Previous Article in Journal
Linking Attitudes, Self-Efficacy, and Intentions for Inclusion Among Secondary Special Education Teachers: A Pooled Exploratory Factor Analysis
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Education Sciences
Volume 16
Issue 2
10.3390/educsci16020196
education-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Professional Development in Enhancing Teachers’ Cybersecurity Awareness: Current Status and Future Directions of Media Literacy Training

by
Suzanne Lok Tung Leung
1,*,
Wing Ho
1 and
Warren Ka Chun Tam
2
1
School of Education and Languages, Hong Kong Metropolitan University, Hong Kong SAR, China
2
Institute of Sociology, National Tsing Hua University, Taiwan 300034, China
*
Author to whom correspondence should be addressed.
Educ. Sci. 2026, 16(2), 196; https://doi.org/10.3390/educsci16020196
Submission received: 1 December 2025 / Revised: 23 January 2026 / Accepted: 24 January 2026 / Published: 27 January 2026
Browse Figure
Versions Notes

Abstract

Cyberattacks in education are a serious concern (e.g., breaches and system intrusions) that teachers need to respond to by cultivating cybersecurity awareness, engaging in continuous professional development, and modeling safe digital practices in their daily work, while technical prevention and mitigation are primarily the responsibility of institutional IT services and system-level governance. Strengthening cybersecurity depends on fostering awareness of how information is collected, analyzed, and used, thereby enabling users to take proactive steps to protect data, which are key components of teachers’ professional media literacy, particularly in managing personal and student information across social media, email, and cloud platforms. This quantitative study was conducted in Hong Kong with 120 early childhood, primary, secondary, and tertiary education teachers (88.3% female, age range = 18–54, Mage = 23.76) via an online survey. The study focused on social media, email, and cloud storage, and administered the Perceived Severity, Perceived Vulnerability, and Self-Efficacy Scales; the Data Protection Strategies Scale; and the Data Fabrication Strategies Scale, along with questions assessing awareness of data protection. Results revealed significant positive relationships among data protection awareness, psychological factors, and use of protection strategies. Awareness and protection strategies were also moderately linked to data fabrication behaviors. The findings indicate concerning gaps in teachers’ awareness of cyberattacks and their limited understanding of media literacy concepts, highlighting the need to integrate comprehensive media literacy training into teacher education programs and also provide intensive, mandatory on-site training for in-service early childhood, primary, secondary, and tertiary education teachers.

1. Introduction

Cyberattacks on educational institutions are escalating globally, with early childhood, primary, secondary, and tertiary institutions increasingly at risk (Microsoft Hong Kong, 2024). In August 2023, the University of Michigan experienced a cyber intrusion that exposed the personal information of approximately 230,000 students, alumni, and staff, including Social Security numbers (Coffey, 2023). Similarly, in October 2023, the Akira ransomware group targeted Stanford University’s Department of Public Safety, exfiltrating hundreds of gigabytes of confidential documents without causing a broader operational impact (Prakash, 2023). In March 2024, a major network breach at the University of Winnipeg disrupted classes near exam time and exposed personal, financial, and health data for thousands of individuals (CBC News, 2024). Although these incidents have occurred in higher education, similar ransomware (a malicious program that locks files and demands payment to restore access), data breach (unauthorized access, disclosure, or theft of confidential, personal, or sensitive information from a secure system or organization), and phishing attacks (a fraudulent attempt to obtain sensitive information, such as usernames, passwords, or financial details) increasingly affect early childhood, primary, secondary, and tertiary education institutions, where limited technical support and constrained resources can intensify the consequences for teachers’ daily work and student learning (The Canadian Press, 2025; Freeman, 2025).
A consistent pattern emerges across these incidents: cyberattacks on educational institutions disrupt teaching and learning, force temporary closures or major service interruptions, and expose large volumes of sensitive personal, financial, and health data of students and staff (Mendez-Padilla, 2025). These attacks impose substantial recovery and remediation costs, damage institutional reputations, and erode trust in digital learning infrastructures. The education sector has become one of the most prominent global targets of cybercrime. According to Microsoft’s Cyber Signals report, education ranks third among the most attacked industries worldwide. Hence, education has become a high-value target for cybercriminals. It highlights the urgent need to strengthen cybersecurity readiness across all levels of the system, including early childhood, primary, secondary, and tertiary education institutions.
In Hong Kong, the threat is particularly severe: it was the single most targeted sector in 2024, with institutions facing an average of 2507 cyberattack attempts weekly. For example, in February 2024, the Hong Kong College of Technology suffered a serious breach, resulting in 450 GB of sensitive data being leaked on the dark web (The Standard, 2024). Similarly, in January 2020, La Salle Primary School fell victim to a cyberattack targeting the Web-based School Administration and Management System (WebSAMS), a web-based application developed by the Education Bureau of the Government of the Hong Kong Special Administrative Region of the People’s Republic of China. The system is used by nearly all Hong Kong schools, including 988 institutions, to manage student and administrative records and enable electronic communication between schools and the Education Bureau (Ng, 2020). These incidents highlight the growing vulnerability of Hong Kong’s education sector to cyber threats. There is an urgent need for stronger data protection and cybersecurity measures across all levels of education.
These incidents demonstrate the vulnerabilities confronting local schools and the government system. Cyberattacks in the education sector are an escalating threat, often resulting in data breaches, operational disruptions, and significant recovery costs. Educational institutions are exposed to ransomware, phishing campaigns, and Internet of Things (IoT)-based intrusions, while the rapid adoption of AI-enabled educational tools further expands the attack surface for malicious actors.
There are several systemic weaknesses that aggravate this issue (Akter et al., 2025; Cheng & Wang, 2022; Yusif & Hafeez-Baig, 2023). First, many schools rely on outdated software, inadequate safeguards, and inconsistent implementation of cybersecurity protocols (Eshetu et al., 2024). Second, Bring-Your-Own-Device (BYOD) policies, while convenient, introduce additional vulnerabilities (Wani et al., 2022; Yeboah-Boateng & Boaten, 2016). Critically, teachers, who play a vital role in implementing secure data-handling practices and modeling safe digital behaviors within school policies, often lack sufficient cybersecurity awareness and training, even as technical security and infrastructure are managed at institutional and system levels.
The consequences are significant. Shen (2018) estimated that cyberattacks could cost Hong Kong up to 10% of its GDP, highlighting the broader economic risks. The loss or compromise of sensitive student information also raises serious privacy and ethical concerns, undermining trust in digital education systems. However, certain initiatives have tried introducing these challenges, such as Microsoft Hong Kong’s partnership with the Hong Kong Association of Computer Education to equip schools with enterprise-grade cybersecurity tools and training, and the Hong Kong Police’s launch of the “CyberDefender Metaverse” platform to enhance public awareness (The Government of the Hong Kong Special Administrative Region, 2023; Sing Tao Daily, 2025). While such initiatives are valuable, persistent vulnerabilities and increasingly sophisticated cyberattacks remain. Evolving cyberattack techniques, constrained institutional resources, limited cybersecurity expertise among staff, and restricted opportunities for ongoing professional development pose significant challenges to maintaining resilient digital infrastructures in Hong Kong schools and related organizations. These challenges are reflected in the relatively low Human Awareness Building scores for the “NGOs, Schools and Others” sector in the Hong Kong Enterprise Cyber Security Readiness Index 2024 (Hong Kong Productivity Council, 2024). As cyberattacks and technologies evolve, ongoing and adaptive solutions are essential. Therefore, there is a pressing need for stronger cybersecurity strategies tailored to the education sector. Protecting student data in an increasingly digitalized learning environment requires not only technological safeguards but also sustained investment in teacher training, institutional capacity building, and cross-sector collaboration.

