Who Is Responsible for Teaching College Students About Cybersecurity?

Setting the Stage

The summer before I went to college, I remember having to take online training programs just like every other freshman. These programs focused on topics such as alcohol awareness and general campus safety. We had to watch videos, read excerpts, and then pass the online quizzes with a certain percentage to demonstrate we understood the material.

While these topics are important, another equally important matter that was not addressed was Internet safety and cybersecurity. With students frequently using campus portals to access their courses, financial information, reading materials, and more, why wasn't safeguarding ourselves technologically also a primary focus—whether through a college-level introductory course or a mandatory online training program?

In the event that a student suffers a malware attack on her personal computer due to a phishing e-mail with a malicious attachment, which could then affect the school's network, who would be at fault—the student because she fell for the suspicious e-mail, or the institution for failing to properly train incoming students on how to spot a phishing attack?

While there are a number of opinions on the topic of training college and university students in information and cybersecurity, I believe that mandatory security training is an overdue addition to the first-year curriculum—it's a fundamental skill that should be taught to incoming freshmen and refreshed annually, if possible, to keep pace with change.

Why Is Cybersecurity Important?

Before attending graduate school, I wasn't exposed to the world of cybersecurity. During my undergraduate career, I took a lot of IT courses about computer networks, systems integration, and enterprise architecture, but never security. In conversations with my classmates who did take cybersecurity classes, I learned that they were taught information security best practices, how to safeguard against cyberattacks, and much more, which is similar to what some organizational information security awareness programs teach. Because my undergraduate institution did not offer mandatory training programs on this subject, I would have had to take specific courses to learn about security and related topics. And this I find troublesome: all students access the Internet on a daily basis, so why isn't every student required to learn about security essentials at the very least?

Compare a security requirement to the equivalent in English. For English, I had to write papers in a particular style called rhetorical analysis, which has no applicability for me as an intern in the technical field. In contrast, had I been required to take a class on Internet safety or cybersecurity or enroll in an awareness program at my college—along the lines of overall safety or alcohol awareness—what I learned would still apply in some meaningful way to my daily online behavior.

According to the CIO article "Top U.S Universities Failing at Cybersecurity Education," cybersecurity is quickly becoming a priority for organizations, so if students aren't graduating with the necessary education, the skills gap will only grow wider…. The reality of the situation is that security affects nearly every aspect of IT and technology at a company, and it's not just something the CSO needs to be worried about." Whatever career path people decide to take, it is very likely that they will be using some form of technology to complete their tasks, so it's important that they at least know how to properly and safely use technology.

Where Do We Go from Here?

In order for students to comply with college or university acceptable use policies, as well as general online safety practices, they must be properly trained. Every higher education institution should take the steps necessary to incorporate online safety and cybersecurity training into first-year orientation or mandatory introductory-level courses. And to ensure that what students have learned sticks, training should be offered every year or, at a minimum, every other year—especially since cybersecurity is such a relevant topic.

We live in a digital age where the number of technologies with corresponding attacks is growing by the day, yet individuals aren't trained on how to combat these attacks or protect themselves. It is time that institutions start treating and teaching topics in cybersecurity as seriously as other fundamentals (e.g., rhetorical analysis in English, the quadratic formula in math, and alcohol abuse awareness and prevention). By requiring students to learn the best practices in information and cybersecurity, whether in the form of an awareness program or an actual course, colleges and universities will be doing an even better job at cultivating more technologically aware citizens.


Stephanie Kumi is a second year graduate student studying Information Security Policy and Management at Carnegie Mellon University. Her interests in security include applying security within an enterprise's architecture to ensure proper protection and using her knowledge about security best practices in relation to IT project management.

© 2017 Stephanie Kumi. This EDUCAUSE Review blog is licensed under