Cybersecurity awareness is paramount in an increasingly digital world, especially in K-12 education. Cyber threats pose significant risks to schools, making it essential to measure the effectiveness of cybersecurity awareness programs.

Schools have a crucial responsibility in promoting and educating students about online safety. Teachers have now inadvertently taken on the role of online safety tutors, facing the challenging task of addressing issues such as combating false and misleading information and fostering young people's awareness of the broader impacts and risks associated with media.

This piece explores the key aspects of measuring such programs in K-12 schools, including developing healthy skepticism, measuring knowledge and comprehension, assessing attitudes, and defining standards for success. By understanding these factors, schools can enhance their cybersecurity education efforts, protect their systems, and equip students, faculty, and staff with the necessary skills to navigate the digital landscape securely.

Developing Healthy Skepticism

Developing a healthy level of skepticism is the goal of these cybersecurity awareness programs so that schools can identify and respond to unusual situations. According to a recent study from the World Economic Forum, 95 percent of cybersecurity incidents involve human error or manipulation, highlighting the importance of skepticism in mitigating risks. Teachers should stay informed about the latest cybersecurity news, trends, and best practices to understand potential risks and recognize unusual situations. Subscribing to reputable cybersecurity blogs, following security experts on social media, and attending webinars or edtech conferences can provide valuable insights.

Teachers could even include high-profile cybersecurity incidents and breaches as general discussion points before class to help pupils understand how these events occurred and the impact they had. Analyzing case studies enhances comprehension of common attack vectors and techniques used by cybercriminals, making individuals more alert to potential threats. Continuous training and awareness programs that educate students, faculty, and staff about the latest threats and preventive measures also contribute to developing skepticism.

Measuring Knowledge and Comprehension of Security

Effectively measuring the knowledge and comprehension of cybersecurity among students, faculty, and staff in K-12 school districts requires a comprehensive assessment approach. One possible method involves using surveys and questionnaires to gauge understanding of cybersecurity concepts, best practices, and potential risks. One such survey recently conducted among K-12 students found that only 36 percent demonstrated a basic understanding of safe online behavior and cybersecurity concepts. By including questions about password hygiene, recognizing phishing emails, data protection, safe internet usage, and device security, schools can identify knowledge gaps and areas that require further education.

Simulated phishing campaigns are another valuable assessment method. These campaigns involve sending fake phishing emails or messages to gauge the number of individuals who fall for them. The results provide insights into the effectiveness of awareness programs and help identify areas for improvement.

Practical assessments or scenarios that simulate real-world cybersecurity situations also effectively measure knowledge and comprehension. By asking students, faculty, and staff to identify and respond to suspicious emails, secure their devices, or navigate potential cybersecurity threats, their ability to apply cybersecurity best practices can be assessed.

Measuring Attitude Towards Cybersecurity

Assessing attitudes towards cybersecurity is crucial in understanding individuals' perceptions, beliefs, and behaviors related to security. To a greater extent than just measuring comprehension, surveys, questionnaires, focus groups, and interviews can be particularly useful here to capture insights into participants' perceived importance of cybersecurity, their level of concern about potential cyber threats, and their willingness to adopt security practices.

According to a recent survey among K-12 educators, 86 percent reported receiving less than six hours of training, with just 23 percent feeling confident about teaching cybersecurity concepts to their students, highlighting the need for improved attitudes and engagement. A range of responses can be obtained by including a Likert scale or open-ended questions, providing valuable insights into their perspectives. Additionally, focus groups and individual interviews can delve deeper into motivations, beliefs, and experiences related to cybersecurity.

Standards for an Effective and Successful Cybersecurity Awareness Program

It is important to note that—from research into cybersecurity effectiveness at the school level—it seems clear that the occasional training session is ineffective:

“One-off training does not affect their responsive online behavior and is not a suitable solution for effectively improving online safety skills. The aim is to involve cyber security awareness education in the whole educational process.” - The good practices for implementation of cyber security education for school children

It is essential to prioritize activities that encourage children to evaluate the information they encounter online critically. With the growing reliance on social media for information sharing, there is an urgent need for information literacy education that equips students with the skills to navigate and evaluate digital content effectively.

Other research from Saudi schools also found that children behave intuitively, dive into every online adventure themselves, and sometimes don’t consider threats. While they did show to have a good foundation in terms of recognizing hazards online, it was not based on habits they had learned from training but rather just their own judgment. This is why it is crucial to have good multi-task preparation for risky cyber environments with a wide range of activities realized over the course of the whole school year and throughout all the subjects taught at school.

According to industry research, organizations that establish specific cybersecurity objectives are 70% more likely to effectively manage cybersecurity risks. Targeted audience segmentation helps tailor the program to meet specific needs, roles, and levels of technical expertise.

School leaders need to consider the following:

● Executive support and leadership involvement to demonstrate the importance of cybersecurity.

● Multi-channel communication to ensure effective dissemination of cybersecurity updates and reminders.

● Tailored policies and procedures to support the awareness program and provide guidelines for secure practices.

● Collaboration with internal stakeholders and external partnerships to enhance the program's content and delivery.

By measuring the effectiveness of cybersecurity awareness programs in schools, educational institutions can strengthen their security posture and equip their community with the necessary skills and knowledge to navigate the digital landscape safely. Through continuous evaluation and adaptation, schools can refine their programs to meet the evolving needs of the organization and effectively address the ever-changing cybersecurity landscape.

About the author

Charlie Sander is CEO of Managed Methods, a Boulder, Colorado-based data security and student safety platform for K-12 schools. With more than three decades of experience in the IT industry, Charlie has been an executive at some of the fastest-growing companies in business. He holds 10 patents and graduated from the Cockrell School of Engineering at the University of Texas at Austin with a BSEE degree.