Notes from the first ENISA Cybersecurity Awareness Raising Conference – 27 November 2024, Ljubljana, Slovenia
The inaugural ENISA Cybersecurity Awareness Raising Conference, hosted by the Slovenian national CERT at the impressive cultural centre Cankarjev Dom, welcomed over 200 cybersecurity awareness experts from across the European member countries. I was there too.
The well-structured programme, packed with great content, made me feel like a child in a candy store. This, paired with the excitement of returning to one of my favourite European capitals, doubled the enjoyment! The talks explored cyberpsychology, crime prevention for older adults, the role of neurodiversity in cybersecurity awareness, and much more. But to find out more, you’ll need to read on.
Cybersecurity as second nature
Dimitra Liveri from ENISA gave the welcome address and it was music to my ears: “Emphasising the human factor underlines a cultural transformation that necessitates a behavioural change. It’s crucial to create an environment that rewards the right behaviours rather than punishing mistakes.” And the music played on: “Simplicity and accessibility, alongside a safe space for reporting incidents without fear of retribution, are also essential. As awareness professionals and communicators, we are uniquely positioned to make cybersecurity feel personal. Let’s move beyond technical solutions, build the human firewall and be the first line of defence.” (A proud moment there as Dimitra actually quoted the tagline of our 2024 Cybersecurity Month Campaign!)
Victim bias and the privacy paradox
The keynote by Dr. Louise O’Hagan from Cyber Awareness Ireland explored how psychological theories are leveraged both in cybercrime and cybersecurity: “We need to understand cybercrime through psychology in order to create effective cybersecurity measures.” Dr. O’Hagan also touched upon victim bias and the privacy paradox. “By simply being online, we’re all vulnerable to data exploitation; the same persuasion techniques used by cybercriminals are also employed by legitimate companies to collect our data, only to further target and influence us.” Remember the Cambridge Analytica scandal? She concluded with a powerful reminder that the emotional and psychological toll of cybercrime on its victims often far exceeds the financial losses.
I’d rather not be the firewall because I am flammable
Dr. David Modic from the University of Ljubljana delivered a thought-provoking speech on a project exploring human attack vectors. He highlighted how this collaboration project revealed ethical dilemmas stemming from the reluctance of one of the partners to acknowledge vulnerabilities due to fears of reputational damage, which risked compromising the project’s authenticity. Modic underlined the critical importance of understanding and confronting one’s vulnerabilities instead of remaining in denial. However, he also highlighted a paradox: while people often recognise their weaknesses, they are frequently unwilling to face them.
Inclusive systems foster security
Dr Joakim Kävrestad from Jönköping University (Sweden) presented his insightful research on cybersecurity and diversity. Cybersecurity tasks can be mentally exhausting, especially for neurodivergent users who require more cognitive energy to complete them. As a result, they may struggle with security measures and adopt lower security postures. This issue affects about 15% of the population and highlights a key inclusion problem: systems must remain secure even when users’ cognitive abilities are temporarily or permanently reduced. To improve security for everyone, systems should be easy to use and navigate regardless of cognitive ability, and cybersecurity measures should be simple to understand and easy to follow, ensuring that all users, including neurodivergent individuals, can engage effectively with security practices.
Making legal choices in the digital world
“Around 60% of DDoS attacks are carried out by young people, many of whom are first exposed to cybercrime through online gaming,” explains Jan Olson from the Swedish Cybercrime Centre. (Who knew?) “Most of these young cyber attackers don’t fully grasp the legal and ethical consequences of their actions.” To address this growing issue, the International Cyber Offender Prevention network (InterCOP), made up of international law enforcement agencies, is jointly developing, implementing and evaluating COP interventions and prevention campaigns. One of the network’s main goals is to guide young cyber-skilled individuals in the right direction, deterring them from engaging in illegal online activities through a variety of initiatives including Google ads, virtual police stations and one-day workshops.
