An Assessment of Employee Knowledge, Awareness, Attitude towards Organizational Cybersecurity in Cameroon

In our increasingly digitized and interconnected society, people are poorly protected against cyberthreats, with the main reason being user behavior. Human behavior and actions are unpredictable in nature, and this makes humans an important element and enabler of cybersecurity. The objective of the study is to promote the adoption of non-technical countermeasures (such as user awareness) for a comprehensive and holistic way to manage cyber security in organizations in Cameroon. We conducted a subjective study to measure the level of employees’ knowledge and general awareness, the risky behavior they engage in, and their attitude toward various aspects of cybersecurity and cyberthreats, to show the need for user education, training, and awareness. For the study described in this paper, a self-report questionnaire was developed and data were collected from 214 participants. Descriptive percentage statistics indicated that less than 50% of respondents have completed or have a regular training program. We find that over 61% of the participants do not have sufficient knowledge of their organization’s cyber security policies. Among other findings, the fact that over 60% of employees’ mistakes or violations of security policy are not disciplined or penalized demonstrates the lack of legal status of cyber-attacks. Cyber resilience in any organization is a responsibility shared by both management and employees. A proactive human management element that can actively hunt for malicious activity and indicators of compromise is recommended.


Introduction
Cybersecurity has become a crucial topic in Cameroon because cyber threats have become a very common occurrence in everyday life. Cybersecurity can be defined as the efforts organizations take to protect and defend their information assets, regardless of the form in which those assets exist, from threats internal and external to the organization (Dalal, Howard, & Bennett, 2021). Cybersecurity threats are becoming more frequent and, according to Pollini, Callari, and Tedeschi (2021), include online fraud, distributed denial of service, drive-by download, and social engineering attacks. The changing nature of cybersecurity is exploiting instances of human error or negligence along with system vulnerabilities. Organizational cybersecurity requires more than just the latest technology. All employees of an organization must act together to reduce risk and secure the organization. Research by Badie and Lashkari (2012) categorized the two most important factors affecting the security of computing systems as (i) the human factor and (ii) the organization factor. According to Jeimy and Cano (2019), humans represent a mystery to be deciphered by cybersecurity experts because their behaviors, attitudes, beliefs, rituals and decisions (the general characteristics that define a culture) constitute a little-understood universe for executives and their heads of security. In their study, Dreyer et al. (2018) concluded that despite all the technical efforts and security procedures, people are highly likely to expose organizations to vulnerabilities. Insider threat from human behavior is one of the most difficult aspects of cybersecurity to control. Humans are the dominant security decision-makers in the face of cyber-attacks.
Employees' negligence and/or carelessness surrounding information security are the main cause of data breaches (Kessler et al., 2020). Building a culture of cybersecurity within an organization guides employee behavior and increases cyber resilience (Huang & Pearlson, 2019). To be cyber resilient, organizations must have committed, well-informed, vibrant, sustainability-minded, and engaged employees. As Maalem, Caulkins, and Mohapatra (2020) summarized, employees have to be knowledgeable of the risks and differentiate desired from undesired behaviors. Cybersecurity is a leading national security challenge facing Cameroon today. Taking into account the high turbulence and considerable pressure on employees in the country to be effective performers within the current stressful environment, understanding their knowledge and general awareness, risky behavior and attitude towards cybersecurity is considered important. Measurement of the cybersecurity awareness and attitude of employees in Cameroon has not received sufficient attention. Cybersecurity culture is difficult to identify, build and quantify. A critical first step in achieving this and enhancing cybersecurity readiness is to understand what the employees currently know and their attitude towards the concept. Every employee must act in ways that keep the organization cybersecure. Accordingly, this study performs an empirical assessment of attitude, knowledge and risk-taking behavior towards cybersecurity among selected employees in selected Cameroonian organizations, focusing on the following research questions: 'What is the employees' self-reported level of cyber security awareness and knowledge of cyber threats and cybersecurity?', 'What is the employees' self-reported level of exposure or risk-taking behavior towards cybercrime activities?', and 'What is the employees' self-reported level of attitude towards cybersecurity?'
The remainder of this paper is organized as follows: Section 2 discusses the related works, and Section 3 presents the methodology used to assess the cybersecurity awareness level. Section 4 describes the analysis results based on the dataset collected in this study. Section 5 concludes the paper.

