Investigating New Zealanders' Attitudes, Behaviours and Intentions toward Cybersecurity, Privacy, Authentication and Artificial Intelligence (AI)

This PhD thesis presents a comprehensive investigation into the attitudes, behaviours, and security intentions of general population New Zealanders toward a variety of cybersecurity risks. It culminates in the development of a novel empirically derived model for understanding cybersecurity behaviour in the NZ context. Through systematic research progressing from qualitative exploration to quantitative validation, this thesis addresses critical gaps in understanding how New Zealanders conceptualise and respond to risks relating to cybersecurity, privacy, authentication and Artificial Intelligence (AI). The research began with a pilot study examining Internet of Things (IoT) cybersecurity behaviours, marking the first academic application of Protection Motivation Theory (PMT) to general population New Zealanders in this context. This initial phase revealed important patterns in how people evaluate security risks, particularly highlighting the roles of awareness, trust, and influence. A subsequent confirmatory study substantially validated these findings while expanding understanding through examination of remote working contexts during the COVID-19 pandemic, demonstrating both the applicability and limitations of existing theoretical frameworks in the NZ environment. Building on these qualitative insights, a nationally representative online survey was designed, focusing on four areas of vital importance in a contemporary Aotearoa New Zealand (NZ) context: Privacy, Authentication, AI and General Cybersecurity. Results from this survey directly informed construction of the PSCYBR Model, which attempted to extend PMT by incorporating Social Influence Theory (SIT) constructs. While this theory driven approach showed promise when restructured, empirical testing revealed the need for a more fundamental re-evaluation of how New Zealanders approach cybersecurity-related risks. During the development process, additional theoretical frameworks were examined but ultimately discounted as less suitable for explaining NZ cybersecurity behaviours compared to the empirically-derived approach. Through rigorous exploratory analysis, the DPER (Data, Password, Effort and Risk) Model was developed. The DPER Model, emerging directly from analysis of a nationally representative sample of 1,006 New Zealanders, identifies three distinct factors that shape cybersecurity behaviour: Protection of Data, Importance of Password Management, and Effort and Risk. These empirically derived factors reflect actual behavioural patterns rather than theoretical constructs, providing valuable insights for developing targeted interventions and support strategies. The model validation employed regression analysis, with findings showing that the Protection of Data factor significantly predicts variance in trust outcomes, while Importance of Password Management, and Effort and Risk, factors demonstrate weaker but meaningful associations. The model’s validation through robust statistical testing demonstrates its reliability and utility for understanding attitudes, behaviours, and intentions toward risks relating to cybersecurity in a modern Aotearoa NZ context. The research reveals unique characteristics in how New Zealanders evaluate and respond to cybersecurity-related risks, influenced by cultural values, social structures, and practical considerations specific to the NZ environment. The findings highlight the importance of developing culturally appropriate security initiatives that resonate with diverse communities, including Māori and Pasifika populations. The thesis makes substantial contributions to both theoretical understanding and practical application. Organisations working to improve cybersecurity in NZ will have access to a model that reflects how general population New Zealanders actually think about and respond to cybersecurity-related risks. The research provides evidence based guidance for developing effective security awareness programs and support strategies tailored to the NZ context. Future research directions emerging from this work include longitudinal studies to track behavioural changes over time, detailed investigation of cultural adaptations, and examination of the model’s applicability to emerging technologies such as artificial intelligence. The thesis concludes by discussing practical implications for improving cybersecurity posture across NZ society, emphasising the importance of considering both individual and community factors in cybersecurity initiatives. This research represents a significant advancement in understanding cybersecurity behaviour among general population New Zealanders, helping to enhance New Zealand’s cybersecurity posture. The empirically-derived DPER Model offers a robust framework for developing targeted interventions that align with how New Zealanders actually think about and respond to cybersecurity challenges.