User Survey

In our user survey, we used the following questionnaire to evaluate user perception of awareness measures and decisions under risk. All questions, excluding the consent form and open-ended questions (which can be left blank), offer an "I prefer not to answer" option, which we omitted here for readability and to save space. If not stated otherwise, we used the following answer options (AO): 5-point Likert scales (5PL), single-choice (SC), multiple-choice (MC), Yes or No (Y/N), or open-ended answer (OE) options.

Block I

Q1: Can you imagine anything under the following measures? Live Hacking, Phishing Campaign, Seminar/course/workshop, eLearning. AO: 5PL from 1: "Not at all" to 5: "Yes, totally"

Q2: Do you know of any other cybersecurity awareness measures, if so which? AO: OE

Q3: In how many of these measures have you already participated? AO: SC between 0, 1--2, 3--5, >5

Block IIa

Q4: You have indicated that you have not yet participated in any cybersecurity measures. Have you been offered such measures in a professional or private context? AO: Y/N

Q5: Which reasons contributed to the fact that you did not participate in any measure (multiple selection possible)? AO: SC between "Company did not offer cybersecurity measures", "No interest in cybersecurity", "Cybersecurity awareness measures are too expensive as a private individual", Other

Q6: What would have to change for you to voluntarily participate in a cybersecurity awareness effort? AO: OE

Q7: How interested would you be in a cybersecurity awareness offer provided by your employer? AO: 5PL from 1: "Not interested at all" to 5: "Very interested"

Q8: Which of the following statements, in relation to cybersecurity awareness offerings, would you agree with (multiple selection possible)? AO: SC between "I cannot learn much", "I find it difficult to motivate myself for IT security", "I am not interested in further cybersecurity awareness", "Digital threats do not concern me"

Q9: How would you rate your basic interest in cybersecurity? AO: 5PL from 1: "No interest at all" to 5: "Very high interest"

Q10: How good do you consider your company's cybersecurity to be? AO: 5PL from 1: "Very bad" to 5: "Very good"

Q11: Did you ever click on a mail that was malicious or fraudulent? AO: 5PL from 1: "No, never" to 5: "Yes, definitely"

Q12: How stressed are you when you use the internet privately? AO: 5PL from 1: "Not stressed" to 5: "Very stressed"

Q13: How stressed are you when you use the internet in a work context? AO: 5PL from 1: "Not stressed" to 5: "Very stressed"

Q14a: Imagine the following situation: You receive a mail which looks like it is from your bank. There is a link in it. You click on the link and see a website which looks familiar. It asks you to type username and password. Your primary goal is to check your balance. What do you do? AO: SC between "Do not enter username and password" or "Enter username and password and take a 35% risk that the data is stolen immediately"

Q14b: Imagine the following situation: You receive a mail which looks like it is from your bank. There is a link in it. You click on the link and see a website which looks familiar. It asks you to type username and password. Your primary goal is to check your balance. What do you do? AO: SC between "Do not enter username and password and do not check balance" and "Enter username and password and take a 65% chance that the data is not stolen"

Q15a: Imagine the following situation: You work in an HR department and receive a mail with an application attached. If you do not open it you risk to fold on a candidate that applied to the company and face repercussions because you failed as HR representative. Your productivity is mainly evaluated on the number of candidates that reach the second step of the HR-process. AO: SC between "Do not open the attachment" or "Open the attachment and take a 25% risk that the attachment will compromise your workstation at a later point in time"

Q15b: Imagine the following situation: You work in an HR department and receive a mail with an application attached. If you do not open it you risk to fold on a candidate that applied to the company and face repercussions because you failed as HR representative. Your productivity is mainly evaluated on the number of candidates that reach the second step of the HR-process. AO: SC between "Do not open the mail" and "Open the attachment and take a 75% chance that the attachment will not compromise your workstation at a later point in time"

Block IIb

Q16: How long has it been since you last participated in a cybersecurity awareness activity? AO: SC between <1 month, 1--3 months, 3--6 months, >6 months

