Why the average person’s cyber security knowledge should worry you

Screenshot of the initial assessment pop up on the CybSafe homepage.

Joe Giddens

Director of Content & Communications

2021/12/10

You didn’t remember!

You arrive at school and realise you have an exam you’ve forgotten about. You haven’t attended any of the classes, completed the reading, and definitely didn’t prepare. Sound familiar?

This is the recurring “final exam” dream. It’s one of those shared human experiences that wakes you up in a cold sweat at 3 am, even though you haven’t touched an exam in years! 

Many theories exist about why this is a common experience. Most of them centre around feeling unprepared for–or having forgotten about–something important. 

Strong parallels can be drawn between the final exam dream and the average person’s cyber security awareness. Most people aren’t formally taught about staying safe online. So testing people on knowledge they don’t know can feel like an exam they haven’t prepared for. 

 

You don’t know what you don’t know

Whether it’s cool space facts, or the latest methods criminals are using to steal information, there will always be places where we are clueless about our ignorance. We face many risks in life we don’t know about until it’s too late!

This is what’s worrying when it comes to staying safe online. A study from the Pew Research Center found a significant number of adults are not sure of the correct answer when answering basic cyber security questions. In fact, they’re more likely to answer “not sure” rather than provide an incorrect answer.

That said, there is one thing people are highly aware of when it comes to staying safe online…

 

It’s only a matter of time

According to Ipsos MORI’s UK cyber survey, 70% of people believe they will fall victim to at least one type of cybercrime in their lifetime. Depressing, right?

But there’s another way to look at it, one that is glass half full. People understand cyber security is important, which is a good thing. From the research, it appears they just don’t know where to find information and don’t feel confident in what they already know. 

Enter security awareness! 

 

Where to start?

The best way to help someone is to start by measuring what they do and don’t know. This can be difficult given the endless sea of information out there (try asking someone what a good password looks like…!). 

Welcome, stage left, the CybSafe “Initial Assessment” (or IA for short). By asking a few questions to test key cyber security knowledge points, you can understand the abilities of your people and run appropriate campaigns to support them.

What does success look like? This depends on the needs of your organisation, but you can start with one vital question. 

 

Is it interesting, or is it helpful?

Think back to a time you were at a party. Stuck in the corner with someone who was going on and on about their job or niche hobby. You switch off and start planning what you’re going to eat when you get home. Why was it so hard to concentrate on the conversation? 

It is probably because you are thinking, “how does this affect me?” Security professionals often run campaigns on the information they find interesting, without asking themselves whether it is actually helpful. 

The Content and Behavioural Science Teams at CybSafe put this theory to the test. 

 

Testing our test

The IA has been a part of the CybSafe experience for some time. It’s a great way to assess the starting point of people when it comes to staying safe online. But just like the exams that haunt our dreams, not all tests are made equal. 

For a test to be effective, the purpose of the assessment should be considered. That means being intentional about the topics being assessed, the difficulty of the questions, the effectiveness of the questions to measure understanding, and the overall experience people have when taking the assessment.

 

Back to the basics

We ran a study to find the best questions to gauge the general cyber security knowledge of the average person. 

We drafted a handful of questions for each of the key areas of cyber security knowledge: MFA, passwords & passphrases, reporting incidents, identifying fake emails, and browsing securely. 

Sixty participants aged between 25 and 54, all in full-time employment, took part in this study. This matches the demographic using CybSafe.

During this study, we wanted to find out:

  1. How many people got the questions right
  2. Self-reported difficulty score of each question
  3. Average level of knowledge for each area
  4. Overall feedback on the assessment experience

 

Think like Goldilocks

The findings were illuminating. Across the different areas, people were good at identifying fake emails, spotting secure passwords and identifying when to report security incidents. In fact, more than 50% of participants chose the right answers for these areas and reported the difficulty as being easy to average.

An area where participants struggled was multi-factor authentication, with only 40% of participants selecting the correct answers. Yet they demonstrated a strong understanding of the importance of this knowledge in their feedback. 

When looking at the perceived difficulty level, things got even more interesting! In almost half of the questions, a mismatch was present between the number of correct answers and the mean difficulty score. 

For example, when asked to select the most important characteristics when creating a password, participants rated the question as average difficulty, but only 13% answered correctly!

In our study, we saw the findings of the Pew Center’s research in action – people don’t know what they don’t know! So, how can we guide them in the right direction?

We started by narrowing down the questions using the Goldilocks principle: striking a balance between a question being too easy and too hard. If a question is too hard to answer, people get disheartened. If it is too easy, people get complacent and switch off. 

Other factors that shaped the IA: 

  • Testing practical knowledge that makes a difference in daily life (e.g. what a good password looks like and how to spot a fake email), and not just knowledge that is simply interesting.
  • Assessing what the average person knows, not the average cyber security enthusiast (hint: it’s less than you think!)
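To make the two analysis steps above concrete (flagging a mismatch between correct-answer rate and self-reported difficulty, then keeping only questions in the Goldilocks band), here is an added example. It is not CybSafe’s code and the response data is constructed for illustration; the 1–5 difficulty scale, the “easy to average” cut-off of 3 and the 40–80% band are assumptions for this example, not figures from the study.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed difficulty scale for this example: 1 = very easy ... 5 = very hard.
# Mean ratings of 3 or below are treated as "easy to average".
EASY_OR_AVERAGE_MAX = 3.0


@dataclass(frozen=True)
class Response:
    participant: str
    question: str
    correct: bool
    difficulty: int  # self-reported, 1-5


def summarise(responses):
    """Per question: number of answers, share answered correctly, mean self-reported difficulty."""
    by_question = {}
    for r in responses:
        by_question.setdefault(r.question, []).append(r)
    return {
        q: {
            "n": len(rs),
            "correct_rate": sum(r.correct for r in rs) / len(rs),
            "mean_difficulty": mean(r.difficulty for r in rs),
        }
        for q, rs in by_question.items()
    }


def mismatches(summary, easy_max=EASY_OR_AVERAGE_MAX, pass_rate=0.5):
    """Questions where perceived difficulty disagrees with the actual correct rate.

    "Rated easy but mostly wrong" is the 'people don't know what they don't know'
    pattern; the reverse case is a question people find harder than it is.
    """
    out = {}
    for q, s in summary.items():
        felt_easy = s["mean_difficulty"] <= easy_max
        got_right = s["correct_rate"] >= pass_rate
        if felt_easy and not got_right:
            out[q] = "rated easy but mostly wrong"
        elif not felt_easy and got_right:
            out[q] = "rated hard but mostly right"
    return out


def goldilocks(summary, lo=0.4, hi=0.8):
    """Keep questions whose correct rate is neither disheartening (too low) nor trivial (too high)."""
    return sorted(q for q, s in summary.items() if lo <= s["correct_rate"] <= hi)


# Constructed sample data (not real study results): 5 questions x 6 participants,
# each tuple is (answered_correctly, self_reported_difficulty).
SAMPLE = {
    "mfa_what_is_it":  [(1, 3), (0, 3), (0, 4), (1, 3), (0, 4), (0, 3)],
    "password_traits": [(0, 2), (0, 3), (0, 2), (1, 3), (0, 2), (0, 3)],
    "spot_fake_email": [(1, 2), (1, 2), (1, 3), (0, 2), (1, 2), (1, 3)],
    "when_to_report":  [(1, 2), (1, 3), (0, 3), (1, 2), (0, 3), (1, 2)],
    "secure_browsing": [(1, 4), (1, 4), (0, 5), (1, 4), (1, 4), (1, 4)],
}


def build_responses(sample):
    """Expand the compact per-question tuples into Response records."""
    return [
        Response(participant=f"p{i}", question=q, correct=bool(c), difficulty=d)
        for q, answers in sample.items()
        for i, (c, d) in enumerate(answers, start=1)
    ]


RESPONSES = build_responses(SAMPLE)

if __name__ == "__main__":
    stats = summarise(RESPONSES)
    for q, v in stats.items():
        print(f"{q:16} n={v['n']} correct={v['correct_rate']:.0%} "
              f"mean_difficulty={v['mean_difficulty']:.2f}")
    print("mismatches:", mismatches(stats))
    print("goldilocks band:", goldilocks(stats))
```

On this constructed data, “password_traits” is rated average but rarely answered correctly (the pattern the study found), “secure_browsing” is the reverse, and only “when_to_report” sits inside the band; the thresholds are the knobs a programme owner would tune against their own population.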

 

It isn’t scary if you’re prepared

Gaps in knowledge shouldn’t worry you; that’s why security professionals have jobs! What should concern you is when people don’t know about the risks they face (until it’s too late).

This is why the IA is at the beginning of the CybSafe journey. It’s vital. It captures a baseline before you roll out any campaigns. Instead of guesswork, you can track progress over time using our data and analytics, and see the effectiveness of your campaigns from the jump.

Once you know what people are struggling with, you can help. Show your people what they need to learn, why it’s helpful and how to find the info. 

By assessing your people’s knowledge when you launch CybSafe, you can make the most of the tools on the platform. For example, you can use custom Assist entries to plug knowledge gaps. Or you can use custom Protect cards to improve security behaviours. 

 

Take a look for yourself 

We’ve created a quick video to walk you through the initial assessment, what it looks like and how you can make the most of the feature. 

Try it yourself or see it in action