Taxonomy of mobile users’ security awareness

Ron Bitton, Andrey Finkelshtein, Lior Sidi, Rami Puzis, Lior Rokach, Asaf Shabtai

Research output: Contribution to journal › Article › peer-review


The popularity of smartphones, coupled with the amount of valuable and private information they hold, makes them attractive to attackers interested in exploiting the devices to harvest sensitive information. Exploiting human vulnerabilities (i.e., social engineering) is an approach widely used to achieve this goal. Improving the security awareness of users is an effective method for mitigating social engineering attacks. However, while in the domain of personal computers (PCs) the security awareness of users is relatively high, previous studies have shown that for the mobile platform the security awareness level is significantly lower. The skills required from a mobile user to interact safely with his/her smartphone are different from those required for safe and responsible PC use. Therefore, the awareness of mobile users of security risks is an important aspect of information security. An essential and challenging requirement of assessing security awareness is the definition of measurable criteria for a security-aware user. In this paper, we present a hierarchical taxonomy for security awareness, specifically designed for mobile device users. The taxonomy defines a set of measurable criteria that are categorized according to different technological focus areas (e.g., applications and browsing) and within the context of psychological dimensions (e.g., knowledge, attitude, and behavior). We demonstrate the applicability of the proposed taxonomy by introducing an expert-based procedure for deriving mobile security awareness models for different attack classes (each class is an aggregation of social engineering attacks that exploit a similar set of human vulnerabilities). Each model reflects the contribution (weight) of each criterion to the mitigation of the corresponding attack class.
Application of the proposed procedure, based on the input of 17 security experts, to derive mobile security awareness models for four different attack classes confirms that the skills required from a smartphone user to mitigate an attack differ between attack classes.
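The abstract says each attack-class model assigns a weight to every criterion based on expert input, and the record lists the Analytic Hierarchy Process (AHP) as a keyword. The following Python block is an added example, not the authors' code, showing how AHP turns pairwise expert judgments into such weights for one attack class: it builds reciprocal comparison matrices, checks each expert's consistency ratio, pools the consistent experts by geometric mean, and extracts the priority vector. The four criteria names, the three experts' judgments, the 0.1 consistency threshold and the geometric-mean pooling are assumptions for illustration; the page does not describe the authors' actual elicitation procedure.

```python
import math

# Added example (not from the paper): per-criterion weights for one attack
# class via the Analytic Hierarchy Process (AHP), which the paper lists as a
# keyword. Criteria, judgments and pooling rule are assumptions for illustration.

# Hypothetical awareness criteria for a single attack class (assumed names).
CRITERIA = ["app_permissions", "sideloading", "url_inspection", "os_updates"]

# Saaty's random consistency index, indexed by matrix size n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def reciprocal_matrix(n, judgments):
    """Expand upper-triangle judgments {(i, j): a_ij} into a full n x n
    positive reciprocal matrix (a_ji = 1 / a_ij, diagonal = 1)."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), value in judgments.items():
        m[i][j] = float(value)
        m[j][i] = 1.0 / value
    return m


def priority_vector(m, iterations=500):
    """Principal eigenvector by power iteration, normalised to sum to 1.
    For a positive matrix this converges to the Perron vector."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    return w


def consistency_ratio(m):
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1);
    a CR above 0.1 is conventionally treated as too inconsistent to use."""
    n = len(m)
    w = priority_vector(m)
    lambda_max = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i]
                     for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    ri = RANDOM_INDEX[n]
    return 0.0 if ri == 0 else ci / ri


def consistent_experts(matrices, max_cr=0.1):
    """Keep only the expert matrices whose judgments pass the CR threshold."""
    return [m for m in matrices if consistency_ratio(m) <= max_cr]


def aggregate_experts(matrices):
    """Pool experts by element-wise geometric mean, which preserves the
    reciprocal property of the matrix (an arithmetic mean would not)."""
    n = len(matrices[0])
    k = len(matrices)
    return [[math.prod(m[i][j] for m in matrices) ** (1.0 / k)
             for j in range(n)] for i in range(n)]


def derive_weights(matrices, max_cr=0.1):
    """Full pipeline for one attack class: filter, pool, weight."""
    kept = consistent_experts(matrices, max_cr)
    if not kept:
        raise ValueError("no expert passed the consistency check")
    w = priority_vector(aggregate_experts(kept))
    return dict(zip(CRITERIA, w))


# Constructed judgments from three hypothetical experts on Saaty's 1-9 scale:
# a_ij > 1 means criterion i matters more than criterion j for this class.
EXPERT_1 = reciprocal_matrix(4, {(0, 1): 1, (0, 2): 2, (0, 3): 4,
                                 (1, 2): 2, (1, 3): 3, (2, 3): 2})
EXPERT_2 = reciprocal_matrix(4, {(0, 1): 2, (0, 2): 4, (0, 3): 4,
                                 (1, 2): 2, (1, 3): 2, (2, 3): 1})
# Expert 3 is circular (0 > 1, 1 > 2, yet 2 > 0) and should be filtered out.
EXPERT_3 = reciprocal_matrix(4, {(0, 1): 5, (1, 2): 5, (0, 2): 1 / 5,
                                 (0, 3): 1, (1, 3): 1, (2, 3): 1})
EXPERTS = [EXPERT_1, EXPERT_2, EXPERT_3]

if __name__ == "__main__":
    for name, weight in derive_weights(EXPERTS).items():
        print(f"{name:16s} {weight:.3f}")
```

Running the block prints one weight per criterion for the attack class; repeating it with a different judgment set per attack class is what produces class-specific models, which is the point the abstract makes about skills differing between classes. The consistency check matters in practice: a single circular expert can otherwise dominate the pooled matrix and silently distort the weights.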

Original language: American English
Pages (from-to): 266-293
Number of pages: 28
Journal: Computers and Security
State: Published - 1 Mar 2018


  • Analytic hierarchy process
  • Mobile devices
  • Security awareness
  • Social engineering
  • Taxonomy

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Law


