To read this content please select one of the options below:

Factors in an end user security expertise instrument

Prashanth Rajivan (Social and Decision Sciences, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA)
Pablo Moriano (School of Computing and Informatics, Indiana University Bloomington, Bloomington, Indiana, USA)
Timothy Kelley (Psychological and Brain Sciences, Indiana University Bloomington, Indiana, USA)
L. Jean Camp (School of Computing and Informatics, Indiana University Bloomington, Bloomington, Indiana, USA)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 12 June 2017




The purpose of this study is to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and interactions in the security and privacy context. Standardized, externally valid instruments for measuring end-user security expertise are non-existent.


A questionnaire encompassing skills and knowledge-based questions was developed to identify critical factors that constitute expertise in end users. Exploratory factor analysis was applied on the results from 898 participants from a wide range of populations. Cluster analysis was applied to characterize the relationship between computer and security expertise. Ordered logistic regression models were applied to measure efficacy of the proposed security and computing factors in predicting user comprehension of security concepts: phishing and certificates.


There are levels to peoples’ computer and security expertise that could be reasonably measured and operationalized. Four factors that constitute computer security-related skills and knowledge are, namely, basic computer skills, advanced computer skills, security knowledge and advanced security skills, and these are identified as determinants of computer expertise.

Practical implications

Findings from this work can be used to guide the design of security interfaces such that it caters to people with different expertise levels and does not force users to exercise more cognitive processes than required.


This work identified four factors that constitute security expertise in end users. Findings from this work were integrated to propose a framework called Security SRK for guiding further research on security expertise. This work posits that security expertise instrument for end user should measure three cognitive dimensions: security skills, rules and knowledge.



This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the US Government. The US Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. The authors would also like to acknowledge Dr Cleotilde Gonzalez for her support and guidance.


Rajivan, P., Moriano, P., Kelley, T. and Camp, L.J. (2017), "Factors in an end user security expertise instrument", Information and Computer Security, Vol. 25 No. 2, pp. 190-205.



Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited

Related articles