CYSE 497

Cybersecurity Research Paper

Maximizing the Impact of Cybersecurity Awareness and Education in School-Aged Children: Challenges and Benefits

Susan Brown-Clukey

CYSE 497

July 25, 2024

 

The escalating cyber-attack threat, fueled by our increasing dependence on technology, has made cybersecurity a pressing concern. We are increasingly vulnerable, with schools and society relying more on computer networks and the proliferation of sensitive data. This vulnerability extends to the most innocent members of our society, our children. Therefore, providing cybersecurity awareness and education to school-aged children is imperative, ensuring they can navigate the online world safely.

Over the years, parents have been their children’s primary source of safety instructions. Before the digital age, they would advise their children to be home when the streetlights came on, stay in a group, never be alone, not talk to strangers, not get into a car with someone they don’t know, and so on. As technology advances, so do the dangers to children. Now, parents may not be fully aware of the hazards their children face while using their smartphones, laptops, tablets, gaming systems, etc. However, they play a crucial and empowering role in protecting their children in the digital world, just as they do in the physical world. (Rahman N. A. A, 2020) Cybercrimes against children are a concern as parents may not realize that they have become victims and are mostly unaware of their activities while on the internet. Many parents utilize tablets, smart devices, computers, etc. as a form of distraction for children not realizing the adherent risk, such as cyberbullying.

While educating school-aged children about cybersecurity is crucial, it is equally important to equip parents with the necessary knowledge and skills to protect their children. A comprehensive and vital approach to cybersecurity education, which involves integrating it into the school curriculum and training teachers or support staff to teach cybersecurity awareness and education effectively, is a good idea and a necessity in today’s digital world.

Teaching basic cybersecurity concepts, each developmental stage provides the opportunity to learn and build on the cybersecurity fundamentals, and as they mature, their ability to understand more complex topics. Teaching children about cybersecurity should be based on grade level, early childhood (Ages 3-7), elementary school (ages 8-12), middle school (Ages 13-15), high school (Ages 16-18), and post-secondary and beyond.

Early childhood should focus on basic concepts of online safety, such as understanding that not everyone online is your friend and the importance of speaking with a trusted adult when someone asks for or about personal information.

Elementary School would be the time to talk about the importance of having a basic idea of what online privacy is, why it is essential to have a strong password that isn’t easily guessed, and how to recognize what phishing may look like, by having interactive activities and discussions it can help children understand these concepts better.

Middle School teenagers can handle more complex topics, such as understanding online scams, the risks of oversharing on social media, and the entailment of a digital footprint. They can benefit from practical exercises, discussions about real-world scenarios, and the consequences of their online behaviors.

High School students tend to be well-versed in cybersecurity topics, including identity theft, encryption, and why protecting their personal data is essential. Introducing and engaging them with real-life case studies and simulations could prove very effective.

Post-Secondary and Beyond, as technology evolves, so does the need for continuous education. Providing ongoing education, training, and updates on the newest/latest cyber threats and best practices is extremely necessary regardless of their age or level of experience in cybersecurity.

As technology continues to change, so does the need for education. As technology becomes more integral to education and daily life, vulnerability to cyber-attacks has risen. By addressing these challenges and utilizing the benefits, educators, parents, and policymakers can work together to maximize the results of cybersecurity awareness and education in K-12 children, which will prepare them to better navigate the digital world responsibly and safely.

Challenges:

Availability: The availability of age-appropriate information is crucial to cybersecurity education. In a K-12 school environment, younger grade levels will need simpler course material than middle/high school students. Designing a curriculum and having material available that is suitable and engaging for all age groups is a significant responsibility for educators. This challenge calls for innovation and creativity in developing educational materials that can effectively convey the importance of cybersecurity to children of different age groups.

Limited resources and funding: (McKenzie, 2022) Limited funding due to budget constraints and a shortage of qualified teachers or experts in cybersecurity education is a further challenge that schools could face when trying to bring awareness and education to K-12 students. Many schools do not have a curriculum dedicated to cybersecurity and are unsure where to start to develop the curriculum.  Nor do they have properly trained educators

Ever-changing technological advancements: Educators find it challenging to keep educational content current and updated with ever-changing technology and cyber threats. Keeping the curriculum relevant to current threats is difficult, as new threats and vulnerabilities are constantly emerging. Furthermore, children tend to be more tech-savvy than their parents and teachers, making it a challenge to keep their attention and keep them engaged in cybersecurity education. (USA, 2024)According to the IT Governance USA Blog, in 2024, 6,8458,908,997 known records were breached, as shown in the chart below. Note that the largest breach involved Discord, which many students utilize for chats related to gaming, homework, social purposes, and so on. The need for teachers and parents to stay current with all the new apps, websites, and other technology tools is continual, but the challenge lies in the lack of funding for teachers and the lack of knowledge for parents.