Literature Review
Monitoring cyber security has gained attention lately due to the rise in cyber-attacks. Humans are considered [rightly or wrongly] the greatest vulnerability to cybersecurity. This is a position taken by the different research studies reviewed in preparation for this study. Research by Nobles (2018) estimated that 95% of cyber and network attacks are due to human errors and inappropriate behaviors. According to Ahram and Karwowski (2019), the human as the end user can be a critical backdoor into the network. As also reasoned by Mc Mahon (2020), a trope that has long dominated cyber security is the idea that humans are the weakest link.
In research by Aamir, Parul, Sangeeta, and Darshana (2020), employees are seen as the most vulnerable links; they need cyber security awareness and training to protect themselves and the company against new, evolving cyber-attacks. According to numerous other authors (e.g. Arachchilage & Love, 2014; Hiller & Russell, 2013), employees' information security awareness plays a vital role in mitigating the risk associated with their behavior in organizations. Where employees are not aware of the value of cybersecurity awareness, they are not able to detect any cyber security issue and are also not aware of the risks that are associated with their actions. For this reason, it is critical to develop employee cyber security awareness training programs that are capable of improving the cyber security posture.
To study cyber security awareness of employees, Arquilla and Guzdial (2017) proposed a standardized questionnaire focusing on cyber security awareness and behavior of employees as the most appropriate measure. Khalid et al. (2018) noted the effect that knowledge of cyber security had on the participants' ability to be aware of online risks during the use of the internet. Egelman and Peer (2015) developed the Security Behavior Intentions Scale (SeBIS). It comprises 16 items and includes four sub-scales addressing attitudes toward password design and applicability, digital device protection, proactive engagement and recognition, and finally software update. Another interesting study was the Human Aspects of Information Security Questionnaire (HAIS-Q), developed by Parsons et al. (2017); the authors use a scale composed of 63 items, divided into three separate sub-areas that measure knowledge, attitudes and behaviors. This questionnaire intends to evaluate and understand the levels of information security awareness in an organization. Kennison and Chan-Tin (2020) concluded in their research that individuals' use of insecure cybersecurity behaviors, including the use of weak passwords, is a leading contributor to cybersecurity breaches. The authors stated that developing profiles of individuals who are likely to become victims of password hacking, phishing scams, and other types of breaches would be useful, as they could be used to identify individuals with the highest likelihood of engaging in insecure cybersecurity behaviors.
In another study, Alotaibi et al. (2016) investigated the cyber security awareness, cyber security practices, and incident reporting of the general public in Saudi Arabia. The results show that Saudi citizens had a good knowledge of IT, but limited awareness of the threats associated with cyber security practices, cybercrime, and the roles of organizations and government in guaranteeing information safety across the Internet.
Hadlington (2018) measured employees' attitudes towards cyber security, their general awareness of cybercrime, and the types of risky online behaviors they engaged in, in the United Kingdom. The results demonstrated a significant negative correlation between attitudes towards cyber security and risky cyber security behaviors, with more negative attitudes being linked to higher levels of risky behaviors.
The Abdulaziz Alzubaidi (2021) study focuses on measuring the current level of cyber-security awareness in Saudi Arabia, in terms of cyber-security practices, level of awareness, and incident reporting, by means of an online questionnaire. The results showed that 31.7% used public Wi-Fi to access the Internet, 51% used their personal information to create their passwords, 32.5% did not have any idea about phishing attacks, and 21.7% had been victims of cybercrimes, while only 29.2% of them reported the crime, which reflects their levels of awareness.
Cybersecurity as a public concern is receiving insufficient robust education and attention in Cameroon, from either the government or organizations. A 2008 law was one attempt at cyber security and consumer protection in the country, but implementation is hindered. Some commentators on the country's efforts have attributed the failure to the country's so-called clientele-driven government. According to Andeme Bikoro et al. (2018), in the Cameroonian public administration, young people are more concerned about the inconveniences that could result from the non-use of cyber security measures. Findings of a 2020 State of Application Security in Enterprises study [https://gefona.org/rapports/] show that for the majority of organizations, cyber-attacks happen through web applications and that people are ignorant of most cybersecurity terms such as phishing.

