The Difference Between Cybersecurity Literacy and Awareness

The issue of cybersecurity has finally gained the attention of top company decision-makers in light of the ongoing large-scale breaches that continue to jeopardize company assets and customers’ privacy. However, as executives and board members become more aware of the impact of cyber attacks on the business, is awareness enough to allow them to effectively manage these cybersecurity risks? A recent study revealed that there’s a significant difference between cybersecurity literacy and cybersecurity awareness among corporate executives. The United Kingdom Executive Cybersecurity Literacy questioned more than 100 board-level executives at FTSE 100 firms, and found that the majority (54 percent) would rate their board with “excellent” cybersecurity literacy, meaning they understand the issues well and are actively engaged on a routine basis. In addition, nearly 40 percent of respondents also gave their boards a “good” grade for cybersecurity literacy, indicating that they have a reasonable understanding of key security issues and are occasionally engaged in strategic decisions. Source: United Kingdom Executive Cybersecurity Literacy, Tripwire Tripwire’s Chief Technology Officer Dwayne Melancon says the results are rather surprising, and demonstrate the distinction between executives being cybersecurity literate or simply aware. “If the vast majority of executives and boards were really literate about cybersecurity risks, than spear phishing wouldn’t work,” said Melancon. Although the survey findings are indicative of the growing awareness that cybersecurity risks are business-critical, Melancon added it would appear that there is still significant room for improvement.

“Executives and IT security teams have dramatically improved their ability to communicate cybersecurity risk to boards, but the key is to make cybersecurity actionable before a breach.”

The study also surveyed 176 IT professionals outside the board, whom were for the most part (47 percent), “not concerned” about their board’s knowledge of cybersecurity. Of those who expressed concern, 28 percent stated they did not have visibility into what the board is told about cybersecurity; 22 percent claimed the information given to the board is not adequate; while a small number (4 percent) said they are not in active dialogue with c-level executives about infosec issues. Other key findings from the study indicated that the challenges with cybersecurity are ultimately, not associated with having the right tools – an overwhelming 85 percent of respondents stated that their executive team has the tools they need to accurately present cybersecurity risks to the board. “Since respondents believe they have tools and data in place, but breaches continue to grow, this really does appear to be a literacy problem,” said Tripwire’s Tim Erlin, director of IT risk and security strategy. As Melancon further explained, the problem likely comes down to effective communication among IT professionals and C-level executives.

“[Organizations] are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”

With ongoing high-profile incidents and vulnerabilities serving as a clear reminder, the study shows that decision-makers and IT staff are becoming well aware of how cybersecurity risks can directly impact their organization. “Confidence in communication that moves cybersecurity up the list of business priorities is the objective,” said Melancon.   _{Title image courtesy of Shutterstock.com}