Cyber Risk Literacy Is Everybody's Job

Governments, business, and individuals need to protect information and infrastructure from hackers. Our new Cyber Risk Literacy and Education Index shows how.

This article originally appeared in Brink on October 21, 2020.

Cybersecurity frequently makes the headlines and has featured as an issue in the US election, yet many people lack the basic skills to keep themselves, their communities, and their workplaces safe from cyberattack. And most governments lack a clear understanding of how to overcome these knowledge gaps.

The cost of the problem is becoming exorbitant. The World Economic Forum ranks cyberattacks as the second most concerning risk for doing business globally over the coming decade. The COVID-19 pandemic has increased that threat by accelerating the spread of digital technologies and giving bad actors the opportunity to target tens of millions of people working from home. Ransomware attacks jumped by 20 percent in the first half of 2020, while the cost of cybercrime continues to climb and was estimated to be $600 billion globally – or nearly one percent of world GDP – in 2018.

Missing a Crucial Vulnerability: People

Over the past decade, governments have stepped up their efforts to strengthen cybersecurity defenses and work with the private sector. The global information security market is expected to grow to $170 billion by 2022. But most of these initiatives ignore a crucial vulnerability: people.

An estimated 95 percent of cyber incidents can be traced to human error, such as failing to use secure passwords, falling for a phishing scam by opening emails from unknown addresses, or exchanging data without due care. To address this pressing need, the Oliver Wyman Forum has launched its Cyber Risk Literacy and Education Index. As the world rapidly becomes more digitized, governments and business are relying more and more on individuals to protect themselves and others. This phenomenon demands that people are sufficiently aware of growing cyber threats and practice good digital hygiene to thwart such threats.

In essence, universal cyber literacy will be as much of a foundation of the prosperity and security of nations in the 21st century as the ability to read and write was in the 20th century.

What Constitutes Cyber Risk Literacy?

In building our index, we identified five key drivers of cyber literacy:

● The public’s motivation to practice good cybersecurity hygiene;

● Government policies to improve cyber literacy;

● How well cyber risks are addressed by educational systems;

● How well businesses are raising their employees’ cyber skills; and

● The degree to which digital access and skills are shared broadly within the population.

We take a broad approach because cybersecurity should involve everyone, from governments to businesses to individuals. So where does excellence lie? The countries that rank at the top of our inaugural index of cyber literacy and education are Switzerland, followed by Singapore, the United Kingdom, Australia, and the Netherlands. They stand out for having specific government policies and metrics of success for cyber literacy, robust education systems that emphasize quantitative skills and cybersecurity instruction, and employers who take cyber risk and literacy seriously.

The complete ranking covers 50 geographies, including the European Union, that collectively account for nearly 90 percent of the world’s economic output.

Rankings typically make good reading – who doesn’t want to know who’s up and who’s down? But the real value of the index is how it identifies the elements of good cyber literacy. We measured 32 different objectives – everything from giving people a basic understanding of cyber risks to a geography’s ability to attract digitally savvy talent to active collaboration on cybersecurity between government, industry, and academia – and discovered which geographies best meet these key goals. In effect, the index is a user manual for developing a cyber savvy population.

Governments across the ranked geographies have issued cybersecurity strategies, and most of them address key literacy issues such as educational curricula and collaboration between the public and private sectors. But few contain a detailed action plan with dedicated resources and metrics of success.

Turning Strategy Into Action

The leaders in the ranking take their strategies to the next level. Switzerland has published an implementation plan with target milestones, Estonia provides quantitative metrics for measuring progress against its goals, and Australia provides specific funding for cyber literacy efforts rather than asking government departments to fund initiatives out of existing budgets.

Most educational systems do too little too late – failing to recognize the fact that many children today are online by the age of four. They would do well to look at geographies like Singapore, which introduced a cyber wellness course in 2014 and incorporates safety topics in multiple computer science courses, or Lithuania, which includes online safety lessons as part of its overall curriculum, including foreign language and literature courses.

We also looked at inclusivity because any cyber defense is only as strong as its weakest link. Denmark excels at providing near-universal access to digital technology and the Internet, for instance, while Ireland ranks at the top for an educational system that offers equal opportunities in rural and urban areas and across genders. It also boasts strong school completion rates.

Geographies that rank lower generally lack a thorough or truly national strategy, fail to emphasize cyber risk in school curricula, and lack measurement or tracking arrangements that demonstrate progress made and hold leaders accountable. Many, particularly in emerging markets, are only beginning to identify cybersecurity as a national concern. Plus, a low degree of technological and educational inclusivity across income, gender, and urban versus rural locations can also be an issue. Some populous geographies boast high-tech hubs but are only beginning to develop the cyber risk knowledge of their population at large.

Cyber risks threaten the security and prosperity of everyone. All of us need to be part of the solution.