By visiting our site, you agree to our privacy policy regarding cookies, tracking statistics, etc.
This guide provides an overview of best practices for incorporating equality, diversity, and inclusion (EDI) into practical cybersecurity education, especially in the Google.org Cybersecurity Seminars program.
We first outline what we mean by EDI, and why EDI matters for cybersecurity education. Not only is an EDI-centered approach the right thing to do, because it supports and advances human rights, but it is also good for educational outcomes. We then show how EDI considerations are relevant throughout the whole lifecycle of the Google.org Cybersecurity Seminars program, and explains how institutions can advance EDI goals without excessive collection of personal data. We include a list of additional resources and an appendix on definitions at the end for further reference.
Embedding EDI takes time, and sometimes requires additional human and financial resources. We strongly encourage you to take steps towards integrating EDI into as many areas as possible, as soon as possible. By implementing EDI into practical cybersecurity education, you not only improve the learning environment for your students and staff, but also contribute to a better future for the cybersecurity industry.
This guide is primarily for universities and other higher education institutions currently running or thinking of introducing Google.org Cybersecurity Seminars in their institution. It is addressed to the Faculty Champions and EDI Champions of these programs. Beyond the Google.org Cybersecurity Seminars program, this guide may also be relevant for other organizations involved in practical cybersecurity education.
EDI is an acronym for Equality, Diversity and Inclusion (also known as DEI).1 Implementing EDI into university strategies and practices can help promote a representative and inclusive environment for students and faculty.2
EQUALITY |
Equality ensures that everyone, regardless of their personal characteristics, has access to the same opportunities. You might also come across the term Equity. Equity refers to acknowledging and resolving disproportionate barriers to opportunities and resources that someone might face. |
DIVERSITY |
Diversity involves recognising and valuing the different backgrounds, experience and knowledge that an individual has. |
INCLUSION |
Inclusion involves creating an environment where people can be themselves, voice and share opinions and where differences between individuals are welcomed and encouraged. |
It is important to consider diversity in its widest sense. This goes beyond the usual elements of race, ethnicity, religion, age, ability / disability, and sexual orientation to include factors such as education, socio-economic background, migrant / refugee status, geographic diversity (rural or urban), cultural and linguistic diversity and diversity in terms of ways of thinking and viewing the world, including but not limited to neurodiversity.
Another overarching framework to consider is intersectionality. Intersectionality can be seen as a theory, methodology, paradigm, lens or framework which will help you apply an inclusive element to your work. In essence it is about recognizing the multiple and intersecting identities every person has (such as age, sex, sexual orientation, race, nationality, migrant status, disability, religion, ethnicity, education, poverty status, geographic location (rural / urban), family status, etc.) and how this complexity forms part of a person’s lived experience.
These multiple identities can compound existing forms of marginalization or discrimination. For example, an elderly, disabled woman living in a remote rural location will have different challenges and possible forms of discrimination than a young, able bodied urban woman, and these different elements of age, ability, sex and geography, among other identity factors combine to form who she is and how she accesses services. It is important that the multiple and overlapping parts of women and men’s identities, and a person’s identity and relationship to power, are considered in cybersecurity education.
Another related principle is “do no harm”.4 Sometimes programs can inadvertently reinforce stereotypes or social or cultural norms and attitudes which reinforce discrimination or inequality. One mitigating strategy is to build a diverse team to design and implement the program.
Firstly, EDI is important in and of itself. Implementing EDI into the workplace, and classroom, creates a positive environment where people with different backgrounds can work together and learn from one another. It is beneficial for students and faculty, and aligns with wider societal expectations that the workplace and educational institutions are inclusive.
Secondly, taking proactive measures towards EDI makes organizations and individuals more productive and improves cybersecurity.5 Not only is an EDI approach the right thing to do, and furthers a human rights-based approach to education, but it is also good for program outcomes and enhances decision making. It has been proven that more diverse organizations perform better and make better decisions. In particular, there is both acceptance and evidence that gender equality promotes better workplace conditions, better decisions, improved productivity, research outcomes and improved policies and governance.
The opposite is also true. A lack of sufficient knowledge and analysis of the challenges and needs of target groups and beneficiaries can lead to the adoption of inappropriate or partial solutions to these problems and needs. It is therefore important to keep EDI considerations at the forefront of educational design to make it more responsive to the needs of all participants, which in turn will create more robust, comprehensive and more sustainable learning.
Ultimately, fostering an equal, diverse and inclusive environment for faculty and students within universities and industry will attract diverse talent and help to advance the cybersecurity field. Creating an inclusive environment at universities improves EDI culture in the future industries students work in, with positive impacts on those industries.6
Embedding EDI takes time, and sometimes requires additional human and financial resources. There is no expectation that you will be implementing EDI across all areas of cybersecurity education at all levels. However, we strongly encourage you to take steps towards integrating EDI across as many areas as possible, as soon as possible. By implementing EDI into practical cybersecurity education, you not only improve the learning environment for your students and staff, but also contribute to a better future for the cybersecurity industry.
