Comparing Three Countries’ Higher Education Students’ Cyber Related Perceptions and Behaviours during COVID-19

Abstract

In 2020, a global pandemic led to lockdowns, and subsequent social and business restrictions. These required overnight implementation of emergency measures to permit continued functioning of vital industries. Digital technologies and platforms made this switch feasible, but it also introduced several cyber related vulnerabilities, which students might not have known how to mitigate. For this study, the Global Cyber Security Index and the Cyber Risk literacy and education index were used to provide a cyber security context for each country. This research project—an international, cross-university, comparative, quantitative project—aimed to explore the risk attitudes and concerns, as well as protective behaviours adopted by, students at a South African, a Welsh and a Hungarian University, during the pandemic. This study’s findings align with the relative rankings of the Oliver Wyman Risk Literacy and Education Index for the countries in which the universities reside. This study revealed significant differences between the student behaviours of students within these universities. The most important differences were identified between students’ risk attitudes and concerns. It was also discovered that South African students reported having changed their protective online behaviours to the greatest extent, since the pandemic commenced. Recommendations are made suggesting that cyber security training and education, as well as improving the digital trust and confidence in digital platforms, are critical.

1. Introduction

In 2020/2021, the World Health Organisation (WHO) declared a global pandemic, and many countries instituted unprecedented measures to contain the spread of the virus, restricting social interactions, closing non-critical businesses, and requiring remote working. This forced universities to switch to exclusive use of remote educational platforms, not necessarily designed for universities: “While these platforms allowed institutions to fill an urgent need, they caused novel and well-publicized security and privacy problems” [1] (p. 653).

As a consequence, remote learning, working and socialising became the new normal. Reliance on digital technologies grew exponentially, impacting health service delivery, the economy, and the higher education community [2]. A heavy reliance on personal digital technologies led to a greater vulnerability in the cyber domain [2]. Mee, Brandenburg and Lin [3] (p. 4) suggest that “cyber security and the management of cyber risk by individuals, already a major issue before the COVID-19 pandemic, has become much more pressing overnight as enterprises around the world experiment with work from home arrangements”. Lallie et al. [4] discovered that 86% of the cyber-attacks globally during COVID-19 involved phishing and smishing. They also found that COVID-19 related malware was the second largest attack vector, appearing in 65% of cases. A recent study that considered the period from the 31 December 2019–14 April 2020, suggests that a 51% increase in cyber-attacks occurred during the pandemic, with 30,000 of these being COVID-19 related cyber-attacks [5]. Of these, 17% were globally directed, with 14% specifically directed at the UK, 14% at the USA, and 25% at China, with 30% being directed at other countries such as Japan, Singapore, Italy, Spain, etc. (see Figure 1) [4]. Hence, by April 2020, most cyber-attacks targeted the whole world, specifically focusing on tax rebates due to COVID-19 or contact tracing phishing messages [4].

This study involved students from a university in each of three countries: United Kingdom (Wales), South Africa, and Hungary. All experienced lockdowns. In the United Kingdom (UK), the first lockdown ordered people to ‘stay at home’, with the legal lockdown measures coming into force on the 26 March 2020. In South Africa, the first lockdown measures also came into effect on the 26 March 2020, and Hungary commenced lockdown on the 28 March 2020. Virtual learning replaced face-to-face delivery at all educational levels [6]. Usually, such a switch to virtual delivery would be instituted with a great deal of preparation and after a period of reflection [7]. However, the lockdowns necessitated a sudden switch, and neither educators nor students were prepared for this seismic shift.

2. Background

The core online risk terms used in this paper are defined in Section 2.1 and Section 2.2 the country differences are discussed to provide the necessary conceptual and contextual background for this paper.

2.1. Cyber Terms

To inform the subsequent discussion, rigorous definitions of all the key cyber related terms used in this paper from the research literature are now provided.

Craigen, Diakun-Thibault, and Purse [8] (p. 1) define cyber security as: “the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights”. This definition makes it clear that cyber security applies to the protection of information and devices, specifically the confidentiality, integrity and availability thereof [9]. It does not apply specifically to the protection of the humans using such devices. Their wellbeing is related to cyber safety, as defined next.

