Awareness measurement education and research 2023: embed awareness organisation-wide

Main conclusions

Employees, as in the 2022 measurement, are convinced of the importance of cyber-safe and privacy-aware behaviour, but have limited motivation to pay attention to it. This is because they lack support within their institution and the lack of clarity on what secure working means in practice. They are reasonably satisfied with the facilities at their disposal, but a strong security-awareness culture is lacking. Respondents were less positive about the role model role of managers compared to last year.

Results across the board better than in 2022

On average, participating institutions scored a 6.5. This is an improvement from the 2022 measurement where the average score was 6.1.

Recommendations

• Ensure that awareness activities and materials connect to daily work in education and research.
  
  Invest in a strong security awareness culture by embedding awareness structurally, organisation-wide and at all hierarchical levels. For example, by making security and privacy a regular part of the onboarding of new employees.
• Remove barriers to working safely.
• Invest extra in teachers, researchers and managers.
• Focus on specific themes such as secure software and safe storage and sharing of personal data.

About the measurement

In early 2023, 70 institutions (wo, hbo, mbo, other - including libraries and research institutes) took part in a cybersecurity-awareness measurement as part of SURF's Cybersave Yourself service, in collaboration with BDO Cybersecurity and the Centre of Expertise Cyber Security of The Hague University of Applied Sciences.