Developing Secure-By-Design Humans
Cyber education needs to start at kindergarten, not New Hire Orientation
Throughout my career, I made the development of security knowledge across my organization’s workforce a top priority. As posted last week, I am now starting at an earlier stage - as a professor teaching cybersecurity at Belmont University, I have the opportunity to prepare college students to become business professionals who understand cybersecurity.
It is exciting to start building at this earlier stage, but is college when individuals should first formally learn about cybersecurity? No! "Secure by design" is a principle in software and system development that emphasizes integrating security into the design from the very beginning. The same principle should apply to people - cybersecurity and data/online privacy need to be part of K-12 education.
Dr. Gary Garrison, Professor and Department Chair for Business Systems & Analytics at the Jack C. Massey School of Business at Belmont University, joined me in speaking with a trailblazer in this area – Adam Levin, a consumer advocacy leader, founder of CyberScout, and author of the book, “Swiped – How to protect yourself in a world full of scammers, phishers, and identity thieves.”
Adam makes a powerful case for teaching “Cyber Wellness” in the K-12 years of school. “Bullying, human trafficking, grooming, scams, and other bad things can happen to young people as soon as they start going online. Data breaches have become the third certainty in life behind death and taxes. Children need to develop a set of practices and skills that guide them through all their interactions in the digital world, similar to teaching dental hygiene early on – so it becomes a framework they operate under for life.”
“When you start that early the principles become ingrained muscle memory.”
Over the past thirty months I have consulted with more than one hundred cybersecurity leaders across industries as a member of the faculty at IANS Research, and a frequent topic is workforce awareness and training. Every cybersecurity program is challenged by the critical risk of human behavior. While almost everyone in the workforce wants to do the right thing, many people do not understand the threats and how their actions create risk, e.g., clicking on the link in an external email, nor do they have good habits ingrained in how they operate, e.g., not putting sensitive personal information online.
The security and privacy training we developed at my former company often started with habits that protect one on a personal level, and we urged colleagues to take the messages home to share with their family. Our thought was - if we can teach members of our workforce to reduce their personal risk, they will bring those good habits back to work and reduce our business risk.
Imagine if those habits were ingrained muscle memory since kindergarten!
Cybercrime is projected to cost the world economy $10.5 trillion this year. How much would that risk (and cost) drop if our population were taught cyber wellness from the time they first started using computers? It would make a massive impact.
This seems like a no-brainer. How do we make it happen?
Cyber professionals can volunteer to help local schools and teachers with content and even teaching.
Businesses can help by educating their workforce on personal cyber wellness, urging them to share the lessons at home, and baking these concepts into their products.
Parents can use available resources to educate their children, and push their local schools and school boards to include it in their curriculum.
We can all appeal to our elected officials to push this agenda.
Entrepreneurs can start companies and build learning tools. Adding innovations like gamification can create modern-day versions of “The Oregon Trail” that teach children cyber wellness.
Adam is involved with one such company – Hackersjack. Hackersjack is an EdTech company focused on cybersecurity education for children and young people. They aim to empower students to identify, avoid, and mitigate cyber threats through an engaging web-based learning platform, partnering with schools, and involving parents. Their curriculum is built around four key pillars:
Cyber safety: Protecting children from threats that can lead to physical danger, e.g., grooming, human trafficking, cyberbullying.
Cyber security & privacy: Keeping personal information and other data secure from threats like malware, phishing, and ransomware.
Cyber hygiene: Promoting best practices for online behavior and device usage, e.g., strong passwords.
Cyber wellbeing: Protecting mental and emotional health and fostering a positive online perspective, e.g., social media interactions.
Kindergarten may seem early for this at first thought, but my kids were already playing Math Blaster, Where in the World is Carmen Sandiego?, and other “edutainment” games on a tablet in the back of our minivan at that age. It is the ideal point for starting on the basics, with broader topics and details added as the children advance in school.
Belmont University is taking steps to support this concept, pursuing collaboration with EdTech innovators like Hackersjack and K–12 schools to promote early cyber wellness education across Tennessee. Said Dr. Gary Garrison, “Through this collaboration Belmont can help schools deliver age-appropriate lessons that introduce essential concepts to lay a strong foundation for lifelong cybersecurity wellness. By integrating this initiative with Belmont’s existing community outreach and service-learning initiatives, the university aims to equip the next generation with cybersecurity principles that become second nature.”
Some keys to making this strategy work include:
Making the material interesting and relatable to what children and young adults at that age are doing.
Ongoing reinforcement – making it continuous learning rather than something only brought up occasionally, and engaging parents so it is supported at home.
Making it fun. Humor is a secret weapon in cybersecurity training, and delivering lessons with fun and humor will make students want to learn.
This proactive investment in early education in cybersecurity and privacy could create a ripple effect of digital resilience from the classroom to the boardroom that strengthens individuals, families, communities, and companies - as well as our economy and national security. I challenge you: What can you, your team, and your organization do to help drive this change and help our coming generations grow up secure by design?
Hold Fast!
Stay True!