Between 2021 and 2022, 39% of UK businesses identified cyber attacks on their businesses, according to the Cyber Security Breaches Survey 2022. Dr Vasileios Karagiannopoulos, a Reader in Cybercrime and Cybersecurity at the University of Portsmouth and Co-director of the Centre for Cybercrime and Economic Crime, discusses the University’s Cybercrime Awareness Clinic, a research and innovation hub that aims to support and connect relevant stakeholders, businesses and even vulnerable groups, educating them on the challenges of cybercrime.
What is the Cybercrime Awareness Clinic?
The Cybercrime Awareness Clinic started in early 2017 with the support and funding received from Hampshire Constabulary. Initially, the project was more focused on Portsmouth and the surrounding areas, conducting research and public engagement sessions with multiple stakeholders to support young people in schools and colleges, small businesses and older adults. Since then, the Clinic has become a hub for related cybercrime awareness activity, having worked on multiple projects funded by the EU Commission, the National Cyber Security Centre, the Office of the Police and Crime Commissioner of Hampshire and the Isle of Wight and the Economic and Social Research Council.
The underlying philosophy behind the Clinic has always been one of grassroots multistakeholder collaboration, with the Clinic acting as a super node connecting the dots in a network of stakeholders that need to speak and collaborate with each other. For the Clinic, working from the ground up and empowering those on the receiving end of cyberawareness support is crucial. It enables those in need of assistance to feel more connected to the advice and support provided and offers them a sense of real involvement in the process; a sense of ownership. The combination of research and public engagement has allowed us to overcome communication barriers and understand the challenges that cyberawareness education is facing by actually speaking to the people and organisations from the bottom all the way to the top.
The Cybercrime Challenges Organisations are Facing
The reality is that, irrespective of who we are working with, we see similar issues and challenges arising. One major issue is that, as a society, we seem to have made huge steps in the development of initiatives for cyberawareness and there is a wealth of advice out there for everyone. And yet, we perform poorly at incentivising users to look for it and adopt it, and at finding ways of tailoring that advice to those needing it. We are struggling with inclusive methodologies and conceptual clarity and, in the new, hybrid landscape we live in, these deficiencies make it even more challenging to communicate the importance of cybersecurity awareness to businesses and employees. We do not seem to manage to effectively challenge the culture that views cybersecurity as a specialised responsibility that only ‘techies’ and big businesses can and need to care for. Our language is often jargonistic, exacerbating these feelings, and our cyberawareness trainings are often mechanistic tick-box exercises that are rarely updated and very infrequently repeated, even though we all know that cybercriminals advance their tactics and techniques on a daily basis.
Rethinking Cybersecurity Awareness
We need to rethink how we do cybersecurity awareness and first of all find the balance between communicating the risks of breaches and the inevitability of a potential breach without solely resorting to scaremongering tactics that terrorise and alienate. We ought to look instead at promoting how cybersecurity hygiene can be positive and developmental for businesses and organisations, building business trust and enabling a stronger economic growth perspective. Alongside this, we need to work on finding a language for cyberawareness that is easier to digest and does not feel too technical. We need advice that avoids constantly shifting standards – password policies are a typical example of this constant shift in best practice.
A constant request in cyberawareness training is that one-page silver bullet document with all the necessary advice that we can print and stick on a wall and forget about. But we need to realise that the way forward is not just about finding that ‘holy grail’ of documents with all necessary advice that everyone can understand and follow; mainly because such a thing does not seem to exist.
Our goal should instead be about changing perceptions, from thinking there is such a perfect tool or any perfect tool, to understanding that there is no one document or software or training that can be relevant to everyone and work by itself in isolation and for all. The starting point must be a conceptual shift that leads us to view cyberawareness as a useful everyday aspect of our lives, in the same way that we lock our home doors when we leave or we double-check for traffic and cyclists when we cross a street. We have to remember that every employee is also an individual, private user. Separating the two and thinking that a user who is negligent with their personal cybersecurity can be a very cyber-conscious employee because of our one-hour online training two years ago is one of our biggest delusions, and it is one we see organisations succumb to very often, even at a high level.
How can we Improve Cyberawareness in the Business Sector?
We first need to realise that mechanistic, top-down advice cannot penetrate, and users need to be involved in the co-creation of supporting processes and tools in order to feel a sense of ownership and have a better understanding of the rationales and practices behind making cybersecurity an integral part of everyday business processes. More importantly, this process needs to be inclusive and interactive rather than passive. It needs to become part of the culture of an organisation, rather than a tick-box compliance exercise.
Through our work with the Clinic we want to take this a step further and move from educating about risks to working with trainees on the identification and development of the skills and challenges that are useful in cyberawareness, including building skills that reinforce our critical thinking and emotional awareness and resilience. We find these are intrinsic underlying skills that will tackle a core element that underpins the majority of cyber-risk: its reliance on persuasion techniques to trick, induce or force users into doing something they shouldn’t or not doing something they should. And this needs to be a self-conscious, reflective process of personal and organisational fortification against persuasion-based cyberattacks, where we all accept that our resilience and vulnerability levels are in constant flux, not just because we have or have not completed a training, but due to internal and external factors that affect our emotional stability and our thought processes.
Closing Remarks
I want to close this brief with some final, yet important realisations from our cyberawareness journey with the Clinic. First, our experience has shown that those that need cyberawareness the most are usually the hardest to reach or incentivise, so we should always strive to find more inclusive strategies. Secondly, cyberawareness evolves constantly and develops organically in different settings. No one knows what works without experimentation, and being prepared to invest the time to experiment and adapt to specific needs and desires is crucial. That is why typical exercises often fail, as they tend to be generic and boringly passive. In order to be constantly adaptive and interactive, there need to be champions in an organisation on all levels, with cyberawareness as a core part of their mission, constantly feeding an organisational culture of awareness and resilience. Only by changing the culture on multiple layers can we expect a holistic shift in focus. Finally, we need to move away from scaremongering and blaming rationales and move to positive, collaborative and constantly interactive structures.