Security and privacy awareness survey in education and research: awareness levels of institutions are comparable
In early 2021, SURF and BDO conducted a security and privacy awareness survey at 26 institutions as part of the Cybersave Yourself service. The survey showed that the institutions have similar levels of awareness of privacy and information security. What is needed, however, is a focus on lecturers and researchers. Read more about this survey.
Awareness important in preventing incidents
Many security incidents are related to the actions of employees. Examples include clicking on a phishing e-mail, losing a hard disk with research data, or accidentally putting all recipients in the cc instead of the bcc in a sensitive e-mail. It is therefore important that students and employees are privacy- and security-aware. The results of this survey (in Dutch) provide insight into how to increase awareness within one's own institution.
Awareness levels are similar, motivation is - in their own words - high
The survey (in Dutch) shows that the awareness levels of the employees who participated in the measurement are more or less comparable. The average score is 6.8. A total score of 7 or higher is a sufficient basis for working in a privacy-aware and information-secure way. There is therefore still some room for improvement. The measurement examined how motivated employees are to work in a privacy-aware and information-secure way (motivation component), to what extent they are given the opportunity to do so (opportunity component) and whether they have sufficient knowledge and skills (capacity component). In their own words, employees are highly motivated to work in a privacy-aware and information-secure way.
Focus on lecturers and researchers necessary
It is notable that the education and research function group lags behind compared to the other function groups, both in participation in this survey and in results. A possible explanation is the high work pressure. Working in a privacy-aware and information-secure way probably gets less priority as a result. Another cause may be that the work situation, especially for researchers, cannot be clearly described in a set of rules or guidelines. Researchers often work in (international) partnerships, in which the rules and guidelines of the institution cannot simply be followed.
Determine what privacy-aware and information-secure working means
One of the recommendations is that institutions should be clearer about what they expect from staff in terms of privacy-aware and information-secure working practices. Be realistic: prohibiting tools or activities if there are no reasonable alternatives is not workable. Employees also need short and concise guidelines that are written in clear language and are easy to find.
About the assessment
In early 2021, 26 institutions (higher education, vocational education, and other, including libraries and research institutions) responded to SURF's request to participate in a cyber security awareness survey as part of the Cybersave Yourself (CSY) service.
The survey - set up in collaboration with BDO, an organisation specialising in developing an approach to bring about behavioural changes among staff - involved completing an online questionnaire on privacy and security. The participating institutions distributed the questionnaire themselves within part of their own organisation. The respondents received immediate feedback after completing the questionnaire. The participating institutions each received their own report.