Research Selected Controls
Research design aims to fulfill the objectives of the research and find the solutions for research questions. To determine which cybersecurity controls and associated cyberthreats should be included in the questionnaire, the research adopted questions previously raised by Pew Research Center's cyber security quiz (Olmstead & Smith, 2017), the ISO 27002 standard (ISO27002, 2017), the Security Behaviors Intentions Scale [SeBIS] (Egelman & Peer, 2015), the Risky cybersecurity behaviors scale (RScB, partly based on the SeBIS developed by Egelman & Peer, 2015), Aljohani and Elfadil (2020), Attitudes towards cybersecurity and cybercrime in business (ATC-IB) (Hadlington, 2018) and Elbelekia (2020). Specific controls were selected according to the following criteria. The control 1) can be implemented at an individual level, 2) is not very context-dependent, and 3) has a clear, unambiguous description. As such, a total of 52 controls were shortlisted. After expert interviews (n = 3), 45 controls remained.

Data Collection
Data was collected through a self-reported paper-based questionnaire. Self-reported measures are subject to a range of well-known biases and demand effects (Dimoka, Pavlou, & Davis, 2011), including social desirability bias. Social desirability bias is the tendency of individuals to portray themselves and their behavior in ways that are more socially acceptable. Measurement was conducted between March and May 2021. The questionnaire design closely followed the semi-structured interview guide of Harrell and Bradley (2009). An attempt was made to avoid high-tech jargon, using plain terms instead to better match employees' background IT knowledge. Participants' consent was important to us. Participants were informed that the topic of the questionnaire was 'the human side of cybersecurity', that completing the questionnaire would take approximately 30 minutes, and that all data would be processed anonymously. It was also explained that the questionnaire was about the participant's perception and opinion relating to cybersecurity. To discourage people from giving answers based on perceived social desirability, respondents were instructed to choose the option 'I don't know' if they did not know the answer, or the option 'not applicable or do not understand' if they had never used the control in question.
This study used purposive sampling. An identified and willing manager at a higher level helped to distribute the questionnaire to her or his subordinates. Participants are from both private and public healthcare, education, and telecommunication environments. A total of 214 valid responses were used in the final interpretation. As suggested by Osborne and Costello (2004), there are no absolute rules for the sample size needed to validate a questionnaire. However, based on Gorusch's respondent-to-item ratio, ranging from 5:1 (i.e., fifty respondents for a 10-item questionnaire) (Gorusch, 1983), this research's 214 participants are judged reasonable because of the ongoing COVID-19 pandemic and the Anglophone crisis in Cameroon, which have affected numerous data collection projects. Below are the results from the analysis, frequency tables, statistics and charts.
As presented in Table 1, the participants in the study were employees and graduate students of a private education institution, private hospitals, a public IT and communication institution [government ministry and telecommunications], a public financial services provider, public education institutions, and a group of employees who chose not to disclose their sector but whom we classified as public. In total, there were 66 (30.84%) respondents from the private sector and 148 (69.16%) respondents from the public sector (Table 1). Another part of the demographic questions evaluated how often the respondents access the Internet. The answers were distributed into 68 (31.78%) accessing the Internet frequently, 112 (54.67%) once or twice a day, and 11 (5.14%) accessing the Internet less frequently, such as once a week, while 18 (8.41%) did not answer the question. On the question about which devices they regularly use to access their networked systems and the Internet, smartphones came first with 52.4%, followed by laptops (28.41%), while 21.65% was distributed among desktops and tablets.
Another interesting question in this part concerned the purpose for accessing the Internet (respondents could select one or more options). Utilizing the Internet for education, social networking, online services, and communication was the most frequently selected choice, with 80 subjects (37.38%); government services and professional reasons had the lowest percentage of answers, with less than 16.36%; and the remaining percentage was distributed among education or information seeking, social media, online services, entertainment (e.g. playing games) and communication (e.g. email, Zoom, etc.).

