Cybersecurity Awareness Among College Students:

A Survey-Based Analysis of Knowledge, Threats, and Perceptions

Nitika, Abhijit, Manish, Dheeraj, Lokesh

Vivekananda Global University | Trans Disciplinary Project

Research Project in Cybersecurity Awareness | April 2026

Abstract

Growing internet dependency among college-going youth has placed cybersecurity at the forefront of digital literacy discussions. This paper reports findings from a self-administered online survey targeting undergraduate students, yielding 68 usable responses. The instrument covered twenty items spanning password hygiene, phishing identification, multi-factor authentication (MFA), ransomware awareness, and risk-related attitudes. Data show that students perform well on widely discussed concepts — nearly nine in ten answered the password-strength question correctly, and four in five demonstrated familiarity with MFA — yet accuracy drops considerably when questions probe less-publicised topics such as pharming, zero-day exploits, and the practical use of virtual private networks. The results are set alongside the work of Nair (2025), a comparable survey of 107 students in Kerala that reported low-to-moderate overall awareness, to locate our sample within the broader Indian student context. The paper closes with targeted recommendations for embedding cybersecurity education within degree programmes.

Keywords: cybersecurity awareness, college students, phishing, MFA, ransomware, password security, India

1. Introduction

College students today inhabit two parallel worlds: a physical campus and an increasingly complex digital one. They submit assignments through cloud portals, communicate on messaging platforms, transact through UPI and net banking, and consume entertainment through streaming services — all from the same device. What rarely accompanies this connectivity is an equivalent level of security awareness. Threat actors have taken notice, and attacks that once targeted corporate networks now arrive in the inboxes and social media notifications of ordinary students.

The motivation behind this research was experiential rather than purely academic. As college students ourselves, we have watched peers respond to suspicious links out of curiosity, reuse the same password across multiple accounts, and log into personal banking portals over open café Wi-Fi without a second thought. These are not isolated incidents; they reflect a pattern of behaviour that is simultaneously common and dangerous. We wanted to move beyond anecdote and produce measurable data that captured how widespread — or otherwise — these knowledge and behaviour gaps actually are.

To that end, we conducted a primary survey using Google Forms and gathered 68 valid responses from undergraduate college students during November and December 2025. The survey was designed to test both declarative knowledge (what students know) and attitudinal tendencies (how they think about risk). Our analysis references the empirical work of Nair (2025), which examined a comparable student population in Thiruvananthapuram, Kerala, and provides a useful benchmark against which to read our own data.

This paper is structured as follows: a review of the existing literature on student cybersecurity awareness; a description of our methodology; a presentation of demographic and survey results; a comparative discussion drawing on prior research; and a concluding section with actionable recommendations.

2. Literature  Review

Scholarly attention to cybersecurity awareness among students has grown substantially over the past five years, driven partly by the acceleration of online education during the pandemic and partly by a rise in student-targeted scams and credential theft. Across this body of work, a recurring theme emerges: knowing about threats does not automatically lead to safer behaviour.

Nair (2025) conducted a quantitative survey among college students studying in Thiruvananthapuram District, collecting data from 107 participants. Her findings revealed that while most respondents had some familiarity with common threats, defensive behaviours were inconsistent. Students were, for instance, largely confident about not sharing personal information but struggled to articulate how they would handle a potential attack. Two-factor authentication was endorsed in principle by 54.2% of participants, yet awareness of more advanced concepts remained thin. Social media was identified as the primary gateway through which students encountered cybersecurity content — a finding with significant implications for the quality and reliability of information reaching them.

Research beyond the Indian context reaches similar conclusions. Erendor and Yildirim (2022) studied cybersecurity awareness specifically within online learning environments and reported widespread gaps, particularly among students who used personal devices and home networks to access academic systems. Mutunhu et al. (2022), writing about university students in Zimbabwe, concluded that participants understood the conceptual importance of cybersecurity but did not translate that understanding into consistent protective action. Their recommendation was for universities to develop structured, institution-level awareness programmes rather than relying on incidental learning.

Zwilling et al. (2022) added an important cross-national dimension by surveying internet users across multiple countries. They observed that higher cybersecurity knowledge scores correlated positively with awareness levels, but that even knowledgeable users tended to adopt only minimal precautions — a disconnect that points to psychological and behavioural barriers beyond mere ignorance. Bhatnagar and Pry (2020) examined the specific context of social media and found that students who acknowledged privacy risks often felt ill-equipped to address them, suggesting a gap between perceived threat and perceived self-efficacy. Alqahtani (2022) demonstrated that competencies in three specific areas — browser security, social media privacy, and password management — are particularly strong predictors of broader cybersecurity awareness, which has direct implications for curriculum design.

