Content area
Purpose
The purpose of this paper is to investigate the cyber hygiene practices of remote workers.
Design/methodology/approach
This paper used two instruments: first, the Cyber Hygiene Inventory scale, which measures users’ information and computer security behaviors; second, the Recsem Inventory, developed within this paper’s context, to evaluate the cybersecurity measures adopted by organizations for remote workers. It was conducted on remote workers to examine their information security practices. The instrument was administered to a sample of 442 employees reached via the LinkedIn platform. Analyses were performed with SPSS v26, Python programming language and Seaborn library.
Findings
The findings indicate a significant correlation between the security measures implemented by companies and their employees’ cyber hygiene practices. A sector comparison revealed a significant difference in cyber hygiene levels between public and private sector workers.
Research limitations/implications
This paper aims to provide policymakers with suggestions for enhancing the cyber hygiene of remote workers to facilitate compliance with corporate security protocols.
Originality/value
This paper’s conclusions highlight the importance of companies increasing their cybersecurity investments as remote work becomes more prevalent. This should consider not only corporate-level factors but also employees' information and computer security behaviors.
1. Introduction
The growing number of remote workers has coincided with a surge in cyber threats, prompting institutions to launch awareness campaigns to educate their members about protection strategies (Enisa, 2020; Interpol, 2020; Kumar et al., 2022). This trend underscores the need for companies to invest in cybersecurity measures and ensure employee adherence to best practices for information and computer security.
The widespread adoption of remote work policies has presented both organizations and their employees with numerous cybersecurity challenges. This shift has exposed new vulnerabilities that must be addressed (Reciprocity, 2021; Yeoh et al., 2022). In addition, the lack of adequate support and resources for remote employees, coupled with the use of potentially less secure home networks, has introduced further risks. Home networks and personal devices are generally more susceptible to cyberattacks than corporate networks, making remote workers prime targets for attackers (Lallie et al., 2021; Ramadan et al., 2021).
The increasing reliance on digital technologies for business operations, partly fueled by the COVID-19 pandemic (Battisti et al., 2022; Caligiuri et al., 2020; Como et al., 2021), necessitates the use of online communication and digital tools. As businesses handle sensitive data digitally, they become potential targets for cyberattacks. To mitigate cybersecurity risks, institutions, particularly those with numerous remote workers, must implement various cybersecurity measures, such as developing official policies, offering employee training and securing networks and devices (Yang et al., 2013; Baraković and Baraković Husić, 2023). However, cybersecurity investments and measures alone are insufficient. Addressing cybersecurity effectively requires considering both system security and individual user behavior.
Human factors often constitute the weakest link in a security system (Schneier, 2004). Studies have shown that noncompliance with security practices by individuals is the primary cause of security breaches (Donalds and Osei-Bryson, 2020). A considerable amount of research has focused on the impact of employee behavior on an organization’s information security (Shropshire et al., 2015; McCormac et al., 2017). For example, Global Technology Services (IBM, 2015) found that over 95% of security breaches were due to human error (IBM, 2015, p. 7). Further research indicates that improving employee behavior can reduce the risk of security breaches by 45%–70% (Aberdeen Group and Wombat Security, 2015).
Cyber hygiene practices of end users often contribute significantly to cybersecurity breaches (Cain et al., 2018). There are many factors that affect the degree of cyber hygiene of information system users. One of these factors is cultural differences. It is necessary to include intercultural differences to understand the social and subjective norms that affect cyber hygiene behaviors, because there are striking differences in the level of cyber hygiene awareness between Western and Eastern countries (Alowais et al., 2023). For example, one study investigated the level of cybersecurity awareness in Saudi Arabia. It has been revealed that more than 50% of the participants do not have enough knowledge about password security and types of cyberattacks (Alzubaidi, 2021). Another study examined the level of cyber security awareness in the USA. In this study, it was revealed that the majority of the participants had significant knowledge about password security and types of cyberattacks (Moallem, 2019). In a study, it was revealed that cyber security is affected by culture and varies from country to country (Onumo et al., 2017). Consequently, it is essential to adopt measures of cyber hygiene behaviors across various cultures. In this study, we used the scale developed by Vishwanath et al. (2020) and adapted to Turkish by the Authors (2020) as the Turkish Cyber Hygiene Inventory (Tr-CHI).
The aim of this paper is to examine the cyber hygiene behaviors of individuals who worked remotely. Using the Tr-CHI, we investigated the impact of corporate cybersecurity measures, demographic characteristics, employment industry and working in public or private sector on individuals’ cyber hygiene behavior.
This paper offers significant theoretical and practical contributions to emerging work styles, such as hybrid and remote work, where individual behavior plays a critical role. First, it expands the literature on the relatively novel concept of cyber hygiene by examining its implementation in remote work environments. Second, the paper enhances the reliability and validity of the model. Third, it distinguishes itself from existing research by adopting a comprehensive approach to individual cyber hygiene behaviors in the context of cybersecurity measures. Moreover, this paper provides valuable guidance for policymakers aiming to raise cybersecurity awareness among remote workers. It assists managers in aligning individual behaviors with corporate security policies. To mitigate the risks posed by cyberattacks, organizations and decision-makers should invest in advanced cybersecurity measures. We recommend adopting new-generation tools and techniques, such as incident management training, educational booklets and cybersecurity protocols, for coordinating and managing incidents. These efforts will help improve employees’ cyber hygiene behaviors.
