
Security and privacy awareness measurement in education and research 2022: make awareness less non-committal

BDO, commissioned by SURF, conducted a security and privacy awareness survey at 26 institutions in early 2022. It showed, among other things, that staff feel that structural attention to security and privacy is necessary to be resilient as an institution. A number of them call for less non-committal awareness.

Compulsory training and phishing tests as a big stick

Respondents agree that structural attention to security and privacy is indispensable to being a resilient organisation, and that employees play an important role in this. Some of them indicate that security and privacy are currently treated as too non-committal. They therefore advocate introducing, for example, mandatory training and phishing tests. They see this as a big stick, because at the same time they report limited motivation, due to work pressure, unclear rules and lack of interest.

Be clear about what the institution expects from employees

The measurement also shows that respondents feel it is unclear what the institution expects from them when it comes to privacy awareness and information security. Therefore, make sure the security and privacy guidelines match the employees' work situation, and differentiate by target group if necessary. Draft the guidelines in concise and clear language and make sure they are in an accessible location.

Support staff are more aware than lecturers and researchers

Support staff, library staff and the target group 'other' score higher than lecturers and researchers on all components of the measurement. This may be due to perceived workload, which is higher among lecturers and researchers than among support staff. For support staff, it may be more natural to see security and privacy as part of their core tasks, as their other duties are also supportive of the primary process. For lecturers and researchers, the reverse may be true.

Research approach

In early 2022, 26 institutions (wo, hbo, mbo and other, including libraries and research institutes) responded to SURF's call to take part in a cybersecurity awareness measurement as part of the Cybersave Yourself (CSY) service. The measurement, set up in collaboration with BDO, an organisation specialising in improving organisations' digital resilience, involved completing an online questionnaire on privacy and security. The participating institutions distributed the questionnaire themselves within part of their own organisation. Respondents received immediate feedback after completing the questionnaire. A number of in-depth interviews were also conducted. The participating institutions each received their own report.

Download the report (in Dutch)