Security and privacy awareness measurement in education and research 2022: make awareness less non-committal
Compulsory training and phishing tests as a big stick
Respondents agree that structural attention to security and privacy is indispensable for a resilient organisation, and that employees play an important role in this. Some of them indicate that security and privacy are currently treated as too non-committal. They therefore advocate introducing mandatory training and phishing tests, for example. They see these as a big stick, because at the same time they also report limited motivation, due to work pressure, unclear rules and lack of interest.
Be clear about what the institution expects from employees
The measurement also shows that respondents find it unclear what the institution expects from them when it comes to privacy awareness and information security. Therefore, make sure the security and privacy guidelines match the employees' work situation, and differentiate by target group if necessary. Draft the guidelines in concise and clear language and make sure they are in an accessible location.
Support staff are more aware than lecturers and researchers
Support staff, library staff and the target group 'other' score higher than lecturers and researchers on all components of the measurement. This may be due to perceived workload, which is higher among lecturers and researchers than among support staff. For support staff, it may be more natural to see security and privacy as part of their core tasks, as their other duties are also supportive of the primary process. For lecturers and researchers, the reverse may be true.
In early 2022, 26 institutions (wo, hbo, mbo, other - including libraries and research institutes) responded to SURF's call to take part in a cybersecurity awareness measurement as part of the Cybersave Yourself (CSY) service. The measurement - set up in collaboration with BDO, an organisation specialising in improving organisations' digital resilience - involved completing an online questionnaire on privacy and security. The participating institutions distributed the questionnaire themselves within part of their own organisation. Respondents received immediate feedback after completing the questionnaire. A number of in-depth interviews were also conducted. The participating institutions each received their own report.
Download the report (in Dutch)