The remainder of the paper is organized as follows. In Section 2, we review the literature that informs our research. In Section 3, we explain the research methodology and research question. In Section 4, we discuss the research findings. Finally, we conclude with theoretical and practical implications, as well as suggestions for future research in Section 5.
2. Literature review
Cyber hygiene
Cyber hygiene refers to a set of cybersecurity practices that online users should adopt to safeguard the security and integrity of their personal information on internet-connected devices against potential cyber threats (Vishwanath et al., 2020). As a fundamental principle of information security, cyber hygiene comprises simple, routine measures that mitigate the risk of cyber threats. Adopting cyber hygiene practices can foster a more secure environment for businesses and reduce specific risks (ENISA, 2016).
Cyber hygiene encompasses knowledge and behaviors aimed at minimizing risky online activities that expose an individual’s social, financial and personal information (Neigel et al., 2020). It involves adhering to security guidelines that promote a safe environment for both devices and personal information (Ncubukezi et al., 2020). This includes implementing data security and privacy policies, procedures and controls that minimize potential harm and decrease the likelihood of data security breaches (Kirkpatrick, 2015). By implementing these policies, procedures and controls, businesses can better protect assets such as hardware devices, personnel and software applications in cyberspace (Ncubukezi et al., 2020).
Human error constitutes the primary factor behind cybersecurity breaches, and end users’ cyber hygiene levels often play a significant role in these security incidents (Wiederhold, 2014). Consequently, there is a need for a novel approach to better understand user differences concerning good and poor cyber hygiene practices and to motivate users to maintain high hygiene standards. Individuals with good cyber hygiene adhere to best practices for security and safeguard their personal information (Cain et al., 2018). From an organizational standpoint, employees who practice good cyber hygiene exhibit protective behaviors that help secure the organization’s critical data.
Users must adhere to a set of rules and develop certain habits to safeguard their personal, financial and social information from cyberattacks. Cyber hygiene addresses the creation and maintenance of these habits. Examples include routinely checking computers for cyber threats or attack attempts, using strong passwords, changing passwords regularly and avoiding password reuse, updating antivirus software, securely storing online information and conducting appropriate security scans. As awareness and implementation of these cyber hygiene practices increase, so do the protection levels for individuals and institutions against potential cybersecurity breaches. For instance, users who promptly update their software can better withstand major attacks. Consequently, cyber hygiene is a critical prerequisite for ensuring cybersecurity, and its development is essential for enhancing cybersecurity (Kalhoro et al., 2021; Neigel et al., 2020). In summary, cyber hygiene encompasses the set of security behaviors that users adopt to protect their devices and personal data from cyber threats.
Recent studies on cyber hygiene
When Table 1 is examined, it is seen that cyber hygiene studies in the literature are generally carried out on students and employees. Cyber hygiene knowledge and behaviors were found to differ according to culture. In addition, some studies found gender-related differences in cyber hygiene knowledge and behavior. Furthermore, all studies highlight the significance of maintaining good cyber hygiene to reduce the risk of cybercrimes and data breaches.
Upon reviewing Table 1, it becomes evident that there is a notable gap in the existing literature, namely, the absence of research dedicated to investigating the cyber hygiene practices of remote workers. This gap is of considerable concern, given that remote workers typically carry out their work using potentially less secure home networks, thereby subjecting themselves and their organizations to heightened (cybersecurity) risks. Therefore, it is imperative for organizations in both the public and private sectors, across various industries, to examine the cyber hygiene of individuals working remotely.
Cybersecurity practices during remote work
The digital transformation compels businesses to adopt advanced technological solutions, increasing their dependence on the internet, online communication and digital tools. Consequently, businesses generate and process substantial data, potentially containing sensitive information such as intellectual property, financial data or personal information. Transmitting this information over networks makes businesses vulnerable to hackers. With the growth in volume and complexity of cyberattacks, companies, especially those handling national security, health or financial records, must safeguard their data and enhance their security posture (Yang et al., 2013).
The surge in remote work has amplified cybersecurity risks, necessitating the implementation of cybersecurity measures to fortify corporate security and mitigate threats. These measures encompass procedures, policies and controls that protect electronic information and systems from unauthorized access or theft (Reciprocity, 2021). However, public and private sector organizations do not take adequate measures to periodically test, analyze, scan, update, maintain and back up computer networks, hardware, software, communication equipment and storage devices. In addition, they are insufficient in training and raising awareness to improve the cyber hygiene of its employees (Bloom, 2014). Therefore, organizations frequently encounter security breaches because of their inability to take, plan and finance cybersecurity measures for remote working.