Byron [10] suggests that online harms, which are related to Grey’s [11] definition of cyber safety, can be categorised into one of the three C’s: content, conduct and contact. Grey explains that cyber safety is thus related to upsetting information (content), responsible use of information and communication technologies (conduct), and safeguarding against individuals who contact others with ill intentions (contact).

Brandeis and Warren [12] was one of the first publications to attempt to delineate privacy. They refer to privacy as “the right to be left alone”. Westin [13] (p. 7) defines privacy as “the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others”. This more nuanced definition resonates with individuals having a sense of control over their own information, whereas Brandeis and Warren’s perspective, while still eliciting an intuitive sense of privacy, also seems to be closer to cyber safety’s “contact” dimension in the physical domain, than being related to information privacy, which is a concern in the cyber realm. Hence, Westin’s conceptualisation is equally relevant in the cyber era as it was in 1968, and it shall be used to delineate privacy in this research study.

All these cyber terms are related to risk management. If people do not perceive these risks to be significant, they are unlikely to act to mitigate them. Pidgeon et al. [14] (p. 89) suggest that risk perception can be defined as “people’s beliefs, attitudes, judgments and feelings, as well as the wider social or cultural values and dispositions that people adopt, towards hazards and their benefits”.

Risk perceptions lead to protective behaviours. The kinds of behaviours people can engage in are related to [15,16]: (1) starting to use protective measures or using security tools (e.g., using a VPN), (2) desisting from unwise behaviours (e.g., choosing weak passwords), or (3) proactively looking out for possible attacks (e.g., not clicking on a Phishing message, which could compromise accounts).

Figure 2 depicts the core aspects of these four key concepts, and the protective behaviours they lead to, which is relied on for the rest of this paper.

2.2. Country Differences

The universities in each of the countries are not homogenous entities, being heterogenous in nature. Students studying at each of these universities come from diverse cultures, backgrounds and countries. Yet, as groups of residential students, they were equally impacted by the way their specific country supported their higher education institutions and the participating students during the transition to online learning, and all along its duration. As such, it is important to describe the context for each country’s cyber environment, given our focus on cyber related risks.

The following published country cyber indices are relevant: The Global Cyber Security Index (GCI)—launched in 2015 by the International Telecommunication Union (ITU)—is based on a complex set of indicators to monitor the level of cyber security commitment of 150 participating countries (according to five pillars); Another framework is the Oliver Wyman Forum’s Cyber Risk Literacy and Education Index—this framework measures literacy at the population level and thus allows countries to discover best global practices and to focus their attention and investments on areas of weakness. The aim is to keep the risky online world—an increasingly digitized and interconnected space—properly secured from fast paced embryonic cyber risks [3].

The Wyman Index is based on five key drivers and nine related pillars. For all the five drivers in Figure 3 it should be noted that the UK outperforms Hungary and South Africa.

The five drivers represent items that measure trends or changes in each country’s average cyber literacy level. Public motivation—measures the population’s commitment to practicing cyber security, with metrics for adherence to safe cyber practices, Government policy—evaluates government policies to enhance the cyber risk literacy and education, with metrics for the geography’s national cyber security strategy, Educational system—measures whether cyber risk instruction is encouraged or mandated, with metrics to assess primary and secondary school curricula, assessing formal education, and labour upskilling, Labour Market—measures the employers demand for cyber-security literacy skills, with metrics for the increase in cyber security related roles and the number of cyber security start-ups, and Population inclusivity—measures equitable access to digital technologies and formal education in a geography, with Internet access and school completion rate metrics [3,17].

For each driver in the Wyman Index, relevant pillars, contributing to the measure and ranking of that driver, is given. Figure 4 depicts the three countries considered in this study, in terms of five of the Wyman Index pillars related to higher education: Cyber risk awareness and motivation (Public Motivation), Formal education (Educational System), Skill demand from employer expectations (Labour Market), Technological inclusivity and educational inclusivity (Population Inclusivity).