Q17: In which measure did you participate recently? AO: MC between Live Hacking, Phishing Campaign, Seminar/course/workshop, eLearning or other

Q18: How educational do you consider the various measures? Live Hacking, Phishing Campaign, Seminar/course/workshop, eLearning AO: 5PL from 1: "Non-educational" to 5: "Very educational"

Q19: How entertaining do you consider the various measures? Live Hacking, Phishing Campaign, Seminar/course/workshop, eLearning AO: 5PL from 1: "Non-entertaining" to 5: "Very entertaining"

Q20: In which other cybersecurity measures would you voluntarily participate? AO: MC between Live Hacking, Phishing Campaign, Seminar/course/workshop, eLearning, Others, None

Q21: How well do you feel you would protect yourself if you always took the same action? So, for example, you only attend live hackings? AO: 5PL from 1: "Not protected" to 5: "Very protected"

Q22: How well do you feel protected yourself if you would always carry out different measures? For example, you would always switch between the 4 cybersecurity measures presented? AO: 5PL from 1: "Not protected" to 5: "Very protected"

Q23: What other sources did you use to build cybersecurity awareness in the past? AO: MC between Online Blog, News, Podcast, Magazines, Others, None

Q24: How would you rate your basic interest in cybersecurity? AO: 5PL from 1: "No interest at all" to 5: "Very high interest"

Q25: How good do you consider your company's cybersecurity to be? AO: 5PL from 1: "Very bad" to 5: "Very good"

Q26: Did you ever click on a mail that was malicious or fraudulent? AO: 5PL from 1: "No, never" to 5: "Yes, definitely"

Q27: How stressed are you when you use the internet privately? AO: 5PL from 1: "Not stressed" to 5: "Very stressed"

Q28: How stressed are you when you use the internet in a work context? AO: 5PL from 1: "Not stressed" to 5: "Very stressed"

Q29a: Imagine the following situation: You are offered a program that you need to connect to Twitter, LinkedIn and other social networks. If you do not install it, you will not be granted access to these sites. Your primary goal is to further have access to these social networks. AO: SC between "Do not install the program and do not access the social networks" or "Install the program and take a 25% risk that the program will be compromised at a later point in time."

Q29b: Imagine the following situation: You are offered a program that you need to connect to Twitter, LinkedIn and other social networks. If you do not install it, you will not be granted access to these sites. Your primary goal is to further have access to these social networks. AO: SC between "Do not install the program and do not access the social networks" or "Install the program and take a 75% chance that the program will not be compromised at a later point in time"

Q30a: Imagine the following situation: You work in an HR department and receive a mail with an application attached. If you do not open it you risk to fold on a candidate that applied to the company and face repercussions because you failed as HR representative. Your productivity is mainly evaluated on the number of candidates that reach the second step of the HR-process. AO: SC between "Do not open the mail" or "Open the attachment and take a 35% risk that the attachment will compromise your workstation immediately"

Q30b: Imagine the following situation: You work in an HR department and receive a mail with an application attached. If you do not open it you risk to fold on a candidate that applied to the company and face repercussions because you failed as HR representative. Your productivity is mainly evaluated on the number of candidates that reach the second step of the HR-process. AO: SC between "Do not open the mail" or "Open the attachment and take a 65% chance that the attachment will not compromise your workstation"

Block III

Q31: If you were tasked with improving cybersecurity in your professional environment (company, school etc.), what actions would you take? Live Hacking, Phishing Campaign, Seminar/course/workshop, eLearning AO: 5PL from 1: "never organize" to 5: "host multiple times/year"

Q32: What gender do you identify as? AO: SC between male, female, diverse, not specified

Q33: How old are you? AO: SC between <25, 25--35, 36--46, 46--56, >56, not specified

Q34: How much exposure do you have to IT in your job? AO: 5PL from 1: "very little" to 5: "very strong"

Q35: Where do you live? AO: SC between Asia/Pacific, Europe, Africa, North America, South America, Other

Q36: Anything else you would like to tell us? AO: OE