Measuring Employee's Cybersecurity Concepts, Knowledge and Awareness
According to Bloom et al. (1956), knowledge can be defined as 'remembering specific and general issues, remembering methods or processes or remembering patterns, structures or contexts'. Rasmussen stated that knowledge is a precondition for adopting correct behavior in a given situation (Rasmussen, 1983). In the field of cybersecurity this involves recognizing and knowing about cyberthreats (Ben-Asher & Gonzalez, 2015), understanding their potential impact, and being conscious of the measures that can be taken against them (Siponen, 2001; Du Plessis & Von Solms, 2002). In cybersecurity research, knowledge can be measured using an option where a statement is given and the respondent has to evaluate whether this statement is correct or not. In this type of question, the answer options are the same for each question, for example 'true/false' (Parsons, McCormac, Pattinson, Butavicius, & Jerram, 2013). These types of statement were used in the research detailed here. Also measured is the respondent's awareness. The difference is that knowledge consists of knowing the facts, but awareness means being cautious because of the facts. Knowledge also refers to the detailed understanding of cyber security, while awareness warrants taking necessary actions to prevent cyber-attacks without needing that deep understanding. However, assessing the knowledge of the participant is also a significant means of measuring awareness. Table 3, which is a numerical representation, shows the results for all 214 participants, the percentages, and our analysis of and comments on their answers. There is good awareness and knowledge of cybercrime. Cyber security education has two elements: first, people need to become aware of the need to take precautions, and then teachers need to impart the skills they require to take the required precautions.
Each must be cultivated to be of high priority in Cameroon. Research by Moustafa, Bello and Maurushat (2021) said that complying with security policies is one key behavior to protect computer and network systems. That 73.43% of the total participants do not have sufficient information about their cyber security policies and procedures, and that 69.16% have no knowledge or understanding of whether punishment for failing to comply with security policies is the same for everyone in their organization, is a profound matter of concern. The results also indicate that 50.47% of the participants think that software is updated automatically. This is a serious human error and, according to Rajivan, Aharonov-Majar, and Gonzalez (2020), it is one common error underlying cybersecurity behaviors. Research by San Nicolas, Schooley, and Spears (2014) found that the best way to increase compliance with security policy is to give employees the opportunity to participate in the development of the information security awareness and training programs. This is one strong option available to organizations in Cameroon; there is not much available evidence that organizations are strongly investing in such practices.

Understanding Employees Exposure & Risk taking behaviors to Cybersecurity Activities
Risk is generally defined as engaging in a behavior with an uncertain outcome, usually for the benefit of gaining more (Saleme et al., 2018). According to King et al., computer system users who are high in risk taking may be more likely to fall victim to cybercrimes (Henshel et al., 2015; King et al., 2018). According to Greitzer and Hohimer (2011), the only way to be proactive in the cyber domain is to take behavioral data into account. Humans can be tricked and manipulated, are sometimes ignorant, often make mistakes, and suffer lapses in judgment; therefore, understanding employees' feedback on their exposure to activities that constitute cybercrimes should increase security behaviors [see Table 4]. People will continue to be primary targets of cyber-attack. Phishing remains a major threat for many organizations.
The results from this study are mixed. About 36% of the subjects clicked on a link or opened an attachment from a known or unknown source, and 31% always gladly gave their password. Phishing is a serious global issue. Cyber breach data for 2017-2019 released by the U.K.'s Information Commissioner's Office (ICO) shows that the majority of data breaches began with a phishing attack. Every day 156 million phishing emails are sent and 16 million of these get through security filters into inboxes. What's more, 8 million phishing emails are opened and 800,000 malicious links in those emails are clicked.
That 57% of the participants admit to not using a password/passcode to unlock their laptop is a significant lack of compliance with cybersecurity policy, if well defined. Developing in-depth knowledge and awareness among every employee through continual robust education would again make the difference on the numbers recorded.
Research by Moustafa et al. (2021) said that a lack of compliance with security policies is risky: the benefit is not doing any additional work, such as a software update (which is rewarding), but the risk is falling victim to cybercrimes and phishing.

