Cybersecurity in Higher Ed Has Been Maturing for a While
The concept of cybersecurity has been around for decades and information security programs in higher education have been steadily maturing over the past 20 years. We have highly trained cybersecurity professionals, industry standards, new or improved tools, and frameworks that allow for continuous improvement. So why does it feel like we’re stuck in a “Groundhog Day” time loop where we have the same issues and threats, end up sending the same educational messages with more of the same advice and best practices, and don’t experience much change in end user behavior?
Fear, uncertainty, and doubt (FUD) is a common motivational tactic used in the cybersecurity industry, and it has crept into many security awareness and training programs over the years. Whether the use of FUD is intentional or not, shame is a byproduct of this outdated approach to educating end users, which can lead to apathy and an unwillingness to change how things are done.
How do we break free of this time loop trap and move forward with security awareness, training, and education efforts that are not only more mature, but also use inclusive approaches that take advantage of teachable moments and help educate, empower, and inspire people to learn more? In the end, we want end users to better understand cybersecurity and feel comfortable approaching the infosec team if they have questions or want to learn more.
First, let’s consider how the workforce has changed, how generational culture shifts are affecting organizations (especially since the pandemic), how we’re talking more openly about mental health and wellness—and how these affect cybersecurity training and end user behavior. Then we can focus on how we want to change things for the better and create an actionable plan for redesigning and refreshing our security awareness and training programs.
Consider the Workforce and How It Has Changed
Cybersecurity awareness and training began blooming into formalized programs for private industry back in 1998, following one of the first public mainstream hacks: a group threatened to use Yahoo! to detonate “logic bombs” on any PC in an effort to get famous hacker Kevin Mitnick released from prison. The claim was a bluff, but it did succeed in bringing about a new appreciation that securing our digital assets was as much the responsibility of end users as it was of the IT department. The tech workforce looked a lot different back then, with leadership roles held primarily by members of the Baby Boomer generation. Individuals naturally can fall outside of generational stereotypes, and implying ubiquitous personality traits based on a birth year is absurd; even so, generational characteristics have always pervaded workplace norms and expectations, influenced by cultural standards across the industry as much as anything else.
Generation | First Birth Year | Last Birth Year
Baby Boomers (AKA Boomers) | |
Generation X (AKA Gen X) | |
Generation Z (AKA Gen Z or Zoomers) | |
Generation Alpha (AKA Gen A) | |
One thing research has shown us is that Baby Boomer-led workplaces romanticize a strong work ethic, competition, and focus, sometimes summarized as a workaholic streak. As such, early infosec training programs leveraged shame culture a fair amount (e.g., Shame in Cyber Security: Effective Behavior Modification Tool or Counterproductive Foil?, Shame on You! Do You Use Shame to Control Others?, and To Win the Fight Against Cyberattacks, Stop Shaming). Shame culture maintains conformity of behavior through the individual’s fear of being shamed. These programs did produce some favorable training results, as shame avoidance is an excellent motivator, especially for a generation that places such a high value on discipline and enjoys the game of competing with and “one-upping” colleagues. However, shame avoidance can also drive undesirable end user behaviors, like not reporting incidents or—even worse—hiding a mistake an individual realized they made.
In 2008, the first of the Baby Boomers reached age 62. By 2030, the entirety of the Boomer generation will be over the age of 65. Notably, the US tech workforce has been expanding faster in recent years than it was even a decade ago, despite the Baby Boomers’ progressive retirement from the workforce. It was predicted that by 2020 Millennials would make up 50% of the workforce, and by 2030 would make up 75%. What this signals is a major shift in the desired workforce culture, from the workaholic ethic to one that suits the defining characteristics of what motivates Millennials and Gen Z (aka Zoomers).
At this point we’d like to acknowledge that we’re neglecting to include the ephemeral Gen X in this discussion, but we believe that is the way they’d want it.