Properly trained educators: Finding educators who are adequately trained in cybersecurity and can teach children about cybersecurity is sometimes difficult, leading to unpredictability in the quality of the material provided to the children. (McKenzie, 2022)

Behavioral Challenges: Instilling good habits and behaviors in cybersecurity can be challenging for younger children as they do not fully understand the dangers or threats that they could encounter or what consequences of their actions.

Effective Communication: Teachers can face significant challenges when teaching cybersecurity awareness to younger students, as they may not understand when they need help, hence the need for age-appropriate material.

Communication with Parents: If there isn’t adequate support at home for the student already academically, it could add to the challenge for the teacher in providing cybersecurity awareness education at home because they can teach it at school, but having follow-up and re-enforcement at home is necessary. The student is likelier to succeed when the parent is involved in the children’s learning environment. Some teachers use various apps to invite parents into their students’ academic lives, such as Seesaw and Prodigy for younger students and student portals for older students. In apps like Seesaw and Prodigy, parents can see their student’s progress through reports and send their students messages of encouragement as they complete their daily tasks.

Benefits:

In spite of these challenges, the multiple benefits of providing cybersecurity awareness and education to school-aged children are unmeasurable.

Empowerment: Cybersecurity education instills a sense of empowerment by equipping children with the knowledge and skills to protect themselves and their peers from online threats. This reassures the audience about the initiative’s positive impact.

Early Awareness: Educating children at a young age about cybersecurity helps them develop good habits. They will be more likely to display safe online behaviors as they age, which can help reduce the risk of becoming victims of cyber threats and attacks.

Potential careers: Early exposure to cybersecurity can spark interest in related fields such as information technology, computer science, and cybersecurity careers. This emphasis on future opportunities can make the audience feel optimistic about the potential impact of cybersecurity education.

Involvement from Parents: Educating children about cyber threats and cybersecurity will indirectly educate the parents since most children share what they learn with their families, which extends the impact past the classroom. Parents and teachers must adjust their approaches to ensure children are adequately educated about online safety. This can be done by equipping the parents with the knowledge to monitor and support their children online.

Relevance Globally: Educating K-12 children about cybersecurity fosters a worldwide responsibility and security consciousness culture. This emphasis on global relevance can connect the audience to a larger international community.

Strategies for Maximizing Impact:

Continuous Updates: Regularly update all educational materials about the latest cybersecurity threats and practices to ensure effectiveness and relevance.

Community Engagement: Involves teachers, parents, communities, and local businesses in cybersecurity education to help create an environment that supports learning and practicing safe online behaviors.

Comprehensive Curriculum: A comprehensive curriculum should cover a wide range of information and topics for all ages within K-12. It should teach and support online etiquette and privacy settings and recognize phishing attempts, including identity theft and malware. It should also include information regarding cyberbullying, exposure to harmful content, and online exploitation and abuse. The curriculum should be engaging and age-appropriate, using interactive material such as simulations, games, and real-life scenarios to make cybersecurity education memorable and engaging.

Interactive Learning: Using interactive material such as simulations, games, and real-life scenarios to make cybersecurity education memorable and engaging.

Types of Cybersecurity attacks that could happen to K-12 students:

Social Engineering Attacks: According to Saferkidsonline.com (saferkidsonline, 2022), “Psychological manipulation is a key characteristic of social engineering attacks, so identifying them is critical. Children with less experience in the digital world are much more vulnerable to cyberattacks.”

They are targeting children through phishing emails, text messages, and malicious websites to gather personal and financial information. These types of attacks may also spread ransomware and malware. Ransomware would disrupt the computer system until the demanded ransom is paid.

Phishing attacks are fake communications designed to look like an email that will lead them to a website from a trusted source when it isn’t, making it difficult to recognize as a possible threat. Cybercriminals implore this technique to steal passwords, usernames, credit card numbers, and other sensitive information for financial gain. (Chachak, n.d.)

