Internet security awareness explained

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior.[1] [2] End users are considered the weakest link and the primary vulnerability within a network.[3] [4] Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element (end users). This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

Cyber security awareness, training, education

A cyber security risk mitigating end user program could consist of a combination of multiple approaches including cyber security awareness, cyber security training, and cyber security education.  According to, and adopted from, see the below table that provides a comparison of the approaches.

AWARENESSTRAININGEDUCATION
Attribute“What”“How”“Why”
LevelInformationKnowledgeInsight
ObjectiveRecognitionSkillUnderstanding
Delivery MethodMedia

Including: video, newsletters, posters

Practical Instruction Including: lecture, case study workshop, hands-onTheoretical Instruction Including: discussion seminar, background reading
Impact TimeframeShort-termIntermediateLong-term

Threats

Threat agents or threat actors are the perpetrators of the threat and usually look for the easiest way to gain access into a network, which is often the human element.[5]   However, these cyber threats can be mitigated.[6] Some common threats include but are not limited to below.

Social engineering is when someone uses a compelling story, authority, or other means to convince someone to hand over sensitive information such as usernames and passwords.[7] [8] An end user with cyber security awareness will have the ability to recognize these types of attacks which improves their ability to avoid them.

Phishing is a form of social engineering.[9] It is a popular attack that attempts to trick users into clicking a link within an email or on a website in hopes that they divulge sensitive information.  This attack generally relies on a bulk email approach and the low cost of sending phishing emails. Few targets are fooled, but so many are targeted that this is still a profitable vector.

Spear phishing is an email crafted and sent to a specific person to whom it may appear to be legitimate.[10] It is a form of phishing, but it is more convincing and more likely to succeed than traditional phishing emails because it tailors the email to the victim.   Its deployment can range from a bulk automated process, such as accessing the address book of a past victim and sending simple phishing attacks to their contacts (thus appearing to come from a recognized past contact), to more sophisticatedly hand-written communications to target specific recipients.

Vishing or voice phishing is a form of social engineering that involves contacting individuals via traditional landlines, telephony (i.e., Voice over IP), automated text-to-speech systems, or other forms of voice communications to trick them into divulging sensitive information like credit card data.

Smishing or SMS phishing is social engineering that leverages SMS or text messages as the vector to trick end users into divulging sensitive information.

Tailgating is a physical security social engineering attack in which an unauthorized individual can access a location by following an authorized user into the location without the authorized user's knowledge.[11]

Piggybacking is a physical security social engineering attack in which an unauthorized individual can access a location by following an authorized user into the location with the authorized user's knowledge.

Malware is software created and used for malicious intent.  It includes a range of software to include but is not limited to viruses, trojan horses, worms, rootkits, spyware, and crypto-jacking.[12]

Ransomware is another cyber threat where attacks are carried out on the computer system but are often the result of a social engineering attack.[13] [14]  This type of malware encrypts data and holds it for ransom which could paralyze the whole computer system.

Internet of Things (IoT) based attacks are a form of cyber threat in the 21st century and beyond that leverage vulnerabilities in the embedded devices found in, i.e., cars, refrigerators, and smart speakers or digital assistants.

Insider threats in cybersecurity (internet security) are security risks that come from individuals within an organization, such as employees or contractors, who have access to its systems and data.[15] [16] [17] [18] These threats can include data theft, sabotage, fraud, or espionage, posing significant risks due to the insider's knowledge and access.

Topics

There are various approaches within the cyber security risk mitigating end user program (see table above). And while this article is geared towards cyber security awareness, the following topics could also be leveraged for cybersecurity training, and cyber security education.

As reflected in the above table, there are several different delivery methods that can be taken to provide cyber security awareness. Some of which include using posters, guides, tips [19] or even video and newsletters.  Some possible Cyber security awareness topics according to [20] [21] include but are not limited to the following.

