Determining personnel’s level of cyber security knowledge in Sasky Education Consortium

Abstract

The subject of the research was to study how the personnel of the consortium of education associations understands the threats caused by cyber security and to find out the initial level of cyber security expertise. In addition, the aim was to develop a reference framework for the organization that it can use to improve the cyber security skills of the personnel in the future. The client was the Sasky Education Consortium. The importance of cybersecurity has increased with globalization and digitalization and thus added challenges for the organization. However, to achieve a good level of cyber security, it is not enough for the organization to invest in software and hardware. Still, the competence and motivation of the personnel play a significant role in forming the level of cyber security. The theoretical part deals in general with data protection and data security issues, legislation, the EU Data Protection and Regulation, and reference frameworks related to cyber security. In addition, the theory has addressed the impact of corporate culture in information security situations and the effect of psychology on personnel operations. Cybersecurity of hardware and software was excluded from the study. Similarly, students' cybersecurity competencies were left unaddressed. Quantitative research was used as the research method. An electronic survey was utilized in the personnel competence survey. The findings of the study were compared with other similar studies. Based on the comparison, it was found that the results obtained are in line with previous studies. Based on the results, the consortium has needed to improve the cyber security skills of the personnel, the skills are mainly good, but some short-comings were also found. In the big picture, an organization needs a culture change. Cyber security expertise must be in everyone's control to understand the impact of the choices made on overall cybersecurity. Thus, cybersecurity is a part of everyone's daily work, not a separate entity taken care of by the IT department or management. Further training and precise guidance can improve this understanding.