Building an information security awareness program does not guarantee that users will be aware it exists.
October is National Cybersecurity Awareness Month (NCSAM), a collaborative effort spearheaded by the US Department of Homeland Security and the National Cyber Security Alliance (NCSA). EDUCAUSE and the higher education information security community have participated in the annual cybersecurity awareness campaign since 2004, joining forces with a range of organizations to expand cybersecurity awareness and education on campuses around the globe.
This year's overarching theme is Own IT. Secure IT. Protect IT. [https://staysafeonline.org/ncsam/themes/], and the 16th annual National Cybersecurity Awareness Month (NCSAM) is focused on encouraging personal accountability and implementing proactive security best practices. For National Cybersecurity Awareness Month, the EDUCAUSE Center for Analysis and Research (ECAR) presents findings from EDUCAUSE Technology Research in the Academic Community (ETRAC) data on whether institutions are providing security awareness training to students and faculty; results suggest that few faculty or students are aware of this training, but when they are aware of and participate in it, they find it beneficial.
Merriam-Webster defines awareness as "the quality or state of being aware: knowledge and understanding that something is happening or exists."1 College and university cybersecurity awareness campaigns have historically focused on external threats: hackers, phishing, etc. ("something is happening"). In this post, I focus on internal processes: how to build recognition among faculty and students of security awareness programs ("something exists").
Awareness of Awareness
A recent EDUCAUSE survey of students and faculty revealed some interesting data about our collective efforts to raise student and faculty awareness about cybersecurity. Similar to our findings in 2017, few students (13%) told us that their institution provides mandatory or optional information security training. Of the 13% of students who said that their institution provides security training, about a third (35%) indicated that they had participated in the training within the last 12 months. This means that of the total number of 40,596 students surveyed, only 4% had received information security training (whether their institution offers it or not). More than half (57%) of students reported they don't know if security training is provided. A third of the students told us that no training is provided.
Slightly more than half (51%) of faculty reported this year that they do not know whether security training is conducted at their institution. Faculty at larger, more complex institutions—master's (57%) and doctoral (52%)—reported that they do not know if security training is provided as compared to associate faculty (43%) or bachelor's faculty (45%).
The More You Know
ETRAC's findings this year suggest that if higher education IT departments can get students and faculty into seats for cybersecurity training sessions, then information security awareness training will be of benefit. Of the students who attended their institution's information security training, 88% told us that it was at least moderately useful, and 45% reported that it was very or extremely useful. When faculty attended their institution's security training, 83% found it to be at least moderately useful, and very few faculty (17%) found it to be not at all useful or not very useful. This bodes well for ensuring that attendees put information security education into action. If sessions are found to be relevant or useful to their current jobs, attendees are likely to apply what they've learned.
If You Build It . . .
Cybersecurity is no Field of Dreams. Simply building an information security awareness program does not guarantee that users will be aware that the program exists. Higher education cybersecurity programs have matured, and the content reflects the cybersecurity threats students and faculty are facing. As cybersecurity professionals, we need to "meet them where they are"2 by understanding faculty and student perspectives on security. Raising awareness of our programs requires us to engage students and faculty in the classroom and online. If we build effective well-rooted3 programs, we know that students and faculty will benefit, and they will come.
For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional information security and data privacy resources through the Awareness Campaign page.
Notes
- Merriam-Webster, s.v. "awareness (n.)," accessed September 23, 2019. ↩
- Daphne Ireland, "Meeting Faculty Where They Are," Security Matters (blog), EDUCAUSE Review, June 10, 2019. ↩
- Ben Woelk, "Wind, Trees, and Security Awareness," Security Matters (blog), EDUCAUSE Review, September 13, 2019. ↩
Brian Kelly is Director of the Cybersecurity Program at EDUCAUSE.
© 2019 Brian Kelly. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.