Taken as a whole, the literature consistently points toward the same conclusion: students are not starting from zero, but the knowledge they hold is uneven, often surface-level, and rarely sufficient to counter the sophistication of contemporary attacks. Closing this gap will require deliberate educational intervention rather than passive exposure.

3. Methodology

3.1 Research Design

This study adopted a descriptive, quantitative research design with a supplementary qualitative component drawn from open-ended survey responses. The primary objective was to document cybersecurity awareness levels across a sample of college students, capturing both factual knowledge and attitudinal dispositions.

3.2 Survey Construction

The questionnaire was built in Google Forms and organised into five thematic sections:

•        Section A — Basic Knowledge: password strength, phishing, HTTPS, and MFA.

•        Section B — Behavioural Practices: update frequency, response to unknown attachments, and public Wi-Fi usage.

•        Section C — Threat Recognition: ransomware, spoofing, pharming, and social engineering.

•        Section D — Risk Perceptions: Likert-style ratings of security practices.

•        Section E — Open-Ended Responses: four free-text questions inviting students to define phishing, comment on system security myths, and describe their own protective habits.

The open-ended component served a diagnostic purpose: it helped identify conceptual misunderstandings that might not surface in multiple-choice formats.

3.3 Sampling and Data Collection

Participants were recruited through convenience sampling. The survey link was shared via class WhatsApp groups, institutional email lists, and social media platforms over a six-week period from late November to late December 2025. There were no demographic restrictions — any current college student could respond. A total of 68 complete responses were retained for analysis. All participation was voluntary and anonymous.

3.4 Data Analysis

Quantitative responses were tabulated in Google Sheets. Each multiple-choice item was coded as correct or incorrect, and response frequencies were converted to percentages. Likert and rating scale items were averaged. Open-ended responses were read and categorised thematically to identify recurring patterns. Given the sample size, no inferential statistics were calculated; results are reported descriptively.

3.5 Ethical Considerations and Limitations

No personally identifiable information was collected. Participation was entirely voluntary. As a non-probability sample, the findings cannot be extrapolated to the wider student population. Self-report instruments are also susceptible to social desirability effects, meaning some respondents may have reported more cautious behaviour than they actually practice.

4. Respondent Profile

Table 1 presents the demographic characteristics of the 68 respondents. Males constituted a slight majority at 58.8%, while females accounted for the remaining 41.2%. Students aged 18 to 20 represented the largest segment (63.2%), which is consistent with a first- or second-year undergraduate cohort. A sizeable majority — 57.4% — had been active internet users for over five years, and 47.1% reported spending more than four hours per day online. Both figures indicate a digitally experienced sample that nevertheless showed meaningful awareness gaps, reinforcing the point that duration of internet use alone does not guarantee security competence.

Table 1: Demographic Profile of Survey Respondents

Source: Primary Data, Survey conducted November–December 2025

5. Results and Analysis

5.1 Knowledge and Threat Recognition

Table 2 summarises correct-response rates across the seven core knowledge questions. The data reveal a clear gradient: performance is strongest on concepts that receive routine attention from technology providers and steadily declines as questions move toward specialist terminology.

Table 2: Correct-Response Rates on Knowledge Questions (n = 68)

Source: Primary Data, Survey conducted November–December 2025

Password strength emerged as the most confidently answered topic, with 89.7% selecting the correct option. This can reasonably be attributed to repeated password-creation prompts from platforms such as Google, banking apps, and university portals, which typically display real-time strength indicators and enforce character-complexity rules. Software update frequency (85.3%) and safe email attachment practices (82.4%) also scored well.

Performance dipped noticeably for phishing (73.5%) despite the topic receiving extensive media coverage. A closer look at wrong-answer choices revealed that many students mistook phishing for generic spam messages or bank security warnings rather than recognising the targeted deception that characterises genuine phishing attempts. Ransomware achieved the lowest score (70.6%): roughly three in ten respondents selected descriptions that better matched general malware or spyware, suggesting that while the word is familiar, its defining feature — the encryption of files for extortion — is less well understood.

Questions involving specific attack nomenclature produced the most scattered results. When asked to identify the technique behind fake websites that redirect traffic from legitimate URLs, responses were distributed across spoofing (45%), pharming (30%), and other options (25%), indicating surface-level familiarity without conceptual precision. Matched-definition exercises covering zero-day vulnerabilities and social engineering yielded an average accuracy rate of approximately 65%.

