New CSY e-learning module on phishing and ransomware

By Rosanne Pouw, Product Manager Awareness and Training at SURF

Phishing and ransomware are the most common cybersecurity threats for the research and education sector. Research and education institutions have to find ways to raise awareness among their employees and students on a tight budget. Cybersave Yourself added a new online e-learning module on phishing and ransomware that institutions can customise and use free of charge. The generic module is available for everyone on the CSY website.

Based on a real ransomware attack

The module follows the story of a ransomware attack at Maastricht University that put education on hold during the Christmas Holiday. It started with a phishing mail that turned into a full scale attack. With a tight deadline of starting again in January, the University had to make a though decision.

Learn how to recognise a phishing mail and how to prevent a ransomware attack in this ten minute module. The module integrates the story line with different types of media: emails, letters, tweets and audio dialogues. Knowledge is tested by several short quizzes.

An effort of collaboration

We started by forming a work group and interviewing experts from Maastricht University for the story line. The module was created by professionals from Dutch Universities and with the help of educational experts. The module can be embedded in a Learning Management System (LMS). While reviewing our existing e-learning module we found out that for many institutions, using the LMS was a complicated and slow process. That is why we chose for an online magazine format. The module can be embedded as an i-frame in Sharepoint or other system, or made accessible by adding a button with a link to the online module in whatever system an institution uses.

Awareness metrics made easy

Measuring the effect of awareness campaigns is complicated. Knowing how many of your employees or students have completed the e-learning is a valuable insight. Through interviews we found out that gathering metrics and creating reports was one of the most wanted functionalities, yet also one of the most complicated processes to implement.

Looking at the systems Dutch institutions already use, we added the quizzes by creating quizzes in Microsoft Forms. Institutions that want to know how many of their employees or students have followed the e-learning can request a version for their institution that can be customized. The customisation entails:

• Replacing quizzes by their own knowledge quiz made in their institution’s O365 space. Allowing full control on the questions they like to test on, plus giving them direct insight in basic metrics through Microsoft Forms
• Replacing the CSY logo by the logo of the institution

Limitations of this module

This module does not contain video’s due to budget limitations. However, institutions are free to record their own video that they can embed in the version of their own institution.

Some systems prevent i-frame embedding. In that case, the module can be accessed by a button or adding the link to the module. The link is leading to the website where the module is hosted, thus making it less attractive for security professionals who often prefer awareness material to be hosted within the systems of their institutions.

The quizzes can be replaced if an institution has Office 365. If this is unavailable, the generic module can still be used to raise awareness. If an institution has a LMS, they can move the quizzes to the LMS to generate metrics.

The quizzes in this module are formative. This means that they are aimed at helping the reader learn the material. For awareness purposes, summative testing is often required. This is a test that you have to pass to show you mastered the material. If institutions require summative testing, embedding the module in their LMS and moving the final test to the LMS can solve this problem.

Privacy & Security

We chose a supplier (Maglr) who explicitly choose to not gather and store personal data of visitors of publications. For the generic module we used O365 forms that do not need or gather personal data.

Since embedding an i-frame introduces a certain risk, some institutions block this function. If you want to embed the form you have to request the IT department to allow embedding from Maglr as a source. If you want to avoid this risk of embedding an i-frame altogether, we advice placing a button with a link to your module in your own learning environment.

About Cybersave Yourself

This module is offered as part of the Cybersave Yourself toolkit. Cybersave Yourself is the security awareness campaign for education and research in the Netherlands. It contains security tips, videos and games about security and privacy awareness. Cybersave Yourself provides a toolkit with materials for institutions to create their own awareness programs.

About the author

Rosanne Pouw is Product Manager Awareness & Training at SURF. In this role she merges knowledge about cybersecurity, privacy and social psychology to create products that meet the needs of the R&E community. She manages the Cybersave Yourself toolkit, a free repository with materials and information for R&E institutions to build their own awareness campaigns. SURF also conducts an annual awareness survey for the sector, organizes security training and workshops and hosts awareness community events.

In her mission to inspire and innovate she likes sharing her enthusiasm for the human factor in cybersecurity on LinkedIn.

Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Become A Cyber Hero‘. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23