Cases & Voices
- Ixchel Pérez
Running effective student security awareness campaigns: Insights from Brazil
Think of Brazil, and it’s probably Carnival, lush rainforest, or football legends that first come to mind, rather than cybersecurity. But in Brazil, as elsewhere, cyber attacks are on the rise – and ensuring the next generation is cybersecurity-savvy is crucial.
Author: GËANT by Davina Luyten
Emilio Nakamura is the CISO of the Rede Nacional de Ensino e Pesquisa (RNP), Brazil’s national research and education network. Amongst its other services, the RNP focuses on security awareness for students. Here, Emilio shares the challenges and opportunities of making cybersecurity accessible and relevant to young people in Brazil.
The RNP´s security awareness programme for students
Central to the RNP’s approach is its recently launched Hackers do Bem (“good hackers”) programme. This is aimed mainly at students aged 15 and up, plus professionals intending to change careers to cybersecurity. The RNP plans to deliver three to four sessions monthly, visiting different universities, colleges, and schools to promote the programme. A project webpage and webinars are also in the pipeline.
“Hackers do Bem is a white hat programme that mixes security awareness with capacity building,” explains Emilio. “We aim to encourage students to think more about using cybersecurity in their personal lives, and also to consider cybersecurity careers. And the main goal is to provide technical training to develop cybersecurity professionals and reduce our workforce gap.
“We go and talk to students about cybersecurity risks, their impacts, common cyber attacks, and how to assess risks. Then we talk about different areas of work within cybersecurity.”
“The students are very interested in learning about cybersecurity. And they can see the opportunities to work in this field and contribute to building a more secure world.”
The challenges of teaching Brazilian students about security
Explaining complex information in ways students can understand is vital. “We use lots of practical examples and talk in simple language so they can understand clearly. We start with the basics and then dive deeper into some areas with students who have the interest and knowledge.”
Another big challenge Emilio and his colleagues face is students’ belief that cybersecurity is only about complex technical skills.
“There’s a perception among students here that cybersecurity is a very difficult field to work in, very technically challenging. It seems very distant to many students,” Emilio says.
“So we explain that working in cybersecurity isn’t only about ethical hacking. Some jobs focus on providing security awareness, writing security policies, or talking to people. While some tasks require deep technical knowledge, others need good writing or people skills. We want to help students find the right area that suits them.”
Maximising the effectiveness of security awareness training for students
Emilio identifies seven key strategies which help make the RNP’s security awareness campaigns for students effective:
1. Gamification
The RNP uses a lot of gamification in its security awareness campaigns to capture attention and increase participation. For example, by answering quizzes on topics like phishing and two-factor identification, people can gain points and win prizes. It’s a more fun and interactive way to learn.
“In our experience, gamification is very effective for getting attention and making students participate in security awareness campaigns. That might be mainly because of the prizes involved! But the important thing is that it gets people’s attention onto cybersecurity issues they need to be aware of.”
The RNP works with a Brazilian partner who manages the gamification platform. Together, they choose the right content for each security awareness campaign, using plenty of real-life cyber attack examples and reflecting current issues.
2. Tailoring messages for different groups
Using appropriate language for different audiences is essential to getting your message across. Although the RNP targets students as a general group, they recognise different sub-categories within this group – each with slightly different needs, interests, and existing cybersecurity knowledge.
“It’s important to adjust our language for different audiences. It’s one thing talking to 15-year-olds, and a very different thing talking to graduates,” Emilio says.
“And speaking to computer science or engineering students is entirely different to speaking with odontology students.”
3. Emphasising the personal impact of cybersecurity
Emilio and his team believe the starting point should be highlighting how cybersecurity affects people’s personal lives, rather than a purely corporate or professional viewpoint.
“Presenting cases that students can relate to is crucial. Things they can see around them in their daily life, or can imagine happening to them personally.
“Everybody needs to understand that cybersecurity primarily impacts our personal lives. So it’s not something that only concerns cybersecurity professionals. It does also affect professional lives, but to get people engaged I think the message needs to focus on the personal impact.”
4. Managing information overload
“In today’s world, everyone receives a lot of messages from multiple sources, every day. There are so many ways we can share information: WhatsApp, social networks, emails, webinars, and more. But we need to take care not to overwhelm students with so many messages that they become less effective,” Emilio notes.
Using different communication channels can be helpful, as long as you regulate the frequency of the messages. Short, easily digestible information is ideal.
“We’re trying to use more light, visual messages that people can quickly process and understand the risks. We need to hammer home the information, but carefully.”
5. Taking your message to a captive audience
The RNP collaborates with various events happening across Brazil, such as during science and technology week, to raise awareness among attendees about cybersecurity. This helps broaden the RNP’s reach by taking advantage of audiences already gathered in one place.
“Going to talk about cybersecurity at different events is a very important strategy to get our message to more people. For example, we attend the Campus Party in Brazil, which is a big event in several cities focusing on younger people, kids and teenagers. And we talk to them in very simple language about cybersecurity.”
6. Partnering with well-known personalities
Another effective approach for the RNP is engaging popular influencers and experts to help share and champion cybersecurity messages.
“Using well-known personalities can mean people are more likely to listen,” says Emilio. “We’ve already trialed bringing in YouTubers and other people who are famous in Brazil.”
As well as general awareness raising, this tactic can also be used to generate interest in cybersecurity as a career.
“We’re also considering bringing in cybersecurity specialists who are well-known in Brazil to talk to students about working in this field. They would act as a role model or idol for younger people, to inspire and guide students about studying and working in cybersecurity.”
7. Prioritising education, not just awareness
Fundamentally, Emilio believes, it’s not enough just to tell students about cybersecurity risks. We need to teach them what to do if something goes wrong – and help them recognise that cyber attacks can happen to anyone.
“I believe many people are already aware of the risks but think, ‘It won’t happen to me.’ And many people wouldn’t know how to respond to threats like ransomware,” Emilio says.
“So education is vital from as early as possible in personal life. That can also help people see that cybersecurity can be a great career.”
Final thoughts: students and the future of cybersecurity
Looking ahead, Emilio feels a mixture of excitement and worry about the rapid evolution of cybersecurity, with technology, job opportunities, and threats transforming almost weekly. He believes students have a pivotal role to play in helping us shape a more secure future – but that there are many challenges ahead.
“Improving cybersecurity awareness is very important, but we have much more to do to effectively improve cybersecurity behavior in people’s personal lives.
“The challenge is educational. We need to educate people from when they are young children, because cybersecurity is part of everybody’s lives nowadays. It’s not possible to live or work without knowing about cybersecurity.
“So, we have some very hard work to do. And students can play an important part in that.”