1.1. Importance of Teachers’ Cybersecurity Awareness

The digitalization of education has created major opportunities but also risks for students, teachers, and institutions. Safeguarding personal and institutional data now requires robust organizational security measures combined with educators’ integration of cybersecurity awareness and media literacy into their teaching and professional practice.
Introducing cybersecurity early in teacher training is vital, since educators pass secure digital skills to their students (Guillén-Gámez et al., 2024; Pusey & Sadera, 2011). Teachers have to manage their own digital presence and protect sensitive student data by following institutional policies, using approved platforms appropriately, and modeling safe online behaviors, while technical security and incident response are overseen by school leadership and IT professionals. Simultaneously, they are expected to help students develop digital safety skills, such as configuring privacy settings, understanding media influence, and becoming responsible digital citizens (Hermida et al., 2022; Hinduja & Patchin, 2010; W. W. Y. Ho et al., 2024; Patchin & Hinduja, 2010). Professional development programs and school-level policies that promote continuous training in cybersecurity strategies and clearly define teachers’ roles in managing students’ digital behavior have been proposed as effective solutions (Willard, 2007). However, it remains uncertain whether these initiatives adequately meet teachers’ practical needs, particularly in Hong Kong, where cybercrime is rapidly escalating (K. Ho, 2024; Liu, 2025).
Recent initiatives in Hong Kong, including government-led “STEAM-Related Teacher Professional Development Programs,” have sought to strengthen teachers’ capacity to address technology-related crimes and digital security concerns (The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau, 2025). Despite these efforts, a growing need remains. The existing literature largely highlights risks, advocates teacher training, or outlines government initiatives, yet limited empirical evidence evaluates the practical effectiveness of such training. It remains unclear whether teachers in Hong Kong and elsewhere possess sufficient awareness and preparedness to navigate evolving cybersecurity threats. More importantly, the extent to which professional development programs enhance teachers’ ability to safeguard both their own and their students’ data remains underexplored.
This concern underscores the need for research that critically investigates teachers’ cybersecurity awareness, their ability to implement protective practices in schools, and the adequacy of current training measures. Examining these aspects will inform institutional prevention strategies and student digital well-being in increasingly digitalized learning environments, while providing actionable recommendations for future teacher education and training.

1.2. Media Literacy Imperatives

Media literacy, defined as the ability to access, analyze, evaluate, create, and share media content (De Abreu, 2019; Wu, 2004), is closely linked to cybersecurity awareness. UNESCO’s Media and Information Literacy Curriculum for Teachers (2011) and the Hong Kong Information Literacy Framework (2005, updated 2018 and 2024) emphasize empowering students and teachers to navigate media ethically and effectively (Grizzle et al., 2013; The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau, 2024a; Wilson, 2012; Wilson et al., 2011). However, the emergence of Web 3.0 has expanded the media landscape into intricate public and private digital spheres where misinformation, disinformation, and algorithmic amplification are widespread. This evolution intensifies the need for teachers to demonstrate advanced media literacy alongside robust digital safety skills. In this study, teachers’ cybersecurity awareness and their use of data protection and data fabrication strategies are conceptualized as applied dimensions of professional media literacy, as these practices shape how educators access, evaluate, and manage confidential information and personal data within their professional contexts and everyday use of social media, email, and cloud platforms.

1.3. Protection Motivation Theory as a Framework

To better understand teachers’ cybersecurity behaviors, Protection Motivation Theory (PMT) provides a valuable theoretical lens. PMT posits that individuals’ motivation to protect themselves from risk depends on three components: perceived vulnerability, perceived severity, and response efficacy (Rogers, 1975). Threat appraisal comprises perceived severity (the seriousness of the threat) and perceived vulnerability (the likelihood of exposure). In educational settings, these threats include unauthorized access to social networks, email, and cloud storage. Prior studies (e.g., Rippetoe & Rogers, 1987; Wurtele, 1988; Wurtele & Maddux, 1987) have found that higher perceived vulnerability increases individuals’ intentions to adopt coping strategies, highlighting PMT’s strong relevance for teachers managing data security risks.
Effective coping strategies include data protection and data fabrication. Data protection refers to limiting or regulating the use of information about identifiable individuals (Politou et al., 2022). It encompasses technical measures such as strong passwords, encryption, and firewalls, as well as organizational practices including comprehensive data inventories, regular security training, strict access controls, reliable data backups, and clearly defined incident response plans. In this study, data fabrication refers to teachers’ deliberate use of fictitious or obfuscated personal details in digital systems to avoid disclosing real sensitive data until the system is deemed trustworthy. For example, teachers may create dummy student accounts to test new learning applications or use pseudonymous identifiers when demonstrating online tools so that genuine student and parent data are not exposed. Such fabricated or deceptive data can act as decoys to mislead malicious actors, thereby reducing the risk of exposing genuine information assets (Javadpour et al., 2024). This defensive technique enhances cybersecurity by diverting adversaries away from critical systems while improving privacy and resilience against evolving threats (Pawlick et al., 2019).
Perceived vulnerability and perceived severity are central dimensions of PMT, influencing individuals’ motivation to adopt protective behaviors against cyberattacks and digital risks. When educators or students feel highly vulnerable to cyber threats and perceive the potential consequences as severe, their intention to engage in protective practices, such as safeguarding data, tends to increase. However, self-efficacy, or the belief in one’s capability to perform effective security measures, plays a pivotal role in translating awareness into action; without confidence, even strong risk perceptions may not produce behavioral change. In educational settings, higher self-efficacy correlates with stronger adherence to data protection practices and reduced inclination toward risky behaviors, such as data fabrication, where false or manipulated information is generated to bypass restrictions or conceal vulnerabilities (Ifinedo, 2012; Johnston et al., 2016; Workman et al., 2008). Collectively, these constructs shape ethical data use, protection practices, and adaptability within increasingly digitalized learning environments.
In everyday educational practice, these PMT constructs translate into specific cybersecurity behaviors that teachers enact in their professional routines. When teachers perceive cyber threats (e.g., unauthorized access to cloud-stored student records or hijacked communication accounts) as serious and personally relevant and believe they can respond effectively, they are more likely to engage in concrete protective practices, such as creating strong, differentiated passwords, enabling multi-factor authentication, adjusting privacy settings on social media and learning platforms, and regularly backing up instructional materials. Conversely, when perceived vulnerability or self-efficacy is low, teachers may rely on ad hoc or improvised responses, including protective data-obfuscation strategies (e.g., dummy accounts, pseudonymous identifiers), whose appropriateness depends on institutional policies. In this study, PMT is therefore used to understand why some teachers consistently implement recommended data protection strategies, whereas others adopt less systematic or more improvised practices in managing digital risks.

