Best Practices for Promoting Information Security Awareness
IEEE Computer Society Team
From data breaches to ransomware, the techniques cyber thieves use to infiltrate systems have evolved alongside the rapid growth of the Internet of Things. The COVID-19 pandemic forced a reliance on online platforms and collaborative meeting spaces, but many people were ill-prepared for the cybersecurity threats that came with them. Even educational institutions were not immune, reporting an increase in ransomware attacks during the pandemic.
As the need for training to address information security topics has increased, universities and other organizations have adapted curricula to account for the likelihood that their systems could be breached. A recent case study details the peer review of an introductory course in information security and shares tips for how such courses can be improved upon.
The Evolution of Information Security Training
Information security is now a prominent part of everyday life, and the volume of material to be covered can be daunting if not handled correctly. Too much information can have the same effect as none at all: Learners tune out the training because it is overwhelming and lacks context. This puts an organization’s data and systems at risk, so it is worth seeking ways to improve upon your existing curriculum.
Peer review by a team of individuals from diverse backgrounds and varied levels of expertise provides a more balanced perspective on which concepts to cover and how deeply to explore them. This multidisciplinary approach streamlines the review itself, making it easier to identify duplicate and outdated material and to agree on what should be altered or removed from the basic curriculum. Adopting a “less is more” approach and building more engagement and active discussion into your lesson plans benefits students and simplifies curriculum planning.
The preferred approach to delivering education on information security concepts is not simply a switch to smaller, bite-sized courses, but training targeted to the role of the learner. While everyone can benefit from knowing the basics of information security and how to protect their online footprint, certain positions and academic disciplines require less exposure to the technical components. Rather than disseminating a broad sweep of topics, it is recommended that content be segmented, with ample time set aside for discussion and absorption of the material. Advanced concepts such as penetration testing and audits should be reserved for those in technical positions or pursuing a related academic discipline.
Keeping curricula generic makes the content you deliver suitable for a broader target audience. Imposing constraints, such as 45-minute lectures with a maximum of 20 slides, gives the best pacing and depth of material. Including real-world examples, such as a scenario in which an individual receives a phishing email and must decide how to respond, helps put the information into context for the learner. Scaffolding techniques, which build on a learner’s current understanding by breaking complex tasks into smaller steps and providing feedback and resources to support each phase, are also beneficial, as is evaluating a student’s familiarity, usage, and assessment level to ensure mastery of the content.
Download “Introduction to Information Security: From Formal Curriculum to Organisational Awareness”
To learn more about the benefits of implementing a peer review of your information security curriculum, download the study “Introduction to Information Security: From Formal Curriculum to Organisational Awareness” from the 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). It also lays out steps for balancing your content so that it reflects both an awareness of cybersecurity risks and the technical knowledge appropriate to your students.