RSAM: A Questionnaire for Ransomware Security Awareness Measurement

Document Type: Research Article


1 Faculty of Computer Engineering, University of Isfahan, Isfahan, Iran.

2 Faculty of IT Engineering, Sheikh Bahaei University, Isfahan, Iran.


Today, ransomware is a significant security threat to both organizations and individuals in the e-commerce and digital era. Poor human security awareness is a critical vulnerability that increases the risk of ransomware attacks. An established and effective strategy for protecting against ransomware is to improve the security awareness of employees and users about it. To implement this strategy, the first step is to measure the users' ransomware awareness; the next is to raise that level of awareness through education, training, and knowledge sharing about the attack. To the best of our knowledge, no questionnaire has been specifically designed to assess ransomware awareness. In this paper, a novel questionnaire development process is presented and applied to produce RSAM, a questionnaire for measuring security awareness about ransomware. The Persian version of the questionnaire (RSAM-P) is developed and validated using a sample of 216 participants who completed the questionnaire. The reliability and validity testing of RSAM-P indicates that the questionnaire, consisting of 21 questions, is effective and reliable in assessing ransomware awareness. This paper also presents RSAM-E, the English version of RSAM.


  • Receive Date: 28 August 2022
  • Revise Date: 25 December 2022
  • Accept Date: 28 December 2022
  • First Publish Date: 01 January 2023