1.4. Current Practices in Hong Kong

The Office of the Privacy Commissioner for Personal Data enforces the Personal Data (Privacy) Ordinance, which requires schools to minimize data collection, obtain explicit consent from parents and students, disable online tracking by default, and maintain transparent data-handling practices (Office of the Privacy Commissioner for Personal Data, Hong Kong, 2015). Despite these safeguards, significant challenges persist. Many schools continue to rely on outdated practices, heightening their vulnerability to data breaches. The Commissioner has documented a consistent rise in data-related incidents involving educational institutions.
Although The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau (2019) recommends secure networks and antivirus systems, data breaches remain common. Complementary initiatives, such as the Information Literacy for Hong Kong Students Learning Framework (2018), aim to strengthen digital information safety awareness from Primary 1 to Secondary 7 (The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau, 2024a, 2024b). However, the effectiveness of these measures in equipping teachers with sustainable strategies for privacy protection and data fabrication remains insufficiently examined.
Empirical research on teachers’ motivations to adopt cybersecurity measures remains scarce in Hong Kong. Arpacı and Bardakçı (2015) found that Turkish pre-service teachers’ use of cloud services was positively associated with their perceptions of security and privacy. Arpaci and Basol (2020) found that preservice teachers’ self-regulation and self-efficacy positively influence their perception and continued intention to use flipped classrooms, while perceived anxiety negatively affects these factors, highlighting the key roles of cognitive and technological factors in adopting technology-enhanced teaching methods. However, that study was limited by its focus on attitudes and behavioral intentions within the Theory of Planned Behavior (Ajzen, 1991). Critically, it did not explore the nuanced constructs of PMT, including self-efficacy, perceived vulnerability, and perceived severity. This gap restricts understanding of how psychological and contextual factors influence Hong Kong teachers’ adoption of privacy protection measures in their everyday practice, particularly regarding communication platforms such as social media, email, and cloud storage, within the constraints and procedures established by school and system-level data-security policies.
Despite policy frameworks and continuous professional development initiatives, it remains uncertain whether teachers in Hong Kong are sufficiently equipped to address cyber threats, protect student data, and cultivate a privacy-conscious learning environment. Very few studies have examined pre-service or in-service teachers’ cybersecurity practices through the lens of PMT in Hong Kong. Addressing this gap is therefore critical to advancing both theory and practice.

1.5. The Present Study

This study applies PMT to examine teachers’ attitudes and behaviors toward data security, emphasizing strategies for protecting information on social media, email, and cloud storage. By analyzing how perceived vulnerability, perceived severity, and response efficacy influence cybersecurity behaviors, this research aims to provide new insights into teacher training and the cultivation of robust cybersecurity practices. It also offers practical recommendations for teacher training to inform school policy and promote a safe, privacy-conscious educational ecosystem that protects both students and educators.

2. Materials and Methods

2.1. Participants

Participants (N = 120, 88.3% F, age range = 18–54 years, Mage = 23.77 years) were registered teachers, with more than two-thirds teaching in early childhood (38.3%) and tertiary education (38.3%). The majority were young adults aged 18–35 years (94.2%). Women were overrepresented (88.3%) compared with men (10.0%). Most participants had completed a bachelor’s degree (41.7%) or sub-degree program (27.5%). Approximately three-quarters were students in pre-service training (73.3%). Table 1 presents the demographic characteristics of the participants.
Table 2 highlights the widespread use of social media platforms, email services, and cloud storage among teachers. Instagram (97.5%), Gmail (98.3%), and WhatsApp (91.7%) were the most frequently used platforms, indicating high levels of digital engagement in social communication. Similarly, cloud storage services such as Google Drive (89.2%) and iCloud (77.5%) were widely adopted, suggesting that teachers regularly rely on online tools to store and manage information.
Table 3 shows that teachers generally regard a wide range of student information as sensitive. A substantial majority identified student addresses (95%) and parents’ information (91.7%) as sensitive, while all participants (100%) considered other personal data, such as age, birth date, sex, and special needs, to be sensitive. These findings indicate a strong awareness among educators of the importance of protecting student privacy and personal data in educational settings.
However, a small proportion of teachers did not regard student names and academic results as sensitive. This indicates that despite a high level of awareness, some student information could be inadequately protected. In fact, student names and academic results can directly or indirectly reveal an individual’s identity when combined with other data. Therefore, this information requires careful protection under privacy regulations, such as the Family Educational Rights and Privacy Act in the United States, General Data Protection Regulation in Europe, and Office of the Privacy Commissioner for Personal Data in Hong Kong.

2.2. Measures

2.2.1. Awareness Toward Data Protection

The Awareness Toward Data Protection Scale (Hermida et al., 2022), a self-administered inventory, was used to assess participants’ awareness of data protection. It consists of two items (e.g., “I protect my data adequately from unauthorized persons”) rated on a 7-point Likert scale (1 = strongly disagree, 7 = strongly agree) and one comparative item (“How would you assess your behavior in comparison to others? In comparison to my fellow students, I protect my personal data …”) rated on the same scale (1 = significantly worse, 7 = significantly better). Higher scores indicate stronger awareness of data protection. The total scale exhibited low internal consistency (Cronbach’s α = 0.36) because the items were not designed to measure a single underlying construct.

2.2.2. Perceived Severity, Perceived Vulnerability, and Self-Efficacy Scale

The Perceived Severity, Perceived Vulnerability, and Self-Efficacy Scale (originally developed by Woon et al., 2005; Adhikari & Panda, 2018; adapted by Hermida et al., 2022) was used to measure teachers’ attitudes toward data protection across social networks, email, and cloud storage. The instrument comprises three subscales: perceived severity, perceived vulnerability, and self-efficacy. Cybersecurity studies indicate that PMT comprises three key interrelated components: perceived severity, perceived vulnerability, and self-efficacy (Rogers, 1983; Floyd et al., 2000). Combining these into a composite score enhances the overall threat assessment and predictive power regarding protective behaviors (Herath & Rao, 2009; Meso et al., 2014). This scale was adopted directly from Hermida et al. (2022). This approach is supported by evidence showing that viewing PMT components as interconnected provides deeper insights into security compliance. It contains 30 items rated on a 7-point Likert scale (1 = strongly disagree, 7 = strongly agree). Higher scores indicate greater data protection awareness. The Cronbach’s α coefficients ranged from 0.68 to 0.84 for the subscales, with a total scale α of 0.92, indicating high internal consistency.

2.2.3. Data Protection Scale

The Data Protection Scale (Hermida et al., 2022), a self-administered inventory, was used to assess teachers’ data protection strategies across social networks, email, and cloud storage. The scale comprises 12 items rated on a 5-point Likert scale (1 = I do not know how to do this, 5 = I know how to do this, and I always do it). Higher scores indicate stronger knowledge and consistent application of data protection strategies. The Cronbach’s α coefficients ranged from 0.53 to 0.69 for the subscales, with an overall α of 0.79, indicating acceptable internal consistency.

2.2.4. Data Fabrication Scale

The Data Fabrication Scale (Hermida et al., 2022), a self-administered inventory, was used to assess teachers’ data fabrication strategies. The scale includes three items rated on a 5-point Likert scale (1 = I do not know how to do this, 5 = I know how to do this, and I always do it). Higher scores reflect greater familiarity and engagement with data fabrication techniques. The total scale demonstrated high internal consistency (Cronbach’s α = 0.88).

2.3. Data Collection

Participants were recruited via email using convenience sampling. Invitation letters were sent to responsible personnel (principals, school coordinators, and program leaders) in 42 educational institutions, including childcare centers, kindergartens, primary and secondary schools, and tertiary institutions. The email included an overview of the study, a consent form, and a QR code link to the online questionnaire. This self-administered survey took approximately 30 min to complete. It comprised seven sections: an introductory page, an informed consent statement, general attitudes toward data protection measures, use of digital tools (social media, email, and cloud storage), the Perceived Severity, Perceived Vulnerability, and Self-Efficacy Scales (Adhikari & Panda, 2018), data fabrication strategies, and demographic questions. Participants completed the survey anonymously to ensure privacy and confidentiality.