It is worth noting that the Cyber Risk Literacy and Education Index rankings includes countries that are considered developed or “are economically influential enough for cyber risk literacy to be a topic relevant for their populations” [17] (p. 12). A lower score does not imply that a country’s population is not ready to understand cyber related risks, but rather that other challenges, such as developing infrastructure or investment in basic digital education and rolling out ubiquitous Internet access, might be a higher priority [17].

During the COVID-19 pandemic, several research studies were conducted and continues to be conducted around the impact of COVID-19 on society [6,7,18,19]. To the best of our knowledge, comparative research on countries with such vastly different economic and social backgrounds is limited. Some noteworthy studies are worth mentioning: Two researchers carried out a comparative study on cyber security awareness on smartphone usage in Hungary and Vietnam [20]; Zwilling et al. [21] conducted a comparative research study of four countries—Israel, Slovenia, Poland and Turkey—with different economic, educational and cultural backgrounds; A comparative research study between the countries of the Middle East and North Africa (MENA) was conducted by Mawgoud et al., focuses its attention on this region and highlights its high volatility and vulnerability to cyber threats and attacks [22]; A study by Lesjak et al. compared student cyber security awareness between Israelis and Slovenians and found significant differences in levels of cyber security awareness which called for enhanced cyber education practices [23].

The three participating universities are situated within three countries, which offer a rich opportunity for comparison–one being ranked high, one at the bottom and one in-between: Wales (the UK) is the 3rd country in the Oliver Wyman index, indicating a high population level cyber risk literacy and education. South Africa is 50th on the list, while Hungary is 39th. With respect to the educational system’s contribution to the countries’ overall score, the UK is 2nd, Hungary 35th and South Africa 44th. Based on these published literacy levels, we could expect to see the highest levels of risk perception and changed behaviour during COVID-19 in the Welsh University students, the least from the South African students and the Hungarian students somewhere in-between.

In comparing the risk perceptions and cyber related behaviours of the three countries’ students, the focus is on: (1) their online risk perceptions (their attitude and concerns towards online risks), and (2) risk management behaviours (which protective behaviours they engage in). Within ‘risk perception’, attitudes and concerns were considered to be influenced by each country’s responses during the COVID-19 pandemic. ‘Values’ and ‘dispositions’, were not tested as these are individual characteristics which could be expected to have similar variability across all student bodies and are less likely to be affected by country context as much as the other two.

The following research questions were posed:

RQ1. [Risk perceptions] What are the attitudes and concerns of participating students of the cyber related risks of the online environment?

RQ1a. [Attitudes] What are the attitudes to cyber related risks?

RQ1b. [Concerns] Which online concerns do they have?

RQ2. [Behaviours] Did the students report changing their protective behaviours with the shift to online learning?

3. Methods

This research study is part of a larger study on the eLearning perspectives of students and staff during the COVID-19 pandemic. For this paper, the focus is on the concerns and perceptions of cyber related risks and the protective behaviours reported by the participating students.

The survey questionnaire (see Appendix A for the full questionnaire) included 14 questions on cyber related issues. The survey was piloted with approximately 10 students at each university and at different levels of study to test the survey for clarity and to afford refinement.

3.1. Ethics

The researchers received permission to disseminate the questionnaire to the student population of the participating universities. Ethical approval was obtained from ethical review boards. Students were not remunerated and answered the questions anonymously.

3.2. Recruiting and Data Collection

The main study respondents were recruited by means of a link distributed to all students at each university by email. The questionnaire could be completed in English (which is the language of instruction at both the Welsh and South African Universities) or in Hungarian.

Online questionnaires were administered using Qualtrics. This presented the most feasible way of consulting the three countries’ students during the pandemic [24]. Data was collected from October to November 2020 and collected separately at the three universities. The three databases were collated and analyse as one dataset.

3.3. Analysis

To confirm the validity of the identified categories, factor analysis was carried out using the principal component method with a varimax rotation. Based on the determined categories, comparative statistical analyses were carried out using the Chi² test to answer the two research questions.

