
Cybersecurity Lecture - Marianne Lindroth

Uploaded by

Abdelftah Hanafi
Copyright
© All Rights Reserved

2022-2024

Empowering minds, securing futures

Cyber Citizen &


The human aspect of cybersecurity

Agenda

• What is the role of humans in cybersecurity
• What are the cybersecurity skills that everyone needs
• How to develop human cybersecurity awareness and skills
• Cyber Citizen project of Aalto University and the Finnish Ministry of Transport and Communications

Digital threats are a growing problem

30.01.2024

• 85 % of data breaches involving social engineering involved the theft of credentials
• 74%: data breaches as a result of human error
• It takes approximately 227 days for an organisation to detect and respond to a data breach
• The cost of cybercrime: 8 trillion USD per year globally
• Global average cost of a data breach: 4,5 M USD for an organisation

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” - Bruce Schneier

“Human is not the weakest link… but they are a primary attack vector for criminals.”

Investing in technology vs. protecting people

Organisations invest up to 20 times more resources in protecting technology than in educating, training and awareness raising among people.

Resources:
• Laptop: $50-150
• Human: $5-15

This may explain the security problem…

Citizen – an underutilized resource of cybersecurity

• Citizens are traditionally seen as consumers of security, not as contributors to it.
• The Finnish model of comprehensive security states that everyone has a role in ensuring security.
• Collective societal and individual resilience by engaging citizens to become active actors in security of the EU.

How AI Attacks Affect Humans: Deepfakes, Fake Calls and Beyond

AI in fraudulent and illegal activities

• Image and video manipulation, deepfake scams
• Fake calls to trick people into sharing sensitive information
• Phishing emails with AI-generated content
• AI-generated malware that can be difficult to detect and neutralize
• Automated social media bots used for identity theft or spreading propaganda
• AI-powered voice cloning that can create convincing impersonations of individuals

Countering AI attacks

• AI Attacks Recognition: Fact checking and verification
• The Role of Critical Thinking: Distinguishing real from AI-generated content
• Individual Vigilance: Strengthening collective security through personal awareness

Cybersecurity education and training in Finland

- Cybersecurity is taught to varying degrees in educational institutions
- Currently in Finland, people are trained in cybersecurity especially in the workplace → these skills are useful not only at work but also in people's personal lives
- Compliance vs. security culture
- Lots of cybersecurity material available, but those who need it can't necessarily find it
- Information is in silos: cybersecurity, information security, privacy, information operations… → all affect everyone's daily life

Cyber Citizen creates a safer future for Europe

Vision: A resilient Europe fostered by a comprehensive culture of cyber security

Mission: Empower EU citizens with the skills, knowledge, and confidence to safely navigate the digital world

Funding: 2022–2024, 5M€
Project Manager: Marianne Lindroth
Responsible Researcher: Yki Kortesniemi
Professor in Charge: Petri Mähönen

Phases of the project

• 2022: Research and planning phase
• 2023: Development of the learning model, community establishment
• 2023-2024: Learning hub and game development, content production, and community building
• Outcome 2024: Innovative learning hub, experimental learning game and EU wide community

Commissioner: Finnish Ministry of Transport and Communications
Executor: Aalto University, Finland
Project Manager: Marianne Lindroth
Responsible Researcher: Dr. Yki Kortesniemi
Professor in Charge: Vice-Dean Petri Mähönen
Duration: 2022–2024
Funding: Five million euros from the EU recovery instrument for a three-year period

Observations from the research report
Cyber Citizen Skills
Cyber Citizen project has 4 key outcomes

• Learning model: Methods, tools, and materials to cover the diverse learning styles in cyber security
• Game: A fun way to develop fundamental cybersecurity skills
• Community: Governmental organisations, NGOs, and companies join forces to generate and disseminate best cybersecurity knowledge
• Hub: An extensive toolbox of cybersecurity resources maintained by the Community

The Learning model

● Cyber Citizen skills mapped to align with DigComp and ESCO skill frameworks
● Sub-skills needed to master the cyber citizen skills defined
● Methods to learn different skills developed and described

Table columns: COMPETENCE AREAS / CYBER CITIZEN LEARNING SKILLS; CYBER CITIZEN DESCRIPTOR; TOPICS FOR COMPETENCE AREAS

TOPICS FOR COMPETENCE AREAS
• Media literacy and information influencing
• Cyber hygiene
• Cyber threats (incl. social engineering) and cyber crimes
• Data, privacy, and legislation
• Digital footprint and social media
• Being responsible online (incl. netiquette and ethics)
• Wellbeing online
• AI, cloud, big data, algorithms, technology
• Preparedness and resilience
• Reporting and support

DigComp: INFORMATION AND DATA LITERACY
ESCO: Digital data processing
Learning outcomes covered: Critical thinking; Attitude

• Is able to evaluate the reliability of information and information sources: Evaluation of an information source depends on several factors from national culture to personal social environment and identity. In assessing the reliability, situation awareness skills and general understanding of the environment have a significant impact on decision-making and behaviour.
• Is able to analyse, compare, and process information: The know-how required for analysing information is individual and depends on the situation. Information from different sources may be contradictory and prepared for different purposes. A cyber citizen must be able to critically assess how the information is formed, where does it come from, on what forum and how it is presented, what are the background motives for producing the information, who produced it and to what purpose and what is the motivation. When processing information, cyber citizens use prevalent and chosen technology to ensure that information is processed and managed in a systematic and appropriate manner.
• Understands the cyber environment: The environment consists of user experience and the hidden, more extensive social dimension of systems. In cyber environment, very few services or applications are truly free of charge. Browsers collect user information for marketing and product development purposes. It is important that cyber citizens understand the business logic behind services and applications and are aware that many factors affect search results and recommended content in social media.
• Develops foresight skills: Understands how to develop knowledge and skills to improve foresight skills related to cybersecurity. Is able to choose learning and education programmes which develop foresight skills. Has an extensive understanding of the importance of preventive actions in terms of cybersecurity and system-level security.