Characteristics of the Millennial generation include being technology natives (unlike previous generations, they grew up with the internet), curiosity, craving constant feedback and collaboration, and celebrating individuality and diversity. There is no drive from this generation to create and maintain a homogeneous culture; instead, Millennials question traditional norms, especially if the “how things have always been” approach is leaving people out. Further, this generation has broken down the stigma around self-care and mental health awareness—and just in time—as the pandemic (with months of forced isolation and rupture from normalcy) confronted our entire population with a collective need to quickly reinvent how we all managed to function (as families, communities, students, and employees). This includes a new mindfulness of what we can reasonably ask of ourselves (‘A bigger paycheck? I’d rather watch the sunset!’: is this the end of ambition?).
The characteristics of Zoomers are very much in line with Millennials as well, with an emphasis on seeking collaborative environments and development opportunities, flexible hours, authenticity, and making a positive impact on the community. What this looks like as more and more Millennials and Zoomers are comprising the workforce is a rejection of toxic work cultures, and an ingrained openness to leaving a job if they don’t feel like it is a good fit for them; a quality the previous generations do not share (What some business owners STILL don’t get about hiring and keeping millennials).
According to an ISACA survey of its membership and of those working in IT risk and compliance professions, respondents who were 30+ years old in 2020 were more willing to endure career stress and burnout conditions than those younger than 30. Additionally, ISACA found that 70% of the workforce declared they would consider changing jobs within the next two years. Thus, we shouldn’t be surprised that the higher ed IT workforce has been getting slimmer, as EDUCAUSE observed in May 2022: “[Eleven percent] of the [higher education] IT workforce has separated from the institution either through retirement or for other opportunities.” This is in spite of the fact that the US tech workforce has been expanding throughout the pandemic while other occupations contracted. In short, higher ed has been trending towards failing to retain its IT talent. This trend is expensive, time consuming, and threatens an IT department’s ability to meet immediate institutional needs, not to mention plan, prepare, and innovate for future needs.
It is not a far stretch of the imagination to draw a line from the generational culture shift and workforce burnout to the turnover rates in higher ed IT. As the generational composition of the workforce yearns for social consciousness and inclusion, institutions must adapt and move towards something their community appreciates and can be proud of, or risk more resignations. Detoxify your work culture by modernizing not only your infosec team norms but also how your team engages with the community it supports, placing community thriving as a primary objective. The goal should be not only a workforce culture that retains the talent and staffing that higher ed IT is losing right now, but also a compelling cybersecurity awareness and training program that your community finds helpful and engaging.
Changing Things for the Better
So what’s next? How should we be thinking differently about our approach to educating end users about cybersecurity using this knowledge of the changing workforce? And how can we prioritize refreshing security awareness and training programs when departments are struggling to maintain their teams, support existing workloads, improve operational efforts, and create better work-life harmony?
Changing human behavior isn’t simple or easy. Most cybersecurity professionals have observed this over (and over) in the past few decades. While the threats and risks faced by organizations have evolved, they are still similar to the things we faced at the beginning of the 21st century. (As Randy Marchany notes, “The more it changes, the more it stays the same.”) The approaches we’ve used to teach people how to protect themselves, their devices, and their personal information also haven’t changed too much, other than adapting the training modules to educate people about new technologies and safeguards. Whether it’s using FUD, rewards, or constant communication, we haven’t seen huge shifts in people’s behaviors, from how they respond to phishing messages or how often they change their passwords.
People don’t need to be fearful, uncertain, or doubtful—especially in this pandemic-hardened world. We are all tired and doing the best we can to get by. We need to take a different approach. Empower end users. Show them that they can take control and help keep their personal and workplace information secure. We just have to find the right (self)motivation.