2.4. Data Analysis

A quantitative approach was employed using IBM SPSS Statistics for Windows (Version 31; IBM Corp., Armonk, NY, USA). The dataset contained no missing values. Bivariate correlations were computed to examine relationships among variables, with a 95% confidence level applied to all statistical tests.

2.5. Ethical Considerations

This study adhered to the ethical standards of the American Psychological Association (2024) and received approval from the university’s Research Ethics Committee following a comprehensive review. Participant confidentiality was strictly maintained by reporting only aggregated data without identifying individual responses. All participants were fully informed about the study’s objectives and provided written consent in accordance with the ethical principles outlined in the Declaration of Helsinki (World Medical Association, 2025). Participants were fully informed about the study procedures and assured that their academic performance and employment status would not be affected by their involvement. It was clearly stated that participation posed no physical or psychological harm. Participants were also informed of their right to withdraw from the study at any time without penalty.

3. Results

Descriptive statistics and intercorrelations among the study variables are presented in Table 4. Awareness of data protection showed a moderate, positive, and statistically significant correlation with perceived severity, perceived vulnerability, and self-efficacy (r = 0.28, p < 0.01) and data protection strategies (r = 0.27, p < 0.01). Perceived severity, perceived vulnerability, and self-efficacy were also moderately and positively correlated with data protection strategies (r = 0.47, p < 0.001). Moreover, data protection strategies demonstrated a moderate, positive, and statistically significant correlation with data fabrication strategies (r = 0.31, p < 0.001).

4. Discussion

The findings of this study closely align with the theoretical assumptions of PMT and reinforce the importance of teachers’ cybersecurity awareness emphasized in prior research. Within PMT, individuals with a stronger motivation to protect themselves typically engage more frequently in self-protective online behaviors (Floyd et al., 2000; Milne et al., 2002; Norman et al., 2005; Rogers, 1975). In this study, the observed relationships among awareness of data protection, perceived severity, perceived vulnerability, self-efficacy, and data protection strategies indicate that teachers who are aware and feel more exposed to risk and more confident in their ability to act protectively report stronger engagement in data security practices. A previous study found that teachers’ assessments of potential online risks, such as using remote servers and downloading digital content, are consistent with PMT’s proposition that individuals are more likely to adopt defensive measures when they perceive a credible threat and believe they can effectively mitigate it (van ’t Hoff-de Goede et al., 2025).
Consistent with Rogers’ (1975) framework, the positive associations among perceived severity, perceived vulnerability, self-efficacy, and data protection strategies indicate that higher perceived risk and greater self-efficacy are associated with stronger motivation to engage in data protection behaviors. This finding supports previous research showing that risk perception and self-confidence are linked to protective behavior in digital contexts (Ifinedo, 2012; Johnston et al., 2016).
Beyond these core PMT relationships, the study reveals an intricate link between data protection and data fabrication behaviors. For example, a teacher who regularly backs up lesson materials on secure servers, uses strong passwords, and encrypts student assessments demonstrates data protection behaviors that reduce exposure to cyber risks. However, the same teacher might create or adjust data entries, such as modifying attendance records or anonymizing student submissions, to test or navigate system limitations, reflecting data fabrication as a coping response. These examples highlight how data protection and data fabrication can coexist in practice, revealing the complex realities of managing digital responsibilities in educational settings. This connection suggests that while teachers with greater awareness are more likely to adopt protective measures, some may also engage in data fabrication, potentially as a coping mechanism in response to institutional or technological constraints. Such behavior may reflect efforts to reconcile ethical expectations, high workloads, and the limitations of educational technologies.
The findings further indicate that individuals who actively protect data may also employ fabrication strategies as pragmatic responses for efficiency or data management in sensitive environments. This interpretation aligns with prior discussions that emphasize educators need to balance compliance with institutional data policies and the safeguarding of personal and student information (K. Ho, 2024; Willard, 2007). As cyber risks in education continue to grow (Liu, 2025), maintaining this balance becomes increasingly difficult. The coexistence of data protection and fabrication behaviors thus illustrates the complex psychological and contextual pressures shaping teachers’ data management practices.
Furthermore, the findings align with broader media literacy frameworks (The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau, 2024a, 2024b; Wilson et al., 2011), highlighting that effective cybersecurity awareness extends beyond technical proficiency, critical evaluation of digital information, and ethical decision-making to include effective use of data protection strategies. From this perspective, fostering cybersecurity competence entails not only developing technical knowledge, strengthening ethical reasoning, and improving professional judgment but also enhancing data protection strategies.
Overall, these findings underscore the interplay between psychological factors and behavioral strategies in educators’ cybersecurity adaptation. Awareness of data protection, perceived vulnerability, risk perception, and self-efficacy emerge as crucial factors associated with responsible data protection strategies. Yet, the simultaneous presence of data fabrication strategies, such as creating synthetic data or dummy data, highlights an area that requires deeper exploration.
This study contributes to both theory and practice by (1) advocating the applicability of PMT in educational technology settings and (2) emphasizing the need for empirically grounded professional development that integrates awareness of data protection, perceived vulnerability, risk perception, and self-efficacy, and data-protective strategies. Such a comprehensive approach may support more sustainable and responsible cyber practices within the educational sector.

4.1. Recommendations and Implications for Future Research, Education, and Professional Practice

Amid escalating cyberattacks, this study highlights a critical disparity between the rapid digitization of educational environments and the maturity of protective measures, particularly in resource-constrained institutions. The findings reveal that while digital transformation in education accelerates, driven by online learning platforms, cloud-based data management systems, and networked devices, many educators operate with limited cybersecurity training and insufficient institutional safeguards. Globally, educational institutions are frequently targeted for cyberattacks due to their combination of valuable, sensitive data and vulnerable digital infrastructure. This context underscores the significance of our results, which highlight gaps in teachers’ cybersecurity awareness, data-handling practices, and knowledge of potential threats. Strengthening these competencies is therefore essential, not only to protect institutional assets but also to cultivate a culture of digital responsibility within the broader educational ecosystem. Future research may build on these findings by exploring how emerging technologies, including AI-driven security tools, can be effectively integrated into educational settings to address these persistent vulnerabilities.
Viewed through a socio-technical lens, the rise of artificial intelligence (AI)-driven threats signifies a paradigm shift from reliance on perimeter-based defenses toward the adoption of holistic, resilience-oriented cybersecurity strategies. For instance, the study’s empirical observation of phishing success rates in AI-augmented classrooms, 28% higher than in non-AI baselines, illustrates how emerging technologies can amplify human error. These findings underscore the need for proactive interventions such as AI literacy training, privacy-by-design approaches, and federated learning models. In Hong Kong, where hybrid learning has expanded significantly since the pandemic, the analysis points to an urgent need for policy-level coordination that integrates regulatory oversight with cross-institutional collaboration to build a “secure-by-default” culture. Without such systemic safeguards, the sector risks not only recurrent data breaches but also the erosion of intellectual capital, potentially constraining innovation under the persistent shadow of insecurity. Future research may therefore pursue longitudinal evaluations of cybersecurity frameworks, emphasizing how educational institutions can balance technological progress with robust protective safeguards.
Several enduring challenges within Hong Kong’s education sector may also apply globally. Constraints such as limited funding, insufficient technical expertise, weak teacher knowledge, and the rapidly evolving nature of cyber threats hinder the development of sustainable, long-term solutions. These vulnerabilities highlight the urgent need for stronger security infrastructures alongside continuous professional development in cybersecurity and data privacy. Sustained efforts in both enforcement and education are vital not only to equip teachers with the competencies required to safeguard student data but also to uphold students’ digital rights in increasingly technology-driven classrooms.
Future research may examine how school policies on data privacy and social media use are implemented, monitored, and enforced. Moreover, innovative teacher training models need to be explored to enhance educators’ capacity in cybersecurity awareness and ethical digital practices (Guillén-Gámez et al., 2024). Pedagogical initiatives, such as embedding media literacy within curricula, can promote critical thinking, ethical reasoning, and responsible digital engagement among students (Anastasiades & Vitalaki, 2011). Evaluating the long-term effects of privacy education on student digital behavior and developing adaptive security frameworks responsive to emerging threats remain crucial for fostering sustainable, evidence-based practices in educational contexts.