DigComp: COMMUNICATION AND COLLABORATION
ESCO: Digital communication and collaboration
Learning outcomes covered: Critical thinking; Ethics, rules, rights, and responsibilities; Understanding of value; Attitude

• Understands rules and their impact on a personal and communal level: There are numerous rules, conditions of use and pieces of legislation to guide cyberspace, at both EU level and Member State level. These norms affect us on personal and social level. Increasing understanding of the existing regulations improves citizens' opportunity and ability to abide by general rules.
• Understands the effect of their actions on general security: Understands how the way they use a service or technology or process information can either improve or impair total security. Understands their responsibility and knows what to do in incidents or problem situations.
• Manages their digital footprint: Understands the basic principles of the systematic operation of websites, cookies, and systems. Is able to use the selected services and devices in such a way that harmful visibility and exposure is minimized.
• Recognises the importance of different interaction channels in communication: Is able to select communication channels based on the needs and the content of the message. Understands that social media platforms can differ in terms of content, language, culture, and technological solutions.

DigComp: DIGITAL CONTENT CREATION
ESCO: Digital Content Creation
Learning outcomes covered: Ethics, rules, rights, and responsibilities; Secure technology

• Understands copyright principles: Understands how immaterial rights affect what content found online can be used, modified, cited and distributed and how. Is able to check and choose elements and information for content production that do not infringe the rights of others. Is able to protect their own copyrights. Asks for advice when problems or risks related to information security or data protection are suspected.
• Knows how to use current technologies and services: Understands the main principles of used services and selected technologies to ensure that their activities do not threaten, intentionally or unintentionally, existing content or information security.

DigComp: SAFETY
ESCO: ICT safety
Learning outcomes covered: Ethics, rules, rights, and responsibilities; Secure technology

• Is able to use prevalent technology securely: Understands the main principles of used and selected technologies, knows how to change their settings when necessary and analyse the included content and information. Is able to use selected off-the-shelf software responsibly. Has a general understanding of what factors have the most impact on the security of used technologies and applications. Is able to ensure that the devices’ latest official updates have been installed and the manufacturer supports the operating system version. A citizen is able to choose and demand more secure digital products. This is also guided by EU level regulation. For example, one objective of the EU’s Cyber Resilience Act is to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
• Is able to protect used information and look after their digital identity: Is able to protect used information based on its sensitiveness. Masters the basics of protecting digital identity, recognises the importance of protecting against topical threats and knows what measures to take (for example additional certificates in access control). Understands the creation of digital footprint related to identity and the principles of harmful exposure and visibility.
• Is able to maintain sense of security and awareness concerning themselves and others: Recognises models of harmful behaviour and their effects in cyberspace. Recognises characteristics of digital violence, violent acts (for example cybercrime and bullying aimed at individuals) and structural violence (for example inequality and possible escalation in digital environment) and knows what to do in these situations. Is able to protect themselves and others against the threats and dangers of digital environment (for example warn others of observed scam attempts). Actively gathers information on cybersecurity and shares it with others.

The Community

● A loose unofficial network of professionals, individuals and organisations interested in developing the cyber citizen skills
● Every party can contribute as much as is suitable for them


Learn security fundamentals through a Mobile game

• Gamified Learning: Covers fundamental cybersecurity skills
• Citizen Awareness: Raising awareness of common digital threats
• Polished experience: Created in collaboration with a professional game development studio

Target Age Group: 12+
Languages: Available in 24 languages
Launch: 9/2024
Genre: Business Idle Tycoon

7/10
Portal: an extensive cybersecurity toolbox

• Micro-learning: Quick solutions for specific needs with easy accessibility
• In all 24 EU languages
• Online courses:
  1. Basics of cybersecurity
  2. Protection against influence operations
• Personalized content: Diverse and up-to-date content, personalised with AI technology
• Emergency assistance: A Panic button guides in case of cyber incidents

Users

• The target group of the materials and activities is EU citizens of working age (15-64 years)
• Material for children and senior citizens can also be linked from other sources.
• Target groups include:
  • Employees of companies and other organisations who do not receive cybersecurity training in their workplace (blue-collar workers, employees of SMEs, etc.)
  • People in positions of responsibility in companies and entrepreneurs
  • People outside the labour force
  • Verification of competences useful for e.g. job search (students, unemployed, etc.)
  • Information seekers, e.g. those who have experienced an incident
• A panic button in the portal that provides instructions on what to do in the event of a problem.

Cyber Citizen journey checkpoints

[Timeline figure. Checkpoint dates: 02/2024, 04/2024, 08/2024, 09/2024, 11/2024, 01/2025]

• Learning Model: Learning model published
• Community: Workshops in different countries; Network event; Promotional tour; TBA
• Game: Initial version of the game; Piloting; Complete game ready; Launch; Dissemination; TBA
• Hub: Finished Layout of the HUB; End-user participation; First version of the HUB; TBA

Thank you!
Cyber Citizen: cyber-citizen.eu/en
marianne.lindroth@aalto.fi
