Oct 28 – NCSAM – Awareness of Awareness

A recent EDUCAUSE survey of students and faculty revealed some interesting data about our collective efforts to raise student and faculty awareness about cybersecurity. Similar to our findings in 2017, few students (13%) told us that their institution provides mandatory or optional information security training. Of the 13% of students who said that their institution provides security training, about a third (35%) indicated that they had participated in the training within the last 12 months. This means that of the total number of 40,596 students surveyed, only 4% had received information security training (whether their institution offers it or not). More than half (57%) of students reported they don’t know if security training is provided. A third of the students told us that no training is provided.

Slightly more than half (51%) of faculty reported this year that they do not know whether security training is conducted at their institution. Faculty at larger, more complex institutions—master’s (57%) and doctoral (52%)—reported that they do not know if security training is provided as compared to associate faculty (43%) or bachelor’s faculty (45%).

The More You Know

ETRAC’s findings this year suggest that if higher education IT departments can get students and faculty into seats for cybersecurity training sessions, then information security awareness training will be of benefit. Of the students who attended their institution’s information security training, 88% told us that it was at least moderately useful, and 45% reported that it was very or extremely useful. When faculty attended their institution’s security training, 83% found it to be at least moderately useful, and very few faculty (17%) found it to be not at all useful or not very useful. This bodes well for ensuring that attendees put information security education into action. If sessions are found to be relevant or useful to their current jobs, attendees are likely to apply what they’ve learned.

If You Build It . . .

Cybersecurity is no Field of Dreams. Simply building an information security awareness program does not guarantee that users will be aware that the program exists. Higher education cybersecurity programs have matured, and the content reflects the cybersecurity threats students and faculty are facing. As cybersecurity professionals, we need to “meet them where they are”(1) by understanding faculty and student perspectives on security. Raising awareness of our programs requires us to engage students and faculty in the classroom and online. If we build effective, well-rooted(2) programs, we know that students and faculty will benefit, and they will come.

Here at Millersville, we have offered Cyber Security Awareness Training to both students and faculty/staff since 2017. Over the years, a steady number of individuals have taken part in the annual training. MU has offered the training on a voluntary basis since the beginning. Each year participants are asked to take 4 modules. One module is a 30-minute, all-inclusive training covering different cyber threats and how to combat them. The remaining modules are usually much shorter and dive deeper into additional topics. Topics have included phishing red flags, remote work, public Wi-Fi, traveling, and more. Over the past years, including Fall 2020 NCSAM, approximately 12% of the population asked to complete the trainings has done so during the time allocated. If you look at just the 30-minute module, that percentage averages 15%. Below you will find some graphs representing this year's participation rates.

There is still plenty of time to take part in the Fall 2020 Security Awareness Training. Even though October is nearly over, you can still enjoy your pumpkin spice latte while taking your awareness training until November 20, 2020. If you have already taken the training, THANK YOU!! Here is your opportunity to encourage colleagues and teammates to take the training. Awareness is power; with it, we can help protect our digital lives both at home and at work. You can navigate to https://training.knowbe4.com/auth/saml/1a96552345e9 to take part in the training.

Lastly, today, October 28th from 1:30pm – 2:30pm, members of IT will be available in a Teams Live Event for an IT Town Hall talking about Cyber Security principles and how IT is keeping out the bad guys and protecting MU resources, information, and intellectual property. Come with your questions about information security and the topics that were covered during Cyber Security Awareness Month.

Here is the link to the event: https://bit.ly/3kvFoO2

You can always email us at muncsam@millersville.edu if you have any further questions or concerns about cyber security here at MU.


  1. Daphne Ireland, “Meeting Faculty Where They Are,” Security Matters (blog), EDUCAUSE Review, June 10, 2019.
  2. Ben Woelk, “Wind, Trees, and Security Awareness,” Security Matters (blog), EDUCAUSE Review, September 13, 2019.