3. Research methodology
Main research question and subquestions
This paper investigates the nature of cyber hygiene practices among remote workers. In this direction, the main research question is “what is the nature of cyber hygiene practices among individuals working remotely?” has been determined. To provide a comprehensive understanding, we address the primary research question by examining the following subquestions:
We used the Tr-CHI, adapted from Vishwanath et al. (2020), to measure individuals’ cyber hygiene behaviors. The 17-item scale uses a five-point Likert scale. In addition, we developed the Remote Working Cyber Security Measures Inventory (see Appendix – Recsem Inventory) to evaluate the cybersecurity measures implemented by organizations.
Research sample
We used purposeful sampling to recruit 442 remote workers from various industries (information technology [IT], defense industry, telecommunication, banking and finance, production, tourism, retail, automotive, health, service and food) in Turkey. The rationale behind using this sampling method was to ensure that the selected individuals possessed relevant experience and knowledge concerning remote work and cyber hygiene practices. Participants were reached through channels such as social media (LinkedIn) and (bulk e-mails sent through) public and private sector institutions. Participation was voluntary and anonymous, and data collection was conducted from February to April 2022 using Google Forms.
Cyber hygiene inventory
Vishwanath et al. (2020) devised a comprehensive five-dimensional inventory to assess cyber hygiene practices among computer and internet users. This inventory encompasses questions grouped into five distinct factors: storage and device, authentication and credential, social media, transmission and email and messaging hygiene (see Table 2).
These five cyber hygiene categories provide a comprehensive framework for understanding and evaluating the security practices of computer and internet users. By addressing each of these areas, individuals can take proactive steps to protect their digital information and maintain a secure online presence.
Remote work cyber security measures inventory
The study introduced the Remote Work Cyber Security Measures Inventory, abbreviated as “Recsem,” which was purposefully crafted to evaluate the cybersecurity measures implemented by organizations in the context of remote work. The inventory’s development involved collaboration with Turkish professionals with experience in remote work, and it also incorporated expert insights from both industry and academia. This process resulted in a comprehensive 14-item inventory. The scale’s high reliability was affirmed through the calculation of Cronbach’s alpha, yielding a score of 0.868. Respondents provided binary (yes or no) responses, and these responses were subsequently transformed into normalized Recsem scores, ranging from 0 to 100, for comprehensive evaluation.
Withing the scope of this paper, quantitative data analysis was used to examine cyber hygiene behaviors and cybersecurity. Data collection was conducted using Google Forms, and data management and analysis were performed with SPSS v26. Python programming language and Seaborn library were used to generate figures and graphics visualizing the data analysis results.
4. Findings
Descriptive statistics
The study’s sample size consists of 442 participants, with 37.8% female and 62.2% male, reflecting similar gender ratios to TURKSTAT’s (2021) employment data. In terms of age distribution, 27.8% are aged 18–24, 45.5% are 25–34 and 19.2% are 35–44, with the majority (92%) being of active working age. Regarding educational attainment, 52.3% hold a bachelor’s degree, 19.5% a master’s and 19% a PhD (see Table 3).
In total, 32.8% of participants are public sector employees, whereas 67.2% work in the private sector. This closely aligns with TURKSTAT’s (2021) data and the Presidency of the Republic of Turkey Strategy and Budget Presidency’s report on Public Employment, which indicate a workforce composition of 28% public and 72% private sector employees (TURKSTAT, 2022; SBB, 2023).
Confirmatory factor analysis and reliability analysis
Factor analysis is performed in cases where the estimations are insufficient or little in terms of which variables explain a factor (Decoster and Hall, 1998). Therefore, confirmatory factor analysis was deemed appropriate in this study. The data set’s suitability for factor analysis was assessed using the Kaiser–Meyer–Olkin (KMO) and Bartlett’s tests. With a KMO coefficient of 0.858, the sample size was deemed appropriate for factor analysis. Bartlett’s test of sphericity confirmed the correlation between items was suitable for factor analysis [χ2(442) = 2500.347; df = 136; p < 0.001]. The measuring tool’s internal consistency was tested using Cronbach’s alpha coefficient, yielding a reliability coefficient of 0.85, indicating high reliability. The factor analysis results for the Tr-CHI scale, comprising 17 statements, revealed a total variance explanation level of 63.5%. The factor distribution can be found in Table 4.
Research subquestions
RQ1: How do demographic factors (gender, education and age) affect cyber hygiene behaviors?
Gender and cyber hygiene.
A t-test was conducted to examine the differences in cyber hygiene levels between female and male participants. The results revealed a significant difference between the two groups (p < 0.001), with men having a higher average cyber hygiene score (M = 3.61, SD = 0.67) than women (M = 3.45, SD = 0.60) (Table 5). This indicates that men are more cautious than women regarding computer security.
Eta-squared (η2) values, calculated from the association analysis to measure the direction and strength of one variable’s effect on another, were interpreted using Cohen’s effect size indices. The eta-squared value for the gender variable (η2 = 0.015) suggests a small effect of gender on cyber hygiene behavior. This finding implies that although there is a significant difference between men and women in terms of cyber hygiene, the impact of gender is relatively modest.
