Supporting approachable, available, and knowledgeable peers for better cybersecurity hygiene
Dr. James Nicholson
Lecturer, Computer and Information Sciences, Northumbria University
University of the Third Age (U3A); The Old Low Light
Start: September 2019
End: April 2020
The vulnerability of older users
Understanding cybersecurity threats and defences is essential for citizens to effectively protect themselves from the ever-changing technological landscape. Recent work has reported that older adults look for information in different ways to younger users. Specifically, the availability of the information source seems to be most important to older users whereas younger users will prioritise expertise.
This suggests that older users may be more vulnerable than the general population when it comes to understanding and protecting against current and future cybersecurity threats, despite the fact that older people are adopting internet technologies at a higher rate than any other segment of the population.
Older users typically struggle to understand the ever-changing landscape of cybersecurity threats and defences and are often targeted by attackers, resulting in them losing more money than the general population when scammed.
This project aims to …
… support older digital users in becoming cybersecurity guardians (or ‘CyberGuardians’) for their local community and to organically train other older users in this practice.
Specifically, it will …
… train older volunteers (55+ years) to become CyberGuardians over several weeks through dynamic workshops that will inform them about relevant cybersecurity threats and how to counter them.
CyberGuardians will serve as points of contact for questions about cybersecurity for peers in their local communities. Research is needed to understand the most appropriate training methods for older adults and what support is needed for them to carry out the job effectively. We will develop and design age-specific cybersecurity training sessions based on perceived cybersecurity threats identified by participants and literature.
We will then monitor the effectiveness of our CyberGuardians in action throughout the remainder of the project using digital diaries and interviews to understand what support CyberGuardians need in order to effectively perform their guardianship.
By partnering with the University of the Third Age (U3A) and the Old Low Light, the project is potentially reaching over 400,000 members of the general population nationwide. By training and empowering members of the community to take on the role of CyberGuardians, more older users will have access to reliable cybersecurity information and advice.
This project’s social impact is …
… to empower regular members of the community to become reliable sources of information for cybersecurity queries. In this pilot, we will be testing this programme with older adults.
This means that older internet users will have approachable, available, and knowledgeable peers who can support them through the scary and confusing world of cybersecurity.
It is innovative because …
… this project takes the novel approach of training members of the community to be ‘experts’ who will in turn help other community members, rather than the traditional model of having academic or industry experts attempt to disseminate relevant information to individuals (on a one-to-many basis).
This pilot will give us insights into the challenges and opportunities that arise from training and supporting CyberGuardians. If the pilot is successful, it could set a blueprint for the development and support of CyberGuardians across different communities and demographics. For example, while many working age adults keep up to date through security training at work, those without access to such programmes (or who are part of organisations with poor training programmes) face similar issues to older users.
So Far …
Fourteen CyberGuardians, predominantly recruited from the project partners, the University of the Third Age (U3A) and the Old Low Light, a North Shields based charity, have completed their formal training through interactive workshops with presentations, live demonstrations (e.g. password cracking) and hands-on activities (e.g. phishing test). The topics covered in the training had been identified by the group themselves, as well as through existing literature.
The topics were covered in three workshops, each lasting three hours. A representative from U3A and the Old Low Light, familiar to the participants, also attended. This seemed to provide the group with some reassurance when initially engaging with the university.
The second training session focused on three main areas: password management, scam detection and protective software. The training material was in user-friendly, non-technical language, for example describing the process of encryption as ‘juicing an orange’.
Next Steps …
Video recordings of the sessions have been shared with the CyberGuardians and will be made more widely available following the conclusion of the project. Participants requested digital versions of the presentations and posters/fliers for them to advertise their own cybersecurity events. As they develop these, they may request more specific teaching materials tailored to the needs of their ‘CyberCitizens’, who can be defined as anyone who requires help with online security.
The CyberGuardians are already putting into practice what they have learnt themselves by improving their own cybersecurity behaviours and practising on relatives and friends in preparation for working with CyberCitizens. They will also keep a diary of interactions with CyberCitizens which should provide a valuable insight into how CyberGuardians approach the dissemination process, and the types of issues that older citizens face around cybersecurity. It will also help the researchers reflect on and evaluate their training topics and methods with a view to improving the process in the future.
The audio recordings made of all the CyberGuardians sessions are yet to be analysed. However, one of the main concerns voiced appears to be around the use of antivirus software and scam phone calls. One striking observation raised from the training was just how unaware this group were of the value of personal data not just in terms of being used in fraudulent activity but also in the targeting of individuals by commercial companies.
Since the training has ended, the CyberGuardians have organically formed themselves into a support network organised on a regional basis which aims to improve self-confidence and discuss best-practice.