Last week, I started reading into various forms of literacy: digital, financial, information, etc. Reading about the many types of literacy got me wondering if security literacy was an existing concept. It wasn't, as far as I was able to find. I'm taking this opportunity to organize my thoughts about all of this and see what the existing literacy research offers as guidance for potentially developing security literacy.
I found three types of literacy that might be helpful when starting this development. I'll give a quick overview of each and then go over my initial thoughts on what security literacy could and should be.
Digital literacy is the cache of knowledge and skills necessary to effectively engage with digital information.
Beyond functional computer skills, digital literacy focuses on cognitive strategies associated with information retrieval and management from networked computers (Bawden, 2001). Digital literacy must focus on ways of thinking rather than specific task capabilities because of the variety of systems, apps, software (etc.) being used. There are four components that make up digital literacy:
- Photo-visual: ability to process image-based information
- Reproduction: ability to copy-paste content
- Lateral literacy: ability to navigate through non-linear situations
- Information literacy: see next section
Early explorations of digital literacy also tested basic computer skills, but the majority of recent research assumes that participants possess those skills. Digital literacy has been touted by some scholars as a prerequisite for functioning in society today and, therefore, several programs exist to teach or improve digital literacy. These might offer guidance to future security literacy programs.
Information literacy is the cache of knowledge and skills necessary to effectively locate, evaluate, manipulate, and utilize information.
While it is a component of digital literacy, information literacy is also a robust area in and of itself. In fact, digital literacy is frequently treated as information literacy complicated by technology. The following knowledge and skills are included in many information literacy scales:
- recognize need for information
- choose appropriate source
- evaluate; organize; manipulate and process; communicate and store information
- effectively use information
Information literacy was developed in library sciences well before technology became a major source for information to most people. It has been adapted to incorporate aspects of computer literacy and used to inform digital literacy. Because information needs are extremely contextual, a key for information literacy models, scales, and training is adaptability.
Privacy literacy is the cache of knowledge and skills necessary to effectively regulate personal privacy online.
This is definitely the newest form of literacy that I read about. Scholars are still working on empirically determining what knowledge and skills are part of privacy literacy; how to measure it; and the benefits of improved literacy. Initial studies have found that users' privacy knowledge is low. Users are largely unaware of how organizations (specifically social networking sites, like Facebook) will use their personal information. This lack of awareness prevents people from engaging in privacy protection.
While digital literacy has advanced to the stage of education and training programs, privacy literacy has not. The focus has been on testing measures of privacy literacy. Three components that have emerged for privacy literacy are:
- Informed concern for privacy
- Factual knowledge: technical aspects of privacy; laws and directives; institutional practices
- Procedural knowledge: strategies for privacy regulation and data protection
It wasn't clear in the scholarship I read whether privacy literacy is treated as a standalone literacy or is seen as building upon digital literacy. I would be interested in whether/how digital literacy informs privacy literacy. Following from that, what are the connections between privacy literacy and security behavior?
These various literacies may offer some guidance on how to develop security literacy. Using them as models, security literacy should be a combination of awareness, knowledge, and skills. The task now is to identify the specifics of those components. I've outlined the beginning of this below and I hope to develop it more.
Before we even begin, digital literacy is a prerequisite for online security literacy. Because the specific policies and procedures that impact an individual's online security are so varied, being literate in security involves navigating a lot of information online and selecting the right information from the right source to guide behavior.
1) Awareness: The phrase "informed concern" is very appealing from the privacy literature and overlays with the "recognition of need" from information literacy. The first component of security literacy is an accurate and well-informed awareness of security issues.
2) Knowledge: Privacy literacy standards include knowledge of laws, policies, and institutional practices. This standard can be carried over to security literacy. Knowledge of resources or tools to guide security behavior should also be included in this component.
3) Skills: For privacy literacy, this is the ability to manipulate privacy settings and regulate the amount of personal information exposed. Effectively using privacy settings might be a skill for security literacy as well. This might also include development of strong passwords or identification of phishing websites.
At this stage, I mostly have a lot of questions:
- What are these issues people should be aware of for security literacy?
- Should there be multiple standards of security literacy (i.e. do some people need more advanced security skills than others)? If so, how should they be determined? Workplace, access to information, etc.
- What is the minimum level of security awareness needed?
- At this point, should security literacy be more focused on knowledge and awareness, rather than skills?
- Should security literate people be able to evaluate security tools or advice? There is some bad advice out there and some advice contradicts others and everyone seems to have a solution. Is security literacy the ability to judge advice and pick the best for your specific situation? How can that be taught and tested?
- Can we make a security literacy standard or program that is both general enough to be used in several contexts and is still useful?
Security literacy has a lot of potential. It will take time and diverse viewpoints to develop it effectively. I believe security literacy may be able to act as an actually useful concept to bridge the knowledge and skill gap that makes security such a slippery subject for many people. However, it will require figuring out what people actually need to be secure. If you have thoughts, I'd love to hear them.
Bawden, D. (2001). Information and digital literacies: a review of concepts. Journal of documentation, 57(2), 218-259.
Bawden, D., & Robinson, L. (2002). Promoting literacy in a digital age: approaches to training for information literacy. Learned Publishing, 15(4), 297-301.
Bartsch, M., & Dienlin, T. (2016). Control your Facebook: An analysis of online privacy literacy. Computers in Human Behavior, 56, 147-154.
Jones, B., & Flannigan, S. L. (2006). Connecting the digital dots: Literacy of the 21st century. Educause Quarterly, 29(2), 8-10.
Park, Y. J. (2013). Digital literacy and privacy behavior online. Communication Research, 40(2), 215-236.
Trepte, S., Teutsch, D., Masur, P. K., Eicher, C., Fischer, M., Hennhöfer, A., & Lind, F. (2015). Do people know about privacy and data protection strategies? Towards the “Online Privacy Literacy Scale” (OPLIS). In Reforming European data protection law (pp. 333-365). Springer Netherlands.