Cybersecurity attacks are on the rise in all areas of society, and, with the help of today’s artificial intelligence tools, they are becoming more sophisticated. However, there are not enough cybersecurity professionals, either globally or even in Europe, with the necessary skills to deal with these attacks. The recent pandemic has highlighted the dependence of all citizens (young, old, with or without experience) on digital technologies to carry out a variety of daily activities. Thus, it is necessary to be aware of the risks associated with frequent interaction with digital technologies and to be familiar with good practices in order to promote the safety of this interaction, otherwise the consequences can be disastrous. A cybersecure society depends on the education and awareness of the entire population, so it is essential that this is ensured as early as possible.

The project “YUCA” (Young Cyber-Aware to build a resilient cybersecure society) explores the teaching of cybersecurity in the 1st and 2nd CEB in Portugal. It obtains opinions from teachers and guardians on the current and future state of education in this area, and could help to define a strategy to integrate it into the education of school pupils aged 6 to 12. 

The focus at these ages is on the fact that interaction with digital technologies becomes more frequent with the beginning of school activity. Furthermore, children aged 9-10, who are about to start the 2nd CEB, spend more time at school, and usually have their mobile phone with them to contact their parents if they need to leave early or for any other reason. Presenting cybersecurity topics within the context of their school activities in these phases of transition between cycles can help young people to start a safer relationship with technology, before dangerous habits can crystallise. There is also the potential for these young people to grow up better informed, thus gaining knowledge and interest in these areas, which, in the future, may be their areas of choice for study and specialisation.

The sample obtained in this study consists of: 

• 1,348 teachers, who teach in 25 school group districts in mainland Portugal (North: 36%; Centre: 52%; South: 10%),

and

• 560 guardians of pupils in the 1st CEB (71%) and the 2nd CEB (29%), living in 68 municipalities in mainland Portugal (North: 39%; Centre: 48%; South: 5%).

The majority of the teachers are female (80%). Their ages are between 18 and 30 (20%), between 31 and 45 (64%), and between 46 and 60 (15%), and they have a length of service of 21 to 30 years (41%) and 31 to 40 years (32%). The majority of the teachers (67%) have a bachelor’s degree, 18% have a master’s degree and 12% a postgraduate degree, while 7% of teachers hold senior staff positions.

As for the education guardians who participated in the study, most are female (85%), aged between 30 and 45 (61%) and between 46 and 60 (38%), and the vast majority are the parents of the pupils (99%). 

Half of the pupils concerned in the guardians sample are female (50%), are aged between 6 and 10 (76%) and between 11 and 14 (24%), and most of them attend the 1st CEB (76%). 

Teachers, guardians, and even pupils, use various types of devices on a daily basis, in different contexts and for different purposes. The most frequently used are mobile phones and laptops, regardless of context and purpose. However, teachers prefer the use of laptops in a professional context, for the preparation of lessons and work with pupils, while guardians use their mobile phone much more, even in professional environments. In the same way, pupils use their mobile phones a lot in this age group, because the goal is essentially to keep in touch with their families, and tablets, probably to access recreational content and games online. When it comes to doing their schoolwork, pupils prefer laptops. 

Generally, this is a sample that is quite accustomed to using different technological devices every day, so they have a frequent relationship with digital technologies and are exposed to the dangers and risks that they can entail.

​
 

​

​

​

​

 Most teachers state that they have some kind of training in digital technologies and cybersecurity. Although only about a quarter of guardians indicate that they have little training in technologies, half of those who do state that they have some kind of training in cybersecurity.

Of the cybersecurity content in which teachers indicate they have training, the five most mentioned issues, in order of selection, are: a) cyberbullying; b) sharing of personal data; c) password protection; d) social media risks, and e) identity protection. As for guardians, the selection differs slightly: a) password protection; b) sharing of personal data; c) cyberbullying; d) identity protection, and e) risks on social networks.

The majority of teachers (54%) and almost half of guardians (46%) are of the opinion that the general population should have some training in the area of cybersecurity. The reasons given in favour of this are as follows: “We are increasingly exposed and need to protect our data, our privacy”; “To know and prevent risks”; “It should be part of everyone’s knowledge, because it is important in every dimension”; “For personal protection”, and “To stay attentive and informed”.

Despite this, there are also some reasons given to justify why this training is not necessary: “It’s enough to know a little and you can read to get the necessary information, you don’t need training”; “We learn through practice and social awareness”; “Lack of availability/opportunity”; “It’s not my area”; “I don’t work with digital content on a regular basis”, and “The knowledge I have acquired through self-teaching is adequate, because I don’t use social media.” 

Very few teachers (5% of the total sample) answered the question of whether cybersecurity is addressed by the school, whether with pupils or with guardians, and also whether there are information and communication technology Curriculum Enrichment Activities (CEA) in the school where they teach. 

Guardians shared a little more on this subject (36%) indicating that the school addresses cybersecurity issues with pupils, but half of the respondents did not know how to answer this question. Those who answered affirmatively indicated that cybersecurity issues are mainly addressed within the ICT and Citizenship disciplines. There are also some CEAs that do so, as well as some projects that pupils have to work on.

It can be inferred from this lack of response from both teachers and guardians that the issue of cybersecurity is not integrated into the basic education curriculum of Portuguese public schools in a systematic and regular way. 

This may explain the need among the majority of teachers (71%) to state that they address these issues with their pupils, with the main ones being the dangers of social networks, sharing personal data, cyberbullying, and identity and password protection.

Similarly, the vast majority of guardians (81%) indicate that they talk about cybersecurity topics with their wards, however, only 13% of them have any training in this area. Some of the most appropriate topics include not providing or sharing personal data; being wary of fake profiles; paying attention to downloads and passwords; how to protect ourselves, and not talking to strangers. Some guardians also report that they use parental controls to block content that is less age-appropriate. 

