COMP.SEC.100, 5. Human Factors
5.4 Cybersecurity awareness and training
Before the development of cybersecurity knowledge and skills can improve security, it is necessary to ensure that security policies are reasonable. If some security rules are impossible to follow, this undermines the credibility of all security policies and creates a negative attitude towards security. In such cases, security is compromised.
Cybersecurity awareness means that people pay attention to security and understand that it is worth the effort. It is important to recognise that (a) cybersecurity concerns everyone and risks exist for all, and (b) there are ways by which everyone can reduce risks. Security is a shared responsibility.
The purpose of education is to provide information about risks and how to protect against them or reduce them. People may have incorrect or incomplete mental models regarding security. Training corrects these and lays the foundation for cybersecurity skills. Experts designing training must find out about the learners’ prior skills and knowledge. The effectiveness of training may decrease if it is either too easy or too complex for the target group.
The purpose of training is to teach practical cybersecurity skills, such as the correct use of security mechanisms or recognising social engineering. Cybersecurity skills should be exercised in practice so that people can try out what kinds of decisions and actions they would take in cyber threat situations. It is better to identify error-prone areas in an exercise than to learn only from real incidents. Practice helps people make better decisions and reveals where there are gaps in their own competence.
Cybersecurity awareness, education, and training all support each other. Even if an organisation has addressed these, there may still be room for improvement. It must be remembered that behavioural changes take time. New ways of working must replace old, poorer habits, and this does not happen overnight. Multiple repetitions may be required, and it is good to keep goals sufficiently small. Employees must also be able to take care of their primary tasks, and therefore only one or two security-related behaviours should be targeted for change at a time. Cybersecurity awareness, education, and training can be one factor in creating an organisation’s security culture, but they are not sufficient on their own to establish it.
Approaches to security awareness and behaviour change (advanced)
Games and simulations can be used to increase interest in cybersecurity and to support behaviour change. For example, anti-phishing simulations can be used to train employees not to click certain links. Short-term results have been positive, but it is unclear whether their use leads to real behavioural changes. There are also issues associated with using simulations: employees’ trust in their organisation may decrease if they perceive simulations as a sign of distrust or even as hostile. On the other hand, employees may become overly cautious and fail to open even important and legitimate messages and links. The measurement of benefits and potential drawbacks should therefore be carefully considered when using these tools.
Mental models of cyber risks and defence (advanced)
A large part of human long-term memory is built on mental models. These range from detailed and structural representations, such as design diagrams, to simple task–action models that allow, for example, the use of devices without fully understanding them. A task–action model allows a person to drive a car, but a more structural model is needed to diagnose faults and repair them. The same applies to cyber risks. It cannot be assumed that ordinary users understand risks in detail.
Inaccurate mental models related to cybersecurity can make users vulnerable to various attacks. They may create a false sense of security, leading risks to be overlooked. In addition, incorrect mental models can make it difficult to use security tools or prevent users from understanding their benefits. For example, a user of a password manager may assume that the program also protects against viruses, or another user may not adopt the program because they consider it unnecessary, as reusing three passwords across different services seems to work well.