Anti-Malware Protection

Anti-malware is sometimes referred to as anti-virus This type of application is used to protect systems against malicious software by preventing, detecting, and deleting the malware.  Some popular malware includes computer viruses, ransomware, rootkit, trojan horses, and worms.  Security end user awareness guidelines include device scans for malware and updating the anti-malware application definitions.

Data Protection and Privacy: There are various types of data that might be mandated to be protected from unauthorized disclosure, including personally identifiable information (PII), protected health information (PHI), intellectual property (IP), and other sensitive information.  Security awareness guidelines include teaching related to data classification, encryption, data anonymization, and data masking or data obfuscation.  Permissions and who can access data, which includes file sharing via email attachments, are additional safeguards that could be discussed. Another data protection control that could be included is backing up data as it could be restored if the original becomes unavailable.

Device Management

involves knowing how to protect mobile devices and computers.  Device Management is also concerned with security related to Bring Your Own Device (BYOD).  Security awareness guidelines include encryption, protecting the system with a password, PIN, or multi-factor authentication, and other forms of credential.  Additional awareness tips include end-users downloading, installing, and reviewing applications and the requested permissions from unknown sources.[22]  According to, another awareness tip is to read reviews and comments about the application before installing it.  Additionally, the use of public WIFI is another discussion point.  Device management also relates to maintaining an accurate inventory of assets from purchase to disposition. This includes knowing when to wipe a device and media sanitization.

Incident Response

An incident is any observable event of malicious intent.  Security awareness guidelines for end-users include what types of events are considered suspicious or malicious, who should be contacted if an incident occurs, and what actions should be taken in the event of an incident.

Internet of Things Security

are remotely controlled capable, resource constrained devices with embedded sensor chips that interact with people and objects to collect data and provide it to remote sources on the Internet for additional analysis in an effort to personalize and customize a user's experience. These devices include but are not limited to smart speakers, wearable devices like smart watch, surveillance cameras, lights, door locks, thermostats, appliances and cars.  Guidelines include maintaining an asset inventory, patch control, and changing default credentials.[23]

Password Management

A password is a string of secret characters used to authenticate a user's account. Security awareness guidelines suggest presenting requirements for creating a strong password or Passphrase, how frequently passwords should be changed, and how to protect passwords.  Additionally, guidelines suggest the need to change all default passwords and to not share passwords with others.[24]   Additional protection options could include making end-users aware of using multi-factor authentication, password managers, and awareness of various password-related threats like password cracking.

Patching: Software and system changes to update, improve, or resolve weaknesses are usually released via a patch.  Security awareness guidelines include the timely installation of security patches as well as implementing vulnerability assessment and vulnerability management.

Removable Media

are storage devices that could be added or removed from a running computer, such as CDs, DVDs, removable SD cards, and USB drives (including flash drives, thumb drives, external hard drives). Security awareness guidelines include drive encryption and following the policy and guidelines presented at the organizational level regarding the use of personal removable media on organizational systems.

Safe Web Browsing

Security awareness guidelines regarding securely navigating websites include looking for the padlock icon on the URL bar before entering sensitive information like credentials, credit card information, or personally identifiable information.   Another visual indicator is "https" reflecting in the web address.  The padlock and "https" indicate that the entered information will be secure. Lastly, guidance could be shared to set privacy options on the browser or use the incognito option to limit the information shared. Yet another guideline is to consider using a virtual private network (VPN).[25]

Social Engineering involves interacting with humans in hopes that they will disclose sensitive information. Security awareness guidelines include not opening suspicious emails from unrecognized senders, not clicking on suspicious links in emails or on websites, not opening attachments in emails, not disclosing information, and not responding to suspicious emails or contacts provided therein.

