With the Internet and other technology playing a greater role in everyday life, it is more important than ever that the general public be up-to-date on basic cybersecurity principles. However, it can be difficult for a layperson to educate themselves on cybersecurity because the field is rapidly changing and existing resources tend to be tailored toward IT professionals and other tech-savvy individuals. Our goal is to lower the barrier to cybersecurity education so that everyone, from high school students to working professionals, can keep themselves safe.
There is no doubt that we live in the digital era. Every area of life, from the working world to education to home life, seems to rely to some extent upon digital technology and the internet. While undoubtedly bringing great benefits, increasing connectivity has brought greater risk of cyberattacks, and the general public is not adequately prepared to protect themselves against such incidents. It is imperative that cybersecurity education be improved so that everyone, not just IT professionals, can understand and practice basic cybersecurity.
Millions of users log onto the internet each day to do work, attend online classes, carry out financial transactions, talk with their friends and family, and more. However, many of these users have little knowledge of the cybersecurity issues going on in the background as they click from page to page. A survey from Pew Research Center found that only 1% of adult internet users in the U.S. could correctly answer all 13 questions of a cybersecurity quiz (source: https://www.pewresearch.org/internet/2017/03/22/what-the-public-knows-about-cybersecurity/). This lack of cybersecurity knowledge among the general public can have consequences. For instance, in 2019, 90% of organizations reported being targeted by phishing attacks, leading to trillions of dollars lost globally due to internet users falling victim to social engineering (source: https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full). In other cases, victims face large-scale cyberattacks. For example, the 2013 Yahoo data breach exposed the account data of over 3 billion users (source: https://www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html). The incident was worsened by many victims being unaware of how to respond to the breach, or even that it had occurred, allowing the exposed account data to be further used for malicious purposes.
Moreover, victims of cybercrimes face personal consequences such as identity theft, loss of money due to scams, exposure of personal information, and more, which can cause massive disruption of everyday life. On a personal level, you probably know someone--a friend, family member, or even yourself--who has been affected by an incident like this. If you or someone close to you has ever lost money due to a phishing scam or had sensitive personal information released in a data breach, you know about the immense personal consequences of cybersecurity incidents.
Given the scope of this issue, it is imperative that internet users know how to protect themselves from cybercrimes. This is particularly important in specific fields such as healthcare, education, and finance, where cyberattacks may have even larger consequences. However, existing cybersecurity education for the general public can be lacking. Although workplaces often provide cybersecurity training modules to employees, this training often relies on rote reading and multiple-choice quizzes, which are unlikely to instill a deep understanding of cybersecurity. In addition, these trainings are not usually tailored to a specific environment (for example, an office vs. a hospital vs. a bank). Other resources are much more in-depth, but they are aimed at IT professionals and do not focus on the basic knowledge that an everyday internet user or a working professional needs in order to stay safe. Another issue with cybersecurity education is that although it may give an overview of best practices, it does not keep users up to date on recent events (such as recent data breaches or changing best practices).
Teaching about cybersecurity in an accessible way would have great value to the general public. To do this effectively, the educational platform should not assume a technical background and should present information in a digestible manner, starting from the most basic principles. In addition, rather than simply giving readings or narrated videos, it should have an element of interactivity so that users can truly understand the concepts. Finally, it should be tailored to the particular user. For example, a hospital worker might need training on database security to ensure users' data is kept safe, while an operator at a power plant might need training on SCADA attacks to understand cybersecurity risks to infrastructure.
Given that cybersecurity issues affect nearly everyone in the United States, general cybersecurity education would be useful for anyone, but it is particularly important to companies, which face daily cybersecurity threats and lose millions of dollars per year to cyberattacks. While companies can mitigate these issues by having IT departments and hiring cybersecurity experts, there is another avenue of risk through their employees who are not cybersecurity experts and may unknowingly expose the company to threats. We believe these companies would be more than willing to pay for better educational resources for their employees so that everyone, not just experts, can practice cybersecurity.
Cybersecurity is a complex field, but it does not need to be solely the domain of experts. With more accessible cybersecurity education, anyone can understand and practice basic cybersecurity for a safer, happier world.
Our design thinking process began by conducting background research on cybersecurity. Aside from reading background literature, we conducted interviews with members of the public to ensure that our design mindset is empathetic and human-centered. Rather than only relying on studies of cybersecurity issues, we felt it important to truly see things from the view of the user and understand the challenges they face.
After conducting research, we examined the common threads across interviewees' experiences and found issues with cybersecurity education to be the unifying factor. This led us to our problem definition: poor cybersecurity education negatively impacts the lives of the general public. From there, we began brainstorming and fleshing out potential solutions in an iterative process. The idea we decided on, an educational app, was inspired by apps such as Duolingo and Bloom; further iteration and feedback led us to flesh out our idea into an app that has different "skill branches" for different use areas (e.g. healthcare vs. education).
After fleshing out our idea, we began designing our paper prototype, showing how the user interacts with various screens of the app, what information they learn, and how they will learn it. This allows us to clearly define what information is and is not conveyed through the app.
Our clients are primarily internet users in the United States, ranging in age from teenager to older adult and varying widely in their overall technical knowledge. As such, we began our empathy process by interviewing a range of internet users.
Interviewees shared a variety of experiences with cybersecurity. One interviewee, a young professional working in a university office, shared that she had completed required cybersecurity trainings but did not find them very helpful, as she already knew most of the information (for example, how to create a strong password); she also shared that students and faculty often sent sensitive personal information over email rather than using more secure channels. Another interviewee, a dining hall employee, mentioned that the online employee management and payroll system is unintuitive and difficult to use, making it hard for employees to input their personal information securely. Other interviewees discussed social engineering-based cyberattacks: a volunteer at a literacy organization discussed how clients of the organization are often targeted by online scams, and another interviewee discussed helping an older relative deal with a scareware scam that told them to call a particular number for "computer repair."
After conducting our empathy interviews, we discussed what could be done to improve the experiences of the interviewees and people like them. We identified a variety of issues, from poor user interface design creating cybersecurity risks to older internet users having limited information on recent cyber scams, but a unifying issue we noticed was poor cybersecurity education. All of these users, regardless of their position or knowledge level, would benefit from having accessible cybersecurity training tailored to their specific area. This would allow them to meaningfully improve their cybersecurity knowledge without being inundated with cybersecurity facts which they already know or which are not relevant to them.
These interviews taught us a great deal that we could not have learned from literature research alone. For example, although we were aware that most members of the public do not know much about cybersecurity, we assumed that young people would follow good cybersecurity practices. Our interview with the university office employee showed that this is not necessarily the case: many young students, despite using a computer daily, are not aware of the best practices for sending sensitive personal information. We also assumed that cybersecurity education would mostly benefit only those who use the internet regularly as part of their job and those who do not already know the basic principles of cybersecurity. Our interviews taught us that anyone can benefit from basic cybersecurity education, regardless of where they work or what they already know. Although the office employee already knows the basics of cybersecurity, she could still benefit from a training program that is specifically tailored to what her office does (in this case, handling study abroad trips). The dining hall employee and other employees who do not use the internet regularly as part of their job will still need to go online to work with the payroll system and could benefit from training that teaches them to make sure they are inputting their personal information securely.