The need to raise the public’s cyber IQ has never been greater. Escalating cyberattacks are hitting organizations and infrastructure around the world, from Australian broadcasters and regulators to American fuel pipelines and software providers to educational institutions in the United Kingdom. The issue topped the agenda when President Joe Biden met recently with his Russian counterpart, Vladimir Putin.
Countries and companies should use this crisis to spread awareness of cyber risks and teach citizens and employees how to protect themselves, says Flore-Anne Messy, a senior official at the Paris-based Organisation for Economic Co-operation and Development. Messy speaks from experience. An economist and auditor by training, she has been leading the OECD’s efforts to improve financial literacy for two decades. She capitalized on the 2008-2009 financial crisis to mobilize member central banks, finance ministries, educators, and employers in developing guidelines for national literacy programs.
Business and political leaders should use a similar playbook today in cyber, she says: “If there is a moment to push, it is right now.”
Messy discussed the parallels between financial and cyber literacy recently with Rico Brandenburg, an Oliver Wyman partner and co-head of the OIiver Wyman Forum’s Cyber Risk initiative.
What was the state of financial literacy when the OECD began work on this in the early 2000s?
Countries like the United States, the United Kingdom, and New Zealand had made a major shift from pensions to defined contribution retirement plans, and realized something needed to be done to make people aware of the need to save and how much to save.
When we started, there was one survey in the UK and one in New Zealand showing a very low level of financial literacy, but we had no way to compare across countries. In 2008, we decided to build a questionnaire to assess the level of financial knowledge, attitudes, and behavior. We have since added financial wellbeing and financial resilience. Now every three years we assess 20 to 30 countries.
And how is the world doing?
Let’s say there is plenty of room for improvement. In our latest survey, conducted last year among adults in 26 countries, people scored just 61 percent on average on a test of their basic knowledge of financial concepts and on financially prudent attitudes and behaviors. Only a quarter of people could answer questions about simple and compound interest, for example, and only 49 percent achieved the minimum target score for behavior such as saving and planning for the long term.
Education is one of the planks of our Cyber Risk index. What lessons does your experience offer for determining the extent of the problem and building awareness?
You have a bit of momentum with attacks bubbling up all over the place, so I would say never waste a crisis. I would use the G7, which has done a lot of work on cyber, to raise the level of awareness. This is an issue not only with consumers but also with companies. And young generations feel very comfortable with the virtual world but perhaps are taking more risk than older generations. That’s something to keep in mind.
But if you want to build a strong use case, you have to provide figures and tell policymakers, “This is the reality, and these are the implications.” You already see the bad effects of what we can assume is a low level of cyber literacy.
What are the main challenges of raising financial literacy, and what does that suggest for cyber?
The education system itself is the challenge. The curricula are crowded, the teachers are very reluctant to keep adding new topics, and sometimes there is this idea that education won’t be successful. Which is interesting because nobody is saying that teaching reading and math is not going to be successful. If it’s properly done, it’s going to work. If it’s not properly done, it’s not going to work.
In terms of when, I would say the earlier the better. We don’t think financial literacy is only about money. It’s about needs and wants, choices in life. These are things you can start making kids aware of: Do I really need this candy, or do I want it? Then you can build on that.
In cyber, an early start is even more relevant. Everyone is connected so early and there is a chance for fraud to happen very early.
What role can employers play?
Surveys show employees that have difficulty with their finances are less productive. So there is an incentive for employers, especially big firms, to try some financial literacy. I think the case is even greater in cyber. If employees are the victims of fraud or their accounts are hacked, the whole company’s system can be hacked.
There will be a push in many countries for cyber literacy in schools because of the amount of attacks we are seeing. We had momentum on financial literacy after the global financial crisis, and the pandemic has created fresh momentum because of the amount of vulnerable people who don’t have a buffer. But it’s not enough to have momentum. You need to have champions, leadership, and partners who will continue pushing because people tend to forget.
Inclusion also plays a part in our index. How do you apply the principle of inclusion in financial literacy?
Financial literacy is for everyone, but we see a large variation among different groups. Women generally have a lower level of financial knowledge than men. Young people have a lower level of financial literacy. I would guess the young have a higher level of cyber literacy but perhaps are overconfident. The elderly population is an issue with cyber fraud, so that’s an audience to look at very carefully, as well as low-income, less-educated populations. It’s very important to identify the populations that are at risk or have special needs.
You need to be innovative, creative, and understand the audience you’re speaking to. The people they trust should be the ones you approach to make sure people receive the education they need.
How have you developed best practices?
After the global financial crisis, we started gathering information on what countries were doing and drew up guidance and principles. We tried to build governance mechanisms so all the institutions involved – including business and civil society – would come together and coordinate their approach. Leadership is equally important. If you don’t have at least one leading institution, countries may not make any progress. Then you need a road map: What do you want to achieve, and what are the clear steps to achieving that.
Can you see where education is having an impact?
Brazil has run a very large pilot in secondary schools. They introduced financial literacy as a cross-cutting issue. They trained teachers from different subjects – math, science, literature, and others – and conducted workshops with parents. The group that participated showed an improvement in knowledge and in attitudes, and they also saw improvement in the parents as well.
It’s really important to design programs for communities, not only individuals, because peer pressure is essential. We’ve seen programs for women and girls backfire because the men felt excluded. These programs aimed to give women access to credit and accounts, but they ended up with no access at all because the whole community was against the program.
How would you apply these lessons to cyber?
Start with teachers and the heads of the schools. Get them excited about this idea and try to incentivize them. Make them realize that they need cyber education, and that it could be part of their career development. Get a few champions and then train others.
It’s important that parents feel included and that they also can learn. We want this topic discussed at the family dinner table. This is how you change behavior.