Four Actionable Areas for Infosec Awareness and Training Programs
Many cybersecurity professionals are feeling burned out from the past two years and security awareness teams may not feel like they have the time, energy, or creativity to develop a fresh approach. However, the higher education information security community has proven time and again that we are more successful when we work together and collaboratively develop new ideas and approaches that are more engaging and (dare we say it?) fun for us and our end users. Here are just a few ideas for reinvigorating cybersecurity awareness and training programs.
Diversity, Equity, and Inclusion (DEI)
Training programs must continually evolve to remain relatable to a variety of races, nationalities, and orientations. To reduce the possibility that anyone may feel disconnected or alienated from the program content, steps can be taken to acknowledge diversity in program materials. Also, always consider content accessibility when planning or creating materials—including vision or hearing impairments, color blindness, or even assuming end user access to a personal smartphone or mobile device. Finally, run your training material through HR or your institution’s DEI group for feedback to ensure that your material is as inclusive and accessible as possible.
We now prefer information presented in bite-size learning modules. During the pandemic, our population amused itself by absorbing news and trivia through captioned photos online, infographics, and short but compelling videos (imagine how many Zoomers have taught themselves a new skill using only YouTube or TikTok over the pandemic!), so why not use our short attention spans to your program’s advantage? Take those longer training modules you’ve used in the past and split them up into little gold nuggets of information. Use a creative, multimedia approach to training involving self-directed, on-demand content on a number of platforms (Instagram, TikTok, YouTube, Twitter, Vimeo, etc.). Consider ways to ask for feedback from your users so you can offer follow-up content based on interest. Build both usefulness and ease of consumption into your program content in a self-guided format to fully leverage how your user base has grown accustomed to learning, and it will take the burden out of increasing completion rates.
Mental Health Adjustments
There is already too much stress in higher education. Consider eliminating the mandatory infosec training quizzes that check people’s understanding of the material altogether. Instead, in line with the suggestion above to deconstruct content, add “test yourself!” quizzes as optional content that a user can consume if they have the time and interest. Also, build acceptance of mistakes and failures into your training program in some way. Take the shame out of getting things wrong. Failures can create some of the most empowering learning opportunities and are ABSOLUTELY a natural part of healthy personal growth.
Make the World Better
If your awareness and training program aligns with values that resonate with your end users, you can create a relationship of trust with them. In place of training completion incentives like bookstore gift certificates or a drawing for fancy headphones, launch a rewards initiative that gives back to the community based on how well people interact with the awareness and training program (think about how back in 2007 FreeRice made us enjoy vocabulary quizzes with the feel good bonus of generating real rice donations to the World Food Programme for starving communities). Identify a cause that speaks to your user base, whether it be a campus food pantry, planting trees, trash pickup, or even a cash donation to a well-regarded charity, and use that as an incentive for achieving completion rates in your awareness and training programs. Additionally, create a resource center your users can visit any time when they are curious about cybersecurity, either for your institutional data protection or tips for their digital personal life. Drive home the value set that cybersecurity is trying to make the world better.
Because we underestimate the value of a refresh, cybersecurity awareness and training programs continue to be a mandatory task that subtly leverages shame avoidance in our end users to motivate good cybercitizenship. Institutions embracing the wash-rinse-repeat strategy of using the same content year after year and hoping for improved community engagement lack situational awareness. Our entire higher ed community has changed massively in the past decade: younger generations have entered the ranks en masse, older generations are moving on to retirement, and everyone has had to navigate a multiple-year global pandemic. Part of elevating the maturity of your cybersecurity awareness and training program means operationalizing a feedback loop and updating the program regularly. If you get this right, you can increase end user interest and engagement with your program as well as support a work culture that IT employees are proud to be a part of. That juice is worth the squeeze (that’s what the kids are saying these days, right?).
This post was co-authored by Senior Strategic Consultant Jacqueline Pitter, who advises clients on network modernization, information security program development, and technology architecture, and Strategic Consultant Valerie Vogel, who advises clients on information security and privacy awareness and education programs, IT and data governance design and implementation, and strategic planning.