Monday, 23 June 2025, 13:30 - 17:30 CEST (Central European Summer Time - Sweden)
Prof. Steven Furnell (short bio)
University of Nottingham, UK
Modality
on-site
Room: TBA
Target Audience
Researchers/academics, students, professionals, and industry practitioners interested in guidance on supporting cybersecurity literacy
Requirements for participants
Use of laptop or tablet, and use of notes / word-processing software
Abstract
Cybersecurity is essential for IT users in all contexts, across all devices and online services, and spanning both personal and workplace uses of technology and data. However, cybersecurity literacy among end-users remains varied and is rarely the natural starting point, so people often need support and encouragement to reach a point where they understand the issues and can practice appropriate cyber hygiene. Linked to this is the need for effective awareness-raising and for usable technologies that users are expected to use. Unfortunately, these aspects are often lacking in practice, with the result that users' security experience can be unclear and confused, and can potentially fail to deliver the protection needed.
This course examines the requirements and challenges from the end-user perspective and the means by which the security experience can be improved. It begins by considering the main principles of cybersecurity and what it means for users to be cybersecurity-literate. This leads into an examination of the related efforts that are made to support awareness-raising, which are often limited in practice and go some way to explaining why users may fail to play their part. Even having raised their awareness, however, users need cybersecurity to be available in a manner that they find usable. If it is hard to understand or burdensome to use, then its effectiveness may be limited. The session will examine the factors of interest, with examples of how things can go wrong in practice. In the final part of the course, attention is given to the issue of user authentication – an aspect of cybersecurity that all users will use across multiple devices and services, but where the experience can vary considerably according to the technology choices and support provided.
Benefits for attendees
- Understanding the core elements of cybersecurity literacy for users
- Recognising the need for user awareness-raising and related practical considerations
- Understanding the dimensions of usability in the context of cybersecurity controls
- Relating the issues to personal experiences through the example of user authentication
Attendees will emerge with a better appreciation of the importance of cybersecurity literacy for end-users and the elements that need to be considered for this to be effective in practice.
Course Content
The main themes covered through the course will proceed as follows (indicative timings are given for the duration of each segment, with a further 30 minutes then being added for a break):
- Introductory cybersecurity concepts - what is it and what do users need to know about it in terms of basic cybersecurity literacy?
- The awareness hurdle - how is awareness raising approached and does it deliver what users need?
- The usability hurdle - having raised awareness of the need to maintain cybersecurity, what issues need to be considered in providing it and what does the security experience look like from the user perspective?
- Usability in practice - an examination of a specific aspect of cybersecurity that all users encounter, namely user authentication, and the varying levels of usability that can be achieved depending upon the method(s) used and support provided.
Hands-on part
The session will involve a practical activity that gives attendees experience in developing user-facing cybersecurity guidance, highlighting the need to think of the audience. The activity will focus on the use of passwords, an aspect of security that all participants will be familiar with but which is prone to numerous problems in practice.
Bio Sketch of Course instructor
Prof. Steven Furnell is Professor of Cyber Security in the School of Computer Science at the University of Nottingham. His research interests include security management and culture, usability of security and privacy, and technologies for user authentication and intrusion detection. He has authored over 390 papers in refereed international journals and conference proceedings, as well as various books, book chapters, and industry reports. Steve is the UK representative to Technical Committee 11 (security and privacy) within the International Federation for Information Processing, a board member of the Chartered Institute of Information Security, and a member of both the Steering Group for the Cyber Security Body of Knowledge (CyBOK) and the Careers and Learning Working Group within the UK Cyber Security Council.