Education and cyber hygiene.
The ANOVA test results reveal significant differences in cyber hygiene levels among individuals based on their education levels. The eta-squared value (η2 = 0.069) suggests a moderate effect of education on cyber hygiene behavior. An ANOVA with a Bonferroni post hoc test suggested that CHI differed significantly across the education categories. Specifically, significant differences were found between PhD degree (M = 3.26, SD = 0.72) and vocational school participants (M = 3.81, SD = 0.54), (p = 0.002, d = 0.86). Significant differences were also found between PhD degree and bachelor’s participants (M = 3.66, SD = 0.60), (p = 0.000, d = 0.60). An examination of the analysis results by education categories shows that vocational school individuals exhibit higher cyber hygiene averages than other education levels. Conversely, the lowest cyber hygiene level is observed among individuals with a PhD degree (Table 6).
Age – cyber hygiene.
The ANOVA test findings reveal significant differences in cyber hygiene levels across age categories. With an eta-squared value (η2 = 0.069) for the age variable, age has a moderate effect on cyber hygiene behavior. An ANOVA with a Tamhane’s T2 post hoc test suggested that CHI differed significantly across the age groups. Specifically, significant differences were found between the 18 and 24 age group (M = 3.72, SD = 0.56) when compared with those aged 35–44 (M = 3.24, SD = 0.64), (p = 0.000, d = 0.80). Significant differences were also found between the 35 and 44 age group (M = 3.24, SD = 0.64) and 25–34 (p = 0.001, d = 0.55) participants. The analysis results indicate that the 18–24 age group has higher cyber hygiene averages compared with other age groups, whereas the lowest cyber hygiene is observed in the 55–64 age group (see Table 7).
RQ2: How do institutional cybersecurity measures influence individuals’ cyber hygiene behavior?
The results obtained from the regression analysis offer compelling evidence of a statistically significant relationship between individual cyber hygiene behavior and the cybersecurity measures implemented by companies (R = 0.43; p < 0.001). This implies that as organizations strengthen their cybersecurity measures, there is a corresponding improvement in the cyber hygiene practices of individuals. This section underscores a positive correlation, affirming that the strength of implemented cybersecurity measures directly influences individual cybersecurity behaviors.
Notably, a substantial disparity in Recsem scores was identified between public sector employees (averaging 24.67) and their private sector counterparts (averaging 57.08). This contrast suggests that the cybersecurity measures in the public sector may be insufficient, potentially contributing to the lower levels of cyber hygiene observed among its employees, with an average score of 3.325, in comparison to the private sector’s average score of 3.656.
RQ3: How do sectoral differences (public–private) impact cyber hygiene behaviors?
The T-test results indicate a statistically significant difference in cyber hygiene levels between individuals employed in public and private sectors (Table 8; p < 0.001). With an eta squared value (η2 = 0.057), the sector variable has a moderate impact on cyber hygiene behavior. Table 8 reveals that private sector remote workers exhibit better cyber hygiene behavior than their public sector counterparts. This is consistent across all cyber hygiene subdimensions (Figure 1).
E-mail and messaging hygiene is the highest subdimension for both sectors, requiring a high level of awareness to prevent cyberattacks like phishing and e-fraud (Vishwanath et al., 2020). Participants demonstrated caution and strong cyber hygiene in this area, which is crucial given remote employees’ reliance on e-mail and messaging platforms (e.g. Slack and Discord) for communication. Maintaining caution and high awareness is vital for preventing social engineering frauds and phishing attacks, ensuring a secure remote working environment.
Conversely, transmission and browsing hygiene was the lowest subdimension for public sector employees (Figure 1). This subdimension measures individuals’ engagement in risky practices, such as connecting to unsecured networks and visiting websites without SSL security certificates. In the context of remote work, prioritizing network security is crucial, especially for employees handling sensitive, job-related data.
Public sector employees often manage confidential information of strategic importance to their institution and country. However, their inadequate cyber hygiene behavior may jeopardize the safety and integrity of this critical data.
RQ4: Is there a significant difference in cyber hygiene levels across industry branches?
The ANOVA test indicates significant differences in cyber hygiene levels among individuals across various industry branches. With an eta-squared value (η2) of 0.135 for the industry branches variable, the industry type moderately affects cyber hygiene behavior (see Table 8).
The analysis shows that individuals in defense, IT, telecommunications, banking and finance exhibit higher cyber hygiene levels compared with other industries. Conversely, the lowest levels were observed among those in the food, service and health industries (Figure 3).
An analysis of cyber security measures in Turkey companies during the remote working period reveals that the defense, banking and finance industries have the highest levels of protection. In contrast, tourism, construction, health and service industries demonstrate low cyber security measures based on Recsem ratings (Figure 2).
Employees in construction, health and service industries exhibit below-average cyber hygiene behaviors, coinciding with their industries’ low cyber security measures (Figure 2). However, despite their institutions’ weak security measures, tourism industry employees maintain an average level of cyber hygiene.
