Cybersecurity, although a newer industry, has grown rapidly in recent years. Most people can agree that it’s an important industry but couldn’t explain exactly why. Vague ideas of hackers in black hoods stealing credit card numbers may come to mind when the topic of cybersecurity or internet safety comes up. This problem stems from the lack of easily digestible internet safety resources. Very few accessible resources exist to teach everyday users the best practices and policies in cybersecurity.
Rather than taking a trickle-down approach to cybersecurity education that starts with cybersecurity experts and hopes that their advocacy within industry and policy is enough to protect the general population of users, we should be building a security-literate user base from the ground up. There is no excuse for cybersecurity to be a foreign idea anymore, as these threats are very real and cannot be stopped at a border. As such, it is important to provide the public with resources and knowledge to defend themselves. To effectively educate non-technical users on cybersecurity practices and policies, a few key shifts in the communication model need to occur. First, the messaging needs to focus on relatability and education rather than scaring users into submission. Next, educational resources must be made more accessible by communicating threats and solutions at a level every user can understand and publishing them for varying audiences.
Cybersecurity is like infrastructure – you take it for granted and only realize its importance when you experience a problem, but then it is too late. Relating cybersecurity threats to the individual user can help tackle the sense of ambiguity surrounding the concepts. Despite the use of terms such as cyberwarfare, most cyber attacks are dependent on human error. When users see how phishing, identity theft, data breaches, and denial-of-service-type attacks connect to their personal lives, they realize they have a personal stake in these threats.
The stigma that those outside of technical industries cannot understand security policy is dangerous. Just as the health industry provides accessible and easily understood resources for the general population’s safety, the technology industry must follow suit. Companies will need to spend less time and fewer resources training their workforce to use cybersecurity best practices if adequate resources are provided to the general population. The more people with a basic understanding of how to protect their information online, the fewer people who will need to unlearn bad habits upon their entry to regulated industries. This means providing cybersecurity resources and literature written at lower reading levels. Additionally, the dissemination of this information must be prominent enough to reach a variety of audiences.
Existing communication on cybersecurity best practices and policy ranges from formal government policies to niche technology news outlets such as SC Media, The Hacker News, and AFCEA’s International Journal. The everyday user is not included in these audiences. Users who have no personal connection to what cybersecurity is and how it affects them are exceedingly unlikely to seek out information from cybersecurity company blogs, Homeland Security policy briefs, or niche magazines. Many young cybersecurity companies now host blogs and educational resources such as whitepapers and webinars to market their products by informing their consumer base of the threat and providing the solution in one fell swoop. The goal of these articles is often to bridge the gap in security literacy between various departments, such as IT and marketing, rather than to bridge the gap between the business and its users or consumers. This is evident in two common themes of these resources. Since professionals are their target audience, the documentation is frequently riddled with technical jargon or applied to specific business scenarios that the public cannot relate to.
The audience that cybersecurity content is written for is incredibly limited. This is one of the largest contributing factors to the inaccessibility of the information revolving around internet security and best practices. The recommended reading level for informative brochures and resources in the health industry is 5th grade to ensure that health literacy information can reach all patients. Although the industries are vastly different, this standard of providing accessible information should be mirrored in the technology industry. The ACM Code of Conduct dictates that technology professionals should strive to “improve public awareness and understanding of computing, related technologies, and their consequences.” And yet, in a sample of cybersecurity literature -- including blogs from cybersecurity companies, niche security magazines, large news outlets, and the White House Cybersecurity Strategy -- every source scored a reading level of 10th grade or above. In fact, the average reading level of these sources was 13th grade, meaning that the intended audience of most of these articles is a reader with a college degree. However, 71% of U.S. adults who have less than a high school degree use the internet regularly.