Cyber safety for older adults
All heads were nodding in approval during the very engaging talk by Dr. Hazel Murray from Munster Technological University (Cork, Ireland) who shared details about a project aimed at enhancing cyber safety for older adults: an excellent example of how digital literacy initiatives can have a significant, positive social impact. A nationwide survey commissioned by the project revealed that older adults are particularly vulnerable to cybercrime, often risking their life savings with little chance of recovery, which can lead to devastating consequences.
This well-thought-out project included one-on-one interviews and focus groups designed to offer personalised support and education on avoiding scams, managing privacy online, creating strong passwords, and banking securely online. This approach is designed to help reduce the anxiety and embarrassment that many older adults feel when they don’t know where to turn for help. As Dr Murray highlighted: “Creating an inclusive and safe digital environment for older adults and vulnerable individuals in society increases safety for all.”
Beyond Fear
Rethinking cybersecurity awareness by focusing on empowerment rather than intimidation is at the core of Beyond Fear, an initiative presented by Brian Honan, an experienced cybersecurity consultant from Ireland. “The current approach to awareness-raising often falls short; it’s about ticking boxes without genuinely raising awareness. The 2024 data breach investigation report highlights that humans, not devices, are the primary targets: communicating in a way people understand is crucial.”
The speaker highlighted that awareness campaigns typically use complex terminology, failing to connect with the audience. “The focus should shift from GDPR to GPPR (replacing Data with People), protecting people and encouraging those who engage and report cybercrime.” He continued: “To be effective, we need to design systems that support users, even when they make mistakes, by providing clear warnings and promoting behaviour change. Think of the introduction of the seatbelt in cars; the parallels are clear. We must focus on building better infrastructure, improved detection and response systems, and rethink past practices to create a more user-centric approach that safeguards everyone.”
Let’s play
The final session of the event featured presentations on gamified awareness raising tools for cybersecurity.
Katja Dörlemann from Switch, the Swiss National Research and Education Network, talked about the use of gaming in cybersecurity awareness and training. “Games are an effective way to engage people and help them understand cybersecurity concepts they might think they already know.” Katja presented an escape room-style game (Hack the Hacker), an outdoor quest/scavenger hunt (Track the Hacker) and the very popular role-playing game based on the Dungeons and Dragons model, which applies social engineering techniques (Piece of Cake). These three games focus on demystifying information security, empowering users, and improving teamwork. I wholeheartedly encourage you to contact our friends at Switch to find out more and try playing them with your teams.
Marianne Lindroth from Aalto University (Finland) told us about Cyber City Tycoon, an online game (11 years +) developed with support from the EU in the context of the Cyber Citizen initiative and available in all European languages. The game’s interactive learning method lets players familiarise themselves with cybersecurity concepts just by playing, and puts them in a position to recognise common threats in everyday life. (When I spontaneously offered my 12yo to download it, she nearly fell off her chair.)
I am going to tell you a story
With a large constituency and over 100,000 incidents handled in 2024, the Polish National CERT must communicate effectively. Iwona Prószyńska shared details of the CERT’s latest cybersecurity awareness campaign, a series of short information videos that were broadcast on national TV during EURO 2024. She explained: “Why storytelling? Because it leverages emotions, involvement, and truth to present complex data in an accessible and engaging manner that captures and sustains the audience’s attention.”
And now the science bit: when we hear or read a narrative, especially one that evokes emotion or action, it activates not only the areas responsible for language, but also the brain regions involved in sensory processing, memory, and emotional response. This is why storytelling is so impactful.
Prószyńska also brought to our attention the success of storytelling in the New Zealand government’s “Keep it Real Online” campaign, a brilliant example definitely worth exploring.
Knowledge and action
What a day! My head is still buzzing—I learned so much, made some great new connections, and had the chance to reconnect with old friends. Here are my key takeaways in a nutshell: the human element is crucial in the cybersecurity field; inclusive cybersecurity strengthens security for everyone; raising awareness needs to be a collective effort; and engaging C-suite leaders can amplify the impact of awareness programmes and drive cultural transformation.
The knowledge in this area is expanding rapidly, and awareness experts across Europe and beyond are actively turning it into action.