Security awareness

Building a Security Awareness Program in the Education Sector

Greg Belding
November 30, 2018 by
Greg Belding


There are few things as important to the professional development of people as the education sector. Despite this importance, the education sector is currently the industry most victimized by ransomware attacks and among the top three industries targeted by data breaching hackers. Using this revelation as a backdrop, it is clear that more focus needs to be placed on building security awareness programs in the education sector.

This article will address three points: How do we begin building security awareness concepts from within education? What are three steps required in the short term to promote security awareness in education? What does the future landscape of security awareness in education look like?

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

How Do We Begin Building Security Awareness Concepts From Within Education?

To begin to answer this question, we first need to look at the risk level of the industry and what areas are at most risk. Some food for thought:

  • A recent database breach of a major state university revealed 287,570 records of students, staff and faculty affiliated with the university
  • According to the 2017 Verizon Enterprises Data Breach Investigations report, 26% of higher education institutions had cyber-espionage present. This figure is significantly higher than the value given to human error
  • The education sector is the industry ranked #3 in the list of those most targeted for data breaches, with only the finance and healthcare industries being targeted at a higher rate
  • Each stolen or lost data record costs educational institutions approximately $246

This glaring lack of strong information security in the education sector is compounded by the information security weakness present in education sector employees and staff. In 2017, a State of Privacy and Security Awareness survey was offered to 1,011 employees in the education sector of the United States that exposed some concerning issues. Consider this information gleaned from the results of the survey:

  • Employees in the education sector performed far worse than the general population of adults in the United States
  • Of the 1,011 employees surveyed, 76% earned a score designating them as a security risk or novice
  • Private school employees fared worse than public school employees — some as much as 8% more likely to exhibit risky behavior
  • Faculty fared worse than general staff
  • Static, annual security awareness programs do not adequately prepare employees in the education sector for real-world information security application or teachable moments that may arise
  • An important Australian study found that an employee’s intention to comply with security awareness programs is dependent upon the employee’s level of information security awareness

So, what is it that we can say with these findings? Can we say that the education sector is full of faculty members that are really more of a security risk than anything else? Sure we can, but even more important is that we know where the problems lie so we can address them.

The question of where to begin with building security awareness in the education sector is where the problem lies — most notably with employees of the education sector itself. Employees are the weak link in security, but we also know that annual security awareness training is a losing strategy.

Sage advice in this case is to craft security awareness programs that target the weaknesses present in education sector employees but done in a way that the programs are flexible and permit the employees to learn as they go. Event-Activated Learning (EAL) is a good method to provide flexible, teachable moment-based information security education as the need arises. This should, of course, be just part of the overall information security awareness program strategy implemented at an education sector institution.

What Are Three Steps Required in the Short Term to Promote Security Awareness in Education?

While some aspects of addressing the problem of information security in the education sector are long-term solutions, some solutions can definitely be implemented in the short-term to remedy the situation.

Implement More Efficient Issue Notification Between Employees and IT Departments

One of the fastest and easiest ways to remedy an information security scenario where stale and outdated security awareness training is implemented is to require as close to real-time issue reporting to the IT department as possible.

This small change will pay dividends, as it will make some of the recommendations below more feasible to implement. As shown above, most faculty members in the education sector can be referred to as “computer illiterate.” Reporting issues with greater frequency will not only smash this often-internalized apprehension about technology but also teach faculty members what issues to look for as they come up.

Implement Event-Activated Learning to Address Teachable Moments

A great way to address the need to have a flexible security awareness program within the education sector is to use Event-Activated Learning. EAL is a way that industries can use information as it arises to ensure that it sticks in the employee’s mind enough to apply it in practice in the workplace. This approach to teaching employees information, coupled with teachable moments that can pop up at any time, equals an approach to information security that will address issues as they come up and help ensure that it is applied where needed.

An example of this approach would be where an information breach happens to an institution in the education sector. The breach is reported to the institution’s IT department, and the IT department would then quickly assemble a short lesson to illustrate the issue that occurred and how it should be addressed in the future.

Create Information Security Surveys for Employees in the Education Sector

Another short-term step to promote security awareness in the education sector is to require employees to take an information security survey. This survey should be offered as soon as possible, especially for new employees, to gather appropriate information about employee security awareness. As mentioned above, when employees are more aware about information security, they will be more likely to comply with information security programs.

Information security surveys in the education sector will accomplish some important goals that can be quickly used for the respective institution’s benefit. First, as mentioned above, the education institution will have a much better feel of the information security aptitude of their employees. This information can be used when establishing a baseline of information that needs to be taught in the institution’s next security awareness training program.

Second, this survey can be used to document that the institution is going the extra mile in meeting any applicable compliance requirements. Documenting efforts like this will look good the next time compliance auditing comes due.

Third, the survey can be used as an extra reporting method for current employees that did not report information security issues properly when they occurred (as they should have, with the heightened IT department reporting requirement explored above). Timid employees can use the survey as a catch-all to get outstanding issues in front of the IT department, so they can be properly addressed.

What Does the Future of Security Awareness in the Education Sector Look Like?

The future of security awareness in the education sector, as things are going now, does not look the best. The education sector is the most at risk for ransomware attacks and at high risk for data breaches, and its employees are in a worse spot regarding information security than the general adult population.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

However, if the short-term steps listed above are implemented and followed by long-term steps on an institution by institution basis, the education sector can have an information security renaissance.


  1. Education Industry Insights: State of Privacy and Security Awareness, MediaPRO
  2. Managing Cybersecurity in Higher Education, United Educators
  3. Security Awareness in Higher Education, The Edublogger
  4. Significance of Information Security Awareness in the Higher Education Sector, Hong Chan, Sameera Mubarak


Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.