Cybersecurity Education is a Social Equity Issue

The title of this post might seem like it is 'out of left field'. Access to clean water? Yes, that is a familiar social equity issue. Affordable housing? Yes. Access to legal representation? Yes. But cybersecurity education? After all, we see many examples of affluent people who barely care or aren't educated about cybersecurity until they are hacked. How can it be a social equity issue?

The differentiating factor is access to infrastructure and a support system that provides confidence when navigating cybersecurity issues. Not everyone can count on access to a tech-savvy friend, multilingual guides on tax filing rights after identity theft, or savings and a credit card to recover from fraudulent charges.

The turn of the 21st century saw nearly every basic service or product pushed online. Initially a novelty, it is now prohibitively inefficient to use non-digital means to access these services and products. Most of us are familiar with this 'digital divide' as a social equity issue. A lack of high-speed internet, computer, or phone access can prevent widespread inclusion in digital services. Not teaching with these digital tools in the education system propagates this social inequity to future generations.

While society has been struggling to address the digital divide, cybercrime has had no trouble including everyone among its victims. Governments, large enterprises, local businesses, and individuals are all affected by cyberattacks. The costs to the global economy are staggering. Surprisingly, minimal research has been conducted to investigate the social equity costs of cybercrime.

A Seminal Study Makes The Cybersecurity Social Equity Case

One of the first such studies published by UC Berkeley's Center for Long-Term Cybersecurity (CLTC) investigates how cybersecurity awareness among San Francisco’s underserved residents affects participation and behaviors with digital services. The on-the-ground surveys of low-income residents, seniors, and foreign language speakers were compared to a control group representing the general SF population. The results provide a stark ‘state of cybersecurity readiness’:

  • Underserved residents are nearly 2 times as likely to report being a victim of a cyber scam as the general population (26% vs 15%), and nearly a third (31%) of those victims had been scammed 3 times or more.
[Figure: Cybersecurity behaviors between underserved communities vs general population control group (Source: Improving Cybersecurity Awareness in Underserved Populations, AHMAD SULTAN)]
  • The scam victimization statistic is even more concerning when you consider that underserved residents likely underreport being victims of cybercrime: 19% don't know if they have ever been a victim of a cyber scam, 41% don't know if their device has ever had a virus, and 44% are unsure if they have ever provided personal information to strangers.
  • Underserved residents who self-reported 'low confidence' in their cybersecurity readiness are up to 8 times less likely to use online banking, job hunting or other online services than the general population.
[Figure: Usage rates of core digital services among general population control group vs. low-confidence underserved and total underserved groups (Source: Improving Cybersecurity Awareness in Underserved Populations, AHMAD SULTAN)]

Extrapolating beyond the study's survey questions, consider how likely it is that the underserved population is able to:

  • Take advantage of free credit checks or credit freezes. (Note: up until 2018, credit freezes cost $10+ per freeze, per bureau).
  • Enroll in real-time online banking notifications to reverse fraudulent charges on a credit card. (Note: Underserved populations typically have less access to credit, and debit card holders are under a tighter 2 business day timeline to report fraud or face up to $500 in fraud liability).
  • Skip the budget mobile phone and purchase a high-end model with strong security features (e.g. default local data encryption, biometric face or fingerprint authentication, etc.), and have access to education on how to use these features.
  • Use the 'Find my Phone' feature to locate a lost phone when the lost phone is their only gateway online.
  • Protect themselves and their kids as they navigate risky gaming apps (see Rubica's 2019 Report: Cyber Crime and Privacy Risks in Free Mobile Apps for Kids).
  • Enroll in free credit monitoring after being a victim of a data breach.
  • Employ available tools to reduce fraudulent activity (e.g. do not call lists, device spam protection features, mobile service provider account PIN security to prevent SIM swapping and account takeovers, 2 factor authentication, etc.).
  • Understand and exercise their rights after falling victim to ID theft (e.g. file a police report, request ID theft protection from the IRS for their taxes, create a credit fraud alert, use their renter's insurance ID theft policy, etc.).

This is only a small sample of the many real world cybersecurity challenges faced by the underserved. It is indicative of an issue of empowerment, not an issue of capability.

Investing In Our Communities With Cybersecurity Education and Training

The low levels of cybersecurity awareness and the resulting reluctance to use online services among the underserved expose the tech industry's and society's failures in cybersecurity education. While attempts to rapidly enroll the underserved in the digital world via mobile phones might have helped address the digital divide, doing so without basic cybersecurity training has left them as 'sitting ducks' for cybercrime.

These CLTC survey findings are particularly telling:

Underserved citizens whose primary language is not English often struggle to find resources on cybersecurity in their own language, and many do not know what resources to trust. Residents often turn to friends or relatives and receive partially accurate information at best.
Organizers should not encourage cyber-hygiene through an appeal to fear, but rather should leave participants feeling equipped to deal with the cyber threat landscape, as opposed to withdrawing from it.

Education efforts should use experiential learning programs directly in underserved communities so that when we teach one, we teach many.

Investing in cybersecurity education for the underserved can have a multiplicative return. It empowers them to use online services for success, helps avoid the economic losses associated with cybercrime, and can even help address the cybersecurity industry's other failure: the inability to create a pipeline of new, diverse talent. The workforce gap in cybersecurity is debilitating to the economy, with no near-term solution in sight. Introducing cybersecurity and data privacy basics at the same time we train children to use the internet, developing new high school programs, and providing specialized training at community colleges are all necessary components to lift our local communities.

CyberDefenders Community College Cybersecurity Program 2018
Teens try out the Cyber Defenders Escape Room @ The Mix, San Francisco Public Library, 2019
Cyber Defenders Escape Room @ The Mix, San Francisco Public Library, 2019
Elementary school kids try out the Cyber Defenders Escape Room at the Maker Faire Expo, 2019
Santa Teresa High School students try the Cyber Defenders Escape Room, 2019
Santa Teresa High School Cyber Explorers Program, Demo Day, 2019
Cyber Defenders Community College Hackathon at Merritt College, 2019