GG2022 – A Chain is Just as Strong as its Weakest Link - A Call for Better Education in Cyber Security
Puja Abbassi argues for widespread education on cyber security challenges
New challenges in the cyber security realm require innovative solutions, especially in areas where traditional systems and processes fail to keep up with the speed of change. The interconnections between risks make securing information systems so complex that it is no longer sufficient to address them at the individual level alone. Cyber attackers target specific victims and carefully plan their actions to induce damage and send the message they want. Given the level of interconnectedness, attackers find the weakest member in their victim’s network – including external partners – as a point of entry, be that on a national, corporate, or even individual level. New creative solutions require not only the leading countries, like the US, China, and the EU, to initiate action, but also a variety of private and public stakeholders to contribute to global solutions. Many of these stakeholders do not have the resources and knowledge to address the full range of cyber threats. This calls for an ambitious approach to cyber security education.
While some cyber threats can be addressed through legislation, others are better suited to being addressed by individuals and companies, which in turn leads to the need for proper education to reduce risks stemming from lack of awareness, uninformed behavior, and lack of knowledge about best practices. A number of reports on cyber security have suggested that specialized institutions (CERTs and IT forensics) should support companies and end-users by offering comprehensive education. By offering best practices and tools, they can increase not only the security of single individuals and companies, but also the general security of global systems by elevating the security of weak members. To guide this, we need a framework of comprehensive goals.
The World Health Organization (WHO) developed a set of goals for organizations addressing the current lack of structure in cyber security education that can be adapted and applied to fit the more abstract level of global governance. They include: raising awareness; promoting a culture of security; fostering greater confidence among users; helping to understand security issues; promoting cooperation and information sharing; and promoting security as an important objective. From a global governance perspective these goals need to be adapted and amended with a focus on three levels: securing the public sector, securing the private sector, and securing individuals.
Raising awareness should zoom in on educating organizations and individuals about internal and external security risks to information systems and networks. Emphasis should be placed on the need for security at all levels and for all stakeholders involved.
Promoting a culture of security builds on raising awareness, where everyone feels responsible for their own as well as others’ security. Best practices, measures, and tools to mitigate cyber risks should be at the center of these education efforts.
This would set the basis for fostering greater confidence among all users of information systems and networks, which includes informing them about the way in which these systems are provided and should be used as well as the security measures in place.
Helping users to understand security issues is an integral step in security education. It includes knowledge about security risks and the mechanisms of cyber risks. Actors need to be aware that security failures could not only harm their own systems and networks but also pose a threat to others because of the interconnectivity and interdependency of these systems.
The interdependency of systems, as well as the fact that many information systems are standard systems that bear the same security vulnerabilities across organizations, makes promoting cooperation and information sharing in cyber security one of the key priorities in education. Here, the private sector in particular needs to understand that sharing is not exposing their vulnerabilities or damaging their reputation. On the contrary, it improves trust for all stakeholders including their customers and can help to establish more secure and robust systems. Some corporations are already realizing this and voluntarily cooperating on cyber issues, as seen in the recent case of the European Cyber Security Group, a consortium formed to promote cross-border inter-organizational collaboration on cyber security issues. However, information sharing can also be forced by legislation, like the recent strategic cyber security plan by the European Union, which proposes a requirement for all web-based companies and critical infrastructure operators, such as e-commerce platforms, social networks and members of the energy, transport, banking and healthcare services, to report security incidents.
Finally, promoting security as an important objective that needs to be taken into consideration in all decision-making activities, including the development and implementation of new systems, networks, and standards, is a further part of cyber security education. Similar to HACCP (Hazard Analysis & Critical Control Points) in food security, there should be a framework for cyber security that helps assess cyber security risks in systems, networks, and processes and offers guidelines and best practices to mitigate them. In developing this framework, the above-mentioned CERTs could play a key role. By offering it as a guideline for implementing best practices and providing it as part of their general education efforts, the process of securing information systems could be made more streamlined.
The above-mentioned goals will not be reached overnight. Coordinated legislative efforts might not be the only way to achieve them. They need to be implemented by stakeholders at all levels. As a coordinated approach including various stakeholders is often hindered by differing and unclear understandings of the meaning of cyber space and cyber security, more loosely coupled efforts and cooperation on an informal level - aligned to the common set of goals outlined in this article - might be a way to start a movement of cyber security education. Democratizing this knowledge will help achieve a more secure cyber space by elevating security not only for the big players but also for smaller, weaker actors, whose vulnerabilities could otherwise act as backdoors to seemingly secured information systems.
Puja Abbassi is a fellow of the GG2022 program and a PhD candidate at the University of Cologne, where he studies the influence of networks on the success of technology startups and works on a project that focuses on IT-assisted security in food supply chains.