Conducting a basic EDI assessment (sometimes referred to as a gender equality and social inclusion (GESI) assessment) of the content, methodology and approach of your seminars does not have to be costly or timely - it merely involves taking some time to consider the diversity elements of your seminar as well as the logistics of seminar delivery.
Some questions to consider are:
CONSIDERATE SCHEDULING |
Is the seminar delivered at a time that is convenient for students / participants to access the seminars? |
CARING RESPONSIBILITIES |
If delivery is in person, are there any provisions that can be made for childcare or other caring responsibilities during the seminars? |
PHYSICAL ACCESS |
Will transport, accessibility or safety concerns be a barrier to participation? |
EQUAL PARTICIPATION |
What adjustments are needed to ensure physical or remote access for those with physical, visual or auditory impairments or neurodiverse students who may need adjustments / accommodations? |
EDI is relevant across the whole lifecycle of a Cybersecurity Seminar (see figure below). First, it is relevant for the faculty and administration of the seminar, including teachers, managers, and instructors. Second, it is relevant for the students participating in seminars, learning from the resources, classes, and activities provided by the university. Third, it is relevant for the local community organizations (LCOs), who receive cybersecurity assistance from those students.
Many cybersecurity agencies are already championing EDI.7 The UK National Cyber Security Centre (NCSC) has conducted pioneering research into diversity in the UK cybersecurity industry.8 In the EU, ENISA has championed for inclusion and the removal of biases through their #CyberAll campaign.9 At an educational level, there are numerous university initiatives in related fields. One example is the Rising Stars project, first launched at MIT in 2012, where students from underrepresented groups interested in an academic career within computer science, or electrical engineering, participate in a workshop.10
Ensuring an EDI perspective in the early stages of seminar design helps to address more appropriate issues for specific target groups and enables proper planning.
As well as being relevant across all three elements of program design, EDI is simultaneously an individual, organizational and systemic issue:
INDIVIDUALLY |
EDI concerns an individual’s identity and self-presentation, including their personal perspectives and decisions. |
ORGANIZATIONALLY |
EDI concerns the policies and practices put in place by institutions, including both those explicitly dealing with EDI considerations and those indirectly affecting them (ranging from harassment and abuse policies to employment contracts and opening hours). |
SYSTEMICALLY |
EDI concerns the wider social and national contexts affecting the life chances of individuals, including systemic racism or sexism, population-wide issues such as forced migration, and particular political or cultural touchpoints. |
It is important to understand EDI across these categories, as well as how decisions made in one category will inform another. As introduced earlier, the overlapping influence of different aspects of a person’s identity on their overall experience of an organization or system is known as intersectionality. Through the Google.org Cybersecurity Seminars program, you can shape individual and group decisions to better inform students' understanding of the cybersecurity field, whilst making the environment and classroom more diverse.
You can improve EDI without excessive personal data collection. Consider the following:
INSTITUTIONAL AWARENESS |
Monitoring EDI progress within your institution is helpful in understanding what is and what is not working. However, care must be taken over how data is collected and stored to ensure that the institution is abiding by EU or local laws and that the individual(s) who have supplied the data are not at risk. |
GDPR COMPLIANCE |
Institutions should exercise discretion regarding what equality monitoring data they collect and how they collect it. If the person or institution collecting the data is able to identify the person whose data has been collected, then equality data is considered personal data under the General Data Protection Regulation (GDPR) and is protected. |
ANONYMIZATION |
Data which is anonymized, that is data which is unidentifiable to the person(s) who it attributes, is not considered personal data by the GDPR. Care must be taken to ensure anonymized data cannot be attributed to the person(s) it relates to. |
EQUALITIES MONITORING POLICIES |
Universities should consult their equalities monitoring policies and relevant legislation to ensure they are complicit with all relevant data protection laws. |
The following sections ask who, what and how to incorporate EDI in three key steps:
STEP 1: EDI IN YOUR UNIVERSITY TEAM
WHO? | Build an inclusive environment among faculty and students. |
WHAT? | Construct inclusive seminars with accessible methods and approaches. |
HOW? | Create an open environment to overcome workplace barriers faced by employees and employers. |
STEP 2: EDI IN STUDENT INSTRUCTION
WHO? | Aim to increase diversity in participation of your seminars and tailor delivery to your target audience. |
WHAT? | Consider if your materials are negatively reinforcing stereotypes, language and terminology used, cultural sensitivity, inclusivity and accessibility. |
HOW? | Increase flexibility to accommodate needs of students and staff. |
STEP 3: EDI AND LOCAL COMMUNITY ORGANIZATIONS (LCOs)
WHO? | Prioritize EDI impact when selecting LCOs. |
WHAT? | Emphasize a non-hierarchical learning environment and the importance of co-creation with LCOs. |
HOW? | Ensure engagement with LCOs is inclusive for both students and LCOs. |
Incorporating EDI within the leadership of the cybersecurity seminars will help build an inclusive environment among faculty, better reflect the field of cybersecurity to students, and will also promote engagement and responsiveness from all students.
