// Leena Nyman, Mikko Vieltojärvi
// Rainer Saks, Kari-Pekka Rannikko and Lucie Kadlecová (CybExer Technologies)1
It is undisputable that cyber security is to remain among the top global challenges for the decades to come. Different IT networks have become a core component of the critical infrastructure globally while their interconnectedness has grown exponentially. Despite the improvements in the quality of life stemming from this technological advancement, this also brings along serious cyber threats and risks. Cyber crime is the fastest growing branch of criminal activities worldwide. Different state-supported actors permanently enlarge their activities in cyber space.

Remote work, forced upon us by the global pandemics, is to stay with us even in the future increasing the number of potential targets and challenges for cyber security systems of public institutions and enterprises. And the list goes on.

Although the general awareness about these cyber threats has improved recently, especially among decision makers, it is still relatively poor. Many decision makers keep leaving the responsibility for cyber issues mainly to their IT departments while they omit rising cyber awareness among their employees and miss a chance to implement a complex top-down solution. This is the moment when cyber safety enters the picture.

Cyber security is generally understood as the practice and application of technologies, processes and controls to protect systems and data from cyber attacks. In other words, it is group’s efforts and measures to protect its members from harm in cyber space. On the other hand, cyber safety can be described as part of social security of our society.

Safety relates to a personal feeling of being free from danger and harm. Applied in cyber space, cyber safety is the feeling of citizens to operate safely in any sphere of activities using internet-based services. While cyber security is defined as measures and efforts in cyber space that are outside of an individual, cyber safety relates to individual’s inner feelings in respect to the online activities.

The individual’s feeling of cyber safety is influenced in two directions – from top-down and bottom-up. The top-down influence can be defined through external factors originating in authorities present in the individual’s life. For example, the feeling of cyber safety is in this case influenced by the cyber security regulations of an employer, national cyber-related policies and legislations, media’s reporting on cyber incidents, insurance policies for organizations or the maturity of service providers’ market.

In contrast, the bottom-up influence on an individual’s cyber safety feeling is based on the society and its general approach to cyber domain. This can, for instance, include the perception (or lack thereof) that cyber security is a citizen’s own responsibility, limited training and educational opportunities, lack of opportunities for insurance cover or understanding cyber threats as one of the security risks in a person’s life.

Successful cyber safety can only be achieved when the whole society is engaged, and comprehensive security thinking is employed. The bottom line for efficient cyber safety is professional and responsible security authorities, resistant critical infrastructure solutions and service providers and educated decision makers. Nevertheless, this all will not achieve a well-developed cyber safety if, first of all, a key factor is not addressed immediately and comprehensively – education of individuals, the centrepiece of cyber safety concept, on the topic of cyber security throughout all levels of society.

There is currently a need for cyber security skills across a wide swath of the educational and professional areas and each has different needs and require tailored approaches. Each category should have a pathway resulting in a Cyber Educational Development Plan. This plan is much like a Professional Development Plan; however, it describes a training and education pathway from the earliest years until professional roles. It provides information and develops skills how to be cyber safe not only at school and workplace but also at home and when on-the-go with a mobile device. We have identified and proposed the following four primary audience types.

Firstly, our attention has to be focused on the youth at primary (age of 6-10) and secondary (age of 11-18) education. If we want to achieve the point at which the whole society is educated on cyber issues, it does not suffice to start with cyber education only at university level. Already the education of students at primary level should be centred around basic cyber hygiene principles and progress to a level of knowledge preparing them for the higher classes. By the time students reach the senior classes of secondary education, they should be steeped in basic cyber security concepts and understand how those concepts interrelate with their courses (e.g., software development, biology, physics, etc.). Overall, the development plan should prepare them for university or any other type of post-secondary education.

Secondly, university students should focus their attention at how cyber security, data analysis, and advanced topics such as machine learning or artificial intelligence might affect their current studies and what impact it might have upon their studies and profession as well as personal life later on in the future.

While incorporating the cyber element into the school and university curricula, two more fundamental topics must also be kept in mind. It is absolutely essential that students are familiarized with ethical principles of their behaviour in cyber space from the very beginning.

To adopt the ethical way of acting in IT networks is core so that the students do not use their preciously acquired knowledge for malicious purposes later on. The other topic is to go beyond a theory of cyber security in the curricula and actually adopt an experiential learning, loosely defined as learning through reflection on doing.

In other words, students should not learn only theory, but schools must provide them with opportunities to train real skills. A hands-on experience is fundamental in cyber security. Our practical experience with trainings and exercises in our cyber range proves this point.