Given the national security implications and sensitivity of the defense industry, it displays the most robust cyber security measures during remote work. Employees in this sector also demonstrate the highest level of cyber hygiene. Similarly, the banking and finance industry have implemented extensive cyber security measures, with employees exhibiting above-average cyber hygiene.
IT industry employees rank second in cyber hygiene, following defense industry workers. Despite their above-average cyber security measures during remote work, the IT industry ranks seventh compared with other branches. IT employees, having the most access to IT assets and valuable information (Torten et al., 2018), are frequently targeted by cyber attackers, followed by banking and finance employees (Greengard, 2016). Consequently, it is crucial for organizations to ensure IT employees maintain a high level of cyber hygiene awareness.
Examining cyber hygiene subdimensions across industry branches reveals that email and messaging hygiene is the strongest area, reflecting users’ ability to identify social engineering scams and phishing attacks, particularly crucial in remote work environments. However, transmission hygiene – encompassing secure internet networks and website usage for daily and financial transactions – is low in many industries, including banking and finance, whereas being high in defense, IT and telecommunications.
When comparing social media hygiene across various industries, defense industry workers exhibited the highest levels. This can be attributed to the strict information security and confidentiality requirements in their field.
High authentication and credential hygiene, which involve using complex usernames and passwords, changing defaults and enabling multifactor authentication, are observed in the IT, defense, automotive and manufacturing industries. In contrast, the food, service and construction industries demonstrate the lowest levels. As user information and passwords are frequently targeted by hackers (Torten et al., 2018), maintaining high cyber hygiene is crucial for all internet users.
Storage and device hygiene, encompassing secure data storage (both physical and cloud-based), up-to-date antivirus software and regular virus scans, is more prevalent in the defense and production industries, whereas it lags in the food and health sectors.
5. Discussion and conclusion
This paper aimed to investigate the information and computer security behaviors of remote workers. We used the Tr-CHI inventory, adapted to Turkish by the Authors (2020), and the Recsem Inventory, developed specifically for this research, to examine these behaviors.
The primary research question was: “What is the nature of cyber hygiene practices among individuals working remotely?” In this context, we addressed the following subquestions. By answering these subquestions, we provide insight into the main research problem.
Answering main research question and subquestions
RQ1: How do demographic factors (gender, education and age) affect cyber hygiene behaviors?
T-tests and ANOVA tests were used to investigate the research question (Tables 5, 9 and 10). The findings reveal that men exhibit better cyber hygiene than women, corroborating existing literature (Gratian et al., 2018; Anwar et al., 2017; Cain et al., 2018). Another investigation of cyber hygiene among university students discovered that males displayed greater trust in technology than females, and that intrinsic motivation was a more crucial factor in predicting females’ attitudes toward cyber hygiene (Neigel et al., 2020). A separate study assessed university students’ knowledge and awareness of cyber hygiene, concluding that students generally had a low level of cyber hygiene knowledge, with male students exhibiting a higher level than female students (Baraković and Baraković Husić, 2022). As cyber hygiene varies by gender, behavioral improvement efforts should account for demographic characteristics, such as offering additional training to female employees.
The analysis indicates significant differences in cyber hygiene levels based on participants’ education levels. Contrary to expectations, higher education levels do not necessarily correspond to better cyber hygiene. These findings align with Fatokun et al. (2019), suggesting that cyber hygiene improvement initiatives should be tailored to different educational levels.
The ANOVA analysis reveals that the highest cyber hygiene levels were observed among participants aged 18–24 and 25–34. This is attributed to their familiarity with technology and greater knowledge about it (Grimes et al., 2010). Literature supports age as a crucial factor influencing cyber hygiene behaviors (Whitty et al., 2015; Georgiadou et al., 2022). Consequently, it is recommended that older workers receive more focused training in information and computer security, with specialized and simplified content tailored to their comprehension capabilities.
RQ2: How do institutional cybersecurity measures influence individuals’ cyber hygiene behavior?
The findings derived from the regression analysis between an institution’s cyber security measures and an individual’s cyber hygiene behaviors offer insights into the relationship between organizational cybersecurity measures and the cyber hygiene practices of employees, unveiling a significant and impactful connection between the two factors. In essence, as organizations improve (strengthen) their cybersecurity measures, there is a corresponding increase in the level of cyber hygiene exhibited by employees.
This aligns with prior research conducted by Li et al. (2014), which reinforces the notion that the establishment and enforcement of cybersecurity policies have a positive influence on employee security behaviors. Such policies, when integrated into a comprehensive suite of cybersecurity measures, play an important role in enhancing cyber hygiene behaviors, transcending the boundaries of the workplace and extending their positive effects into employees’ remote work environments and personal cyber practices. This underlines the significance of proactive cybersecurity policies and measures in cultivating a culture of cybersecurity vigilance and responsibility among employees.
RQ3: How do sectoral differences (public–private) impact cyber hygiene behaviors?