After data was collected, it was analysed to reveal the similarities and differences in the cyber related risk perceptions (attitudes and concerns) and protective behaviours of the students. The statistical programmes Statistical Analysis System (SAS) version 9.4 and Statistical Package for the Social Sciences (SPSS) version 25 were used to support the analysis.

4. Results

4.1. Student Demographics

A total number of 559 questionnaires were completed by the participating students. The data was cleaned, removing incomplete responses. A total of 512 data entries remained to support the analysis: 240 from Hungary, 141 from Wales and 131 from South Africa (see Figure 5).

The students who were studying at these three universities were from 46 different countries (Angola, Azerbaijan, British, China, Congo, Ethiopia, France, Ghana, Greece, Hong Kong, Hungary, Indonesia, Ireland, Japan, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Libya, Lithuania, Malaysia, Mexico, Moldovia, Mongolia, Morocco, Lesotho, Namibia, Nigeria, Norway, Poland, Portugal, Romania, Russia, Rwanda, Saudi Arabia, Slovakia, South Africa, Spain, Thailand, Turkey, Vietnam, Yemen, Zambia, Zimbabwe). This confirms the heterogeneity of student demographics across these universities.

Most participants were undergraduates (95%) from various degree programmes, across a range of subjects from within social and other sciences. In this case, 27% of the respondents were in their first year of study, 20% in the second year, 29% in their third year, 21% were in their fourth year. Very few (4.1%) of the students were pursuing postgraduate studies (see Figure 6). Although all the universities had students from other countries the Welsh participating university had the most international students. Slightly more males (54%) than females (45%) answered the questionnaire with 1% not identifying as either of the genders.

Almost all respondents (95%) were in their 20’s, with a few outliers. Most students remained in the country where they were studying during lock-down.

4.2. Reliability of the Cyber Related Categories

The internal reliability of the cyber related questions was tested using the Cronbach’s Alpha reliability test. According to Taber [25] different qualitative descriptors are assigned to different Cronbach’s alpha throughout research papers. Based on their results, Cronbach’s alpha values ranging between 0.76 and 0.95 are considered fairly high, high and good [25]. The overall reliability of this study’s questions equalled 0.789 (on the standardized question this value was 0.759)—a Cronbach Alpha scale of over 0.7 means that the questions are reliable, see

Table 1. Factor loadings and item reliability of the three categories.

Categories and Questions in Terms of Cyber Related Security, Privacy and Safety	Factor	Item Reliability
	Analysis	Cronbach’s Alpha
Category 1: Risk perception: attitudes
Social networking (Safety and Privacy)	0.670	0.770
Public Wi-Fi (Security and Privacy)	0.749	0.763
Online banking (Security)	0.780	0.758
COVID-19 tracking (Privacy)	0.678	0.777
Online shopping (Security)	0.772	0.762
Video conferencing and online meetings (Privacy)	0.720	0.773
Learning Management Systems (for example Canvas, Blackboard, KMOOC, Moodle, iKamva, etc.) (Security)	0.681	0.775
Category 2: Risk perception: concerns
I am concerned about issues of security when engaging in digital learning	0.873	0.778
I am concerned about issues of privacy when engaging in digital learning	0.866	0.774
I am concerned about issues of malware when engaging in digital learning	0.835	0.774
I am concerned about issues of fraud when engaging in digital learning	0.826	0.774
I am more aware of cyber security issues since the pandemic and the shift to online teaching and learning (enhanced risk concerns)	0.615	0.782
Category 3: Protective behaviours
I have changed my online security and safety behaviour due to COVID-19	0.729	0.802
I use a VPN when I go online (Security and Privacy)	0.664	0.792

[26].

In the case of cyber related ‘attitudes’ the Cronbach Alpha was 0.845. While each question’s individual Cronbach Alpha was greater than 0.76. The questions of the cyber related ‘concerns’ showed high internal reliability with a Cronbach Alpha equal to 0.831. Each question’s individual Cronbach Alpha was greater than 0.77 whereas the ‘Protective behaviours during COVID-19′ were close to 0.8.