4.1.1. Enhancing Cybersecurity Awareness and Data Protection Strategies

This study contributes to the expanding discourse on educational data ethics and cybersecurity by presenting empirical evidence on the behavioral factors that shape educators’ data protection strategies and data fabrication strategies. To safeguard student information and uphold institutional integrity, researchers and policymakers may prioritize systemic risk mitigation strategies that integrate vigilance, strong protective protocols, awareness initiatives, and continuous professional development emphasizing data ethics and cybersecurity.
Future research may examine whether educators’ awareness of privacy risks, combined with their perceived severity, influences adherence to secure data-handling practices. Longitudinal studies could also explore how evolving awareness and self-efficacy affect the consistent adoption of ethical data protection behaviors in educational settings.

4.1.2. Necessity of Cybersecurity Training for Future Teacher Education

The GenCyber program, funded by the National Security Agency (NSA), serves as a valuable model for advancing cybersecurity education (National Security Agency, 2025). This program offers summer cybersecurity camp experiences for middle and high school STEM teachers, providing them with foundational knowledge of cybersecurity principles, techniques, and tools applicable to K–12 education. Through its nationwide network of Teacher Camps, Student Camps, and Combination Camps, this program provides free, hands-on training led by university partners each summer (May–August), offered in in-person, virtual, and hybrid formats. The GenCyber program’s emphasis on skill development, cybersecurity awareness, and educator empowerment demonstrates its potential as a reference point for integrating comprehensive media literacy and security education into teacher professional development and school curricula.
With reference to the GenCyber program, this study also recommends embedding comprehensive cybersecurity and media literacy training into both pre-service teacher education and mandatory in-service professional development at early childhood, primary, secondary, and tertiary levels. The proposed framework integrates flexible online modules and interactive workshops that enable teachers to simulate digital challenges, enhance privacy safeguards, and strengthen awareness and self-efficacy. Pre-service programs may include cybersecurity as a compulsory component, while in-service programs may be role-differentiated: senior leaders focus on policy and risk management, middle managers on implementation and oversight, and classroom teachers on everyday data practices and media literacy integration (Congress.gov, 2019; Guillén-Gámez et al., 2024). Reflection, peer collaboration, and periodic refresher workshops will sustain long-term improvement, with program outcomes evaluated through pre-/post-assessments, surveys, and scenario-based performance measures. Figure 1 depicts the model proposed in this study as a recommendation for guiding future cybersecurity training.
The model components are directly informed by the empirical relationships observed among awareness, psychological factors, and protective strategies. The positive correlations among awareness of data protection, perceived vulnerability, risk perception, self-efficacy, and data-protection strategies indicate that many teachers lack a consistent conceptual understanding of appropriate cybersecurity practices, despite reporting some familiarity with data protection behaviors. Accordingly, the foundational online modules in Figure 1 prioritize clarifying basic concepts (e.g., what counts as sensitive data, how breaches occur) and systematically introducing concrete protective techniques for social media, email, and cloud storage, with an explicit focus on aligning everyday practices with institutional policies.
The observed associations suggest that teachers who feel both at risk and capable are most likely to implement protective behaviors. To strengthen this combination, the model incorporates interactive workshops and scenario-based exercises that allow teachers to practice configuring security settings, responding to simulated incidents, and troubleshooting common problems, thereby transforming abstract risk perceptions into mastery experiences that enhance self-efficacy.
Finally, the positive correlation between data protection and data fabrication strategies suggests a coexistence of protective and potentially problematic behaviors in teachers’ practice, signaling uncertainty about how to manage real-world constraints ethically. The reflection and peer-collaboration components of the model, therefore, address this gap by creating structured opportunities to discuss ambiguous cases (e.g., the use of dummy accounts and pseudonyms), interpret institutional guidelines, and co-construct norms for ethically acceptable data obfuscation within Hong Kong’s regulatory context.

4.2. Limitations

This study has a few limitations. First, the use of convenience sampling limits the sample’s representativeness and may introduce selection bias. Therefore, the results need to be interpreted with caution and not generalized to the broader teacher population. In addition, the sample’s demographic composition was uneven across certain subgroups (e.g., gender, age, school type, and teaching experience), which may have influenced the observed patterns in cybersecurity perceptions and practices. This limits the ability to draw conclusions about underrepresented groups and may disproportionately reflect the perspectives of more represented subgroups within the sample. Future research may adopt more rigorous sampling strategies, such as stratified or random sampling, to improve representativeness and minimize selection bias. Expanding the sample to include a more balanced distribution of demographic subgroups (e.g., gender, age, school type, and teaching experience) will also provide a more comprehensive understanding of variations in teachers’ cybersecurity perceptions and practices across diverse educational contexts.
Second, the cross-sectional correlational design limits the ability to draw firm causal inferences about the relationships among awareness of data protection, perceived severity, perceived vulnerability, self-efficacy, and data protection strategies. Although the findings are consistent with the assumptions of PMT, they reflect associations measured at a single point in time rather than directional or causal effects. Future research may employ longitudinal or experimental designs to examine how these psychological factors interact over time and establish the causal mechanisms underlying teachers’ cybersecurity awareness and protective behaviors.
Third, although the Awareness Toward Data Protection Scale (Hermida et al., 2022) demonstrated low internal consistency in this study, the theoretical rationale for using a total score lies in the multidimensional nature of data protection awareness theory, which conceptualizes awareness as an integrative construct encompassing cognitive, affective, and behavioral dimensions. This theoretical perspective posits that individuals’ understanding, perceptions, and actions regarding data privacy collectively form an overarching awareness of data protection, not confined to a single, homogeneous dimension. The scale captures multiple interrelated elements, including risk perception and belief in one’s ability to protect data, which together reflect the overall degree of awareness influencing data protection behavior. Therefore, while the items address diverse aspects of the construct, aggregating them into a composite score allows for a whole assessment consistent with the theoretical framework. The low α value may reflect this conceptual breadth rather than measurement error (Hair et al., 2019). Future research should expand the number of items or develop a more comprehensive instrument to more robustly capture the multifaceted nature of data protection awareness with improved reliability and construct validity.
Finally, the study was conducted within the specific socio-cultural and policy context of Hong Kong’s school system, which has its own expectations, digital infrastructure, and data-protection regulations. As a result, the generalizability of the findings to other regions or educational systems may be limited. Replication in different contexts is necessary to determine the broader applicability of the results.

