Enhancing resilience to cybersecurity events through citizen engagement

In the Basque Country of Spain, the prevention of cybercrimes constitutes one of the greatest modern challenges for the police. Although some improvements have been made, hackers are getting more skilled and, in instances where critical infrastructure is targeted, it can be difficult for authorities to trace the exact cause of a cyberattack. Iker Legardon and Iñaki Gangoiti, police officers in the Basque Country, and John Rincón, a researcher involved in the EU-funded ENGAGE project from TECNUN- University of Navarra, spoke with Alexandra Olson, EENA’s EU Projects Officer, about the awareness campaigns that have been carried out as a part of a validation exercise of the project.

The ENGAGE project seeks to take a “whole of society” approach to enhancing the ability of societies to respond to and recover from nature-derived or man-made disasters. In this regard, ENGAGE seeks to identify solutions (guidelines, technologies, campaigns, or other tools) that can improve collaborations between citizens, first responders, and public authorities and demonstrate through exercises their applicability in other contexts.

School training campaigns, which target children aged 5-18 in the Basque Country, are one such identified solution and one of the main preventative tools that the Basque police (the Ertzaintza) have at their disposal. Recently, the Ertzaintza (in collaboration with TECNUN) developed another additional solution- a social media campaign to enhance awareness of cybercrimes to a wider audience. These campaigns played a large role in a validation exercise within the ENGAGE project, which focused on a cyber-attack scenario where critical infrastructure, such as the energy delivery sector, was impacted.

The exercise studied the ability of municipal and regional authorities to respond and recover from the event. A particular emphasis was placed on interactions with citizens, exploring how prevention activities could enhance their awareness of the risks that cybercrimes pose. The exercise culminated in a tabletop workshop involving a scenario where the enterprise side of a network was being used to attack an operational technology via malware through the employment of methods such as phishing. In this scenario, these methods led to a power outage for several hours.

Can you tell us a little bit about the risks that cybercrimes pose in the Basque country? Are there any common trends that you frequently see?

Iker: In the Basque country, the levels of cybercrimes throughout the year are more or less the same- they don’t increase but they don’t go down, either. Some of the most prominent risks that we see include fraud, grooming, and sex extortion among young people.

Ertzaintza has set up two types of campaigns: a school training campaign and a social media campaign. Could you tell us more about the training campaign that has been carried out in schools?

Iker: The campaigns are carried out during the scholarly year because during this time we know that the messages we want to convey will reach young people. The campaigns include presentations of 1.5 to 2 hours and aim to teach children about different types of safety measures. For children who are aged 5-9 years old, for example, the training focuses on how to call 112, how to safely cross the street, and how to use various tools or devices at home. However, since children aged 9 to 18 start using social media networks, we talk about the threats and dangers that they can come across on the internet and normally we modify the training during the year if we detect a new kind of crime or threat.

How was the social media campaign developed?

Inaki: The social media campaign on [raising awareness of] cybercrimes was launched, which included an infographic about a specific cybercrime along with several tips to stay safe online. These tips were shared daily for thirty days.

In preparation for this campaign, a search was conducted for videos, links, campaigns, photographs, or any other visual material that could complement the ideas, messages, and objectives of the campaign.

John: The social media campaign was created from scratch and involved several departments within the Ertzaintza. We started with our contact within the project and the campaign then scaled out to involve their communications and press departments. They created the content based on our input and the input from the awareness campaigns, which resulted in 30 tips to help individuals stay safe while online, which they then posted on their social media accounts.

How was the effectiveness of the campaigns measured?

John: The effectiveness of the training campaigns was measured differently according to the type of activity. For instance, the school training campaign was assessed through questionnaires conducted before and after the presentations were shown to the students. In this way, we tried to understand the knowledge they have built up over the years since the presentations are given throughout elementary and secondary education. Also, we wanted to observe whether the students improved their scores after the presentation is shown so we make sure that the new message has been received. So far, we noticed that there are no big gaps between the before and after tests, proving that having the campaigns carried out over the years are making the students more aware of the cyber risks. Likewise, the slight improvement in the scores showed that the new information has been regarded as useful for the students. This result is also backed by the appreciation of the students when they rate the presentation on average 8 out of 10 in terms of both information and presentation quality.

Inaki: Surveys are conducted with the students after each outreach activity. The school principals also complete a separate survey, conducted at the end of the school year, which evaluates all the activities carried out by the Ertzaintza in the school. Both surveys assess quantitative and qualitative aspects and the results are then analyzed and evaluated to identify opportunities for improvement.

John: The social media campaign aimed to reach a wider audience compared to the school training campaigns. In this case, we used the social media channels of the Ertzaintza since it is a trustworthy source of information for citizens. In this case, we assessed the campaign by using common metrics for social media such as views, impressions, and playtime. Despite the challenges posed by the content not being viral and able to be replicated easily to reach more people, it could be said that the campaign itself was a success based on the number of followers and the metrics produced during the long month length of the campaign. For example, users were interested to know more about two-step authentication, personal information online, private VPNs, fake profiles, phishing and so on.  Although it is hard to predict if the results of the campaigns will have a direct impact on the reduction of cybercrimes, it is proven that a population more aware of cyber risks would definitively be more prone to avoid being an easy target for cybercrimes.

How do the campaigns fit into the validation exercise that was being carried out by ENGAGE?

John: Since it is difficult to make a direct link between cybercrimes and the campaigns, we planned a workshop (tabletop) to validate these solutions. We tried to involve different experts with different perspectives so that we could further our approach, rather than just having a tabletop exercise based on the technicalities of a cybersecurity incident. We tried to get them to think about a scenario where a cyber incident could happen, where they are not able to get a handle on the situation within the first few hours. [We wanted to evaluate] how they will react with citizens, how they could be involved, and how [the situation] can play out. During the tabletop, we showed the experts the results of the campaigns and checked if the solutions that we proposed would be useful in this scenario.

Our members may read this blog and want to implement similar awareness campaigns in their own area. What challenges would you advise them to keep in mind when doing so?

Inaki: In an online campaign, it is important to use language tailored to the target age group. In our case, we had to strike a balance between the language used by young people and the institutional aspect of the campaign. Since it was a campaign of a public administration, we were not able to incorporate all of the suggestions that we received from individuals we collaborated with.

John: The school training campaign is now in high demand by schools and has become one of the flagships of Ertzaintza’s work in the community. Having this programme operate on a voluntary basis gives the volunteers more room to be creative when giving the presentations. They also usually have internal training to update them on the latest cybercrimes so that they can be implemented into the presentations. One key aspect to keep in mind [when implementing a similar initiative] is to ensure that you have a leader for this role, especially someone who feels that such work is crucial for the overall mission of the organization. Cross-departmental collaboration is also very important, particularly since volunteers come from different departments, and strengthens the overall quality of the campaigns.

For both campaigns, the common factors that [that were necessary for their success] were consistency and commitment.