The average cyber hygiene behaviors of remote workers reveal that private sector employees exhibit better practices than their public sector counterparts. This suggests that private sector workers are more attuned to information and computer security concerns. Upon examining the subdimensions of cyber hygiene, public sector employees demonstrate lower cyber hygiene behavior across all aspects compared with private sector employees. Many public sector workers handle devices requiring privacy and store information crucial to national strategic goals; however, their inadequate digital security practices place this vital data at risk.
Our research findings suggest that the low level of cyber hygiene behavior among public sector employees can be attributed to the insufficient cyber security measures in place for remote workers in this sector. To mitigate this risk and improve employees’ cyber hygiene, it is essential to strengthen cyber security measures within the public sector’s remote work systems. In addition, it is advisable to educate and train employees on cyber hygiene to cultivate a cyber security culture within organizations. Developing cyber security policies for remote work systems is recommended for both public and private institutions to enhance cyber hygiene (Li et al., 2019).
RQ4: Is there a significant difference in cyber hygiene levels across industry branches?
The findings reveal significant differences in cyber hygiene levels across various industry branches. Individuals in defense, informatics, telecommunications, banking and finance exhibited higher cyber hygiene levels, whereas those in food, service and health displayed the lowest (Figure 3). A closer look at cybersecurity measures adopted by these industries shows that defense, banking and finance have implemented the most rigorous measures for remote work. In contrast, tourism, construction, health and service industries lag behind. It is crucial to enhance cybersecurity measures in these industries to secure their operations in cyberspace.
An analysis of cyber hygiene subdimensions by industry reveals that e-mail and messaging hygiene is generally the highest, whereas transmission and browsing hygiene is the lowest for many industries. Employees in defense, IT and telecommunications demonstrate higher transmission and browsing hygiene, likely due to their work with critical data and high digital literacy. Surprisingly, banking and finance employees exhibit low transmission and browsing hygiene, a concern that requires attention.
Social media hygiene is highest among defense industry employees, whereas authentication and credential hygiene is high in IT, defense, automotive and production industries. Conversely, food, service and construction workers display lower levels of user authentication and credential hygiene. Defense and production employees exhibit high storage and device hygiene, whereas these standards are low in food and health industries. Health data, classified as personal and confidential, is subject to privacy protection regulations enforced by Turkey’s Personal Data Protection Authority (KVKK, 2023). Thus, health-care professionals are expected to maintain higher storage and device hygiene standards, necessitating targeted training programs to improve their cyber hygiene.
Based on the research findings, organizations should use innovative cybersecurity training to increase cyber hygiene awareness and enhance overall cybersecurity effectiveness. Managers should assess employees’ cyber hygiene levels and tailor training programs accordingly, rather than mandating uniform, complex training for the entire organization. For example, administrative assistants should receive different training than IT personnel.
Establishing cybersecurity inspection programs can help evaluate employees’ cybersecurity and cyber hygiene knowledge, enabling the development of customized training programs aligned with organizational and individual needs. Although many organizations possess the tools and solutions for efficient remote work systems, their effectiveness depends on rigorous cybersecurity measures and fostering cyber hygiene awareness among employees (Borkovich and Skovira, 2020).
Main research question: What is the nature of cyber hygiene practices among individuals working remotely?
The cyber hygiene behaviors of remote workers vary based on demographic characteristics and the industries in which they work. When analyzed demographically, men exhibit better cyber hygiene behaviors than women. However, no clear relationship was found between cyber hygiene behaviors and education level, possibly because of an insufficient sample size. Future studies should consider using equal sample sizes for each educational level. Regarding age, younger individuals exhibit higher levels of cyber hygiene, consistent with the literature, as elderly individuals tend to have less technological familiarity and knowledge (Grimes et al., 2010).
In the context of employment sectors, private sector employees demonstrate better security behaviors than their public sector counterparts. A significant relationship was found between cyber hygiene and the cybersecurity measures implemented by organizations. Our results indicate that institutional cybersecurity measures influence employees’ cyber hygiene behaviors, which vary across industry branches.
Comparisons among industry branches reveal that individuals in defense, IT, telecommunications, banking and finance exhibit the highest levels of cyber hygiene, whereas those in food, service and health industries have the lowest. Implementing cybersecurity measures enhances an organization’s resilience against cyber risks. Repairing damage from a cyberattack is time-consuming and costly, as is restoring the organization’s reputation to a trusted state. Consequently, this article aims to raise proactive awareness among managers and decision-makers regarding the importance of improving employees’ cyber hygiene behaviors. By doing so, organizations can not only protect their sensitive information and systems but also maintain their credibility and trustworthiness in the eyes of stakeholders. Developing comprehensive training programs, raising awareness and implementing effective policies and procedures can contribute to fostering a culture of strong cyber hygiene within organizations. This will help minimize potential risks associated with remote work and ensure the security of digital assets.
