Cybersecurity and incident response processes for maintaining operational security and continuity at vocational education institutions

Abstract

The presence of cybersecurity in educational institutions, including vocational education and training (VET), plays a vital role in ensuring the overall societal security in an increasing digital world. This study explores how staff of VET institutions respond to suspected cybersecurity incidents, focusing on reporting channels and methods used. The objective is to better understand incident response practices in the under-researched VET context, with special attention given to the human and organisational aspects of cybersecurity. VET institutions operate digital systems that mirror real workplace environments and often handle authentic customer data, exposing them to risks that differ from those of general education settings. A qualitative methodology was employed, consisting of thematic interviews with twenty-seven staff members across three Finnish vocational schools. The analysis was guided by the Situation Awareness in Cybersecurity Incident Response model and the Zone of Proximal Development framework, allowing for a deeper exploration of how staff perceive and act upon potential threats. Although formal reporting procedures exist, staff frequently rely on informal networks and direct contact with IT support. Urgent cases are often communicated via phone, a method perceived as efficient but lacking in documentation and structure, which can hinder post-incident analysis and learning. Improving cybersecurity incident response in VET institutions requires the integration of formal digital tools with flexible, human-centred communication methods. Strengthening these systems is essential, not only for protecting sensitive data, ensuring continuity, and creating safer learning environments, but also for reinforcing the digital resilience of society as a whole.