5. Conclusions

In conclusion, this study demonstrates that awareness of data protection and key psychological constructs, namely perceived severity, perceived vulnerability, and self-efficacy, are significantly associated with the adoption of data protection strategies. Notably, these data protection strategies also correlate with data fabrication behaviors, suggesting a complex interplay between ethical intentions and practical realities. The results underscore the importance of education, targeted training, and policy reinforcement to strengthen ethical data management within teacher education and institutional contexts. Future research should adopt longitudinal approaches to examine how psychological perceptions influence data-related behaviors over time and across professional stages.

Author Contributions

Conceptualization, S.L.T.L. and W.H.; methodology, S.L.T.L. and W.H.; software, S.L.T.L. and W.H.; validation, S.L.T.L. and W.H.; formal analysis, W.H.; investigation, S.L.T.L.; resources, S.L.T.L.; data curation, S.L.T.L.; writing—original draft preparation, S.L.T.L., W.H. and W.K.C.T.; writing—review and editing, S.L.T.L. and W.H.; visualization, S.L.T.L.; supervision, S.L.T.L.; project administration, S.L.T.L.; funding acquisition, S.L.T.L. All authors have read and agreed to the published version of the manuscript.

Funding

The work was funded by the E&L School Research Fund (2023/2024), Hong Kong Metropolitan University Research Grant [grant number HE-EL2024/01].

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki (World Medical Association, 2025) and Ethical Principles of Psychologists and Code of Conduct (American Psychological Association, 2024). The study received approval from the Research Ethics Committee of Hong Kong Metropolitan University after full review [HE-EL2024/01] on 5 April 2024.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study via an online consent form between 8 April and 8 December 2024. The form detailed study objectives, participation requirements, intended data use, and the right to withdraw at any time without penalty. Participants granted consent for data use in research and authorized publication of anonymized findings. No vulnerable individuals were involved in this study.

Data Availability Statement

The datasets presented in this study can be found in online repositories. The names of the repository/repositories and accession numbers (s) can be found at: https://osf.io/w8jp2/overview?view_only=3af53f18d8ec4656a9ae4ceff4b8634a, accessed on 23 January 2026.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
IoTInternet of Things
PMTProtection Motivation Theory

