1
LITERACY
When I inherited the security program at Southern Methodist University (SMU) in Dallas, Texas, I had a problem. The IT department had been doing security training for years. Some training materials had been developed, mostly as a handful of PowerPoint slides. Our trainer emailed them to me, obviously relieved to not have to do this anymore, and said, “It’s your job now!” Where did I need to begin? What did I need to train people on? What did they need to know?
I had been doing cybersecurity for years—hardening servers or configuring firewalls—but your average person doesn’t need to know all of the technical details about security. And unfortunately, at first, rather than figuring out the foundation of knowledge that I needed to provide, I focused on the details. When it became common for employees to carry smartphones, my team and I focused on how to secure those devices. When ransomware rose in popularity, we educated users about what it is and how to avoid it. As phishing continued to rise, we began using simulated phishing campaigns to teach about recognizing such messages. After years of this, I realized we were just plugging our fingers into the holes of the dam. This was the wrong approach. What we had been doing was giving people fish instead of teaching them to fish. Instead, we needed to understand what a foundation for security might look like. So, I tried to figure out what cybersecurity awareness was and how I could make people cybersecurity literate without forcing them to become firewall engineers along the way.
If you were to ask someone what it meant to be literate, they would say that you should be able to recognize the words on a page. You can be fluent in spoken English but still be illiterate if you can’t read the words and write them down. I think the definition of cybersecurity literacy should follow this model. You don’t need to know everything there is to know about cybersecurity to be considered literate. But you do need to be able to recognize the words on the page. You need a proper foundation so you can ask the right questions and know where to get answers to those questions. This foundation is built by optimizing cybersecurity education, building awareness, understanding tactical literacy, having an adaptable framework in place, and securing the brain.
Fearless learning
In June 2017, I was in Vancouver, British Columbia, attending Palo Alto Networks’ annual cybersecurity conference, Ignite. Typically, the focus is on in-depth technical challenges and on how customers are solving those problems using Palo Alto’s technology, but something different happened in 2017. During the opening keynote, Mark McLaughlin, who was the CEO of Palo Alto Networks at the time, stepped aside and welcomed the Girl Scouts CEO, Sylvia Acevedo. Acevedo came onstage and announced that her organization had partnered with Palo Alto Networks to create a series of cybersecurity-focused merit badges for girls.
Acevedo had been on the board of the Girl Scouts for eight years when she was asked to become the interim CEO in June 2016. At the time, the Girl Scouts were in the planning stages of completely revamping their merit badges to incorporate science, technology, engineering, and math (STEM) and other important concepts. Through surveys across the country, they asked girls what they were interested in, and girls of all ages answered that they wanted to learn about one topic: cybersecurity.
In 2016 TechCrunch reported that the average girl gets a smartphone at age ten.1 By that age, many children already have email addresses necessitated by their school or other activities. The Girl Scouts realized that girls didn’t have a trusted source for information on how to protect themselves in a digital world. They realized they had a calling to fill that gap. But what would be the best method to teach these girls about cybersecurity?
The real challenge for Acevedo was figuring out how to teach girls about something as complicated as cybersecurity. The answer, as it turns out, doesn’t just apply to Brownies or Daisies. The answer applies equally well to dentists or CEOs. To teach someone, you need to figure out what interests them and what is relevant, and then you need to find a way to make that knowledge practical.
Acevedo began her career as a rocket scientist at NASA’s Jet Propulsion Laboratory, where she worked on NASA’s Voyager 2 mission.2 She has held executive and engineering roles at leading technology companies, such as Apple, Dell, Autodesk Inc., and IBM. Acevedo’s background in technology led her to ask the following questions: What if we adopt agile development methods and apply them to the merit badge process? How can we short-circuit the development process and get girls the skills they need when they need them?
In technology, the concept of agile development began to gain momentum in the early 2000s.3 Modern software can include billions of lines of code. So, it’s important to make sure that the code, as written, actually does what the users, customers, and businesses need it to do. Old development methods were like those used to build a building: An architect came up with the plans, and the builder delivered on those plans. Unlike with a building, if the software wasn’t right at the end of the project, it would usually get thrown away, and the process would start over. Agile development is different in that it gives the users, customers, and executives a chance to provide feedback while the building is being built. This process requires developers to break projects down into small, individual pieces. They use “sprints” to deliver these pieces quickly, usually within two to three weeks instead of the years or decades it normally takes to build software. This is why companies like Google now deliver their software with “beta” on them; being in beta means that the software is still being tested and new features will continue to roll out much more rapidly than they otherwise would.
In applying this agile method of development, the Girl Scouts looked to partners like Palo Alto Networks for subject matter experts in different areas. Finding the core subjects in a field helped define what needed to be taught. The Girl Scouts then applied their understanding of how girls learn to come up with the programs and activities for how to teach these subjects in each age group. They continue to test these teaching methods to find out what works best and to make sure the activities are fun and relevant, ensuring the girls want to keep learning. The security strategy that fits your needs might be different depending on who you are: A recent college graduate looking for a job needs different strategies to stay secure than a vice president who is looking to become a CEO. A one-size-fits-all approach won’t meet either person’s needs, so it’s best to experiment rapidly to see what doesn’t work and what leads to success.
In the Girl Scouts, girls are grouped by age. Grouping the girls this way is important to learning because each age defines a new stage of development, and education is tailored to each stage. To teach coding to Daisies (grades K-1), you need to show how computers talk to one another in binary language. Computers transmit code in bits that are labeled as a zero or a one. Computers string millions of these ones and zeros together every second as they talk to one another. But you’ll lose the Daisies if you talk about ones and zeros. Instead, the Girl Scouts put blue and yellow beads on the table. Then, they have the alphabet expressed not as zeros and ones but as yellow and blue. The Daisies are asked to write their initials on a bracelet using the code. What happens after this is amazing. The girls come back wanting a longer piece of string. They want to write not just their initials but their whole name. Then they come back and ask for an even longer piece of string because they want to write all their names together. “You’ve taught them an unbelievably complex idea in a way that they can wrap their heads around,” said Sapreet Saluja, chief strategic partnerships and new ventures officer for the Girl Scouts. “And then they build on it and build on that. And then by the time they’re ready to learn the next skill, they get it practically, and they know how to build from there. Not only do we, per our mission, want them to use those skills to impact the world, but it’s also what they want. It’s one of the most important things to them. It ends up being the delta between interest and disinterest if there is something practical they can do with their knowledge.”
To teach Brownies (grades 2-3) about important concepts in cybersecurity like networking and malware, where would you begin? You can’t start by describing how TCP/IP protocols encapsulate data into headers. You can’t teach them the OSI seven-layer model of networking. Instead, the Girl Scouts teach the importance of a physical network in transmitting computer viruses to someone the girls have never connected with. The Brownies sit in a circle and pass a ball of yarn to one another; in a short amount of time, a physical network appears. Then they can show how Alice talked to Jane and then Sara talked to Jane. They can see in the network how the malware was transmitted from Alice to Sara. This is relevant to the girls not just because they start to see a pattern emerge but because while they’re doing it, they’re constantly reinforcing the things most important to the girls: community and connection. But how do we apply this agile development model of learning to help others learn about cybersecurity?
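The yarn-circle exercise above, written out as an added example that is not part of the book: a constructed pass log is turned into a contact network, the hand-off chain that carried the malware from Alice to Sara (through Jane, as the chapter describes) is traced, and the model goes one step further than the exercise by asking which girl's removal from the circle would have contained the spread. Alice, Jane and Sara are the chapter's names; Maya, Priya and Emma are made up.

```python
from collections import deque

# Constructed pass log for the Brownies' yarn circle: (giver, receiver).
# Alice, Jane and Sara come from the chapter; the other names are made up.
YARN_PASSES = [
    ("Alice", "Jane"), ("Jane", "Sara"), ("Sara", "Maya"),
    ("Jane", "Priya"), ("Priya", "Maya"), ("Emma", "Alice"),
]

def build_network(passes):
    """Adjacency map; the yarn links both girls, so edges are undirected."""
    network = {}
    for giver, receiver in passes:
        network.setdefault(giver, set()).add(receiver)
        network.setdefault(receiver, set()).add(giver)
    return network

def transmission_path(network, source, target):
    """Shortest chain of hand-offs (breadth-first search) from source to target,
    or None if the two are not connected."""
    parents = {source: None}
    queue = deque([source])
    while queue and target not in parents:
        current = queue.popleft()
        for neighbour in sorted(network.get(current, ())):  # sorted: deterministic
            if neighbour not in parents:
                parents[neighbour] = current
                queue.append(neighbour)
    if target not in parents:
        return None
    path, node = [], target
    while node is not None:            # walk parent links back to the source
        path.append(node)
        node = parents[node]
    return path[::-1]

def containment_points(network, patient_zero, target):
    """Girls whose removal from the circle (pulling their yarn) breaks every
    route from patient_zero to target: where a defender would cut first."""
    cuts = []
    for person in network:
        if person in (patient_zero, target):
            continue
        reduced = {p: nbrs - {person} for p, nbrs in network.items() if p != person}
        if transmission_path(reduced, patient_zero, target) is None:
            cuts.append(person)
    return sorted(cuts)

if __name__ == "__main__":
    net = build_network(YARN_PASSES)
    print("Alice -> Sara:", " -> ".join(transmission_path(net, "Alice", "Sara")))
    print("Cut to protect Maya:", containment_points(net, "Alice", "Maya"))
```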
When I began running the training program at SMU, we trained our employees about cybersecurity exclusively through yearly in-person sessions. At the time, we typically only reached about 5 percent of our total workforce each year using this method. One session, for which I had spent months developing the content and rehearsing, only had two people show up. We offered free drinks, popcorn, and prizes to encourage people to come. But our outreach efforts were always limited because our staff was too busy doing their day-to-day work. Our most successful outreach came from going to departmental meetings where we would talk about relevant security issues for twenty to thirty minutes, but those opportunities were rare.
Before I go too much further, I should acknowledge that the goal of training isn’t efficiency. It’s tempting to say that in-person training was a waste of time. The goal of training is to help employees or family members understand security and make better decisions based on this understanding. When we were able to train one-on-one at SMU, we found that one of the biggest benefits of this approach was the relationships we built along the way. Even if the message wasn’t clearly understood, everyone knew whom to call when a problem came up. These meetings established enough trust that they were comfortable sharing those problems with us. And as you will see, this in itself is a very important part of cybersecurity literacy.
Next, I adopted a hybrid approach: We still met with departments about cybersecurity to continue the dialogue we had already begun, but we switched our main outreach method to an online class. We were able to drastically increase our outreach. We went from reaching 5 percent of our users to reaching nearly 20 percent. Employees who couldn’t get away from their desks could now take our training whenever they were able. The training program wasn’t mandatory at this point, but this was a huge success.
A lot of companies provide online security awareness training. A company called Cybrary offers free security awareness classes, but other excellent training is available from the SANS Institute, KnowBe4, Proofpoint, MediaPRO, and others. Compliance regimes now recommend some form of training, and programs like this will check the box of security awareness training. But checking a box doesn’t create security literacy. Often, these programs operate more like sexual harassment or diversity training—the same courses are offered year after year. People see them as a waste of time and make fun of them. They try to cheat to skip ahead or just leave the mandatory video playing while they walk away for a meeting. These programs aren’t customized for individuals, and they don’t consider what that person might already know. They aren’t progressive. In a college course, you would take a 101 class your freshman year, then a 202 class your sophomore year, and so on. You learn concepts, and then you build on those concepts, progressing to a more advanced level.
This isn’t a book about metrics, but it’s tempting to look at the percentages above as a reflection of the effectiveness of our security program. I certainly focused far too much on the numbers. It’s easy to focus on percentages when they aren’t very high, but these numbers fall short of telling the whole story. Our 20 percent outreach was good for a voluntary program but not great in the larger scheme of things. This didn’t mean we weren’t secure or didn’t have a culture that valued security. We would later make annual training mandatory. At that point, we consistently got above 95 percent participation, but this number still does not reflect the effectiveness of our security training efforts. The number of users trained isn’t a success metric. Some training programs require a quiz before and after the training session, but that doesn’t reflect the success of training efforts either—that is more like teaching to the test.
What I’ve realized is that the way to measure the effectiveness of training, and thereby help create cybersecurity literacy, is to measure the outcomes of that training. Have your behaviors changed? Has the success of phishing campaigns been diminished? Do employees engage in less risky behavior? Has the number of breaches or incidents dropped because employees are more secure? Or has the number of breaches or incidents increased due to a higher awareness of issues and reporting? Are we still building relationships so people will call us when there is a problem? Or are we harming those relationships because people resent us for wasting their time?
Without a way of measuring global outcomes, we can’t evaluate which training method for an individual is most effective. We can’t measure which training session had the biggest impact. We can’t know which security training vendor has the right courses that will work for each person.
The other mistake I made in developing a security awareness training program was that I only considered the program one class at a time. I didn’t consider each individual’s training needs. If you are educating your employees to be literate in cybersecurity, you must first assess what the relevant individuals’ learning styles are and how you can customize the material to meet their needs. Consider where an employee is in terms of their security maturity—what courses have they already taken and what good habits do they already have? Think about their role and how they perform their duties. How much access to sensitive information do they have? How much or how little do they use technology? How computer literate are they already? By knowing the answers to these questions, you can tailor education to your employees.
In marketing, they use “personas” to understand who their audience is before developing a campaign for them, and in security, this is also crucial. When I create training materials, I use several security personas based on the level of access for each person and how they use technology. Using these personas helps me understand the needs, motivations, pain points, and communication styles for each and allows me to meet employees where they are to connect with them rather than expect them to connect with me. A good persona includes a photo, a name, demographics, motivations, quotes, and more.
Users who telecommute or travel frequently for work might have time constraints or limitations on how and when they can receive training. Users who primarily use mobile devices might have more limited access with which to receive training. Telecommuters should be very knowledgeable about virtual private networks, while mobile users might need more device-specific policies and procedures for how to access information. But the final dilemma is how to measure whether your efforts have been effective and to further improve them based on reaching the desired outcome: changing behaviors.
The nine habits presented in this book are my answer to this dilemma. Each habit is a measurement of a dimension of security outcomes. Each can be measured, just like high blood pressure, cholesterol, daily caloric intake, or daily exercise rates. This provides a more global picture for an organization, but it also gives us a detailed picture of an individual. The same training course for one person won’t be as effective for someone else in a different job or with a different personal history or learning style. Once you have a way to educate in place, you need to build awareness of what we are trying to protect and from whom.
Unfortunately, learning can be scary. One group suggests that up to 38 percent of the population has moderate to severe test anxie...