5.2 Behavioural Tendencies

Safe-behaviour questions painted an encouraging picture overall, though pockets of concern remain. Four in five respondents (82.4%) stated they would delete an email from an unknown sender without opening its attachment — a sound response, and consistent with the relatively high score on that knowledge question. When it came to public Wi-Fi, 65% correctly identified banking and email access as the highest-risk activities, but roughly 15% expressed the view that social media browsing on an unsecured network carries no meaningful risk, which overlooks session-hijacking and other credential threats.

Open-ended responses provided additional nuance. Asked how they would handle a suspicious email, 75% described deleting or reporting it without engaging. Responses to the provocation "Cyber attackers cannot hack secure systems" were notably thoughtful — about 60% pushed back on the absolute framing, arguing that no digital system is fully invulnerable and that security should be understood as a continuous process rather than a static condition. These answers suggest that at least a meaningful segment of the student population is reasoning about cybersecurity rather than merely memorising rules.

5.3 Perceived Importance of Security Practices

Table 3 presents average ratings for four security practices on a four-point scale, where 1 indicates the practice is unimportant and 4 denotes it as essential.

Table 3: Importance Ratings for Selected Security Practices (1 = Not Important, 4 = Essential)

Source: Primary Data, Survey conducted November–December 2025

Two-factor authentication received the highest mean score (3.21), reflecting a growing normalisation of 2FA prompts across banking and social media platforms. Restricting the volume of personal information shared on social media followed at 2.96, and regular data backup at 2.85. VPN use on public networks scored lowest (2.65), confirming a pattern seen across multiple studies: students understand the concept of VPNs in the abstract but deprioritise their practical adoption, possibly because setup is perceived as technical or because the tool is associated with privacy activism rather than everyday safety.

Behaviour-classification questions revealed robust intuitive understanding: 90% correctly tagged automatic software updates as a security-enhancing action, 88% identified password sharing as a risk-increasing behaviour, and 85% recognised that accessing personal bank accounts from a shared public computer is inadvisable. These results indicate that students often have sound instincts when questions are framed in practical, real-world terms.

6. Discussion

Reading the data honestly, our sample occupies an intermediate position: not alarmingly uninformed, but not reliably protected either. Students demonstrate command of concepts that have been normalised through everyday platform design — password rules, update reminders, 2FA prompts — yet they encounter difficulty with anything that requires either technical vocabulary or habits not yet reinforced by technology providers.

Table 4 situates these findings alongside those of Nair (2025) for direct comparison.

Table 4: Comparative Overview — Present Study and Nair (2025)

Source: Present study (primary data) and Nair (2025)

Our sample performed somewhat above the level reported by Nair (2025), particularly on MFA awareness (80.9% vs. 54.2% expressing strong agreement in Nair's Likert format). Several factors may account for this. First, the two studies were fielded at different points in 2025, and MFA adoption has accelerated considerably as platforms have made it the default. Second, the survey design differs: our binary correct/incorrect format and Nair's degree-of-agreement scale are not directly comparable, which likely explains some of the numerical divergence. Third, our respondents were drawn from a single urban institution, which may introduce upward bias if that environment has higher-than-average digital literacy.

Despite these differences, several structural commonalities emerge. Both studies confirm that social media and informal digital channels are the dominant conduits of cybersecurity information for students — a situation that amplifies awareness of high-profile incidents while leaving technical knowledge fragmented. Both also reveal a behavioural inconsistency that the wider literature terms the 'knowledge–behaviour gap': students can state the right answer to a survey question but may not apply that answer in a moment of practical pressure. The 17.6% of respondents in our study who said they might open an email attachment from an unknown sender illustrate this precisely. The act of opening a suspicious attachment is rarely considered; it is performed reflexively, from curiosity or habit, even when the respondent theoretically knows better.

The VPN finding is also worth dwelling on. Despite near-universal access to smartphones and awareness of public Wi-Fi risks, VPN adoption remains deprioritised in both studies. This is not simply an information problem — it is a usability and trust problem. Until VPN functionality is built into devices and operating systems as a default feature (as several consumer platforms have begun doing), it will likely remain the domain of technically confident users.