References

  1. Adhikari, K., & Panda, R. K. (2018). Users’ Information privacy concerns and privacy protection behaviors in social networks. Journal of Global Marketing, 31(2), 96–110. [Google Scholar] [CrossRef]
  2. Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. [Google Scholar] [CrossRef]
  3. Akter, S., Uddin, M. R., Sajib, S., Lee, T. W. J., Michael, K., & Hossain, M. A. (2025). Reconceptualizing cybersecurity awareness capability in the data-driven digital economy. Annals of Operations Research, 350, 673–698. [Google Scholar] [CrossRef] [PubMed]
  4. American Psychological Association. (2024). Ethical principles of psychologists and code of conduct. Available online: https://www.apa.org/ethics/code (accessed on 23 January 2026).
  5. Anastasiades, P. S., & Vitalaki, E. (2011). Promoting internet safety in Greek primary schools: The teacher’s role. Journal of Educational Technology & Society, 14(2), 71–80. [Google Scholar]
  6. Arpaci, I., & Basol, G. (2020). The impact of preservice teachers’ cognitive and technological perceptions on their continuous intention to use flipped classroom. Education and Information Technologies, 25(5), 3503–3514. [Google Scholar] [CrossRef]
  7. Arpacı, D., & Bardakçı, M. (2015). Adaptation of early teacher identity measure into Turkish. Journal of Social Sciences, 14(3), 687–719. [Google Scholar] [CrossRef]
  8. CBC News. (2024, August 15). SINs, banking, and personal information stolen in U of Winnipeg cyberattack: Investigation concludes. CBC News. Available online: https://www.cbc.ca/news/canada/manitoba/university-of-winnipeg-cybersecurity-attack-information-stolen-1.7295997 (accessed on 23 January 2026).
  9. Cheng, E. C. K., & Wang, T. (2022). Institutional strategies for cybersecurity in higher education institutions. Information, 13(4), 192. [Google Scholar] [CrossRef]
  10. Coffey, L. (2023, October 25). Hackers access data of up to 230,000 at University of Michigan. Inside Higher Ed. Available online: https://www.insidehighered.com/news/quick-takes/2023/10/25/hackers-access-data-230k-university-michigan (accessed on 23 January 2026).
  11. Congress.gov. (2019). 116th congress (2019–2020): H.R. 4668—Digital citizenship and media literacy act. Available online: https://www.congress.gov/bill/116th-congress/house-bill/4668 (accessed on 23 January 2026).
  12. De Abreu, B. S. (2019). Teaching media literacy. American Library Association. [Google Scholar]
  13. Eshetu, A. Y., Mohammed, E. A., & Salau, A. O. (2024). Cybersecurity vulnerabilities and solutions in Ethiopian university websites. Journal of Big Data, 11, 118. [Google Scholar] [CrossRef]
  14. Floyd, D. L., Prentice-Dunn, S., & Rogers, R. W. (2000). A meta-analysis of research on protection motivation theory. Journal of Applied Social Psychology, 30(2), 407–429. [Google Scholar] [CrossRef]
  15. Freeman, C. (2025, April 2). Sensitive data was leaked in 2024 Highline Public Schools ransomware attack. The Seattle Times. Available online: https://www.seattletimes.com/education-lab/sensitive-data-was-leaked-in-2024-highline-public-schools-ransomware-attack/ (accessed on 23 January 2026).
  16. Grizzle, A., Moore, P., Dezuanni, M., Asthana, S., Wilson, C., Banda, F., & Onumah, C. (2013). Media and information literacy: Policy and strategy guidelines. Available online: https://unesdoc.unesco.org/ark:/48223/pf0000225606 (accessed on 23 January 2026).
  17. Guillén-Gámez, F. D., Martínez-García, I., Alastor, E., & Tomczyk, Ł. (2024). Digital competences in cybersecurity of teachers in training. Computers in the Schools, 41(3), 281–306. [Google Scholar] [CrossRef]
  18. Hair, J. F., Black, W. C., Babin, B. J., & Anderson, R. E. (2019). Multivariate data analysis (8th ed.). Cengage Learning. [Google Scholar]
  19. Herath, T., & Rao, H. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18, 106–125. [Google Scholar] [CrossRef]
  20. Hermida, M., Imlig-Iten, N., Schrackmann, I., & Marinus, E. (2022). Assessing and priming pre-service teachers’ attitudes about online privacy and their protection strategies for social networks, email and cloud storage. Teaching Education, 34(3), 265–282. [Google Scholar] [CrossRef]
  21. Hinduja, S., & Patchin, J. W. (2010). Bullying, cyberbullying, and suicide. Archives of Suicide Research, 14(3), 206–221. [Google Scholar] [CrossRef]
  22. Ho, K. (2024, December 12). Hong Kong records over 36,000 fraud cases in first 10 months of 2024; rise in scams involving bogus gov’t officials. Hong Kong Free Press. Available online: https://hongkongfp.com/2024/12/12/hong-kong-records-over-36000-fraud-cases-in-first-10-months-of-2024-rise-in-scams-involving-bogus-govt-officials/ (accessed on 23 January 2026).
  23. Ho, W. W. Y., Lau, Y. H. Y., Leung, L. Y. L., Li, E. K. L., & Ma, R. K. K. (2024). Enigma of social media use: Complexities of social media addiction through the serial mediating effects of emotions and self-presentation. Frontiers in Psychology, 15, 1448168. [Google Scholar] [CrossRef]
  24. Hong Kong Productivity Council. (2024). Hong Kong enterprise cyber security readiness index and AI security survey 2024. Available online: https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/AISecuritySurvey2024.pdf (accessed on 23 January 2026).
  25. Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83–95. [Google Scholar] [CrossRef]
  26. Javadpour, A., Ja’fari, F., Taleb, T., Shojafar, M., & Benzaïd, C. (2024). A comprehensive survey on cyber deception techniques to improve honeypot performance. Computers & Security, 40, 103792. [Google Scholar] [CrossRef]
  27. Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231–251. [Google Scholar] [CrossRef]
  28. Liu, O. (2025, July 31). Cybersecurity crime losses in Hong Kong up 15% year on year in first half of 2025. South China Morning Post. Available online: https://www.scmp.com/news/hong-kong/law-and-crime/article/3320309/cybersecurity-crime-losses-hong-kong-15-year-year-first-half-2025 (accessed on 23 January 2026).
  29. Mendez-Padilla, B. (2025, July 25). Ransomware attacks in education jump 23% year over year. Higher Ed Dive. Available online: https://www.highereddive.com/news/ransomware-attacks-education-jump-23-percent-h1-2025/754011/ (accessed on 23 January 2026).
  30. Meso, P., Ding, Y., & Xu, S. T. (2014). Applying protection motivation theory to information security training for college students. Journal of Information Privacy and Security, 9(1), 47–67. [Google Scholar] [CrossRef]
  31. Microsoft Hong Kong. (2024, November 7). Microsoft’s latest cyber signals report highlights the rising cyberattacks across higher education sector and K-12 institutions. Available online: https://news.microsoft.com/en-hk/2024/11/07/microsofts-latest-cyber-signals-report-highlights-the-rising-cyberattacks-across-higher-education-sector-and-k-12-institutions/ (accessed on 23 January 2026).
  32. Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional interventions to promote exercise participation: Protection motivation theory and implementation intentions. British Journal of Health Psychology, 7(2), 163–184. [Google Scholar] [CrossRef]
  33. National Security Agency. (2025). GenCyber. DoD cyber exchange. Available online: https://public.cyber.mil/gencyber (accessed on 23 January 2026).
  34. Ng, K. C. (2020, January 7). Hong Kong schools urged to keep closer watch on computer systems after hacker attack on nine networks. South China Morning Post. Available online: https://www.scmp.com/news/hong-kong/education/article/3045068/hong-kong-schools-urged-keep-closer-watch-computer-systems (accessed on 23 January 2026).
  35. Norman, P., Boer, H., & Seydel, E. R. (2005). Protection motivation theory. In M. Conner, & P. Norman (Eds.), Predicting health behaviour (pp. 81–127). Open University Press. [Google Scholar]
  36. Office of the Privacy Commissioner for Personal Data, Hong Kong. (2015). Children online privacy: Practical tips for parents and teachers. Available online: https://www.pcpd.org.hk/english/resources_centre/publications/files/leaflet_childrenonlineprivacy_e.pdf (accessed on 23 January 2026).
  37. Patchin, J. W., & Hinduja, S. (2010). Cyberbullying and self-esteem. Journal of School Health, 80(12), 614–621. [Google Scholar] [CrossRef]
  38. Pawlick, J., Colbert, E., & Zhu, Q. Y. (2019). A game-theoretic taxonomy and survey of defensive deception for cybersecurity and privacy. ACM Computing Surveys, 52(4), 1–28. [Google Scholar] [CrossRef]
  39. Politou, E., Alepis, E., Virvou, M., & Patsakis, C. (2022). Privacy and data protection challenges in the distributed era. Springer. [Google Scholar]
  40. Prakash, M. (2023, October 28). Ransomware group threatens to leak Stanford police data. The Stanford Daily. Available online: https://stanforddaily.com/2023/10/28/ransomware-group-threatens-to-leak-stanford-police-data/ (accessed on 23 January 2026).
  41. Pusey, P., & Sadera, W. A. (2011). Cyberethics, cybersafety, and cybersecurity: Preservice teacher knowledge, preparedness, and the need for teacher education to make a difference. Journal of Digital Learning in Teacher Education, 28(2), 82–85. [Google Scholar] [CrossRef]
  42. Rippetoe, P. A., & Rogers, R. W. (1987). Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. Journal of Personality and Social Psychology, 52(3), 596–604. [Google Scholar] [CrossRef]
  43. Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. The Journal of Psychology, 91(1), 93–114. [Google Scholar] [CrossRef]
