Study Shows the Basic Security Steps Students Forget
Awareness isn't enough; password reuse and missed updates still expose students to hacks, researchers warn
A new peer-reviewed paper in TEM Journal assesses how well today’s digital-native students actually protect themselves online. Researchers Ivan Dunđer, Sanja Seljan, and Marko Odak surveyed 111 undergraduates in the Information Sciences bachelor’s program at the University of Mostar, Bosnia and Herzegovina. The study, published in May 2025, came to a startling conclusion. It revealed that students were seriously lacking in their cybersecurity awareness, leaving them vulnerable to data breaches, attacks, and malware.
Antivirus use is widespread
On the surface, basic protection looked solid: 76.5% of students said they run antivirus software on their computers. The study dug deeper, though, and the story changed. Only 37% bothered to keep those tools up to date, leaving dozens of devices one missed patch away from infection. Firewall usage is even thinner. Just 55 respondents, or about 50%, had an active firewall, and barely two dozen could confidently configure one.
Password habits remain the weakest link
Password management is where convenience still trumps caution. More than half the group admitted to re-using the same password across multiple services, and 17 confessed to writing credentials on paper near their computers. Encouragingly, 70 students said they follow length-and-complexity guidelines when creating new logins, yet only 10 rely on dedicated password-manager apps. An additional 27 simply let the browser remember everything, exposing credentials to local compromise and increasing their risk of cyber threats.
Phishing awareness: bright spots and blind spots
Students showed stronger instincts against classic email scams. 66 students said they delete suspicious messages unopened, and 78 avoid clicking links or attachments from unknown senders. Still, fewer than half (46) consistently scrutinize URLs before visiting a site, leaving them one slip away from a credential-harvesting clone page. Twenty-one respondents have already fallen victim to some form of cybercrime. Another 11 “weren’t sure,” suggesting many incidents go unrecognized.
The awareness gap of knowledge vs. practice
Overall, 73 students felt familiar with key security concepts, and roughly 70% expressed interest in further workshops or webinars. That enthusiasm underscores a central finding: awareness alone doesn’t guarantee safe behavior. Students know passwords should be long and unique, yet many still reuse them. They install antivirus software, yet neglect updates, and distrust shady emails while skipping URL checks.
Why it matters for universities everywhere
Higher-education networks are prime targets for ransomware crews and credential-harvesting campaigns, and student devices often act as entry points. By spotlighting specific weak spots, like out-of-date antivirus, lax firewall use, and password reuse, this study gives IT departments a checklist for the next semester’s training push. Offering discounted password-manager subscriptions, embedding URL-verification drills into coursework, bundling automatic ransomware protections, and making software-update prompts unavoidable are all practical takeaways the authors recommend.
The road ahead
The authors acknowledge limits: the sample is modest and comes from a single program at one university. Still, the patterns mirror findings from larger surveys in Poland, Jordan, China, and India cited in the paper, suggesting the “awareness-practice gap” is not unique to Mostar.
Larger, multi-campus studies—and follow-ups that track behavior after training—could reveal which interventions truly stick. Until then, the message is clear: students may know the rules of cyber-hygiene, but universities must still integrate network security habits into daily academic life if they want these measures to stick.