7. Conclusion and Recommendations

This study contributes a data-grounded snapshot of cybersecurity awareness among undergraduate college students at one Indian institution. The headline finding — that foundational knowledge is reasonably solid while nuanced and practical competencies lag — is consistent with the prevailing direction of the research literature. It underscores that awareness is a necessary but insufficient condition for security: what students need, beyond information, is practice, scaffolding, and tools that reduce the friction between knowing and doing.

On the basis of the survey results and the comparative analysis, the following recommendations are offered:

•        Embed cybersecurity into the undergraduate curriculum as a compulsory module rather than an optional supplement. Evidence suggests that even brief, structured sessions can measurably shift specific competencies (Mutunhu et al., 2022).

•        Move beyond lecture-based instruction toward simulation. Controlled exercises — such as mock phishing emails sent to student inboxes, or sandboxed malware analysis sessions — create the kind of experiential learning that is far more likely to translate into lasting behaviour change.

•        Introduce students to everyday protective tools at the point of enrolment: a recommended password manager, instructions for activating 2FA on institutional accounts, and guidance on selecting a reputable VPN provider. Reducing the activation energy for these habits matters as much as explaining why they matter.

•        Leverage the social media channels students already trust. If 48.6% of students in Nair's sample — and a comparable proportion in ours — are getting cybersecurity information from social platforms, then well-designed institutional content placed on those same platforms can reach the audience more effectively than any compulsory seminar.

•        Commission a follow-up survey after any educational intervention is implemented. Single-point data captures the problem but cannot evaluate solutions; longitudinal or pre/post designs are needed to determine what actually moves the needle.

The objective need not be producing a cohort of cybersecurity specialists. It is, more modestly and more achievably, to raise baseline competence to the point where the most common and preventable attacks — phishing emails, weak passwords, insecure Wi-Fi sessions — simply stop working as reliably as they do today.

8. References

Alqahtani, M. A. (2022). Factors affecting cyber security awareness among university students. Applied Sciences, 12(5), 2589. https://doi.org/10.3390/app12052589

Bhatnagar, N., & Pry, M. (2020). Student attitudes, awareness and perceptions of personal privacy and cybersecurity in the use of social media: An initial study. Information Systems Education Journal, 18(1), 48–58.

Erendor, M. E., & Yildirim, M. (2022). Cyber security awareness in online education: A case study analysis. IEEE Access, 10, 52319–52335. https://doi.org/10.1109/ACCESS.2022.3166123

Mutunhu, B., Dube, S., Dube, N., & Sibanda, S. (2022). Cyber security awareness and education framework for Zimbabwe universities: A case of National University of Science and Technology. Proceedings of the International Conference on Industrial Engineering and Operations Management, Nsukka, Nigeria, April 2022.

Nair, R. R. (2025). Awareness, threats and perception of cyber security. International Journal of Advanced Research, 13(05), 756–763. https://doi.org/10.21474/IJAR01/20957

Zwilling, M., Klien, G., Lesjak, D., Wiechetek, L., Cetin, F., & Basim, H. N. (2022). Cyber security awareness, knowledge and behavior: A comparative study. Journal of Computer Information Systems, 62(1), 82–97. https://doi.org/10.1080/08874417.2019.1680004

Appendix — Survey Questions (Condensed Overview)

The table below lists the 20 survey items organised by thematic section.

Section A — Basic Knowledge

•        Q1: Which combination best describes a strong password?

•        Q2: Which of the following scenarios represents a phishing attempt?

•        Q3: What is multi-factor authentication and why is it used?

•        Q4: What does the letter 'S' signify in HTTPS?

Section B — Behavioural Practices

•        Q5: How often should you update your computer's operating system?

•        Q6: What would you do upon receiving an email attachment from an unfamiliar sender?

•        Q7: Which type of online activity poses the greatest risk on a public Wi-Fi network?

Section C — Threat Recognition

•        Q8: Which statement most accurately describes ransomware?

•        Q9: Redirecting users from a real website to a fraudulent copy is known as:

•        Q10: On a scale of 1 to 5, how confident are you in spotting a malicious link?

Section D — Risk Perceptions

•        Q11–Q14: Rate the importance of the following practices (backing up data; using a VPN; limiting social media exposure; enabling 2FA).

•        Q15: For each of the following actions, indicate whether it enhances or reduces your security.

Section E — Open-Ended

•        Q16: What is your view on the claim: 'Hackers cannot break into a secure system'?

•        Q17: In your own words, explain what phishing is.

•        Q18: Describe what you consider to be the strongest type of password.

•        Q19: What steps would you take after receiving a suspicious message or email?