  44. Rogers, R. W. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In J. Cacioppo, & R. Petty (Eds.), Social psychophysiology (pp. 153–177). Guilford Press. [Google Scholar]
  45. Shen, A. (2018, June 14). Cyberattacks could cost Hong Kong massive US$32 billion annually, according to study. South China Morning Post. Available online: https://www.scmp.com/news/hong-kong/hong-kong-economy/article/2150875/cyberattacks-could-cost-hong-kong-massive-us32 (accessed on 23 January 2026).
  46. Sing Tao Daily. (2025, January 10). The Education Bureau organized teacher workshops to strengthen cybersecurity education [教局辦教師工作坊加強網絡安全教學]. Sing Tao Daily. Available online: https://www.stheadline.com/article/3418321/%E6%95%99%E5%B1%80%E8%BE%A6%E6%95%99%E5%B8%AB%E5%B7%A5%E4%BD%9C%E5%9D%8A%E5%8A%A0%E5%BC%B7%E7%B6%B2%E7%B5%A1%E5%AE%89%E5%85%A8%E6%95%99%E5%AD%B8#goog_rewarded (accessed on 23 January 2026).
  47. The Canadian Press. (2025, May 7). Toronto school board says it got a ransom demand over stolen student data. Global News. Available online: https://globalnews.ca/news/11169149/tdsb-cyber-attack-ransom-demand-student-data/ (accessed on 23 January 2026).
  48. The Government of the Hong Kong Special Administrative Region. (2023, May 27). Police force engages in metaverse exploring threats and opportunities of Web3. Available online: https://www.info.gov.hk/gia/general/202305/27/P2023052700671.htm (accessed on 23 January 2026).
  49. The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau. (2019). Information security in schools—Recommended practice (September 2019). Available online: https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html (accessed on 23 January 2026).
  50. The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau. (2024a). “Information literacy for Hong Kong students” learning framework (2024). Available online: https://www.edb.gov.hk/attachment/tc/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Literacy/IL_learningFramework/InformationLiteracyforHongKongStudentsLearningFramework(2024)_20250320_ENG.pdf (accessed on 23 January 2026).
  51. The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau. (2024b). Introduction to information literacy for Hong Kong students. Available online: https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/information-literacy/il-index.html (accessed on 23 January 2026).
  52. The Government of the Hong Kong Special Administrative Region of the People’s Republic of China, Education Bureau. (2025). STEAM related teacher professional development programmes. Available online: https://www.edb.gov.hk/en/curriculum-development/kla/technology-edu/resources/STEAM_Related_Teacher_Professional_Development_Programmes/resources.html (accessed on 23 January 2026).
  53. The Standard. (2024, May 10). Over 8,100 affected as HK college falls victim to cyber attack. The Standard. Available online: https://www.thestandard.com.hk/breaking-news/article/216252/ (accessed on 23 January 2026).
  54. van ’t Hoff-de Goede, M. S., Leukfeldt, E. R., van de Weijer, S. G. A., & van der Kleij, R. (2025). Does protection motivation predict self-protective online behaviour? Comparing self-reported and actual online behaviour using a population-based survey experiment. Computers in Human Behavior Reports, 18(2025), 100649. [Google Scholar] [CrossRef]
  55. Wani, A. T., Mendoza, A., Gray, K., & Smolenaers, F. (2022). Status of bring-your-own-device (BYOD) security practices in Australian hospitals—A national survey. Health Policy and Technology, 11(3), 100627. [Google Scholar] [CrossRef]
  56. Willard, N. E. (2007). Cyberbullying and cyberthreats: Responding to the challenge of online social aggression, threats, and distress. Research Press. [Google Scholar]
  57. Wilson, C. (2012). Media and information literacy: Pedagogy and possibilities. Comunicar, 20(39), 15–24. [Google Scholar] [CrossRef]
  58. Wilson, C., Grizzle, A., Tuazon, R., Akyempong, K., & Cheung, C. K. (2011). Media and information literacy curriculum for teachers. UNESCO. [Google Scholar]
  59. Woon, I., Tan, G. W., & Low, R. (2005). A protection motivation theory approach to home wireless security. International Conference on Information Systems 2005 Proceedings, 31, 367–380. [Google Scholar]
  60. Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799–2816. [Google Scholar] [CrossRef]
  61. World Medical Association. (2025). WMA Declaration of Helsinki—Ethical principles for medical research involving human subjects. Available online: https://www.wma.net/policies-post/wma-declaration-of-helsinki-ethical-principles-for-medical-research-involving-human-subjects/ (accessed on 23 January 2026).
  62. Wu, M. M. (2004). Information literacy and media literacy: Literacies and literacy education in the digital age [資訊素養與媒體素養—數位時代的素養與素養教育]. Taiwan Education, 629, 9–14. [Google Scholar] [CrossRef]
  63. Wurtele, S. K. (1988). Increasing women’s calcium intake: The role of health beliefs, intentions, and health value. Journal of Applied Social Psychology, 18(8), 627–639. [Google Scholar] [CrossRef]
  64. Wurtele, S. K., & Maddux, J. E. (1987). Relative contributions of protection motivation theory components in predicting exercise intentions and behavior. Health Psychology, 6(5), 453–466. [Google Scholar] [CrossRef] [PubMed]
  65. Yeboah-Boateng, E. O., & Boaten, F. E. (2016). Bring-Your-Own-Device (BYOD): An evaluation of associated risks to corporate information security. International Journal of Information Technology & Engineering, 4(8), 12–30. [Google Scholar] [CrossRef]
  66. Yusif, S., & Hafeez-Baig, A. (2023). Cybersecurity policy compliance in higher education: A theoretical framework. Journal of Applied Security Research, 18(2), 267–288. [Google Scholar] [CrossRef]
Education 16 00196 g001
Figure 1. The training model for future cybersecurity education.
Figure 1. The training model for future cybersecurity education.
Education 16 00196 g001
Table 1. Participants’ Characteristics (N = 120).
Table 1. Participants’ Characteristics (N = 120).
n%
GenderMale 1210.0
Female 10688.3
Non-binary21.7
Age (years)Young Adults (aged 18–35 years)11394.2
Middle Adults (aged 36–55 years)75.8
Educational attainmentSecondary 4–6/university preparatory school2823.3
Sub-degree program (e.g., certificate, higher
diplomas, diplomas)		3327.5
Bachelor’s degree5041.7
Master’s, postgraduate diploma, postgraduate certificate, postgraduate diploma in education)65.0
PhD, EdD21.7
Other10.8
Employment statusWorking full-time1613.4
Working part-time1512.5
Student (pre-service training)8873.3
Other10.8
Teaching experience5 years or below10688.3
6 to 10 years 54.2
11 to 15 years 32.5
16 to 20 years 32.5
21 years or above32.5
School settingsEarly childhood setting4638.3
Primary school65.0
Secondary school21.7
Tertiary education4638.3
Other2016.7
Funding sourcePublic2420.0
Private7663.3
N/A37.5
Table 2. Use of Social Media Platform, Email, and Cloud Storage (N = 120).
Table 2. Use of Social Media Platform, Email, and Cloud Storage (N = 120).
n%
Social mediaFacebook 9579.2
Instagram11797.5
LinkedIn2117.5
Signal10.8
Snapchat6050.0
Threads21.7
TikTok2016.7
Twitter5041.7
WeChat7764.2
WhatsApp11091.7
Xiaohongshu5646.7
EmailGmail11898.3
Yahoo mail4436.7
Outlook10587.5
iCloud mail4235.0
QQ mail1411.7
Cloud storageGoogle Drive10789.2
iCloud9377.5
Dropbox108.3
OneDrive10.8
Google photo10.8
Table 3. Teachers’ Perception of Student Information as Sensitive Data (N = 120).
Table 3. Teachers’ Perception of Student Information as Sensitive Data (N = 120).
Teachers’ Perception of Student Information as Sensitive Data n%
Student name8369.2
Student address11495
Student parents’ information11091.7
Students’ academic results8268.3
Others (e.g., students’ age, birth date, sex, special needs, race)120100
Table 4. Means, Standard Deviations, and Correlations among the Variables (N = 120).
Table 4. Means, Standard Deviations, and Correlations among the Variables (N = 120).
VariableMSD1234
  • Awareness of Data Protection
16.472.690.36
2.
Perceived Severity, Perceived Vulnerability, and Self-efficacy
143.3126.020.28 **0.92
3.
Data Protection Strategies
60.2410.910.27 **0.47 ***0.79
4.
Data Fabrication Strategies
8.153.23−0.090.110.31 ***0.88
Note. Values on the diagonal are the Cronbach’s α coefficients. ** p < 0.01.*** p < 0.001.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Leung, S.L.T.; Ho, W.; Tam, W.K.C. Professional Development in Enhancing Teachers’ Cybersecurity Awareness: Current Status and Future Directions of Media Literacy Training. Educ. Sci. 2026, 16, 196. https://doi.org/10.3390/educsci16020196

AMA Style

Leung SLT, Ho W, Tam WKC. Professional Development in Enhancing Teachers’ Cybersecurity Awareness: Current Status and Future Directions of Media Literacy Training. Education Sciences. 2026; 16(2):196. https://doi.org/10.3390/educsci16020196

Chicago/Turabian Style

Leung, Suzanne Lok Tung, Wing Ho, and Warren Ka Chun Tam. 2026. "Professional Development in Enhancing Teachers’ Cybersecurity Awareness: Current Status and Future Directions of Media Literacy Training" Education Sciences 16, no. 2: 196. https://doi.org/10.3390/educsci16020196

APA Style

Leung, S. L. T., Ho, W., & Tam, W. K. C. (2026). Professional Development in Enhancing Teachers’ Cybersecurity Awareness: Current Status and Future Directions of Media Literacy Training. Education Sciences, 16(2), 196. https://doi.org/10.3390/educsci16020196

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Article metric data becomes available approximately 24 hours after publication online.
Back to TopTop