Security and privacy awareness survey in education and research: institutions' awareness levels comparable

During Cybersecurity Awareness Month, SURF and BDO will present the results of the security and privacy awareness survey for education and research. This survey, conducted among 26 institutions as part of the Cybersave Yourself service, shows among other things that the awareness levels at institutions are comparable.

Awareness important in preventing incidents

Many security incidents are related to the actions of employees. For example, they click on a phishing e-mail, lose a hard disk with research data, or accidentally put all recipients in the cc instead of the bcc in a sensitive e-mail. It is therefore important that employees are privacy- and security-conscious. The results of this survey (in Dutch) offer you insight into how you can raise awareness within your own institution.

Awareness levels are similar, motivation is - in their own words - high

The survey shows that the awareness levels of the employees who participated in the measurement are comparable. The average score is 6.8. A total score of 7 or higher is a sufficient basis for working in a privacy-aware and information-secure way. Some improvement is therefore still needed. The measurement examined how motivated employees are to work with information security and privacy awareness, to what extent they are enabled to do so and whether they have sufficient knowledge and skills. In their own words, employees are highly motivated to work in a privacy-aware and information-secure way.

Focus on lecturers and researchers necessary

It is striking that lecturers and researchers lag behind compared to supporting job groups, both in participation in this survey and in the results. This could be due to the high work pressure. Working in a privacy-aware and information-secure way is probably given less priority as a result. Another cause may be that the work situation, especially among researchers, cannot be clearly described in a set of rules or guidelines. They often work in (international) partnerships, in which the rules and guidelines of the institution cannot simply be followed. The research consortium determines what tooling is used, and that can be at odds with the institution's guidelines.

Determine what privacy-aware and information-secure working means

One of the report's recommendations is that institutions should be clearer about what they expect from staff in terms of privacy-aware and information-secure working practices. Be realistic in this respect: prohibiting tools or activities if there are no reasonable alternatives is not workable. Employees also need short and concise guidelines that are written in clear language and are easy to find.

"Education is often improvisational and pragmatic. (...) An activating quiz, doodle, creative break or whiteboard session cannot be done without external tools. Rules and guidelines are far removed from these needs."
Quote from one of the respondents

About the survey

In early 2021, 26 institutions (universities of applied sciences and others - including libraries and research institutes) took part in a cyber security awareness measurement as part of SURF's Cybersave Yourself service in collaboration with BDO, a company that helps organisations to change their employees' behaviour.

Download the report of the awareness survey (in Dutch)

About the Cyber Security Awareness Month

Besides having technology in order, awareness is an important part of preventing security incidents. October is cybersecurity awareness month. This month various organisations around the world will be drawing attention to cyber security and cyber awareness. SURF also participates. Read more about cybersecurity awareness month.