Executive Summary
Globally, governments fall short relative to their commitments to Cyber Risk Literacy and Education for their citizens
Key Findings
  • Due to a lack of societal structural support and focus on cyber risk literacy, many individuals are inconsistent when it comes to cyber safety practices and prioritize convenience instead.
  • While governments set appropriate priorities and goals in cyber risk literacy, they consistently fail to commit the resources necessary for their success.
  • Cyber risk education begins too late and lacks standardization, common assessment goals, and reinforcement.
  • Globally, employers demonstrate greater commitment to teaching cyber risk literacy than governments, but they remain challenged by their own knowledge lag in the topic.
  • Geographies largely do not prioritize or assess the cyber risk education needs of vulnerable or underserved populations, such as seniors or non-native language speakers.

Download Summary as PDF

Mind the Gap

Over the past decade, governments around the globe have begun taking a more active role in geographic cybersecurity, releasing national strategies, dedicating resources to cyber defense, and exploring methods to equip companies with stronger protections. The worldwide information security market is predicted to reach US$170 billion by 2022.

Yet governments often overlook one major issue: How can they cultivate a population that is conscious of cyber risks and continue to seek to understand how to practice safe digital habits? In the United States, 64 percent of Americans have never checked to see if they were impacted by a data breach, and 56 percent would not know what steps to take if they knew their data had been compromised. While many governments pay lip service to the need for a cyber-educated workforce or students who use the Internet safely, few truly understand the magnitude of the challenge or comprehend the foundational overhaul of education and business practice that’s required.

Among cybersecurity and other relevant experts, there are two competing approaches to address the challenge in cyber risk literacy. One school of thought argues that technology should be made smarter and more secure, incorporating principles such as security-by-design/default, which proposes incorporating security mechanisms in the foundation of digital products as opposed to adding an element on to a finished product. This in theory can make users safer without requiring widespread education efforts or behavior change, but it is far from foolproof. Conversely, other experts emphasize the importance of educating individuals and equipping them with a basic set of cybersecurity skills to minimize the human contribution to cyber risk events, regardless of advancements in technology security.

Many of the geographies included in this inaugural Oliver Wyman Forum Cyber Risk Literacy and Education Index are embracing both solutions in their cybersecurity strategies. For example, the United Kingdom has set ambitious goals mandating security-by-design in consumer devices but also emphasizes the importance of population cyber risk literacy and education in schools. While the Index accounts for the extent to which national cybersecurity plans encourage security-by-design principles for businesses and manufacturers, this measurement is modest and largely serves the Index’s primary aim of measuring each geography’s level of cyber risk literacy.

Like financial literacy or health literacy, cyber risk literacy is fundamental knowledge that all individuals should understand. As the world digitizes, governments and businesses increasingly rely on individuals to protect themselves and others in cyberspace, but often fail to provide or disseminate the necessary tools and training. Geographies understand the challenges but do not have a clear sense of what their populations know or where there may be gaps.

The Oliver Wyman Forum’s Cyber Risk Literacy and Education Index provides a comprehensive framework for measuring literacy at the population-wide level to enable geographies to discover best global practices and focus their attention on areas of need. Our approach builds on top of existing digital frameworks such as UNESCO’s A Global Framework of Reference on Digital Literacy Skills and DQ Institute’s Global Standards Report 2019: Common Framework for Digital Literacy, Skills and Readiness. The Index measures not only current populations’ ability to understand cyber risk but also whether current structures in governments, education systems, and employers have the tools and incentives to train future generations with essential cyber risk knowledge and skills in an inclusive manner.

The first edition of the Index ranks 50 geographies, including the European Union as a population-weighted aggregate of our ranked EU geographies. The Index, developed through consultations with policy, industry, and academic experts, leverages 42 aggregated indicators across 32 objectives that contribute to scoring 9 “pillars” of cyber risk literacy and education. They in turn fall under five key drivers of cyber risk literacy and education:

Public motivation–Measures the population’s commitment to practicing cybersecurity, including metrics such as the rate of adherence to specific safe cyber practices

Government policy–Evaluates government policies to improve cyber risk literacy and education, including evaluation of metrics that assess the geography’s national cybersecurity strategy;

Educational system–Measures the extent to which cyber risk instruction is encouraged or mandated, includes metrics that assess primary and secondary school curricula;

Labor market–Measures the degree to which employers drive demand for cyber literacy skills, including metrics such as the uptake of cybersecurity-related roles and the number of cybersecurity startups; and

Population inclusivity–Measures degree of equal access to digital technologies and formal education in a geography, including metrics such as Internet access and school completion rates.

The geographies with the highest rate of cyber risk literacy and education, in descending order, are Switzerland, Singapore, the UK, Australia, and the Netherlands. These geographies scored well across all or nearly all drivers, distinguishing themselves through the integration of cyber risk into their educational systems, labor markets, and government policies. All support robust education from primary to tertiary levels that emphasize quantitative skills and recommend or mandate some level of cybersecurity instruction. Employers in these geographies recognize the significance of cyber risk and demand cybersecurity-skilled workers. Their government policies in cyber risk literacy are expansive and specific, and frequently transparent about funding and the metrics to assess progress and success.

Geographies that are ranked lower overall generally lacked a thorough national level cyber risk literacy strategy and/ or emphasis on cyber risk in school curricula. Still, many of these populations often ranked mid-level on “cyber risk awareness and motivation” or their “cultural proclivity towards security risk reduction.” This indicates that while some governments may not be prioritizing cybersecurity at this moment, many within their population are beginning to understand the need to take responsibility for improving personal cyber hygiene.

Taking Action

6 things governments can do to improve their nation’s score on the Cyber Risk Literacy and Education Index

Demonstrate to population that benefits of good cyber-risk literacy is equivalent to those of other good literacies (e.g., financial, health)

Establish long-term, transparent, and benchmarkable goals in cyber-risk literacy and education initiatives to ensure the government executes its promises

Create easily accessible teaching resources for schools and non-traditional educators (e.g., librarians) who can then be aware of and be trained to utilize them

Integrate the framework for cyber-risk education into education curriculums at the earliest levels (i.e. including kindergarten, or primary

Convince employers to re-envision cyber-risk budgeting and investment among their employees as an investment equivalent to other commonly considered risk-reduction rather than a regulatory cost

Establish certifications, standards and ‘nutrition label’ like badges for devices and services such that consumers can appreciate the cyber risk associated with the use of a given device/ application