
Young Children’s Cybersecurity Knowledge and Practice: A Systematic Literature Review

Maria Lamond, PhD student, Division of Psychology, Abertay University
Email: m.lamond2000@abertay.ac.uk

Background

• Children are interacting with an increasing amount of digital [2].
• 1 in 3 five- to seven-year-olds and nearly 50% of eight- to ten-year-olds use social media and online messaging [12].
• Children are vulnerable to online risks [2].
• Cybersecurity education in primary schools is rare [4].
• Cybersecurity practice requires mature cognitive abilities that children are only developing [9, 10].

Research Questions

A systematic literature review was undertaken to explore the current landscape of cybersecurity research related to children’s cybersecurity knowledge and behaviours. We aimed to answer the following research questions:

1. What cybersecurity guidance and resources are offered to teachers and schools?
2. What cybersecurity knowledge is possessed by young children, their parents and teachers?
3. What interventions have been trialled to improve cybersecurity knowledge and skills in young children?
4. What cognitive abilities scaffold the learning and practice of cybersecurity skills?

Methodology

Following the preferred reporting items for systematic reviews and meta-analysis (PRISMA), we reviewed the grey literature related to Scottish curricula, including government documents such as the Curriculum for Excellence, policy documents, and strategic frameworks. Additionally, targeted websites pertaining to cybersecurity education for children were reviewed. The academic literature was identified through database searches and manual reference searching.

Figure 1 Systematic Literature Review Process

Data Synthesis & Results

Figure 2 Grey Literature Prisma Data Collection Diagram

RQ1 Scottish Guidance and Resources

The review of the grey literature revealed an inconsistency between curriculum benchmarks, policy and the resources. Curricula outcomes do not reflect children’s cognitive development or the potential online risks. For example, the outcomes at different levels do not consider children’s developing cognitive abilities.

Early Level: Children are expected to use a password to log on to a preferred device.
First Level: Children are able to use a strong password [11].

Cybersecurity outcomes are limited to password knowledge and practice until children are in secondary education, where other concepts such as hacking, phishing and virus protection are introduced [11].

Academic Data Synthesis

The papers were synthesized by research focus and then a narrative account of key findings was produced.

Figure 2 Prisma Data flow Diagram

RQ2

• Children have low awareness and knowledge of cybersecurity risks [2, 10], with an inconsistency between subjective and objective knowledge [8].
• Children rely on parental support for security practices [1].
• Children have difficulty with password practices, including password creation, sharing, and authentication [3, 10].
• Parents feel they have limited cybersecurity knowledge and adopt passive and restrictive strategies towards their children’s cybersecurity [1].

RQ3

• Interventions to improve children’s cybersecurity awareness and knowledge are positive but lack generalisability.
• Graphical passwords can be a useful authentication method for children [1].
• Few papers investigate anti-phishing training for younger children; this training is effective, but its effect diminishes over time [6].
• Cybersecurity web-based learning improves children’s cybersecurity knowledge [5].
• Incorporating relevant pedagogy and psychological theories can improve cybersecurity education [4, 10].

RQ4

The majority of papers propose developing cognitive functions as being responsible for difficulties in cybersecurity practice. Figure 3 shows the prevalence of cognition being mentioned in the literature.

Figure 3 Papers identifying cognitive functions (bar chart titled "Proposed Cognitive Functions"; y-axis: Number of Papers; x-axis: Cognitive Function, with categories Problem Solving, Cognition General, Literacy, Social cognition/sharing, Meta cognition, Memory, Attention)

Conclusions

• There is a need for well-defined age-appropriate outcomes, and for teachers and parents to receive adequate training to empower them to protect and teach children the principles.
• There is a requirement for a more inclusive cybersecurity education.
• Passwords are difficult for children and require several cognitive functions that younger children are still developing.
• Future work is required to understand children’s developing cognition in line with cybersecurity skills they are expected to have.
• Research developing and assessing interventions to improve awareness on a larger scale, with robust research methodology, is also needed.

References

1. Assal, H., Imran, A. & Chiasson, S. 2018, "An exploration of graphical password authentication for children", International Journal of Child-Computer Interaction, vol. 18, pp. 37-46.
2. Choong, Y.Y., Theofanos, M., Renaud, K. and Prior, S., 2019, February. Case study: exploring children’s password knowledge and practices. In Workshop in Usable Security and Privacy. Internet Society.
3. Kumar, P., Naik, S., Devkar, U., Chetty, M., Clegg, T. & Vitak, J. 2017, "No Telling Passcodes Out Because They're Private", Proceedings of the ACM on Human-Computer Interaction (CSCW), vol. 1, pp. 1-21.
4. Kumar, P.C., Chetty, M., Clegg, T.L. and Vitak, J., 2019, May. Privacy and security considerations for digital technology use in elementary schools. In Proceedings of the CHI Conference on Human Factors in Computing Systems (pp. 1-13).
5. Lamichhane, D.R. and Read, J.C., 2017, June. Investigating children's passwords using a game-based survey. In Proceedings of the 2017 Conference on Interaction Design and Children (pp. 617-622).
6. Lastdrager, E., Gallardo, I.C., Hartel, P. and Junger, M., 2017. How Effective is Anti-Phishing Training for Children? In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017) (pp. 229-239).
7. Livingstone, S., Davidson, J., Bryce, J., Batool, S., Haughton, C. and Nandi, A., 2017. Children’s online activities, risks and safety. London: London School of Economics and Political Science.
8. Macaulay, P.J., Boulton, M.J., Betts, L.R., Boulton, L., Camerone, E., Down, J., Hughes, J., Kirkbride, C. & Kirkham, R. 2020, "Subjective versus objective knowledge of online safety/dangers as predictors of children’s perceived online
9. Prior, S. and Renaud, K., 2020. Age-appropriate password “best practice” ontologies for early educators and parents. International Journal of Child-Computer Interaction, 23, p.100169.
10. Reid, R. and Van Niekerk, J., 2014. Snakes and ladders for digital natives: information security education for the youth. Information Management & Computer Security.
11. Education Scotland. Benchmarks Technologies. 2017. Available at https://education.gov.scot/nih/Documents/TechnologiesBenchmarksPDF.pdf
12. Ofcom 2021. Children and parents: Media use and attitudes report 2021. https://www.ofcom.org.uk/__data/assets/pdf_file/0025/217825/children-and-parents-media-use-and-attitudes-report-2020-21.pdf

Note. Adapted from “Guidance on Conducting a Systematic Literature Review” by Xiao and Watson, 2017, p103. Journal of Planning Education and Research. 2019;39(1):93-112. Copyright 2019 by Sage Publications

Abertay University is an operating name of the University of Abertay Dundee, a charity registered in Scotland, No: SC016040.

