Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment?

It has been widely recognized in the psychology of cybersecurity literature that ordinary users rather than technology systems are the weakest link in cybersecurity. The present study focused on assessing the cybersecurity judgment of 462 college students as a specific group of ordinary users in order to further identify specific weakest links of the weakest link. It was found that (1) the average percentage correct for cybersecurity judgement among the 462 students was 65%, (2) 104 (23%) students showed the lowest correct judgements (below 50%), (3) two of 16 cybersecurity items received the lowest correct judgement (below 50%), and (4) students' correct rational judgment (64%) was not significantly higher than their correct intuitive judgement (66%). These results not only empirically quantify the weakest link in cybersecurity judgement in general but also further specify the weakest links within the weakest link in particular, and thus have generated the earliest benchmarking data of the weakest link phenomenon and can help design effective cybersecurity prevention and intervention programs for ordinary users.