Factor analysis confirmed that the identified cyber related category items are related and give a reliable framework for the evaluation of the data. It must be noted that the questionnaire was designed by the researchers and was not a standardized questionnaire. The factor analysis employing the Principal Component method with Varimax rotation and Cronbach Alpha confirmed the three categories.

The factoring Kaiser-Meyer-Olkin (KMO) measure of sampling adequacy equated 0.855, while the Bartlett’s Test of Sphericity proved to be significant (p = 0.000). Both imply that the data are appropriate for factor analysis.

When presenting the factor analysis results it can be seen how the questions group into the three categories. There was a certain redundancy between the variables hence, the existence of the three categories is valid (see Figure 7).

4.3. Bi-Variate Analysis

In

Table 2. Country comparisons of individual questions.

Categories and Questions	Chi2	p-Value
Categories 1: Risk perceptions: attitudes
Social networking (Safety and Privacy)	23.66	0.0026 *
Public Wi-Fi (Security and Privacy)	24.45	0.0019 *
Online banking (Security)	24.94	0.0016 *
COVID-19 tracking (Privacy)	13.85	0.0858
Online shopping (Security)	23.01	0.0034 *
Video conferencing and online meetings (Privacy)	14.88	0.0616
Learning Management Systems (for example Canvas, Blackboard, KMOOC, Moodle, iKamva, etc.) (Security)	14.14	0.0782
Categories 2: Risk perceptions: concerns
I am concerned about issues of security when engaging in digital learning	41.11	<0.0001 *
I am concerned about issues of privacy when engaging in digital learning	36.42	<0.0001 *
I am concerned about issues of malware when engaging in digital learning	88.23	<0.0001 *
I am concerned about issues of fraud when engaging in digital learning	65.89	<0.0001 *
I am more aware of cyber security issues since the pandemic and the shift to online teaching and learning (enhanced risk awareness)	74.49	<0.0001 *
Categories 3: Protective behaviours
I have changed my online security and safety behaviour due to COVID-19	18.76	<0.0001 *
I use a VPN when I go online (Security and Privacy)	57.92	<0.0001 *

* Indicating p-value < 0.05.

the country comparison of all the questions is summarised with an asterisk indicating significant differences.

4.3.1. Risk Perception of Cyber Security and Cyber Safety

Attitudes

Differences were found in risk perceptions between the different countries’ students (see Table 2). In all countries, over 60% considered social networking usage to be risky, in terms of both cyber security and cyber safety (Chi² = 23.66 and p = 0.0026) (see Figure 8).

The majority felt similarly about using public Wi-Fi. However, Hungarian and Welsh students considered this more of a cyber security issue, while the South African students’ (22%) did not (Chi² = 24.45 and p = 0.0019). The majority of students felt that online banking had cyber security and cyber safety implications (see Figure 9), with some Hungarian and Welsh students considering it merely a cyber security issue, whereas 15% of the South African students indicated that they did not know whether online Internet banking posed any cyber related risk (Chi² = 24.94 and p = 0.0016).

The participating students were undecided about the cyber security, cyber safety and privacy implications of COVID-19 tracking apps (Chi² = 13.85 and p = 0.0858) as well as video conferencing applications (Chi² = 14.88 and p = 0.0616) and learning management systems (Chi² = 14.14 and p = 0.0782). The majority of students across all universities were aware of potential cyber security and cyber safety implications when undertaking online shopping. Hungarian and Welsh students were more aware of these cyber security related risks (Chi² = 23.01 and p = 0.0034).

Concerns

In order to gain insight into student’s cyber related perceptions (and given that feelings/concerns are part of this—see Figure 2, a sentiment analysis was conducted based on their responses, and it was found that the answers were distributed almost evenly for disagree, neutral and agree. In this case, 39% of the respondents were concerned about privacy issues while 30% were concerned about cyber security issues when engaging in digital learning.