Cybersecurity Public Awareness Campaigns

Cybersecurity education and awareness training are crucial for modern society as they enable people to defend against cyber threats and explore cybersecurity careers while being interdisciplinary and encompassing various fields to prepare for future difficulties and save resources.[26] [27] [28] Research on cybersecurity awareness education reveals inconsistent results, with some studies suggesting limited effectiveness and experts advocating for the customization of training programs to enhance awareness. There are many cybersecurity awareness campaigns in the public domain, please find some as follows:

Microsoft's Cybersecurity Awareness Month: Celebrating its 20th anniversary in 2023, Microsoft partnered with the National Cybersecurity Alliance and CISA to amplify cybersecurity best practices globally. Their focus includes educating organizations on multifactor authentication, updating software, recognizing phishing, and checking privacy settings. Microsoft also provides resources for small and medium businesses, which are often vulnerable to ransomware attacks.[29]

NIST's Cybersecurity Awareness Month: In 2023, NIST emphasized four key behaviors: (1) enabling multi-factor authentication, (2) using strong passwords and password managers, (3) updating software, and (4) recognizing and reporting phishing.[30] This annual event, celebrated every October since 2004, is part of a collaborative effort to provide resources and raise awareness about cybersecurity, thereby increasing national resilience against cyber incidents.

The nature of cybersecurity awareness training suggests it's an ongoing process,[31] primarily because threat vectors— or methods and paths by which hackers attack systems— constantly evolve. As cyber threats become more sophisticated,[32] the strategies and knowledge required to defend against them must also advance. Continuous education and adaptation are essential to keep pace with new security challenges. This perspective aligns with the understanding that as long as technology advances and integrates more deeply into everyday life, the need for up-to-date cybersecurity awareness and training will remain critical. Ansari et al. (2022) utilized the AI-based cybersecurity awareness training to the cyberspace.[33]

