Although digital transformation and cybersecurity are among the most important challenges faced by governments today, public awareness remains limited. Almost everybody has heard of cybersecurity and its importance; however, the behaviour of citizens does not always reflect a high level of awareness. Cybersecurity is essential for individuals and for public and non-public organisations, yet observing security practices often proves to be difficult.
Surveys are a crucial part of successful awareness raising
Based on a survey of over 1,000 Europeans about awareness of cybersecurity issues, the FIC Agora white paper takes an in-depth look at how citizens can be better protected in a changing online landscape. What is particularly welcome about the FIC Agora approach is its use of a public survey.
Awareness is the starting point for any organisation to gain an understanding of its current cybersecurity status, and the ways in which human factors might support or detract from that defensive stance. Gathering data and statistics from public surveys and establishing metrics about the behavioural aspects of cybersecurity is a crucial part of successful awareness raising.
Public surveys provide background on the cybersecurity thinking and behavioural patterns of people, which gives important input for the preparation of cybersecurity awareness campaigns. Statistical information on how citizens perceive digital risks, their attitudes and knowledge can help to provide better direction for choosing measures for protecting the digital environment.
Polls and surveys make it possible to get to know the target groups. This, in turn, helps in deciding what kind of information the target audience needs to improve their skills and knowledge about cybersecurity. Using public polls and fostering close cooperation with national statistics offices helps to better identify, understand and reach specific target audiences.
Existing regular EU public opinion surveys such as the Eurobarometer or the EU Digital Economy and Society Index can serve as a useful starting point for nations striving to connect data with awareness raising activities. In addition to data from Eurobarometer, drawing on systematically collected aggregate data from national Computer Emergency Response Teams (CERTs) and law enforcement agencies about cyber incidents and cybercrimes can highlight trends and be used to build situational awareness.
It is also useful to analyse cyber incident data to better understand which societal groups have been hurt the most and subsequently to analyse which risk mitigation measures are best.
E-social contract = National Cybersecurity Strategy
The FIC Agora paper then proceeds to explain what the EU, Member States, industry, and civil society organisations do to protect citizens. It offers 12 recommendations to encourage a more people-centric cybersecurity. Amongst these recommendations, two in particular deserve attention: first, the idea to develop an e-social contract and second, the proposal to improve threat information sharing.
FIC Agora suggests that the terms of a contract should be defined in consultation with all relevant stakeholders, including governments, industry, civil society organisations and citizens. Indeed, as the ENISA paper on raising awareness of cybersecurity (2021) underlines, a clear vision about cybersecurity awareness raising should be a key element of national cybersecurity strategies.
Cybersecurity awareness raising is more likely to be successful when the corresponding vision is spelled out in the national cybersecurity strategy to help all stakeholders understand what is at stake and why cybersecurity awareness raising is needed (context), what is to be accomplished (objectives), as well as what it is about and to whom it applies (scope). The clearer the vision, the easier it is for key stakeholders to ensure a comprehensive, consistent, and coherent approach.
For example, the Czech Republic has published its national cybersecurity strategy for 2021–2025 with a separate chapter titled “Resilient Society 4.0” addressing education and awareness raising of the overall population. The Finnish Cybersecurity Strategy from 2019 focuses, inter alia, on the need to increase public cybersecurity competence.
The awareness raising objectives of the Latvian Cybersecurity Strategy 2019–2022 focus on building an information society that includes raising cybersecurity awareness amongst teachers, students, governmental employees, and society in general by promoting safe use of hardware, software and the Internet.
Improving threat information sharing between governments, industry and citizens
Traditionally, cybersecurity threat information products are technical in nature. Information about vulnerabilities in certain ICT products is typically published in specific information channels of national Computer Emergency Response Teams (CERTs) targeting the IT community. Such expert information remains incomprehensible to wider, non-technical audiences.
Yet regular non-technical public assessments that are comprehensible for a wider audience help citizens to realise how each person can contribute to a better protected cyberspace. Regular publication of cybersecurity trends and challenges is important because it promotes public discussion about the possible impact cyberattacks can have not only on the particular information systems targeted, but also on national security as a whole.
Best practices in this field include Norway, which in 2019 launched a separate National Strategy for Cybersecurity Competence, because competence and knowledge about cyberthreats, vulnerable areas, and effective measures are a precondition for the ability to protect digital systems against cyber incidents.
The Estonian Information Systems Authority publishes monthly, quarterly, and annual cybersecurity assessments. In addition, the Estonian Internal Security Service and Foreign Intelligence Service both publish annual assessments that have a separate chapter on cybersecurity covering the intelligence angle of cyber threats.
The Finnish Transport and Communications Agency National Cybersecurity Centre publishes a monthly Cyber Weather report that provides an update on the key information security incidents and phenomena of the month. The Cyber Weather news items are assigned one of three categories: calm, worrying or serious.
Following the Finnish example, once a month, the Latvian national CERT also publishes a detailed cyber weather report about past cyber incidents in Latvia divided into five segments: scams and phishing, malware and vulnerabilities, IoT, data breaches and data leaks, and network performance. If everything is fine, the weather is sunny; if there are a few incidents, it is raining; and if there are a lot of incidents or big financial losses, it is a thunderstorm.
The FIC Agora white paper, seeking to address the role of the human in cybersecurity, reflects a growing recognition that technical cybersecurity measures do not exist in a vacuum and need to operate in harmony with people.