On conducting a country comparison, significant differences were detected. More of the South Africans expressed concerns about cyber security issues (52%) (Chi² = 62.72 and p < 0.0001), privacy issues (62%) (Chi² = 65.78 and p < 0.0001), and in particular cyber security fraud issues (63%) (Chi² = 88.22 and p < 0.0001) and cyber security malware issues (70%) (Chi² = 101.72 and p < 0.0001) when engaging in digital learning since the pandemic than students at the Welsh or the Hungarian students (see Figure 10).

Figure 11 shows that the participating students from the universities within the three countries responded significantly different (Chi² = 74.49, p = 0.0001) to the shift to digital online learning. The students from the South African university (61%) were more aware of the cyber security issues resulting from the shift to online teaching. Fewer of the Welsh university’s students (37%), and even fewer of the Hungarian university’s students (16%) were aware.

4.3.2. Protective Behaviours during the COVID-19 Pandemic

The reported protective behaviour category comprised two questions. The first concerns the use of virtual private networks (VPN) and the second considers the change in online behaviours. Hungarian-(40%) and Welsh students (43%) sometimes used the university’s VPN, whereas South Africans (45%) did not know how to use VPNs (Chi² = 57.92 and p < 0.0001) (see Figure 12).

Half of the South Africans reported having adapted their online behaviours since digital learning commenced, whereas only 30% of the Welsh and 24% of the Hungarians indicated that they had achieved likewise (Chi² = 18.76 and p < 0.0001) (see Figure 13).

5. Discussion

The research aimed to investigate and understand the impact of COVID-19, on the risk perceptions—in terms of cyber security and cyber safety—of higher education students, during the first and second wave of the pandemic. In addition, it was investigated, whether these students—due to the shift to a single mode of learning—exhibited any change in their online behaviour as a consequence of the COVID-19 pandemic. Two primary research questions were posed, and these will be revisited and then discussed.

RQ1. [Risk perceptions] What are the attitudes and concerns of participating students of the cyber related risks of the online environment?

RQ1a. [Attitudes] What are the attitudes to cyber related risks?

RQ1b. [Concerns] Which online concerns do they have?

RQ2. [Behaviours] Did the students report changing their protective behaviours with the shift to online learning?

When revisiting the research questions the following was noted:

Attitudes

A large majority of all respondents, from all participating universities, acknowledged the cyber related implications of digital applications and platforms. However, they were unclear as to whether there were cyber security and/or cyber safety implications related to: (1) COVID-19 tracking applications, (2) video conferencing applications, and (3) learning management systems. Alexei and Alexei [27] (p. 1) contend that learning management systems do indeed have several technical and human vulnerabilities. Furthermore, since cloud computing, eLearning platforms and video conferencing applications have become the primary modalities for facilitating eLearning, the risks of distributed denial-of-service (DDoS) attacks/denial-of-service (DoS) attacks, cross-site scripting, spoofing, unauthorized data access and infection with malicious programs, but also the theft of personal data, has increased dramatically [27]. It must be noted that the students themselves were unable to mitigate these particular vulnerabilities, since they were required to use their university’s learning management systems. Similarly, since video conferencing applications were the main form of communication and delivery of online classes.

The Cyber Risk Literacy and Education Index [17] does not rank South Africa lowest when comparing the participating countries for the pillar ‘cyber risk awareness and motivation’ (see Figure 4) [17]. In 2017, Shabe et al. [28] explored the state of cyber security concerns among mobile phone users living in Rocklands Township, South Africa. Shabe’s study, using the scorecard approach, revealed that individual mobile phone users are more exposed to cyber-attacks due to their lack of cyber concerns. Dlamini et al. reported that African countries, mostly developing countries, can raise cyber awareness only if the countries collaborate and step up jointly against cyber-attacks, prepare cooperative cross-border educational and training programmes throughout the African continent [29]. The authors take examples from developed countries with highly cyber-preparedness (USA, UK, Estonia and Korea) and point out the urgency of actions to be taken, such as bridging the digital divide, improving digital literacy, the dominant use of mobile devices and wireless networks. Hence, despite the high levels of awareness demonstrated by our South African participants, there is still a clear need for cyber related risk awareness training given the region’s high volatility and vulnerability to cyber-attacks [22].

