information Review, vol. 40, no. 2, pp. 265–281, 2016. https://doi.org/10.1108/OIR-04-2015-0106
A. Jayatilaka, N. Asanka, G. Arachchilage, and M. A. Babar, “Why people still fall for phishing emails: An empirical investigation into how users make email response decisions,” Internet Society, 2024. https://arxiv.org/pdf/2401.13199
T. Kelley, M. J. Amon, and B. Bertenthal, “Statistical models for predicting threat detection from human behavior,” Frontiers in Psychology, vol. 9, 2018. https://doi.org/10.3389/fpsyg.2018.00466
N. Kshetri, Vasudha, and D. Hoxha, “knowCC: Knowledge, awareness of computer & cyber ethics between CS/non-CS university students,” arXiv, 2023. https://arxiv.org/abs/2310.12684
D. J. Lemay, R. B. Basnet, and T. Doleck, “Examining the relationship between threat and coping appraisal in phishing detection among college students,” Journal of Information Systems and Information Security, vol. 10, no. 1, pp. 1–15, 2020.
C. León-Mantero, J. C. Casas-Rosal, C. Pedrosa-Jesús, and A. Maz-Machado, “Measuring attitude towards mathematics using Likert scale surveys: The weighted average,” PLOS ONE, vol. 15, no. 10, e0239626, 2020. https://doi.org/10.1371/journal.pone.0239626
National Privacy Commission, “NPC issues cease and desist order against GCash over unauthorized transactions,” Press release, Nov. 13, 2024. https://www.privacy.gov.ph
C. D. Omorog and R. P. Medina, “Internet security awareness of Filipinos: A survey paper,” arXiv, 2020. https://arxiv.org/abs/2012.03669
G. Ong, “DICT to propose amendments to SIM registration law,” Philstar.com, Sep. 12, 2024. https://qa.philstar.com/headlines/2024/09/12/2384626/dict-propose-amendments-sim-registration-law
F. P. E. Putra, A. Zulfikri, G. Arifin, and R. M. Ilhamsyah, “Analysis of phishing attack trends, impacts and prevention methods: Literature study,” Brilliance: Research of Artificial Intelligence, vol. 4, no. 1, pp. 413–421, 2024. https://itscience-indexing.com/jurnal/index.php/brilliance/article/view/4357
K. Senthilkumar, S. Easwaramoorthy, S. Chatchalermpun, and T. Daengsi, “Improving cybersecurity awareness using phishing attack simulation,” IOP Conference Series: Materials Science and Engineering, vol. 1088, no. 1, 012015, 2021. https://doi.org/10.1088/1757-899X/1088/1/012015
H. Shahbaznezhad, F. Kolini, and M. Rashidirad, “Employees’ behavior in phishing attacks: What individual, organizational, and technological factors matter?,” Journal of Computer Information Systems, vol. 61, 2020. https://doi.org/10.1080/08874417.2020.1812134
SIM Registration Law not a ‘silver bullet’ vs scams, says NTC, GMA News Online, Jun. 18, 2024. https://www.gmanetwork.com/news/topstories/nation/910387/sim-registration-law-silver-bullet-ntc/story/
L. Stalans, E. Chan-Tin, A. Hart, M. Moran, and S. Kennison, “Predicting phishing victimization: Comparing prior victimization, cognitive and emotional styles, and vulnerable or protective email strategies,” International Journal of Cyber Criminology, vol. 17, no. 1, pp. 45–67, 2023. https://doi.org/10.1080/15564886.2023.2218369
T. Sutter, A. S. Bozkir, B. Gehring, and P. Berlich, “Avoiding the hook: Influential factors of phishing awareness training on click-rates and a data-driven approach to predict email difficulty perception,” IEEE Access, vol. 10, 2022. https://doi.org/10.1109/ACCESS.2022.3207272
J. W. Tukey, “Comparing individual means in the analysis of variance,” Biometrics, vol. 5, no. 2, pp. 99–114, 1949. https://doi.org/10.2307/3001913
M. M. Usita, “Patterns of mobile awareness and security practices: A clustering analysis on college faculty and students,” Asian Journal of Research in Computer Science, vol. 18, no. 12, pp. 81–96, 2025. https://doi.org/10.9734/ajrcos/2025/v18i12792
A. Vishwanath, B. Harrison, and Y. J. Ng, “Suspicion, cognition, and automaticity model of phishing susceptibility,” Communication Research, vol. 45, no. 8, pp. 1146–1166, 2016. https://doi.org/10.1177/0093650215627483
This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles published in our journal are licensed under CC-BY 4.0, which permits authors to retain copyright of their work. This license allows for unrestricted use, sharing, and reproduction of the articles, provided that proper credit is given to the original authors and the source.