Turning a Core Competency into a Campus Culture of Cybersecurity: A Guide for Higher Ed
2) Explain why cybersecurity is so crucial for everyone.
There are always be many competing priorities and cybersecurity is rarely at the top for most people with non-technical roles. Clearly explain the risks and highlight the benefits to everyone, regardless of their role.
“When it comes to CSAT, this means providing information about the latest cyber threats, how they affect individuals, how much damage they can cause, and how everyone can work together to prevent them,” said the Ninjio report. “Given the importance of cybersecurity awareness in today’s workforce, universities should emphasize the ways CSAT can help students and employees build marketable skills after they leave the institution.”
3) Personalize your cybersecurity training.
It’s important that you meet your learners where they are. That means customizing training content to different learning styles and subject matter familiarity.
“The most effective CSAT platforms are personalized, which means they account for individual skill levels, personalities, and learning styles,” the report said. “This will improve engagement by building content around the specific needs of each learner, which will improve learning outcomes and make students feel valued. Beyond the psychological value of personalization, universities will also be in a stronger position to determine how well learners are absorbing the material if they have more in-depth, individualized data.”
4) Promote accountability.
“It's a given that teaching but not testing for understanding will get you nowhere,” Ninjio said. “Regularly evaluate your program with simulated phishing, assessments, engagement tracking, and reporting. When institutions hold themselves accountable, they will ensure that their CSAT programs are creating long-term behavioral change.”
Why is Education in Cybersecurity Basics So Hard for Higher Ed?
The report notes that institutions of higher education are already skilled at education, yet IHEs seem to lag behind other sectors in educating their users on cybersecurity best practices.
McAlmont said he believes IHEs innately face three hurdles that most organizations in other sectors don’t: complexity, culture, and priorities.
“Complexity is a big issue because campus communities include people from so many different disciplines, life stages, and job functions. Creating a training program that speaks authentically to the needs of each of these learners is difficult to do at scale,” McAlmont said.
“Beyond that complexity, modern universities foster a culture of openness to support the exploration of free thought and inquiry,” he said. “Making people feel included and empowered to contribute is key in an educational setting, which is a little antithetical to the guarded, skeptical stance that they need to be taking online.”
Lastly, training such as CSAT programs “can get lost in the shuffle” of a long list of other priorities at a large institution, McAlmont said.
“Campus IT security leaders can’t pull off training 25,000 users in a vacuum – they need stakeholder support for making cybersecurity awareness training part of the workplace experience and campus life,” he said. “The separation of admin and student networks adds complexity. There are about 15 million to 17 million students in U.S. higher education today who will become the business leaders of the future; however, I don’t believe institutions see preparing students with these types of tactical business and technical risk and awareness skills as part of the educational mission.