Earlier research at a Hungarian university revealed that students behave differently when using eLearning systems [30,31]. Furthermore, cyber related risk awareness needs to be improved. Universities’ participation in improving student cyber related awareness becomes more important as online education is embraced. Universities should inform students of protective behaviours they can engage in related to cyber security and cyber safety [32]. This is especially important as they use the mandated online learning environments. The authors take examples from developed countries with highly cyber-preparedness (USA, UK, Estonia and Korea) and point out the urgency of actions to be taken, such as bridging the digital divide, improving digital literacy, the dominant use of mobile devices and wireless networks.

A study conducted in 2020, considering smart phone security awareness and practices of students at a Welsh University, indicated that the level of cybersecurity awareness, in general could be improved [33]. This current study suggests that the students do indeed have a measure of cyber related risk perceptions (attitudes), although the country comparisons revealed significant differences. There is therefore still a clear need for cyber related skills training.

Concerns

Sentiment analysis revealed that the cyber security, safety, and privacy concerns were evenly spread. Some of the respondents were concerned about privacy while others were concerned about cyber security when engaging in digital eLearning. In general, South Africans were more concerned about privacy, cyber security (fraud, malware etc.), as compared to the Welsh and Hungarian students. According to the NCSI National Cyber Security Index which measures country’s cyber security capacity [15], the UK ranks 18th with a score of 77.92, Hungary ranks 32nd, and has a score of 64.92, while South Africa ranks 83rd, and has a score of 36.36 (see

Table 3. National Cyber Security Index (NCSI) [15].

Country	National Cyber Security Index (NCSI)	Rank NCSI	Digital Development Level (DDL)	Rank (DDL)	Difference (NCSI-DLL)
South Africa	36.36	83	47.43	85	−11.07
Hungary	64.94	32	64.68	42	0.26
United Kingdom	77.92	18	81.39	7	−3.47

). Comparing all the countries’ National Cyber Security Index (NCSI) and Digital Development Level (DDL), a strong relationship was found using Spearman’s rank correlation (ϱ = 0.709, p = 0.000), suggesting that the higher a country’s digital development level, the higher its cyber security index.

The difference between the Digital Development Level (DDL)—the average fulfilment of ICT development and networked readiness—and the NCSI explains the difference between technology development and implementation and the governments’ ability to protect as well as train and motivate its citizens. For example, for South Africa the DDL is relatively high, however, students do not trust their cyber security capacity, which is reflected in the National Cyber Security Index. Cohney et al. [1] recommends strengthening regulatory mechanisms to provide appropriate baseline privacy and security protections. Students from Hungary and the United Kingdom were less concerned with cyber security issues, which is also reflected in the higher National Cyber Security Indices of both countries.

Changes in Protective Behaviours

The researchers wanted to determine whether students had changed their online behaviours during the COVID-19 pandemic lockdowns. Half of the South African students reported having adapted their online behaviours, while only a third of the Welsh and Hungarians had achieved likewise. This confirms the Wyman’s Cyber Security and Education Index rankings, given that the United Kingdom is ranked 4th for the formal education pillar, implying that their cybersecurity education is much better than Hungary (ranked 28th) and South Africa (ranked 48th). This digital development level of the countries is reflected in the behaviour of the different university’s students.

South African students did not know how to use Virtual Private Networks (VPNs) perhaps because they were not given the opportunity to do so or because it is costly. However, South African students had to adapt to the greatest extent to using the digital learning environment since the outbreak of COVID-19 because most had accessed the university’s online environment from university facilities. This was not the case for the Hungarian and Welsh students. Respondents from Hungary and Wales were clearly digitally more prepared for an exclusively online learning environment than the South African Students. Previous research shows that South African students struggle to afford online access [34] and this might explain the difference. Yet, during the pandemic, all South African students were given computers and data bundles to facilitate access to university resources from their mobile phones. On the other hand, no such accommodation was made for the Welsh and Hungarian students. Even so, it is likely that most of these students had broadband at home in Hungary [31] and in Wales [2].