Measuring Employees' Attitudes towards Cyber security and Cybercrime
According to Dwyer (1993), despite some objections, a fast and user-friendly way to measure attitudes in a larger group is through self-reporting based on a series of statements in a questionnaire. A questionnaire is the best method to measure attitude effectively, and it is what is reported here. The main problem with self-reporting is that there is a chance that people will provide an answer motivated by social desirability. To prevent respondents from giving socially desirable answers, the instructions emphasize that the study gains most from sincere answers. To allow for the possibility that people may not have an opinion on a given question, the option 'not applicable/no opinion' was added. Answers could be provided along a five-point Likert scale ranging from 'Strongly disagree' (1) to 'Strongly agree' (5), and also the options 'I don't know' and 'not applicable'. The responses to the items are presented in Table 5.

nct.ccsenet.org Network and Communication Technologies Vol. 7, No. 1

The results highlight a failure by the respondents to fully understand the risks of cyber security, both in mindset and in practice. People also had a positive attitude towards the cybersecurity questions asked. Complying with security policies is one key behavior to protect computer and network systems. Many of the employees do not see cyber security as their primary concern. For instance, on the statement 'I don't think that reporting a cyber-attack on the company is my responsibility', 30.84% of the participants strongly agree and 45.79% agree. This is an indication that many Cameroonian employees are devolving responsibility for their cyber security to technical interventions and senior management. On the statement 'I think that it's the management that has the responsibility to ensure our organization is protected from cybercrime', 30.84% of the participants strongly agree and 41.12% agree.
A total of 63.55% of the employees agree with the statement 'I think cyber security is a public safety issue that should be handled by a wider authority'. This would nicely fit into a risk compensation framework (Hadlington & Parsons, 2017), where an individual who believes they are protected by technical interventions provided by their host organization may in turn engage in more risky cyber security behaviors. Research by Maqbool, Aggarwal, Pammi, and Dutt (2020) argued that penalizing individuals not in compliance with security policies should increase security behaviors.

Conclusion
Organizations and their employees made decisions that influenced attitudes, beliefs and values around cybersecurity. For cybersecurity resilience, organizations in Cameroon must act to minimize human behaviors that create cybersecurity vulnerability and increase behaviors that protect their organizations. Creating and communicating a culture of cybersecurity awareness and security best practices is imperative in the fight against malicious intent. The protection and defense of analogue and digital electronic devices, their communications channels, and their processing and control logic and algorithms stand a better chance of improving in Cameroon when organizations begin to proactively adopt a user-centered perspective. According to Pollini et al. (2021), better cyber-security culture does not always correspond with more rule-compliant behavior; conflicts among cybersecurity rules and procedures may even trigger human vulnerabilities.
The human factor is the underlying reason why many attacks on institutions' systems are successful, because the uninformed user is the weakest link targeted by cyber criminals; yet people are the most important element of a cybersecurity solution strategy. This paper recommends that organizations in Cameroon invest in cybersecurity education for their employees, focusing on communication, engagement, collaboration, and social engineering. We also recommend prioritizing the creation and implementation of a cybersecurity strategy, on which policies and other security efforts could be based. A wider study of cyber security culture (the attitudes, knowledge, assumptions, norms and values of the workforce of an organization with respect to cyber security) among many Cameroon-based IT users is suggested. We advocate that organizations develop profiles of employees who are likely to become victims of password hacking, phishing scams and other types of breaches. This would be useful, as such profiles could be used to identify individuals with the highest likelihood of engaging in insecure cybersecurity behaviors. Organizations must deploy a variety of cybersecurity measures and techniques to match the complexity of a blended or single attack. It should be noted that the opinions of stakeholders from the North West Region sampled for this study do not represent the entire country. Due to limited resources and time constraints, we were unable to sample all 10 regions in the country. Thus, a major limitation of this study is the fact that we interviewed a small convenient sample in one Region.