The school community is not immune to cybersecurity incidents, not least because it increasingly uses and interacts with digital technologies, without having the necessary knowledge or paying the necessary attention to the risks inherent to them. To confirm this, 76% (n = 1,027) of teachers indicated that they had no knowledge of incidents of this kind, while 17% (n = 235) identified that they happened to pupils and 9% (n = 117) to colleagues or education professionals from the school in question. 

Some examples of cybersecurity incidents shared by teachers are the following: sharing photos of pupils; accessing own or classmates’ email accounts to misuse; cyberbullying attacks; using fake profiles; identity theft, and sharing of classroom photos and videos on social media without permission from participants.

In the case of guardians, only 5% indicate that they have had any cybersecurity problems with their ward. Some of the examples shared are: installation and registration of untrustworthy mobile apps and games; access to age-inappropriate content; access to unsafe websites; registration of adult phone numbers on WhatsApp; account theft; phishing used for unauthorised monthly charges; adult adverts; sharing of photos and personal data with strangers; online games with access to players’ video, and arranging to meet with online predators.

The vast majority of teachers and guardians surveyed agree with the importance of including educational content on cybersecurity in the curricula of the 1st and 2nd CEB. The main content focuses on cyberbullying, social media risks, and protecting identity, personal data, and passwords. 

Good practices and examples of cybersecurity should be incorporated into training on these issues, not least because many of these incidents can be easily related to the physical world.

Thus, 891 teachers gave reasons why they consider it important to include cybersecurity in the curricula of the 1st and 2nd CEB. Several categories emerged, the most common being: a) “The need for young people to know and be aware of the risks inherent in digital technologies and to have the means to protect themselves against them”, and b) “The assumption that the current and future reality of learning will be conducted using technologies, whether these or others”. It should also be noted that teachers indicate that this inclusion is fundamental, not least to allow equal access to information for all pupils. They also indicate that the school environment may be more effective in sharing this data, and can do so in a wider-ranging and cross-disciplinary way, also overcoming some gaps due to illiteracy on the part of guardians.

There are also those who point out that cybersecurity issues, like those related to road safety, healthy eating, or even sexuality, are fundamental issues that need to be presented and discussed with young people, both for their protection and for their proper development in society.

As indicated in table 1 below, the main reason that both teachers and education guardians (EG) identify for including cybersecurity in basic education is the need to know the risks in order to increase and improve the care, prevention, protection, and awareness of young people in these age groups. 

Respondents also agree that technologies are the current reality and the future of learning and, especially guardians, indicate that the school environment is more effective for sharing cybersecurity knowledge as it allows for cross-disciplinary, inclusive, and egalitarian training.

Regarding cybersecurity teaching formats, there is some consensus among teachers and guardians that formats should be shared, preferably, in specific workshops and via games or other online content. The preference for paper content, such as pamphlets, is lower. 

However, guardians (70%) are much more adept than teachers (40%) at having cybersecurity-related topics explained in the classroom. An issue as fundamental and transversal as this should have, in the opinion of teachers, less classic formats (e.g., exhibition in the classroom) and focus on the use of the technologies themselves to find training and sharing solutions that are more appropriate for the younger population. In other words, more interactive and play-based formats, which may include video content and even dramatization of scenarios that address the topics being learned.

The “YUCA” project made it possible to characterise the training needs of the youngest school levels in Portugal (the 1st and 2nd cycles of basic primary education), in relation to the theme of cybersecurity.

The results indicate that the school community is aware that cybersecurity is fundamental today. This is not only true for the general population, but especially for young people, who must be well informed, and as early as possible, about how to protect themselves online and make the best use of technologies in a safe and useful way. The use of digital technologies in the school environment and beyond will be more and more frequent. At present, the topic is not addressed in a cross-disciplinary and wide-ranging way in all schools and, therefore, both teachers and guardians are of the opinion that cybersecurity should form an integral part of the curricula of the 1st and 2nd public CEB in Portugal. 

However, there is a need for training, preparation, and accountability, for teachers and for guardians alike, to prioritize current issues with greater social impact in terms of cybersecure interaction with technologies, as in the case of phishing (currently one of the most common cyberattacks, whose main objectives are identity or financial theft and fraud). 

Considering the results obtained in this study, it is the author’s opinion that the subject of cybersecurity has to be introduced in a concerted and systematized way in the CEB curriculum in public schools in Portugal, to reach as many young people as possible, in an equitable and inclusive way. This way, the information will be more uniform and will reach a large number of young people, and it may even help to increase the literacy of guardians and/or family members in Portugal and have a greater impact on the creation of better informed and safer generations at a cyber level.

Exclusive collection of data online may have excluded from the sample teachers and guardians with greater difficulty in, or less appetite for, using digital technologies. 

AMANKWA, E. (2021): «Relevance of Cybersecurity Education at Pedagogy Levels in Schools», Journal of
Information Security, 12(4). 

WITSENBOER, J. W. A., K. Sijtsma, e F. Scheele (2022): «Measuring cyber secure behavior of elementary and high school students in the Netherlands», Computers & Education, 186.  

RAHMAN, N. A. A., et al. (2020): «The Importance of Cybersecurity Education in School», International Journal of Information and Education Technology, 10(5): 378-382 . 

CENTRO NACIONAL DE CIBERSEGURANÇA (2021): Relatório CiberSegurança em Portugal, 3.ª ed.  

UN GENERAL ASSEMBLY (1948): Universal Declaration of Human Rights, 217 A (III), art. 12.