With the phenomenal growth that has been observed in the smartphone industry over the past few years it has become more evident that smartphones are not just about the hardware and device manufacturer anymore, but also the supported Operating System (OS) and content enriching applications (apps). Stock-standard, static OSs are a thing of the past and have given way to dynamic, customisable OSs that support the installation of additional, mobile apps on the fly.

Such freedom, however, comes at a price. Smartphone apps that are written by cyber criminals are naturally also able to harness the full capabilities of these smart devices and access the information stored on them – possibly without a user’s knowledge or consent. With the recent introduction of wearable devices that act as an extension of the smartphone, cyber criminals may now produce apps that are even more invasive to the smartphone user’s everyday life.

With smartphone usage becoming more popular, in both personal and professional capacities in an overlapping fashion, cyber criminals can now potentially gain access to not only personal user information, but also sensitive organisational information stored on these devices.

By introducing the Smartphone Application User Security Competency Evolution (SAUSCE) model, this thesis aims to provide a model that may be used to demonstrate the typical competency evolution that a smartphone user may undergo by asking 5 main questions including: (1) Is the user in possession of a smartphone? (2) Does the user make use of the smartphone in their possession? (3) Does the user customise the smartphone by downloading and installing apps? (4) Is the smartphone rooted or jailbroken/are apps installed that require root or privileged access? (5) Are developer options active on the smartphone/does the user write their own apps and deploy them on the device?

The reasoning behind why exactly these 5 questions are asked becomes clearer as the thesis progresses. As a result, the model may be used to establish a particular smartphone user’s competency level which, in turn, simplifies the task of providing level-appropriate training and/or awareness.

Additionally, the proposed model may also be used (by individuals, organisations, institutions etc.) in determining whether a specific user could, for example, be classified as a potential risk to (their own or organisational) information security. Initial verification of the model’s use in an operational environment (university) proved its viability and ability to be successfully utilised in establishing the maturity of not only an individual, but also groups of individuals as a whole.

The versatility of the model was further illustrated through its successful implementation by a variety of approaches including a web portal, hybrid Android smartphone app, online questionnaire and paper-based questionnaire.