Implications
This paper offers significant theoretical and practical contributions to emerging work styles, such as hybrid and remote work, where individual behavior plays a critical role. First, it expands the literature on the relatively novel concept of cyber hygiene by examining its implementation in remote work environments. Second, the study enhances the reliability and validity of the model. Third, it distinguishes itself from existing research by adopting a comprehensive approach to individual cyber hygiene behaviors in the context of cybersecurity measures. Moreover, this study provides valuable guidance for policymakers aiming to raise cybersecurity awareness among remote workers. Finally, it assists managers in aligning individual behaviors with corporate security policies.
To mitigate the risks posed by cyberattacks, organizations and decision-makers should invest in advanced cybersecurity measures. We recommend adopting new-generation tools and techniques, such as incident management training, educational booklets and cybersecurity protocols for coordinating and managing incidents. These efforts will help improve employees’ cyber hygiene behaviors.
Study limitations
This study has certain limitations. First, the sample was drawn from Turkey, with data collected in Turkish. Second, a cross-sectional survey technique was used for data collection. Finally, participants worked in 12 different industries across both private and public sectors. Including more or different industries could expand the findings.
Future research directions
Future studies should administer the cyber hygiene inventory to individuals from different countries and cultures to enhance validity. An exploratory study could identify cultural differences in information and computer security behaviors. Because the data is cross-sectional, cyber hygiene behaviors were only assessed during a limited time frame. Thus, it is recommended to use diverse methodologies, such as longitudinal studies, to better understand the behavioral aspects of cyber hygiene. Qualitative approaches, like the Delphi method, could also be used to deepen research on information and computer security behavior and enrich findings. Moreover, future research could compare and analyze cyber hygiene behaviors of remote, hybrid and in-office workers.
Figure 1.Cyber hygiene subdimensions average by sector comparison
Figure 2.Cyber hygiene and cyber security measures by industry branches
Figure 3.Cyber hygiene subdimensions by industry branches comparison
Table 1.
Differences and similarities of recent studies on cyber hygiene
| Study | Domain | Main findings | Differences | Similarities |
|---|---|---|---|---|
| Wiederhold (2014) | Role of human error in cyber security breaches | The paper discusses the role of psychology in enhancing cybersecurity. It highlights the importance of understanding human behavior in cyberspace and how it can be used to mitigate the risk of cybercrime | Focused on the role of human error in cyber security breaches | Highlights the importance of good cyber hygiene in mitigating the risk of cybercrime |
| Cain et al. (2018) | General users’ knowledge and behavior | Most users create complex passwords (at least eight characters long, and with upper and lowercase letters). Age, gender, victim history, perceived expertise and training impact cyber hygiene | Focused on general users and self-proclaimed “cybersecurity experts” | Found that males have more knowledge about cyber hygiene than females |
| Ncubukezi et al. (2020) | SMEs’ cyber hygiene status | Cybersecurity hygiene in SMBs varies from one business sector to the other. The absence of detailed rules, standards, procedures and guidelines to promote good cybersecurity hygiene leads to poor cyber hygiene in SMBs | Focused on SMEs and their cyber hygiene status | Emphasizes the importance of maintaining good cyber hygiene to avoid data corruption, loss and breaches |
| Neigel et al. (2020) | University students’ attitudes | Several factors, such as information handling, incident reporting and password management were associated with better cyber hygiene. Trust in technology and intrinsic motivation were predictive of improved cyber hygiene | Focused on university students and their attitudes towards cyber hygiene | Found significant gender differences in cyber hygiene-related knowledge, attitudes and behaviors. Also identified differences across academic majors |
| Ncubukezi and Mwansa (2021) | Best practices in business sectors | The study reports the best practices used by different business sectors to maintain cyber hygiene, which include device hygiene, network hygiene and information hygiene. The paper recommends using Cyber Essentials as a guideline to mitigate cyber risks | Focused on best practices in different business sectors | Emphasizes the importance of maintaining good cyber hygiene |
| Alowais et al. (2022) | Impact of national culture on cyber hygiene practices | National culture moderates the effect of individuals' perceived expectancy and value on their motivation towards adhering to cyber hygiene practices. Cyber hygiene practices may need to be approached differently in different cultural contexts | Focused on the impact of national culture on cyber hygiene practices | Emphasizes the importance of maintaining good cyber hygiene |
| Baraković and Baraković Husić (2022) | University students' knowledge and awareness | Students have acceptable cyber hygiene behavior, but their awareness is not satisfactory, and their knowledge is quite low. There are relations between gender and current education level and cyber hygiene knowledge, awareness and behavior | Focused on university students and their knowledge and awareness of cyber hygiene | Found that males have more knowledge about cyber hygiene than females |
| Ugwu et al. (2023) | Employees and students of the University of Nigeria, Nsukka (UNN) | There is a need for improvement in cyber hygiene practices among the participants. There was a significant association between gender, employment status and academic discipline with cyber hygiene culture. Females, academic staff and students in the Faculty of Engineering had a higher level of cyber hygiene culture. No significant differences in cyber hygiene behavior between males and females | Focused on employees and students of UNN | Highlights the importance of good cyber hygiene. Also, academic discipline was found to be associated with cyber hygiene culture |
Source: Created by authors
Table 2.
