A taxonomy of perceived information security and privacy threats among IT security students

The purpose of this study is to explore students´ perceived information security and privacy (IS&P) threats and to classify them in a way that helps in analyzing the problem, creating awareness measures and further improving students´ IS&P education. Using a qualitative research approach, a group of forty two Master´s degree IT students identified seventy five IS&P threats related to them. The identified threats were classified into fourteen categories. Further, using the affinity diagraming technique, the categories were grouped into four domains - Personnel, Devices, Intranet and Internet. In this way, we defined a taxonomy of students´ perceived IS&P threats as well as a model that highlights the domains where students consider themselves prone to IS&P threats. The proposed taxonomy and the domain model can be used as a benchmark for designing information security awareness assessment instruments as well as preparing information security awareness programs. The taxonomy can also be used for highlighting areas where students lack information security related knowledge.