Malware can target children by exploiting their online activities, specific behaviors, and vulnerabilities. Some standard methods could include developing malicious apps and games that look inviting and harmless but contain malware. These games and apps can track activity, steal personal information, or even turn devices into bots for malicious activities. Some malware pretends to offer free or premium memberships/content in exchange for personal information.

Password Reuse is a significant safety concern for children as their general lack of experience with cybersecurity could lead to account compromise by using the same password across multiple accounts. If one account becomes compromised through a phishing attack, it could lead to unauthorized access to school accounts, personal accounts, social media accounts, and any digital account.

Teacher resources for teaching about cybersecurity:

  1. org: Resources for teaching cybersecurity to all grade levels.
  2. NIST: Offers online learning content for K-12 education.
  3. NICCS: This is a comprehensive resource for cybersecurity training.
  4. Microsoft Security: Provides multiple resources and certifications

Resources – Teach Cyber

Empowering Educators to Teach Cyber | Cyber.org

Available Cybersecurity Awareness Programs for K-12:

 CISA Cybersecurity Awareness Program CISA, per the CISA.gov site, “The CISA Cybersecurity Awareness Program is a national public awareness effort aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Cybersecurity is a shared responsibility and we each have a part to play. When we all take simple steps to be safer online – at home, in the workplace, and in our communities – it makes using the Internet a more secure experience for everyone.” Exploring this site further, a link to schoolsafety.gov will lead to topics that cover cybersecurity issues and any problems that might impact students.

Low-Cost Online Cybersecurity Learning Content | NIST: This website provides multiple websites and links for cybersecurity career and professional development, educator training, employee awareness training, and K-12 education and games.  https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content

Cybersecurity Awareness – Education and Resources | Microsoft Security: Student Hub Overview – Microsoft Learn Student Hub | Microsoft Learn resource and certifications available for teachers, students, and businesses.

Cybersecurity Awareness | NICCS (cisa.gov): According to the website, “The National Initiative for Cybersecurity Careers and Studies (NICCS) website is the premier online resource for cybersecurity training, education, and career information. NICCS connects government employees, students, educators, and industry with cybersecurity resources and training providers throughout the Nation.”

Defending cybersecurity attacks against K-12:

Legal resources to defend against cybersecurity attacks against children/students:

Children’s Internet Protection Act (CIPA) (Commission, n.d.) It was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. Schools and libraries that receive funding from the CIPA E-rate program must follow specific Internet policies that address and certify that they comply with the following: 1. Access by minors to inappropriate matters on the Internet. 2. The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications. 3. Unauthorized access, including so-called “hacking” and other unlawful activities by minors online. 4. Unauthorized disclosure, use, and dissemination of personal information regarding minors. 5. Measures restricting minors’ access to materials harmful to them. https://www.fcc.gov/sites/default/files/childrens_internet_protection_act_cipa.pdf

The Internet Crimes Against Children Task Force Program (ICAC) was developed in 1998 in response to the ever-increasing number of children and teenagers using the Internet. The ICAC Task Force has helped state and local law enforcement agencies in approximately 184,700 investigations, leading to 10,800 arrests in 2023. https://www.icactaskforce.org/

Crimes against students/children involving cybersecurity:

Prosecuting perpetrators of cyber-attacks involving students or children will vary depending on the details of the attack and the jurisdiction of the attack, but common charges that could be charged:

  1. Identity theft: the student giving personal information unknowingly to a perpetrator.
  2. Child Exploitation: if the attack involves possessing, creating, or distributing inappropriate or harmful material involving children, it could be considered child pornography or child exploitation.
  3. Cyberstalking: the perpetrator could be charged with cyberstalking if they were repeatedly threatened or harassing a child online.
  4. Data Breach: the attacker could face data breach charges for stealing or exposing a student’s personal or sensitive information.
  5. Distribution of Malicious Software: The attacker could be charged with distributing malware by deploying ransomware, viruses, and other malicious software.

Example: (Valle, 2024) From 2018 to 2021 James Patrick Burns used several platforms to contact minors to coerce or threaten them into providing sexually explicit content according to the document presented to the courts for trial. In March 2024 he was convicted on “eight counts of sexual exploitation of a minor, eight counts of coercion and enticement of a minor, and one count each of advertising, receiving, distributing, and possessing child pornography.”

