The issue of cybersecurity in schools is not going away anytime soon. A worldwide survey conducted by cybersecurity firm Sophos between January and March involving 3,000 IT/cybersecurity leaders revealed that 80 percent of school IT professionals reported ransomware incidents within the past year. This is an increase of 24 percent from the previous 12-month period.

While we are seeing progress being made to foster cybersecurity awareness in schools around the world, such as 'Cyber for YOUth' targeting school students in India or 'Savvy Cyber Kids' in the US, both of which use a sequence of engaging interactive sessions and innovative participatory activities, there isn't widespread knowledge of how to go about leveraging technology to help promote cybersecurity awareness.

And it’s not as if there are even significant doubts about the effectiveness of cybersecurity awareness programs. Government and private investment has increased with Amazon Web Services committing $20 million towards cyber grant programs for school districts and state departments of education.

So how can schools use the tools available to make cybersecurity awareness an engaging and fruitful activity, securing teachers' and students' online presence? Let's dive in.


Gamification is one solution that can help students engage and interact more with cybersecurity education. The great thing about games is that they can be used to replicate real-life scenarios, applying theoretical knowledge to create practical solutions without the risk or threat of anything going wrong.

Gaming also provides instant feedback to let the user know what has happened, helping students see the potential consequences of their actions. Children love competition, so giving them the drive to beat their peers while fostering collaboration between them can only aid in their cybersecurity awareness.

There are a few examples of gaming in cybersecurity. The National Cyber League (NCL) provides students with simulated scenarios cybersecurity professionals face, including individual and team-based challenges to enhance collaboration. There is an upcoming competition for the league which involves navigating issues like attributing hackers using forensic data, conducting penetration testing and vulnerability assessments on websites, recovering from ransomware attacks, and similar challenges.

Elsewhere, picoCTF, organized by Carnegie Mellon University, is a beginner-friendly capture-the-flag competition, presenting challenges related to cryptography, web exploitation, and reverse engineering.

Training modules

Nurturing a culture of cybersecurity within educational institutions relies on a continuous learning approach, and training modules fit into this premise. This involves grounding e-learning content and design in the latest insights from the psychology of learning, enabling staff and educators to practically shield themselves from online threats and extend this knowledge.

The process of fostering ongoing cybersecurity awareness comprises distributed learning, encompassing modularized content and immersive phishing simulations. Engaging participants in gradual learning experiences enhances their comprehension of cybersecurity matters, allowing them to more effectively absorb and retain the material.

Moreover, elevating engagement with e-learning modules can incorporate compelling narratives and the gamification techniques mentioned above. Drawing on motivational psychology concepts establishes an enjoyable learning environment, capturing participants' interest and refining their learning experiences.

As part of the commitment to personalized learning which schools aim to achieve, experiences can also be tailored to individual engagement levels. The learning journey can be finely tuned through advanced optimization techniques based on each participant's unique interaction history, ensuring that the educational process remains relevant, impactful, and effective.

Measuring the success and long-term impact

Schools need to construct a comprehensive framework that encompasses various methodologies such as surveys, simulated incidents, event logging, and assessments to see how aware staff and pupils are about cybersecurity. A mix of objective and subjective data is what will give schools a complete picture.

For example, gauging observed behavior objectively through simulated events, such as phishing simulations, offers insights into employee knowledge. However, such metrics may not capture employee satisfaction with the training experience. To provide a holistic assessment of program performance, it's crucial to gather subjective feedback through interviews and surveys to complement the training.

You can think about assessing cybersecurity awareness in three phases:

  1. Gathering data: Collect training statistics, participant satisfaction, training effectiveness, return on investment (ROI), and subjective indicator metrics. You might have specific goals about what kind of adoption rate you're expecting as well.
  2. Tracking progress: Long-term tracking of metrics and key performance indicators (KPIs) is absolutely pivotal as the security program matures. This enables the verification of improved overall security awareness and the identification of potential strategy gaps.
  3. Reporting insights: Once metrics have been collected and tracked over time, generating reports to share insights with stakeholders is essential. Streamlined digital reporting solutions with automated email reports and graphical displays help communicate trends and data points effectively.

Maintaining a balance between data collection and avoiding survey fatigue is critical: staff and pupils could quickly get bored with a mountain of surveys. Preventing disengagement and incomplete responses necessitates minimizing the time required for surveys and interviews. You can make things easier by using quick multiple-choice questions and picking a small group of respondents for discussions and interviews.

Final Thoughts

By harnessing technology-driven methods, educational institutions can make staff and students more aware of the importance of cybersecurity while forging resilient defenses against evolving cyber threats. The combination of e-learning modules and simulations not only nurtures a culture of cybersecurity consciousness but also empowers individuals to recognize, prevent, and mitigate potential risks. Furthermore, data and insights from various surveys and other metrics can be a huge aid in ensuring that cybersecurity awareness is maintained in schools.

About the author


Charlie Sander is CEO of ManagedMethods, a Boulder, Colorado-based data security and student safety platform for K-12 schools. With more than three decades of experience in the IT industry, Charlie has been an executive at some of the fastest-growing companies in business. He holds 10 patents and graduated from the Cockrell School of Engineering at the University of Texas at Austin with a BSEE degree.