The third audience group for cyber security education is front-line professionals who are generally classified as information technology workers in that they are system/network administrators, database administrators, storage administrators, etc. Although their roles have a cyber security component, they are focused on administration, provisioning and other back-office support functions. However, because they are generally the experts on the systems and the first to notice anomalous activities, it is paramount that they not only understand the basics of cyber security but also specifics related to their devises and when to escalate to a Security Operations Centre, Incident Response Team, or other cyber security teams.

Finally, the last audience group are cyber security professionals themselves. This group is the most in need globally. Training and education should begin with establishing a baseline of common knowledge. This baseline ensures that all participants have a common understanding of core concepts. From the baseline, participants then move into specialized knowledge required for their respective roles and still provide a pathway for advancement.

Besides the identified audience, there are two more groups to which a particular attention should be paid, and a specific approach adopted. The first group is the older generation which grew up at the times when internet was still a research project of DARPA. This is a particularly vulnerable audience which quickly needs to acquire the basic knowledge of cyber hygiene and elementary IT protection. Special educative programmes in that regards can be developed in cooperation with universities or NGOs while important role could be played by young people who might help to educate their grandparents and parents in cyber matters.

The other vulnerable group are girls and women in general. Overall, cyber security and IT is still misperceived as a primarily man-dominated industry throughout the society. This perception must start to get eroded already in the heads of the youngest generation. There is no objective reason to think that men are necessarily better than women in IT or cyber security. There is an urgent need for more IT and cyber security specialists and bringing more girls and women into the industry can significantly help to fill in this gap.

To make this complex educational structure successfully work, there is an urgent need for private and public sectors to cooperate closely. Private sector owns the resources necessary for cyber education, be it funding, knowhow, infrastructure or experts while public sector has the power to make the policies effective. We also must not forget about the role of academia. Lack of scientists, teachers and employees is massive but universities, in collaboration with private and public sectors, have the potential to help create functioning educative programmes and training courses for schools and general public.

The starting point for this multistakeholder cooperation could be briefer events like boot camps, corporate and government scholarships and internships which would serve as a basis for further, more complex initiatives and programmes.

In conclusion, this article introduced many different ways how to support and enhance education on cyber matters throughout the whole spectrum of society. All of them have, however, one thing in common – only through the education of individuals on all the societal levels, we can strengthen the cyber safety of our citizens and ultimately empower the whole society in its feeling of being truly safe online. Cyber security, its principles and processes must be widely understood as a collective responsibility, but that will not be achieved unless every citizen is educated in at least basic cyber security principles, understands the importance thereof and sees the relevance of feeling cyber safe.
1 We would like to thank Mr. Kevin Estis for his original thoughts on the complex approach to cyber education in the society.
CybExer Technologies is a NATO-awarded Estonian cyber security company. CybExer's flagship solution is its proprietary cyber range and highly realistic cyber security exercises conducted on the range. Its capabilities and solutions have been used to conduct some of the world's largest cyber exercises.

Rainer Saks:
Board Member (CybExer Technologies)

Kari-Pekka Rannikko:
Senior Advisor (CybExer Technologies)

Lucie Kadlecová:
Senior Associate (CybExer Technologies)
Rainer Saks joined Cybexer Technologies OÜ as member of Management Board in late 2020. He is responsible for government relations and some of the research and development projects in the company. He worked as a civil servant for Estonian Republic between 1999- 2020. Rainer Saks worked as a Government Security Coordinator, Director of the Office of the President of Estonian Republic, Director-General for Foreign Intelligence Service and finally as a Secretary General for Ministry of Foreign Affairs. He has a long experience in dealing with foreign and security policy issues and strategic planning.

Lucie Kadlecová works as a Senior Associate (Strategy and Threat Intelligence) and the company’s representative in the Czech Republic in CybExer Technologies. Previously, Lucie served as a cyber security and policy specialist in National Cyber Security Centre of the Czech Republic and as a trainee in Cyber Defence Section, Emerging Security Challenges Division at NATO HQ in Brussels.

She was also a visiting scholar on Fulbright scholarship at Massachusetts Institute of Technology (MIT), Cambridge, USA. Besides her professional career, Lucie works as a postdoctoral researcher in Peace Research Centre Prague focusing on the study of states’ behaviour in cyber space. She holds a PhD from Charles University in Prague and an MA degree with distinction from War Studies Department, King’s College London.

Col (Ret.) Kari Rannikko joined CybExer Technologies OÜ strategy team 2020 as Senior Advisor focusing on hybrid threats and strategic decisionmaking. His academic interests are focused on EU’s Integrated Approach to Crisis Management, which he is realizing as a senior instructor in Finnish Defence Forces International Centre. In 2019 Kari-Pekka served as the Project Manager in Prime Minister’s office of Finland during country’s EU Presidency.

He was responsible for Scenario Based Policy Discussions on Countering Hybrid Threats. Kari-Pekka has a long experience in dealing defence policy issues on the strategic level.