See also

Notes and References

  1. Web site: NIST SP 800-12: Chapter 13: Awareness, Training and Education. csrc.nist.rip.
  2. Kim. Lee. April 2017. Cybersecurity awareness: Protecting data and patients. Nursing Management. en-US. 48. 4. 16–19. 10.1097/01.NUMA.0000514066.30572.f3. 28353477. 9518792. 0744-6314.
  3. 2019-08-01. Improving employees' cyber security awareness. Computer Fraud & Security. en. 2019. 8. 11–14. 10.1016/S1361-3723(19)30085-5. 1361-3723. Kemper. Grayson. 201901451.
  4. Web site: 2018-12-21. What is Cybersecurity Awareness Training & Why is it so Important?. https://web.archive.org/web/20190429045453/https://fraudwatchinternational.com/security-awareness/what-is-cyber-security-awareness-training/. dead. April 29, 2019. FraudWatch International. en-AU.
  5. Abawajy. Jemal. 2014-03-04. User preference of cyber security awareness delivery methods. Behaviour & Information Technology. 33. 3. 237–248. 10.1080/0144929X.2012.708787. 12289090. 0144-929X.
  6. Web site: 2020-11-23. Top 10 Cyber Security Threats & Its Mitigation. vCloud Tech Blogs - Your IT Solutions & Servicers Provider. en-US.
  7. News: Fruhlinger. Josh. 2019-09-25. Social engineering explained: How criminals exploit human behavior. CSO Online. en.
  8. Web site: What is Social Engineering? Examples and. www.webroot.com. en.
  9. Web site: Avoiding Social Engineering and Phishing Attacks CISA. us-cert.cisa.gov. February 2021 .
  10. Web site: 2021-01-13. What is Spear Phishing? - Definition. usa.kaspersky.com. en.
  11. Web site: Security. Mitnick. 6 Types of Social Engineering Attacks. www.mitnicksecurity.com. en-us.
  12. Web site: Fruhlinger. Josh. 2019-05-17. What is malware: Definition, examples, detection and recovery. CSO Online. en.
  13. Web site: Fruhlinger. Josh. 2020-06-19. Ransomware explained: How it works and how to remove it. CSO Online. en.
  14. Web site: What is ransomware? Techniques & Prevention Terranova Security. terranovasecurity.com. en-US.
  15. Web site: Cybersecurity and Infrastructure Security Agency . Defining Insider Threats CISA . 2024-01-15 . www.cisa.gov . en.
  16. Web site: Cybersecurity and Infrastructure Security Agency . Insider Threat 101 Fact Sheet . 2024-01-15 . www.cisa.gov.
  17. Web site: National Institute of Standards and Technology . insider threat - Glossary CSRC . 2024-01-15 . csrc.nist.gov . EN-US.
  18. Web site: U.S. Department of Homeland Security . Cybersecurity Insider Threat Homeland Security . 2024-01-15 . www.dhs.gov.
  19. Tasevski. Predrag. 2016. IT and Cyber Security Awareness – Raising Campaigns. Information & Security. 34. 1. 7–22. 10.11610/isij.3401. free.
  20. Web site: Wilson. M.. Hash. J.. 2003. NIST Special Publication 800-50: Computer Security.
  21. Web site: Building a Security Awareness Program. www.gideonrasmussen.com.
  22. Web site: Securely Using Mobile Apps - SANS OUCH! Newsletter - June 2021. www.sans.org.
  23. Web site: Forrest. Conner. Ten best practices for securing the Internet of Things in your organization. ZDNet. en.
  24. Web site: Common Cyber Threats: Indicators and Countermeasures.
  25. Web site: Privacy - Protecting Your Digital Footprint - SANS OUCH! Newsletter - April 2021. www.sans.org.
  26. Triplett . William J. . 2023-01-01 . Addressing Cybersecurity Challenges in Education . International Journal of STEM Education for Sustainability . en . 3 . 1 . 47–67 . 10.53889/ijses.v3i1.132 . 2798-5091. free .
  27. Safa . Nader Sohrabi . Sookhak . Mehdi . Von Solms . Rossouw . Furnell . Steven . Ghani . Norjihan Abdul . Herawan . Tutut . 2015-09-01 . Information security conscious care behaviour formation in organizations . Computers & Security . 53 . 65–78 . 10.1016/j.cose.2015.05.012 . 0167-4048.
  28. Book: Wang . Yu . Qi . Bin . Zou . Hong-Xia . Li . Ji-Xing . Framework of Raising Cyber Security Awareness . 2018-10-01 . 2018 IEEE 18th International Conference on Communication Technology (ICCT) . https://ieeexplore.ieee.org/document/8599967 . IEEE . 865–869 . 10.1109/ICCT.2018.8599967 . 978-1-5386-7635-6.
  29. Web site: Jakkal . Vasu . 2023-10-02 . Celebrate 20 years of Cybersecurity Awareness Month with Microsoft and let's secure our world together . 2024-04-03 . Microsoft Security Blog . en-US.
  30. National Institute of Standards and Technology (NIST) . 2023-10-25 . Cybersecurity Awareness Month . NIST . en.
  31. Zwilling . Moti . Klien . Galit . Lesjak . Dušan . Wiechetek . Łukasz . Cetin . Fatih . Basim . Hamdullah Nejat . 2022-01-02 . Cyber Security Awareness, Knowledge and Behavior: A Comparative Study . Journal of Computer Information Systems . en . 62 . 1 . 82–97 . 10.1080/08874417.2020.1712269 . 0887-4417.
  32. Amanowicz . Marek . 2021-09-30 . A Shared Cybersecurity Awareness Platform . Journal of Telecommunications and Information Technology . 3 . en . 2021 . 32–41 . 10.26636/jtit.2021.154421 . 1899-8852. free .
  33. Ansari . Meraj Farheen . Sharma . Pawan Kumar . Dash . Bibhu . 2022-03-01 . Prevention of Phishing Attacks Using AI-Based Cybersecurity Awareness Training . International Journal of Smart Sensor and Adhoc Network. . en . 61–72 . 10.47893/IJSSAN.2022.1221 . 2024-04-13 . 2248-9738. free .