6. Contributions

In this paper, we make the following contributions:

We contribute to the body of knowledge of cyber security and cyber safety behaviour, and in particular the cyber security and safety risk perceptions -attitudes and concerns—as well as student behavioural changed in online learning environment during COVID-19 lockdown.

We undertook an original, international (three countries, both developed and developing/developed), comparative, quantitative research project which has revealed significant differences between the participating universities, with the most important differences being risk perception attitude and concerns, followed by changed behaviour. The differences between student cyber-related risk perception attitude, concerns as well as changed behaviour can be attributed to the differing cyber security awareness, digital development level, and furthermore, different level of cyber security literacy and education of the participating countries: South Africa, Wales, and Hungary.

Based on the results from this study, several suggestions are made to influence future pedagogical approaches to university cyber-related training.

7. Limitations and Future Research

The research focused on one university in each of the three countries. Further research will need to be conducted to include more universities to gain greater insights. All findings rely on self-reporting, which has undeniable shortcomings. However, given that the study was carried out during the pandemic, this was considered the best way to reach all the students studying remotely. Only two questions were included to reveal behavioural changes, which might not have uncovered all possible changes and/or behaviours. Even so, these questions served to provide evidence of changes triggered by heightened risk perceptions and the switch to online learning.

8. Conclusions and Recommendations

Based on these published literacy levels, it would be expected to see the highest levels of risk perception and changed behaviour during COVID-19 in the Welsh University students, the least from the South African students and the Hungarian students somewhere in-between.

This study sought to compare, and contrast risk perceptions and protective behaviours engaged in by students in three countries with very different levels of cyber risk literacy. While all students had to switch to remote learning overnight, each student’s context was different, and would have influenced their risk perceptions and behaviours.

The following can be concluded:

Attitudes: This study suggests that students have a measure of cyber related risk perceptions (attitudes). However, due to the significant differences between countries, there is a clear need for cyber related skill training, especially in South Africa. The Oliver Wyman Index suggests that the cyber risk literacy of the Welsh students ought to have been the highest, with the South Africans having the lowest levels. Our studies aligned with this index, confirming the need for South Africa to invest more resources into raising cyber awareness across their society. If students are insufficiently aware, it is unlikely that the rest of the population will be any more literate.

Concerns: All students demonstrated a measure of concern about privacy and cyber security while engaging with digital eLearning. Students in South Africa, in particular, did not trust the cybersecurity capability of their digital provisions, reflected in the National Cyber Security Index, despite the relatively high digital development level.

Changes in protective behaviours: The switch to online learning was more drastic for a larger proportion of the South African university’s students, since many did not engage with a learning management system from home, before the lockdown. Despite this, the South African university supported their students by providing them with mobile data as well as computers and the necessary resources to ensure that they were able to continue learning. The other two countries’ students were not given this advantage. The fact that South African university’s students changed their protective behaviours to the greatest extent, is probably attributable to these factors.

Country similarities and differences: The only similarity that was found between the cyber security risk perception (attitudes) of students was related to the COVID-19 tracking systems. All other comparisons related to risk perception (attitudes), reflected significant differences. The same was found for the risk perceptions (concerns). Students from the South African university indicated that they were more aware of cybersecurity issues since the pandemic and shift to online learning. In the case of the Hungarian university’s students, the responses were distributed between ‘disagree’ and ‘neutral’, while very few agreed with the statement. The Welsh university’s student responses were more evenly distributed. In terms of changed online cybersecurity behaviour, the study suggests that the South African university’s’ students’ behaviour changed to the greatest extent.

Recommendations: The pandemic ushered in unprecedented challenges for everyone who experienced a lockdown, but for students it was acutely challenging. Our study highlighted the need for targeted and sustained efforts to be engaged in to ensure that those who are now conducting their learning online have an accurate awareness of cyber risk perceptions and know how to protect themselves and their information online. There is a need to foster digital trust to build confidence across society, with South Africa demonstrating the greatest need. There is a clear need to do more in terms of cybersecurity training and education, and universities should focus on addressing this need [35].