Cyber hygiene categories
| Cyber hygiene type | Definition/scope | Example(s) |
|---|---|---|
| Storage and device hygiene | It refers to security measures and behaviors related to the configuration settings of digital devices | Conducting virus scans on any storage device, backing up important files and keeping the device’s virus protection and device software up to date |
| Transmission hygiene | It refers to computer users’ behaviors when connecting to an unknown or insecure wireless network | Checking the quality of the SSL certificate and the lock icon in the Web browser |
| Social media hygiene | It refers to the user’s computer security behaviors during the general use of social media | Evaluating the authenticity of friend requests on social media, being aware of who you are friends with on social media, and managing privacy settings |
| Authentication and credential hygiene | It refers to user’s computer security behaviors related to the use of passwords and authentications | Changing default usernames and passwords, creating complex usernames and passwords and enabling multifactor authentication |
| Email and messaging hygiene | It refers to user’s computer security behaviors related to e-mails usage and messaging | Checking the subject of an incoming email, checking the email domain name of the sender and checking the spelling and grammar of email requests |
Source: Created by authors
Table 3.
Descriptive statistics
| % | |
|---|---|
| Gender | |
| Male | 62.2 |
| Female | 37.8 |
| Age | |
| 18–24 | 27.8 |
| 25–34 | 45.5 |
| 35–44 | 19.2 |
| 45+ | 7.5 |
| Sector | |
| Public | 32.8 |
| Private | 67.2 |
| Education | |
| Bachelor’s | 52.3 |
| Master’s | 19.5 |
| PhD | 19 |
| Other | 9.2 |
Source: Created by authors
Table 4.
Confirmatory factor analysis
| Nu | Code | Dimension | Factor weight |
|---|---|---|---|
| 1 | SH1 | F1 | 0.762 |
| 2 | SH2 | F1 | 0.643 |
| 3 | SH3 | F1 | 0.667 |
| 4 | TH1 | F2 | 0.828 |
| 5 | TH2 | F2 | 0.856 |
| 6 | TH3 | F2 | 0.601 |
| 7 | SM1 | F3 | 0.619 |
| 8 | SM2 | F3 | 0.837 |
| 9 | SM3 | F3 | 0.809 |
| 10 | SM4 | F3 | 0.743 |
| 11 | AH1 | F4 | 0.717 |
| 12 | AH2 | F4 | 0.795 |
| 13 | AH3 | F4 | 0.814 |
| 14 | AH4 | F4 | 0.467 |
| 15 | EH1 | F5 | 0.767 |
| 16 | EH2 | F5 | 0.781 |
| 17 | EH3 | F5 | 0.710 |
Notes:F1 = storage and device hygiene (SH); F2 = transmission hygiene (TH); F3 = social media hygiene (SM); F4 = authentication and credential hygiene (AH); F5 = email and messaging hygiene (EH)
Source: Created by authors
Table 5.
Relationship between gender and cyber hygiene (T-test)
| Gender | N | Mean | SD | t |
|---|---|---|---|---|
| Female | 167 | 3.4463 | 0.59641 | −2.564 |
| Male | 275 | 3.6092 | 0.67676 | −2.644 |
Source: Created by authors
Table 6.
Relationship between age and cyber hygiene (ANOVA test)
| Sum of squares | df | Mean square | F | Sig. | |
|---|---|---|---|---|---|
| Between groups | 12.936 | 5 | 2.587 | 6.469 | 0.000** |
| Within groups | 174.360 | 436 | 0.400 |
Source: Created by authors
Table 7.
Cyber hygiene means comparison by sector (public–private)
| Sector | N | Mean | SD | T |
|---|---|---|---|---|
| Public | 145 | 3.3258 | 0.65117 | −5.144 |
| Private | 297 | 3.6560 | 0.62497 | −5.072 |
Source: Created by authors
Table 8.
Industry branches and cyber hygiene relationship (ANOVA test)
| Sum of squares | df | Mean square | F | Sig. | |
|---|---|---|---|---|---|
| Between groups | 25.275 | 11 | 2.298 | 6.098 | 0.000** |
| Within groups | 162.021 | 430 | 0.377 | – | – |
Source: Created by authors
Table 9.
Relationship between education and cyber hygiene (ANOVA test)
| Sum of squares | df | Mean square | F | Sig. | |
|---|---|---|---|---|---|
| Between Groups | 12.970 | 5 | 2.594 | 6.488 | 0.000** |
| Within Groups | 174.326 | 436 | 0.400 | – | – |
Source: Created by authors
Table 10.
Relationship between cyber hygiene and cybersecurity measures (T-test)
| Model | R | R square | Adjusted R square | Std. Er. of the estimate | Durbin–Watson |
|---|---|---|---|---|---|
| 1 | 0.430 | 0.185 | 0.183 | 0.58904 | 1.782 |
Source: Created by authors
© Emerald Publishing Limited.