During the research process, when talking with local educators about what is taught in the schools about cybersecurity awareness, it was surprising to find out that most of the education is provided by one teacher for the entire school, an Instructional Technology Resource Teacher. Below are some of the responsibilities of the teacher. The requirement is a teaching license or acquiring a teaching license. The instructional technology resource teacher is not in the classroom each day; they are simply a resource.  The school system also employs a Technology Support Technician (TST) in each school. The TST handles broken Chromebooks, software updates, and facility updates but minimal student teaching, if at all. However, neither requires any cybersecurity certifications like Security+. It is essential to have appropriately trained educators so that they may train other staff members and students on the dangers of cyber threats and attacks; without adequately trained educators, students are exposed and vulnerable. Having appropriately trained educators will assist parents in protecting their children/students from cyber threats and attacks.

Curriculum taught last year for the cyber club in a local elementary school. https://microbit.org/teach/lessons/cyber-security-what-is/ https://microbit.org/teach/lessons/computing-fundamentals-unit-of-work/

As technology and cyber threats continue to advance, so does the need to include cybersecurity education and awareness in daily teachings. Students in the local K-12 that I researched are not issued physical schoolbooks; all their educational material is on their Chromebooks. Most student’s backpacks are used to carry a binder, Chromebook, pencils, and lunches; gone are the days of a notebook/binder for each class and a textbook for each class. This makes school systems like this one extremely vulnerable to multiple cyber threats and attacks listed previously in this paper.

Recommendations for Moving Forward:

  1. Increase funding and resources: To support cybersecurity education and awareness, advocate for better funding and resources. Enquire about partnering with tech companies and non-profits to help with funding and resources. Also, seek governmental backing and funding.
  2. Enhance Curriculum Development: Work with cybersecurity experts to develop age-appropriate materials and merge them into existing curriculum.
  3. Parental Education Programs: Develop resources and programs to help parents understand and support their children’s cybersecurity education.
  4. Community Partnerships: Seek out local organizations and businesses to support cybersecurity education through resources, including new computers with up-to-date software, workshops, and real-world scenarios.
  5. Professional Development for Educators: Provide teachers with training and certification opportunities to ensure they are adequately equipped to educate students effectively.

Addressing these areas will not only help build a more secure digital environment for children but also ensure that they are adequately prepared to navigate the online world safely and responsibly.

Cybersecurity education, awareness raising, and training initiatives: National level evidence-based results, challenges, and promise – ScienceDirect

The Effectiveness of Cybersecurity Awareness Programs in Schools — the Learning Counsel

(PDF) Addressing Cybersecurity Challenges in Education (researchgate.net)

What Is Cybersecurity’s Impact on K–12 Education Today? | EdTech Magazine

fta-tn-education-cs.pdf (fortra.com)

The Importance of Cyber Security Awareness in Education | Terranova Security

CISA Cybersecurity Awareness Program | CISA

Cybersecurity in Education: What Teachers, Parents and Students Should Know | Berkeley Boot Camps

https://www.sciencedirect.com/science/article/pii/S2212868921000581 Cybersecurity awareness for children: A systematic literature review

Chachak, E. (n.d.). CyberDB The Cyber Research Databank. Retrieved from Cyberdb: https://www.cyberdb.co/common-types-of-cyberattacks-that-affect-students/

McKenzie, L. (2022, Sept 7). Statescoop. Retrieved from https://statescoop.com/state-edtech-leaders-schools-insufficient-cybersecurity-funding/

Rahman N. A. A, S. I. (2020). The Importance of Cybersecurity Education in School. nternational Journal of Information and Education Technology, Vol. 10, No. 5, May 2020, 378-382.

saferkidsonline. (2022, December 1). saferkidsonline. Retrieved from saferkidsonline.com: https://saferkidsonline.eset.com/uk/article/identifying-common-social-engineering-attacks-to-kids

USA, I. G. (2024, June 18). it governance. Retrieved from itgovernanceusa.com: https://www.itgovernanceusa.com/blog/data-breaches-and-cyber-attacks-in-2024-in-the-usa

Valle, G. D. (2024, July 22). msn.com. Retrieved from msn.com: https://www.msn.com/en-us/news/technology/man-convicted-for-sextortion-of-more-than-100-children-on-omegle-snapchat-and-tiktok/ar-BB1qqCas