A Comparative Assessment of Human Factors in Cybersecurity: Implications for Cyber Governance

This paper provides an extensive overview of cybersecurity awareness in the young, educated, and technology-savvy population of the United Arab Emirates (UAE), compared to the United States of America (USA) for advancing the scholarship and practice of global cyber governance. We conducted comparative empirical studies to identify differences in specific human factors that affect cybersecurity behaviour in the UAE and the USA. In addition, we employed several control variables to observe reliable results. We used Hofstede’s theoretical framework on culture to advance our investigation. The results show that the targeted population in the UAE exhibits contrasting interpretations of cybersecurity awareness of critical human factors as compared to their counterparts from the USA. We identify possible explanations for this relatively different behaviour in the UAE population. Our key contributions are to provide valuable information for cybersecurity policymakers in the UAE and Gulf Cooperation Council (GCC) region to further enhance cyber safety, governance, awareness, and trust among citizens.


I. INTRODUCTION
Cybersecurity and cyber vulnerabilities are usually attributed to various physical, humanistic, or social factors. Many global institutional policymakers and governments prefer building more robust physical infrastructures to counter them. This phenomenon is also recognized as the outdated "Castle Model," according to which thick defense boundaries (or walls) are built around the system to protect against security breaches [1], [2], [3]. The Castle Model helps protect; however, due to cultural diversity, complex socio-technical systems, and cybersecurity awareness levels among global populations, governments struggle to eradicate these cyber risks. Therefore, an evidence-based investigation of human factors and cyber risk awareness levels is required to build a holistic cybersecurity framework.
The associate editor coordinating the review of this manuscript and approving it for publication was Liang-Bi Chen.
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes [4]. Information security awareness plays an essential role in preventing cybercrimes [5], [6]. Due to a lack of understanding of cybersecurity risks, online user behaviour becomes vulnerable to cybercrimes. According to a general observation, global Internet users possess divergent online habits and behaviors. Given the vast Internet connectivity and diversity worldwide, it is challenging to educate people about the correct behaviours to preserve cybersecurity. To support this point, according to the Cybersecurity Exposure Index, the United States of America (USA) has one of the lowest exposure rates of 0.145, while the United Arab Emirates (UAE) has a comparatively higher exposure index of 0.359.
Consequently, the Gulf Cooperation Council (GCC) region seems more exposed to cyberattacks than the United States of America (USA). Recent research suggests a significant lack of security awareness among GCC countries' citizens compared to the USA [7]. Among European countries, Finland tops the Cybersecurity Exposure Index list with a score of 0.11, whereas Afghanistan ranks the lowest with a 1.0 score. These facts illustrate significant differences in the cybersecurity risk awareness of various countries. We suspect that global cybersecurity exposure scores result from behavioural aspects of human factors that influence cybersecurity awareness. For instance, the diversity between cultures, socioeconomic characteristics, digital divide, education, and beliefs of people living in the GCC countries versus the USA directly influences these rankings.
Furthermore, there is a gap in the literature that examines the linkages between various human factors of Internet users living in different regions or countries. Some users' positive attitudes toward cybersecurity in a specific region could pose a striking contrast with the negative or indifferent attitudes in another. Prior literature investigated human-centric factors that interplay with autonomous systems [50] and cybersecurity awareness. However, most of these studies focus on business environments (for instance, investigating employees' behaviour and their implications for organizations) or lack empirical evidence [9], [10], [11].
Recently, two separate cyberattacks in Canada compromised thousands of citizens' identities using the Canada Revenue Agency (CRA) portal, disseminating employment insurance, child care, and other critical social benefits to its citizens [12]. It has further implications, as it occurred during the ever-testing times of the COVID-19 pandemic. As a result, the Canadian government temporarily shut down its CRA portal, which is critical for supporting many citizens, to avoid further damage. According to some experts, a major factor contributing to this breach is "credential stuffing," which refers to individuals re-using their username and password on multiple websites and applications. Similarly, in other countries, such as Saudi Arabia and UAE, a well-reputed Information Technology (IT) firm, IBM, recently estimated that there would be a yearly increase of 9.4% in the cost of data breaches in 2020 [13]. Given the alarming rates at which cybercrime has grown globally, it is an urgent issue that researchers must explore further. Previously, it was reported that black-hat hackers have caused a 20% loss in companies' clientele, which translates to a decline in revenues [14]. This makes cybersecurity a topic of deep interest for scholars and practitioners.
Hackers typically exploit Internet users based on their online behaviours and habits. Due to cultural differences between humans, these factors vary globally. Overwhelming evidence demonstrates that cybersecurity awareness among individuals can significantly counter these threats. However, this area lacks proper empirical inquiry [15]. We believe investigating cybercrime awareness among different world regions could significantly contribute to understanding the cybersecurity phenomenon. To fill this gap in the literature, we decided to focus on two culturally different regions: we study the UAE and compare the outcomes of cybersecurity awareness to a similar population in the USA. In this exploratory study, we addressed these two questions:
1. Which specific human factors affect cybersecurity behaviour in diverse cultures, such as the UAE and USA? Why is it important to draw this comparison?
2. How can these findings benefit governments at a global level to enhance cybersecurity policymaking?
We acknowledge that including other regions will broaden our understanding of global cybersecurity awareness issues. However, to manage this study's scope, we restricted our inquiry to draw a comparison between the UAE and USA populations as a first step. In the future, our goal will be to compare the state of cybersecurity awareness among other regions of the world and provide guidance to policymakers at a global level.
To investigate the first question, we decided to employ an existing cybersecurity awareness survey instrument, called the Human Aspects of Information Security Questionnaire (HAIS-Q), a validated and reliable instrument [16]. However, when we conducted a pre-test of this instrument on our targeted UAE population, we experienced non-responsiveness due to our participants' inability to understand some factors properly. This experience proved to be consistent with the findings of a study conducted by the Pew Research Center on the ineffectiveness of using existing cybersecurity questionnaires on the American population. We attempted to simplify further and adapt these questions. However, that also proved to be futile. We realized that instruments such as HAIS-Q would not capture the correct picture of cybersecurity awareness, especially among our targeted population in the UAE. Therefore, we decided to conduct an exploratory study to enlist factors that define the cybersecurity awareness construct more accurately for the UAE population. This exploratory study involved a systematic literature review and interviews with five global cybersecurity experts from the UAE and North America. A convenience sampling technique was employed to select these experts. Two expert respondents were recruited from the UAE, and the interviews were conducted online. Three experts representing the USA were recruited, and the interviews were conducted in person. On average, each interview took about fifty minutes to complete. We then designed a survey instrument to collect responses from our targeted populations in the UAE and the USA.
In the following sections, we outline the theoretical framework for our research and highlight factors that prior literature and cybersecurity expert panelists identify as contributing to cybercrime incidents globally, especially in the GCC countries. Subsequently, we describe the process of survey instrument development and research method. We then share the study results and offer an extensive discussion on GCC countries' state-of-the-art information security awareness. Our discussion mainly features these six factors contributing to cybercrimes in the GCC region: the growth of the user base, lack of security awareness programs, inadequate laws and regulations, limited education, culture, and the Internet gender gap. We propose various interventions that relevant stakeholders, such as governments or other lawmaking authorities, can implement to improve cybersecurity awareness in different regions. Several interventions can be implemented to prevent cybercrimes, such as capacity-building initiatives, security awareness/training programs, and legislation. In particular, prior research has demonstrated that an increased emphasis on security training programs leads to fewer cybersecurity incidents [17]. Finally, we conclude with a summary to offer practical recommendations for policymakers. We believe that our findings will contribute to a greater theoretical and practical understanding of cybersecurity in different regions and assist multiple stakeholders, such as governments, business communities, and the public, in creating awareness around information security at a global level.

II. THEORETICAL FRAMEWORK
In order to address our above-mentioned research questions, we use Hofstede's theoretical framework on culture. Hofstede's model provides valuable insights into cross-cultural relationships' dynamics, which can be applied directly to our research theme. In his framework, Hofstede discovered that four dimensions characterize differences across various cultures: Power Distance (PD), Individualism-Collectivism (IC), Masculinity-Femininity (MF), and Uncertainty Avoidance (UA) [18]. These four dimensions can draw comparisons between factors that impact cybersecurity behavior in the UAE and USA.
Hofstede's cultural dimensions theory provides valuable insights into the impact of cultural differences on cybersecurity strategies in the USA and UAE. In the USA, a culture characterized by low power distance, individualism, and low uncertainty avoidance shapes the approach to cybersecurity [19], [26]. This translates into an emphasis on personal privacy and individual responsibility in protecting online information. The competitive nature of the society fosters a focus on technological dominance and proactive measures to secure cyber assets. Additionally, the culture's low uncertainty avoidance encourages a willingness to adopt new technologies and adapt to emerging threats promptly. Conversely, the UAE's cultural landscape, marked by high power distance, collectivism, and high uncertainty avoidance, has implications for cybersecurity. The emphasis on hierarchical structures and respect for authority promotes a centralized approach to cybersecurity, with a reliance on designated authorities to protect shared resources. Furthermore, the high uncertainty avoidance drives a conservative approach, favoring established security practices and validated technologies over unproven solutions.
To start with, power distance is a relevant dimension that affects cybersecurity behavior in the UAE culture. Power Distance (PD) refers to the extent to which unequal distributions of power and wealth are tolerated within certain countries [20]. Individuals who uphold hierarchy positions demonstrate considerable power in high power distance cultures. In contrast, in low power distance cultures, individuals are less likely to accept hierarchical inequality and participate in decision-making [21]. For example, Hofstede Insights indicates that Saudi Arabia scores high on this dimension with a score of 95. This research demonstrates that citizens in the country follow a hierarchical order in which everyone has a status and requires no justification [22]. This cultural dimension tends to represent an obstacle and has a negative effect on the country's information security practices [21]. Thus, power distance is a factor that affects cybersecurity practices in UAE culture. Whereas power distance tends to be higher in the UAE, the United States has a comparatively lower score on this dimension [22]. Since Americans are less likely to accept rigid power structures, this dimension does not significantly impact their information security practices. In this regard, Hofstede's framework can draw comparisons between cybersecurity behaviors in the UAE and the USA.
Another cultural dimension of Hofstede's framework that impacts cybersecurity behavior in the UAE is individualism-collectivism. According to [20], this scale is a measure of whether people prefer to work within groups or alone. Individualist cultures value personal accomplishments over group achievements, whereas collectivist cultures emphasize the group's well-being rather than individual desires [23]. To illustrate this point, Saudi Arabia is a country that measures high on collectivism and low on individualism [24]. This may suggest that Saudi society is less likely to implement and adopt cybersecurity practices in their culture. In contrast, the United States is an individualistic country with independent values [22]. Given its high individualism, the USA is more likely to integrate cybersecurity practices into its culture. For instance, a recent study found that countries from national cultures that express individualism tend to perform better in cybersecurity development [25]. Given its highly individualistic culture, the United States has a high level of cybersecurity development. Therefore, individualism-collectivism may explain differences in cybersecurity behavior between the UAE and the USA.
The Masculinity and Femininity (MF) aspect of Hofstede's cultural model represents societal values, ranging from the pursuit of achievement, heroism, assertiveness, and material success (masculinity), to favoring cooperation, modesty, care for the vulnerable, and a focus on life quality (femininity) [26]. These cultural preferences could shape individual attitudes towards cybersecurity procedures, the understanding of cyber threats, and the emphasis placed on cybersecurity strategies. We believe that there is a potential difference in the MF dimension between the United Arab Emirates (UAE) and the United States (USA) populations, which may influence cybersecurity behaviors. The USA, scoring highly on the masculinity scale, tends to prioritize achievement and success, possibly leading to a competitive approach to cybersecurity awareness. Conversely, the UAE, with a tendency towards the femininity side of the scale, appears to adopt a cooperative stance, emphasizing collective responsibility for cyber safety [26]. These cultural distinctions are expected to provide valuable insights into the divergent cybersecurity behaviors we plan to further examine in our study. Hofstede's initial survey had estimation errors, particularly in the masculinity-femininity dimension, challenging the notion that the US society is more feminist than the UAE [27].
The final aspect of Hofstede's framework that affects cybersecurity behavior in the Middle East is uncertainty avoidance. Alamri et al. [28] define uncertainty avoidance as the degree to which members of a culture feel a sense of threat in ambiguous or uncertain situations. Research suggests that Arab countries such as Saudi Arabia measure high on this dimension. Given their high levels of uncertainty avoidance, countries in the Middle East are less likely to integrate new technologies and cybersecurity practices into their culture [29]. On the other hand, the opposite is true when it comes to the United States. Unlike the UAE's fear of uncertainty, the USA has been found to score only a moderate degree on this dimension. This indicates that the country shows a fair degree of acceptance and is willing to be exposed to new experiences [30]. The USA places great value on technology, innovation, and individual initiatives and embraces new scientific advancements. Consequently, Patton [30] proposes that the USA is more likely to adopt cybersecurity practices than other countries. Therefore, uncertainty avoidance is a cultural factor highlighting significant discrepancies between cybersecurity behavior in the UAE and the USA.
In summary, Hofstede's framework can be used to inform researchers about cybersecurity policy development. Exploring the specific themes or human factors that cause a difference in cybersecurity practices and their implications remains under investigation. Therefore, the central focus of this paper is to expand on the cultural differences, as indicated by Hofstede's framework, between the tech-savvy and educated populations in the UAE and USA, and then identify human factors that affect cybersecurity behaviour in these diverse cultures. Theoretically, it is evident from the above discussion on Hofstede's framework that the citizens in the UAE and USA regions belong to opposite poles on the power distance, individualism-collectivism, masculinity-femininity, and uncertainty avoidance continuums. Prior research points to cultural and behavioral differences between the tech-savvy, educated populations in the USA and UAE, especially regarding cybersecurity awareness [26], [14]. However, very little is known about certain human factors, such as cognitive biases and social influences, that would help to better understand the human dimension of cybersecurity. Our hypothesis suggests these factors will reveal cultural and behavioral differences in newly identified cybersecurity awareness constructs among these populations. Thus, we hypothesize that:
H1: the tech-savvy and educated populations in the UAE and USA regions will predominantly demonstrate cultural and behavioural differences with respect to the newly elicited cybersecurity awareness constructs and overlooked human factors.
We believe that this comparative investigation will allow the governments and relevant law enforcement agencies in the UAE region to further enhance cybersecurity policymaking and reduce cybersecurity risks for their citizens.

III. RESEARCH METHOD
A. SURVEY INSTRUMENT
We used a causal-comparative research design to determine the difference in cybersecurity awareness between two distinct groups (respondents from the UAE versus respondents from the USA). We ensured that education, gender, age group, and qualification were controlled (see Table 1 for details). We have discussed the effects of these variables on the cybersecurity practices in detail in the descriptive statistical section below. A minimum sample size of 122 respondents from our targeted populations was estimated using the G*Power 3.0 program [32].
In addition to systematically reviewing prior literature, the survey was developed in consultation with five global cybersecurity experts specializing in cybersecurity awareness and cybercrime prevention. The sampling strategy was designed to target individuals with expertise and experience in the specific topic of cybersecurity. We employed rigorous selection criteria, including pre-screening measures and targeted recruitment from professional networks, to ensure the inclusion of knowledgeable participants. Semi-structured interviews were initially carried out with these experts to develop questions for the survey. The interviews lasted thirty to forty-five minutes each. The experts were asked to list the most common cybercriminal activities in the global and GCC regional contexts. The results of the interview process were structured and coded using NVivo 12 Pro. We later applied thematic analysis to identify themes (also referred to as constructs) that helped us craft the survey questions. As a result, only one construct emerged, termed cybersecurity awareness, consisting of fourteen items (questions) about preventative practices, experiences with cybercrimes, and perceptual reflections about feeling safe and secure online.

1) DESCRIPTIVE SECTION
In total, our survey consisted of thirty questions. The first question was set up to gather consent from the study participants. We asked four demographic questions about age, gender, professional, and educational background, categorized as control variables in the study. In addition to the fourteen Likert scale questions (to measure the cybersecurity awareness construct), we also carefully crafted another eleven descriptive questions that shed light on other important factors, such as experiences and reporting of cybercrimes, password compositions, the prevalence of protective software, the ranking of common cybercrimes, and monetary loss.
VOLUME 11, 2023 87973

2) CYBERSECURITY AWARENESS
Our resultant theme of cybercrime awareness outlines several sub-categories. These factors have been deduced from an extensive literature review and from constructs elicited from our five cybersecurity experts. Within this category, while developing the survey instrument, we inquired about whether individuals opened emails received from unknown sources or not. We also probed about users storing important documents or credentials, such as credit card information, in the web browser. Other important issues were also highlighted: how often users secure their data or files using a password or encryption techniques, and how often they check the security features of a website before sharing sensitive information online. We further explored how often online users update their social media apps or devices and how often they change their account passwords or privacy settings. Lastly, we wanted to know how comfortable users feel about the multi-factor authentication techniques that many social media accounts require to function.
Furthermore, we inquired about the frequency of phishing requests. For instance, how often do users receive fake urgent requests in an email to reset their password? We also investigated whether participants' close family or friends also fell victim to phishing attacks or received messages from fake accounts/strangers. We then asked about how common cyberbullying is, and whether participants of the study have experienced it themselves or witnessed it being done to others. Among related issues was how secure users felt about sharing information on social media and performing online banking. Lastly, we wanted to inquire whether respondents have awareness or experience of Artificial Intelligence (AI) agents, such as "bots" operating in the social media space.
A 7-point Likert scale was used in the survey to explore potential differences between respondents from the UAE and respondents from the USA. On this scale, 1 depicted "Not at all," and 7 described "A great deal/Regularly." Both these survey studies were administered online using the SurveyMonkey® tool.
This study is notable for its comprehensive analysis of human factors and their influence on cybersecurity practices. It adopts a unique comparative approach, examining cultural and organizational contexts in the USA and UAE regions, to provide valuable insights for stakeholders. By highlighting the significance of addressing human vulnerabilities and decision-making in cybersecurity, the research contributes to the improvement of practices and policies in this field. To design more effective cybersecurity technologies, it is essential to incorporate human factors into the systems' design, considering cultural considerations. Traditional technologies have often focused excessively on infrastructure, following a one-size-fits-all approach, such as the castle model. However, for policymaking, it is crucial to tailor strategies to address the specific cultural needs of the local context. The approach should be flexible, acknowledging the heterogeneity of factors in the local landscape.

B. PARTICIPANTS
Study participants were initially screened to determine whether they met the inclusion and matching criteria. We set the criteria to include participants who have completed secondary education and are pursuing or have already pursued professional education. After receiving ethics approval from our institution's Office of Research Ethics to conduct the study with human participants, we circulated the survey to a well-reputed post-secondary institution in the UAE. Our survey instrument remained open for three weeks to collect responses. To recruit our participants from the USA, we used Amazon Mechanical Turk and restricted the settings to only recruit participants from that region. On average, the questionnaire took 10 minutes to complete. A total of 157 individuals participated in the survey from the USA and 176 from the UAE. There were no incomplete responses from our USA sample. However, eleven respondents from the UAE submitted incomplete survey responses, which failed to meet the inclusion criteria and were excluded from our analysis. As a result, 157 and 165 survey responses from the USA and UAE regions, respectively, were used for further statistical analyses. The survey was conducted independently, without sponsorship from an organization. This was done to ensure unbiased data collection and research integrity. Additionally, we collected demographic information to identify any biases and employ statistical controls while conducting data analysis. The respondents' demographic details are presented in Table 1.
The overwhelming majority of respondents from the USA and UAE have a background in Science, Technology, Engineering, and Mathematics (STEM) related education/professions. According to our survey, the following branches refer to STEM disciplines: IT, enterprise systems, cybersecurity, computer sciences, engineering, mathematics, life sciences, and physical sciences. Respondents could select as many options in this question as they desired. We received 163 (103.2%) responses from the USA sample in the STEM category, whereas 217 (131.73%) respondents picked this discipline from the UAE sample. This similarity in age groups, education, gender, and professional backgrounds in these two populations helps us draw meaningful conclusions.

IV. RESULTS
This section provides a detailed descriptive analysis of categories, such as experiences and reporting of cybercrimes, password compositions, the prevalence of protective software, the ranking of common cybercrimes, and monetary losses. Also, we conducted a statistical analysis of the cybersecurity awareness questionnaire (fourteen 7-point Likert questions) by drawing comparisons among the means of two groups (i.e., the UAE and the USA).
Similarly, in another question, we asked whether people in their close circle (e.g., family, friends, and relatives) experienced or suspected a cybercrime situation. The majority, 65.61%, of respondents from the USA picked "Yes," versus 39.39% from the UAE sample. At a similar level, 14.01% from the USA and 18.10% from the UAE picked "No" as their choice. Fewer, 10.83% of respondents from the USA, picked "Probably Yes," versus 24.85% of respondents from the UAE. Very few, 2.55% from the USA sample, answered "Probably Not," whereas 10.91% from the UAE picked this answer. An almost similar number of respondents (7.01% from the USA and 6.67% from the UAE) picked "Don't Know" as their response.
Amongst devices, the majority (75.16%) of the USA respondents reported that they experienced or suspected cybercrime while using a laptop. These figures dropped significantly for operating a gaming console (7.01%), Apple iPhone (8.92%), and smartwatch (18.47%). On the other hand, Android phones (28.03%) and desktop computers (47.77%) ranked somewhere in the middle. The same respondents also revealed that they mainly experienced such cybercrime incidents at their workplace/university (61.15%) and home (59.87%), followed by public places (20.38%), such as shopping malls and airports. In comparison, the majority (66.05%) of our UAE respondents believe that they have experienced cybercrime incidents on their Apple iPhones. This finding seems counterintuitive and warrants further research. Generally, Apple products are considered to be much safer than other devices. Our respondents from the UAE also reported laptops at the second position (56.79%), followed by Android phones (46.30%). Their responses about gaming consoles (12.35%) and smartwatches (4.94%) appeared very similar to their counterparts in the USA. The majority (82.72%) of the UAE respondents mentioned that they experienced cybercrime incidents at home. Approximately 31% and 25% experienced it in public places and workplaces/universities, respectively. In this particular question, respondents could select multiple options.

2) REPORTING OF CYBERCRIMES
When asked whether they report digital or online crimes to a security agency, about 67% said "Yes" from the USA, compared to only 31.52% from the UAE. About 39% of the UAE indicated that they do not possess much knowledge about reporting cybercrimes to relevant authorities, compared to only 2.55% from the USA. This finding provides an opportunity for relevant stakeholders, such as the government, educational institutions, organizations, and law enforcement agencies in the UAE, to better educate citizens about reporting cybercrimes.

3) PASSWORD COMPOSITION
We also inquired about how many different passwords respondents use to operate online (i.e., using banks, social media accounts, online shopping portals, etc.). The majority, 49.7% of respondents from the UAE region, picked 3 to 4 passwords to respond to this question. This outcome is similar to the USA sample, where 54.14% picked the same 3 to 4 passwords option. We also asked them about what constitutes their passwords. This question allowed respondents to choose as many options as they deemed fit. We noticed that our UAE respondents showed all the best practices, picking almost all of the categories: at least 6 to 8 characters (86.06% versus 63.33% in the USA); at least an uppercase letter (84.24% versus 43.31% in the USA); at least a lowercase letter (76.97% versus 46.5% in the USA); at least a number (80% versus 37.58% in the USA); and at least a special character (69.7% versus 28.03% in the USA).

4) PREVALENCE OF PROTECTED SOFTWARE
In response to our question about installing security software, such as antivirus, anti-spyware, and firewalls on their systems, 80.89% of respondents in the USA said "Yes," versus 68.48% in UAE. Almost 15% of the UAE respondents mentioned that they do not know about it, compared to only 3.18% from the USA.

5) RANKING COMMON CYBERCRIMES
In particular, we asked whether respondents believe that their social media accounts have been hacked. In summary, 68.15% from the USA said "Yes," compared to 52.12% from the UAE. A larger number of respondents, 24.24% from the UAE, answered that they did not know, compared to only 6.37% from the USA.

6) MONETARY LOSSES
The majority of study participants (52.87%) from the USA mentioned that they or people in their close circle had incurred a monetary loss between US$ 1 and US$ 1,499, while 22.93% reported losses between US$ 1,500 and US$ 2,999. Similarly, only 12.74% reported losses between US$ 3,000 and US$ 9,999, while 11.04% reported no losses. Compared to this, the majority (58.18%) in the UAE reported that they or people in their close circle had not incurred any monetary losses. Almost 26% of them reported losses between AED 1 and AED 4,999 (approximately US$ 1 and US$ 1,500). Only 9.09% suffered losses between AED 5,000 and AED 9,999 (approximately US$ 1,500 and US$ 2,999). In contrast, 6.67% reported a loss between AED 10,000 and AED 50,000 (approximately US$ 3,000 and US$ 15,000).

B. STATISTICAL ANALYSIS OF CYBERSECURITY QUESTIONNAIRE
An independent sample t-test was used in this study. There were no outliers in the data, as assessed by inspection of a boxplot. The results were normally distributed, as assessed by Shapiro-Wilk's test (p > .05), and variances were homogeneous, as assessed by Levene's test for equality of variances (p = .164). All descriptive statistics, such as the mean and standard deviations, are shown in Table 2. The outcomes of this research study indicate that there are several areas in which cybersecurity awareness among respondents from the UAE is statistically significantly different from their counterparts in the USA. We first ran the study in the UAE. Based on the demographics, we set similar controls on Mechanical Turk to ensure the experiment's demographic makeup was similar to the USA data set. Additionally, we observed similar outcomes by comparing the males in the UAE population (n = 42) to the USA population (n = 40). These steps enabled us to control for gender bias in our study.
This questionnaire consisted of fourteen Likert-scale (7-point) questions. The scale had a high internal consistency level, as determined by a Cronbach's alpha of 0.794. We believe that translating the questionnaire into the local languages (instead of relying on local interpreters to conduct questionnaires), bringing clarity to item wording, limiting redundancy, and adding more items when aligned with the measured construct might further enhance the internal consistency scores. These steps could increase the internal consistency and reliability of future questionnaires. The results of the t-test (in Table 3) indicate that items 1, 3, and 4 were statistically insignificant, whereas the remaining items, 2 and 5 to 14, were statistically significant.
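The analysis described above (Cronbach's alpha for scale reliability, then an independent-samples t-test per Likert item under the equal-variance assumption) can be reproduced as follows. This is an added example, not the authors' code: the response data is constructed, only four items are used instead of fourteen, and the function names and the critical value for df = 10 are assumptions of the example.

```python
"""Added illustration: scale reliability and per-item group comparison.

All responses below are constructed for the example; they are not the paper's data.
"""
from math import sqrt
from statistics import mean, variance  # variance() is the sample variance (n - 1)

# Constructed 7-point Likert answers: one row per respondent, one column per item.
USA_SAMPLE = [
    [6, 5, 6, 3], [7, 6, 6, 4], [5, 5, 5, 2],
    [6, 6, 7, 4], [7, 7, 6, 3], [5, 4, 5, 2],
]
UAE_SAMPLE = [
    [6, 3, 4, 2], [7, 2, 3, 3], [5, 3, 3, 1],
    [6, 4, 4, 3], [7, 3, 5, 2], [5, 2, 3, 1],
]

# Two-tailed critical t for alpha = 0.05 with df = 6 + 6 - 2 = 10 (standard table value).
T_CRIT_DF10 = 2.228


def _check(responses):
    """Reject empty or ragged response matrices before computing anything."""
    if len(responses) < 2 or len({len(r) for r in responses}) != 1:
        raise ValueError("need >= 2 respondents with the same number of items")


def cronbach_alpha(responses):
    """Internal consistency: k/(k-1) * (1 - sum(item variances) / variance(totals))."""
    _check(responses)
    k = len(responses[0])
    if k < 2:
        raise ValueError("Cronbach's alpha needs at least two items")
    item_vars = [variance([r[i] for r in responses]) for i in range(k)]
    total_var = variance([sum(r) for r in responses])
    if total_var == 0:
        raise ValueError("total scores do not vary; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def pooled_t(a, b):
    """Student's t with pooled variance; valid when variances are homogeneous."""
    na, nb = len(a), len(b)
    df = na + nb - 2
    sp2 = ((na - 1) * variance(a) + (nb - 1) * variance(b)) / df
    if sp2 == 0:
        raise ValueError("no variance in either group; t is undefined")
    return (mean(a) - mean(b)) / sqrt(sp2 * (1 / na + 1 / nb)), df


def compare_items(group_a, group_b, t_crit):
    """Return (item index, t statistic, significant?) for every item."""
    _check(group_a)
    _check(group_b)
    rows = []
    for i in range(len(group_a[0])):
        t, _df = pooled_t([r[i] for r in group_a], [r[i] for r in group_b])
        rows.append((i, t, abs(t) > t_crit))
    return rows


if __name__ == "__main__":
    print(f"alpha (pooled sample) = {cronbach_alpha(USA_SAMPLE + UAE_SAMPLE):.3f}")
    for i, t, sig in compare_items(USA_SAMPLE, UAE_SAMPLE, T_CRIT_DF10):
        verdict = "significant" if sig else "not significant"
        print(f"item {i + 1}: t = {t:+.3f} ({verdict})")
```

With real data, the critical value must match the actual degrees of freedom, and Levene's and Shapiro-Wilk's tests should be run first, as the authors did.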

V. DISCUSSION
This section explains the results and discusses the implications of our findings to allow relevant cybersecurity stakeholders to develop an effective strategy against the cybercrime pandemic globally. Our paper significantly contributes to the field by examining the role of human factors in cybersecurity and their implications for cyber governance. The findings expand the understanding of the socio-technical aspects of cybersecurity, highlighting the need to address human vulnerabilities alongside technical measures. This has practical implications for policymakers, organizations, and cybersecurity professionals, empowering them to enhance strategies, policies, and practices to mitigate risks effectively and improve overall security resilience.
Our study investigated specific human factors that affect cybersecurity behaviour in diverse cultures. Prior studies have not addressed this gap adequately. We further probed the issue of whether people in different geographies behave differently online. We conducted two empirical survey studies on the UAE and USA populations while controlling various factors, such as age group, gender, and educational and professional qualifications. We attempted to address these questions in our detailed study: What specific human factors affect cybersecurity behaviour in diverse cultures, such as the UAE and the USA? And why is it important to draw this comparison? How can these findings inform governments at a global level to enhance cybersecurity policymaking?
A detailed analysis of descriptive and Likert scale questions revealed that the UAE population lacks cybersecurity awareness at various levels. A combined view of the twenty-five (eleven descriptive and fourteen Likert scale) factors provides in-depth knowledge of how the targeted, technology-savvy population in the UAE diverges from their USA counterparts. These results collectively confirm that superior measures are required for effective cybersecurity policymaking in different parts of the world, especially in regions like the UAE.

A. EXPLANATION OF RESULTS
This study examines cybercrime and cybersecurity awareness in the USA and UAE, revealing some key differences. A larger portion of respondents from the USA (68.79%) reported personal experiences or suspicions of cybercrime compared to UAE participants (32.34%). Moreover, a higher percentage of participants from the USA reported cybercrimes (67%) compared to the UAE (31.52%). Participants in both countries predominantly experienced cybercrimes through laptops, though in the UAE, Apple iPhones were also a common source.
UAE participants demonstrated safer password practices, though protective software use was higher in the USA (80.89%) than in the UAE (68.48%). The most common types of cybercrimes differed between the two regions, with social media fraud most frequently reported in the USA and phone call fraud in the UAE.
Statistical analysis of cybersecurity awareness showed significant differences between the USA and UAE, with the USA scoring higher in areas like data security practices, comfort with sharing phone numbers for social media authentication, changing social media passwords or privacy settings, storing important documents/credentials in the browser, and awareness of social media "bots".
While there are common behaviors and experiences between the groups, the study suggests that the USA participants demonstrate greater cybersecurity awareness and preventative behaviors, despite having higher exposure to cybercrime. UAE respondents report less cybercrime but also show less awareness and reporting of such incidents. This research underscores the need for enhanced cybersecurity education and policies in regions like the UAE and highlights the importance of future research to better understand and address the differences between the two regions.
The outcomes of this research study also indicate that there are several areas in which cybersecurity awareness among respondents from the UAE is statistically significantly different from their counterparts in the USA. Out of fourteen Likert scale items, only three factors resulted in similarly high awareness levels among respondents from the UAE and USA. These three factors are: a) opening an unsolicited email from an unknown person, b) checking security features (e.g., https://) of a website before sharing sensitive (banking) information, and c) updating apps or devices regularly. The remaining eleven items (factors) showed statistically significantly different results for the UAE and USA populations.
Among the ones that are statistically significantly different, it is interesting to note that respondents from the UAE scored less than their USA counterparts in terms of using passwords or encryption techniques to transfer files, being comfortable using phone number authentication for creating social media accounts, changing account password and privacy settings after signing up on social media services, storing important credentials (e.g., credit card information) in the system browser, making personal information available on social media, doing banking and shopping online, experiencing urgent unsolicited email requests to change password, awareness about "bots" operating in the social media space, cyberbullying, and awareness of phishing attacks and receiving messages on social media from fake accounts.
Overall, these results predominantly support our hypothesis (H1) that the tech-savvy and educated populations in the UAE and USA regions will demonstrate cultural and behavioural differences with respect to the newly elicited cybersecurity awareness constructs and overlooked human factors. These findings also indicate that our targeted population in the UAE is very conservative about fully exploring the extent of online services (e.g., banking, shopping, and social media) compared to the USA population. There are two possible explanations for this behaviour among the UAE respondents: a) lack of awareness about these factors or b) lack of trust in operating safely online. Either way, this depicts an important area for further exploration. We believe that our empirical findings provide guidance for cybersecurity policymakers in the UAE and the extended GCC region to focus on these significant factors for enhancing cyber safety, awareness, and trust. We also propose various interventions that relevant stakeholders, such as governments and law enforcement agencies, can implement to reduce cyber risks in the region.

B. REASONS FOR RELATIVELY LOW AWARENESS IN THE UAE
Since our findings indicate that the UAE respondents differed in demonstrating adequate cybersecurity awareness compared to the USA population, it is useful to uncover the underlying reasons for the rise of cybercrime and low cybersecurity awareness in the UAE and other GCC countries. We also acknowledge that although the UAE is ranked very high on the Global Talent Competitiveness Index in terms of attracting top talent by offering internal and external openness [33], there is room for improvement in terms of innovation and technology outputs [34].
Cybercrime has long been a contentious issue in the region. The last decade has seen a drastic increase in the number of cybercrime incidents [35]. Research indicates that several factors contribute to the rise of cybercrime, such as the growth of the user base, lack of training for law enforcement, and lack of regulations [7]. Also, information security awareness has proven to be one of the strongest lines of defense against cybercrimes. There is a serious lack of security awareness among the population of other GCC countries which has its bearing on the UAE. Users are not educated enough on cybercrime and lack basic knowledge of information security concepts. Consequently, limited security awareness among users has made the region an attractive target for cybercriminals [36].
We also take this to mean that since the UAE government provides adequate safety to its citizens, the general population does not feel the immediate need to protect themselves against cybercrimes. This may also have to do with the UAE culture, which focuses on collectivism, compared to the USA, which is more geared towards individualism. In case of a cyber breach, an extended circle of family, friends or the government would likely provide relief to the individual in the UAE. A similar outcome may be different in the USA. The stakes are also considered low in the UAE, as compared to the counterparts of the USA. For instance, someone with a cyber breach or identity theft in the USA may run into a variety of serious financial and social issues. However, UAE protections might result in less serious outcomes.

1) GROWTH OF THE USERBASE
Perhaps the most important factor contributing to rising cybercrime in the region is the growth of the user base. With the increasing availability of broadband connections, the number of online users in the GCC countries has surpassed the rest of the world [7]. For instance, a longitudinal study found that in the past 10 years, the GCC region had registered an internet usage growth of 1825% compared with 445% in the rest of the world [37]. This growing number of users has made the Internet a popular means of communication and opened up new online businesses in the GCC countries. However, at the same time, it has also led to an increase in the number of cybercrime incidents. To provide a specific example, one of the fastest developing countries in the region that has been particularly affected by cyber-attacks is Saudi Arabia. According to Alotaibi [38], Saudi Arabia is the second largest e-commerce market in the region, with figures accounting for $520 million. Due to its overreliance on the Internet, the country has become a popular hotspot for cybercrime, with 60 million cyber-attacks witnessed in 2015 alone [38]. In this respect, reliance on the Internet for various activities has made the whole region more vulnerable to cyberattacks.

2) LACK OF SECURITY AWARENESS PROGRAMS
Another factor contributing to cybercrimes is a lack of security awareness. El Guindy [7] argues that there is a lack of security awareness initiatives for the public, organizations, and enterprises. Although security awareness programs do exist, they are generally considered to be ineffective. Moreover, most IT security awareness programs are available only in English, making them difficult to implement in the region [7]. Furthermore, [35] concur that there is a need for effective information security awareness programs in the GCC countries. For instance, these researchers found a clear lack of knowledge concerning information security concepts and low awareness levels within the GCC region's educational environments. An extensive study conducted in the academic sector indicated that participants did not possess the requisite knowledge of information security principles and their application in day-to-day work [35]. Implementing security awareness programs can alleviate these issues among the masses as it would help them develop a deeper understanding of cybersecurity principles.

3) SLOW-PACED LEGISLATION
Another factor that contributes to cyberattacks in the GCC countries is poor laws and regulations. According to El Guindy and Hegazy [39], cybercrime legislation in the region is largely absent. While a few countries, such as Oman, Saudi Arabia, and the UAE, have attempted to form new legislation for cybercrime, there is a need for more specific cybercrime activities. Governments often use traditional laws, penal codes, or emergency regulations, making it hard to investigate real cases of cybercrime [39]. This inconsistency in law makes it almost impossible to efficiently address the issue of cybercrime in the region.
Similarly, Al Amro [40] concurs that there is a need for more specific laws to address cybercrime in the region. Their study highlights that many countries merely use emergency laws rather than laws that address online crimes against citizens [40]. Other countries have attempted to prevent misconduct by blocking access to illegal websites. However, these procedures have proven ineffective because emergency regulations are not explicitly designed to combat cybercrime.

4) EDUCATION
Arguably the most important factor that affects information security awareness is the education of users in the GCC countries. According to Aloul [36], user education and training are crucial to combating IT security threats. Uneducated users can easily be targeted by hackers, which increases their vulnerability to cyberattacks [36]. However, research suggests that little effort is being made to educate users about cybercrimes. For instance, a survey conducted in three cities, Abu Dhabi, Dubai, and Sharjah, found that 35% of organizations employed Wi-Fi Protected Access (WPA) encryption, 33% employed WEP encryption, and 32% had no encryption [36]. These findings suggest limited security awareness among users and a pressing need for further education in the region. Furthermore, Alqurashi et al. [41] believe that education is one of the most effective tools that can be used to combat cybercrime.
Unfortunately, there is currently no operative approach or proposal to advance cybercrime education in the region [41]. To confront cybercrime, Alqurashi et al. [41] propose that administrations must advance their workforce and inhabitants' education. Despite this lack of progress, Aboul-Enein [42] argues that a few awareness campaigns are currently in place in Oman, Saudi Arabia, Qatar, and the UAE to increase cyber education. For instance, one proposal involves the United Nations Women and its programs for Syrian refugee women. In this manner, the research suggests minimal efforts are being made to educate GCC citizens on the dangers of cybercrimes.

5) THE INTERNET GENDER GAP
In relation to education, another factor that poses challenges to cyber stability is the Internet gender gap. According to an extensive report by the Government Commission on Internet Governance [43], many individuals in the region are denied Internet access due to high costs and limited availability of the necessary technology. Most women have lower earnings and less control over spending than men and are disproportionately affected by a lack of access to the Internet [43]. Consequently, limited access to the Internet reduces information security awareness and knowledge among women in the GCC countries. To illustrate this point, another report by Intel (2012) found that nearly 25 percent fewer women than men have access to the Internet in the developing world.
Moreover, it is estimated that almost 35 percent fewer women than men have Internet access in the GCC countries alone (Intel, 2012). This lack of access to the Internet puts women at a severe disadvantage compared to men. Not only does it reduce their sense of gender equity, but it puts them at greater risk of becoming victims of cybercrimes. Gender-wise differences have also been observed in terms of behaviour and self-efficacy in cybersecurity [45]. In this regard, bridging the Internet gap can transform women's lives by contributing to greater awareness of information security. To become conscious of cyber-attacks, women need to be given ample access to the Internet and equal opportunities to build knowledge. Bridging the Internet gender gap would provide women with the tools necessary to raise their information security awareness and be better equipped to combat cybercrimes. Therefore, addressing the Internet gender gap will pave the way for vast improvements in women's information security awareness in the GCC region.

6) CULTURE
The final component that influences information security awareness in the GCC is cultural practices. According to Alzahrani and Alomar, cultural values play an essential role in individuals' information security awareness. We did not come across significant literature discussing the influence of culture on cybersecurity awareness in the UAE. However, we found some unique studies that explain the impact of culture on Saudi Arabia. While the UAE's situation might be more relaxed than Saudi Arabia's, it certainly has a traditionally orthodox culture and is similar to Saudi Arabia in many aspects. It is important to note that Saudi Arabia's national culture substantially affects its information security awareness. In a study involving undergraduate students in Saudi Arabia, these researchers found low information security awareness. To account for these results, the researchers explain that information security awareness is low mainly due to the highly censored, patriarchal, and tribal nature of Saudi culture. Furthermore, Al Arifi et al. [47] found that Saudi Arabia's culture influences its poor information security rating. In an extensive survey, these researchers found several information security risks linked to the country's culture. For instance, most participants in the study were comfortable sharing their passwords with family members. Moreover, the majority of participants believed that the government or other information providers were responsible for information security. Finally, Alnatheer and Nelson [24] contended that cultural factors impact the information security awareness of individuals in Saudi Arabia. Studies have found that the country has specific cultural characteristics that lower its chances of implementing information security. For instance, cultural research based on Hofstede's framework found that the country measured high on the following scales: power distance, uncertainty avoidance, collectivism, and femininity [21]. These factors tend to be obstacles and prevent the adoption of information security practices in Saudi Arabia.
According to Sofio and Carter [48], cybersecurity culture is perceived from the "end-users" viewpoint. It enables them to become conscious of various threats of online malpractices and avoid bad practices to enhance cybersecurity. In the USA, among other important laws and regulations, the "Cybersecurity Culture and Compliance Initiative (DC31)" and "Promoting Good Cyber Hygiene Act" have enabled the US government to protect businesses, ordinary citizens, and military establishments against vulnerabilities. It is generally believed that providing education about cybersecurity or creating awareness about effective practices will significantly reduce cybercrimes. This notion is quite intuitive; however, we contend that the dynamics of different regions or countries are so diverse that it will not be enough to implement the laws and rules of one particular region into another.
We believe these implications from our study will guide relevant authorities in the UAE to take measures that can increase cybersecurity awareness among citizens. In the following section, we elaborate on some of the points discussed earlier as practical recommendations for the future. In light of the above discussion, there is a pressing need for stakeholders, such as organizations, governments, and law-enforcement authorities, to implement interventions to improve information security awareness among the general population, business organizations, and employees. Research indicates that targeting individuals' attitudes and implementing cybersecurity awareness programs are considered proactive steps to prevent cybercrime. It is also important that training programs serve the needs of distinct stakeholder groups at the start-up, growth, and mature organizational life cycle stages of technology firms. At each organizational developmental stage of the information and communications technology sector, stakeholders either evolve or change, presenting organizations with unique challenges to overcome and providing an opportunity to create sustainable technological advancement [49], [50].

a: TARGETING EMPLOYEES' ATTITUDES
One of the most effective ways organizations can improve information security awareness is by targeting employees' attitudes. According to [51], employees' perceptions, attitudes, and behavior play a significant role in their information security awareness. In a study investigating employees' attitudes, these researchers found constructivist methods to enhance awareness of information security ideas and concepts [51]. The constructivist method involves the active engagement of individuals interacting in enjoyable activities to improve information security awareness. These findings suggest that constructivist methods are an effective way of boosting information security awareness.
Moreover, [52] contended that targeting employees' attitudes improves their information security awareness. In their investigative study, these researchers found that employees' information security awareness significantly affected attitudes toward security compliance [52]. In this respect, the researchers suggested that it is important to create a security-aware culture within an organization, because cybercrimes pose a significant threat to both business and non-business entities. Prior research has also indicated differences in terms of smartphone cybersecurity-related behavioural preferences of employees in regions such as the UK, USA, and UAE [26]. To ward off the dangers posed by cybercrimes, it is essential to create a positive culture that promotes security awareness. By targeting employee attitudes, organizations can go a long way in improving information security awareness.

b: SECURITY AWARENESS AND TRAINING PROGRAMS
Another approach that can be employed to prevent cybercrimes is implementing Security Awareness and Training (SAT) programs. According to Eyadat [53], using an SAT program is one of the most important steps organizations or other relevant agencies can take to prevent cybercrimes. Security awareness programs are designed to modify any person's behavior that threatens the organization's security [53]. These programs are extremely effective in that they minimize the risks of cybercrimes. However, in his study, Eyadat [53] found alarmingly low use of SAT programs by educational institutions in the GCC region. The results indicated that the majority of institutes offered no SAT program, and only 30% offered a complete or partial program [53]. Therefore, universities must integrate security awareness and training programs into their curriculum.
Furthermore, Al Shamsi [54] supported the effectiveness of cybersecurity awareness programs in educating young children. Children may face different kinds of danger while using the Internet and are thus especially vulnerable to cyberattacks. In this regard, cybersecurity awareness programs help educate children about online safety [54]. A study investigating cybersecurity programs offered to children in the UAE found these programs extremely effective. All children that participated in the program vouched for its effectiveness and agreed that it influenced their online behavior. Therefore, these research findings suggest that security awareness programs are efficacious interventions that can reduce cybercrimes in the GCC countries.

2) TOWARDS A UBIQUITOUS CYBERSECURITY POLICY
Given the effectiveness of these interventions, there are several procedures that policymakers can take to address cybercrime in the region. For instance, governments can significantly reduce cyber risks by focusing on various ethical issues in cybersecurity and using a stakeholder theory approach. According to stakeholder theory, an organization's fiduciary duty is to create value for all its stakeholders, typically classified as suppliers, financiers, communities, customers, and employees [55]. In the case of cybersecurity, the list of stakeholders also includes governments, Internet users, and law enforcement agencies. In other words, these stakeholders must work together and harmonize their interests by removing or reducing any competing trade-offs. The current literature offers strong recommendations on policymakers' steps to address cybercrime in the GCC countries. A literature review suggests several guidelines that governments can enact to reduce cybercrimes and address these multistakeholder issues, from capacity-building to promoting a cybersecurity culture. Therefore, this section will discuss the most effective initiatives that policymakers can implement to minimize the likelihood of cybercrimes in the region.

a: CAPACITY-BUILDING
To start with, one of the most successful initiatives that can be implemented to address cyber threats is capacity-building. According to Aboul-Enein [42], capacity-building regularly tests national cybersecurity capabilities to pinpoint weaknesses and develop mitigation plans. It consists of promoting cybersecurity as a vital component of the state, private sector, and citizens' decision-making. Aboul-Enein [42] suggested that capacity-building is an important initiative that can be used to alleviate the risks posed by cybercrimes. On a similar note, Tohme et al. concurred that capacity-building should be a part of the GCC countries' strategic plan to combat cybercrimes. The government should take the lead in developing preventive and reactive national cyber-security capabilities to prevent cybercrimes in the region. For instance, this may include developing national cyber-security standards and policies such as the national information assurance standard (Tohme et al.). Building capacity through protective behaviour training can also reduce cybersecurity risks significantly [57]. Finally, Al-Alawi et al. [58] contended that cyber defense capacity building should be a top priority for GCC region governments. In a literature review, these researchers suggest that developing the ability to adapt cyber defense resources is essential to responding to cybercrimes [58]. To mitigate the dangers posed by cybercrimes, regional states must remain committed to making capacity-building a national priority. In this regard, these research findings suggest that capacity-building is a practical initiative that policymakers can employ to address cybercrime in the GCC region.

b: PROMOTING CYBERSECURITY CULTURE
Another cost-effective approach that policymakers can take to combat cybercrime in the region is promoting a culture of cybersecurity. Given the rapid rate at which cyber warfare has grown in the GCC countries, fostering a global culture of cybersecurity is an essential step for policymakers. This procedure would entail three steps: creating awareness of the dangers posed by cybercrimes, tightening information management systems to safeguard information security, and integrating cybersecurity needs into education programs [42]. To create a culture of cybersecurity, it is crucial to raise awareness of cybercrimes. In the wake of imminent cybersecurity risks, researchers have investigated precautionary cybersecurity measures, such as a preventive cybersecurity protocol and an identifiable anonymity protocol [59]. These tools enhance defensive cybersecurity infrastructure.
Moreover, Al Neaimi et al. [60] stressed the importance of creating culturally sensitive training and awareness programs. In a study investigating cyber defenses in the UAE, these researchers found a lack of awareness of cybersecurity issues to be the greatest danger facing organizations [60]. In light of these findings, the researchers proposed a framework for cyber defenses that incorporates user training and awareness programs. By implementing these programs, policymakers could ensure a strong cybersecurity defense in the UAE. Finally, Alnuaimi further supported culturally sensitive training and awareness programs. In a study that evaluated cybersecurity effectiveness in Abu Dhabi, Alnuaimi found training/awareness programs integral to combating cybercrime. The multicultural nature of the GCC countries necessitates culturally appropriate training and awareness programs to combat cybercrime (Alnuaimi). Therefore, Alnuaimi advised that governments need to play an active role in instituting a cybersecurity culture among citizens through training and awareness, culturally sensitive policies, and education. By cultivating a cybersecurity culture, policymakers would go a long way in preventing cybercrime in the GCC region.

c: CYBERSECURITY LEGISLATION
The final aspect of cybersecurity policy that merits research attention is legislation. As discussed in section 4.2.3, one of the major factors contributing to cybercrimes in the region is poor laws and regulations. Thus, Hakmeh [62] argued that there is a critical need for GCC countries' governments to update their anti-cybercrime laws. Governments can accomplish this endeavor by training the judiciary and law enforcement agencies, pioneering public-private partnerships, and revisiting cybercrime legal frameworks [62]. In this regard, legislative frameworks can assist policymakers in combating cybercrimes.
Furthermore, Finckenstein [63] concurred that there is a need for cybercrime laws in the region. While a few GCC countries have updated their cybercrime laws from 2011 onwards, these laws lack the mechanisms to tackle actual cybercrime [63]. Finckenstein [63] proposed that countries in the region could orient themselves toward several existing conventions to solve this issue. For instance, the Budapest Convention on Cybercrime could assist GCC countries tremendously by putting them on the appropriate path of legislation and harmonizing cybercrime laws. Finally, Alshammari and Singh [64] contended that countries in the region need to strengthen their anti-cybercrime laws. In a study investigating Saudi Arabia's preparedness to defend against cyber-crimes, these researchers found that the country was only semi-prepared [64]. Although Saudi Arabia formed the anti-cybercrimes law in 2007, it was deficient in protecting against identity theft, invasion of privacy, and cyber-bullying. To become one of the leading nations in cybersecurity, Alshammari and Singh [64] proposed that Saudi Arabia needs to strengthen its anti-cybercrime law and regulations. Ultimately, these recommendations on legislation can tremendously assist policymakers in their crusade to eradicate cybercrimes in the UAE and other GCC regions.

VI. CONCLUDING REMARKS
In this paper, we argue that due to diversity in cultures, sociotechnical systems, human factors, and risk awareness levels, governments worldwide struggle to fully mitigate cyber risks. We investigated various human factors and cybersecurity behaviour in two distinct regions, the UAE and the USA, and compared them. We provided an extensive overview of cybersecurity awareness in the young, educated, and technology-savvy population of the UAE compared to that of the USA. Based on the findings presented, it is reasonable to conclude that the UAE population differs in awareness of cybersecurity risks compared to their counterparts in the USA. Whether it is due to education, the internet gender gap, or cultural factors, UAE citizens lack a comprehensive understanding of cybersecurity. Drawing a comprehensive comparison between the UAE and USA targeted populations enabled us to identify major cybersecurity concerns in the GCC region. Our paper's key contribution is providing evidence-based information for cybersecurity policymakers in the UAE and other GCC countries to further enhance cyber safety, awareness, and trust among citizens. In light of these findings, several training and intervention programs can raise cybersecurity awareness in the region. With regard to developing an effective strategy, policymakers can combat cybercrimes through capacity-building, promoting a culture of cybersecurity, and reforming legislation. Hopefully, these pertinent research findings will incentivize states in the region to take immediate action and raise awareness of cybersecurity.

VII. LIMITATIONS AND FUTURE WORK
This paper attempted to develop a survey instrument that captures the main differences between the UAE and the USA. Although the sample from both groups (the UAE and the USA) was large enough to run adequate statistical analyses, it was mostly limited to university students who are young, educated, and technology-savvy, which limits generalization to a more general population. In the future, we will continue this study to include more regions and countries and gather responses from a more generalized population. Furthermore, we will continue to develop a robust measurement scale that accurately captures the cybersecurity awareness level of people from different cultures and origins. Through evidence, we plan to exhibit the best approaches to guide a comprehensive global policy on ethics and privacy issues in cybersecurity.