Things to consider when forming your team:
CROSS-DEPARTMENT COLLABORATION |
The way we think about cybersecurity is changing, and drawing from the expertise you have across other departments can be an excellent way to reflect a broad approach to cybersecurity education. This might include consulting colleagues from a politics department, to expand knowledge of the political consequences of cybersecurity across different environments, the gender studies department, to discuss the gendered implications of this work, the law department to understand policy implications, or the department of Philosophy for practical ethics. |
TEAM STRUCTURE |
Taking the time to consider the structure of the team, including leadership, teaching, and non-teaching staff, can help to foster an inclusive and open environment. As previously noted, forming a diverse team is beneficial for output. Similarly, encouraging open communication between teaching and non-teaching staff involved in the cybersecurity seminar will help in reporting and responding to feedback and contribute towards a positive and improved work environment. |
In addition to this, steps can be taken to embed EDI within the team:
CREATE AWARENESS |
Ensure staff understand what EDI is, its purpose and how they can participate in improving the EDI culture. |
BUILD A VISION |
In creating a vision for what EDI will look like among the teaching and non-teaching team, and within teaching materials for students participating in the cybersecurity seminar. |
COMMUNICATE AND ENCOURAGE OTHERS |
Find ways to communicate your goals and achievements. This could be done internally among students and staff, or externally on your department’s website or social media. |
ADVERTISE CYBERSECURITY SEMINARS WIDELY |
Use creative, different methods to ensure they reach a diversity of prospective participants. |
EDI can be integrated into teaching methods and approaches. When constructing the seminar, you should develop an inclusive and engaging programme for students. For example, the University of Carleton offers a toolkit to incorporate EDI in syllabus and teaching.11
This toolkit proposes the following considerations:
You should consider training / sensitization in EDI terminology. For example, all trainers / facilitators should learn the difference between ‘gender-sensitive,ʼ ʻgender-neutral,ʼ and ʻgender-transformativeʼ language to understand how language can perpetuate bias and discrimination. Avoid using harmful stereotypes and gender-discriminatory language that demeans or ignores women, men or gender non-conforming people.
Consider some of the definitions below, and refer to the Appendix for definitions and more detail.
GENDER-SENSITIVE LANGUAGE | ensures gender is appropriately discussed |
GENDER-NEUTRAL LANGUAGE | is not gender specific |
GENDER TRANSFORMATIVE LANGUAGE | changes biased thinking |
Creating an inclusive and open environment for members of your team is important for overcoming workplace barriers faced by employees and employers.
Many institutions have adopted flexible working policies, giving members of staff the opportunity to create a schedule which helps maintain their work-life balance and meet their responsibilities away from the office. Flexible working refers to any work arrangement which accommodates flexibility on where, how long and when a member of staff works.
Possible options include:
The options for working arrangements for your employees should be clearly communicated to staff, and available to all. Policies should be clear and easy to understand, so that staff do not feel deterred from choosing flexible working as an option.12
Additionally, when on-campus meetings and teaching are taking place, ensure that buildings and rooms are accessible for all team members in attendance. This goes beyond physical access issues to include any auditory, visual, lighting or technological accommodation needed for those with an auditory, visual, linguistic or other impairment or neurodiverse needs.
Students of cybersecurity and related fields reflect the future cybersecurity workforce. A well-known survey by ICS2 reported that women account for only 24% of the cybersecurity workforce, an improvement from 11% in 2017.13 However, many groups remain underrepresented in the field, with marked intersectional differences. Asian women represent 8% of the workforce, Black women 9% and Hispanic women 4%. Similar numbers are seen in universities.
While gender gaps among students will vary between universities, a study carried out by the UK’s Department for Science, Innovation and Technology (DSIT) examining cybersecurity university education found that just 12% of undergraduate students and 23% postgraduate students in cybersecurity identified as female.14
Many universities and industries are adopting strategies to address these gaps, including outreach to encourage women and girls into STEM generally, or into cybersecurity specifically. An example of this is the Future Advancers of Science and Technology (FAST) programme at the University of California Berkeley, where scientists, technologists, artists, engineers and
mathematicians (STEAM) connect with high school students to work on projects and encourage students from diverse backgrounds into STEAM professions.15
Diversity in cybersecurity is moving in a positive direction, but more action can be taken to promote diversity among current and future cohorts, as well as to encourage students from a non-technical background to consider cybersecurity as a career option.
Some questions to consider in terms of ensuring diversity of participation in the seminars:
The selection of the right entry points to spark engagement should be a priority consideration for the training team. This result should subsequently inform any necessary change to the training materials and included in the facilitation notes for the training.
Some additional tips for your training team are listed below:
Ask for feedback from students, reflect, and respond.
Teaching materials are crucial in establishing and supporting EDI goals, and can help build a diverse and inclusive understanding of cybersecurity among students and staff. Universities should consider carefully the messaging behind what is being taught and the language used.
Some questions to consider when selecting and teaching cybersecurity course materials are:
DO MATERIALS NEGATIVELY REINFORCE STEREOTYPES? |
In course materials and assigned readings, use source materials from authors from different backgrounds to counter stereotypes of who works in the cybersecurity field. When designing your lectures, incorporating diverse images in your lecture slides is a simple way to better represent the cybersecurity field, counter stereotypes, and improve the feeling of EDI in the classroom. Be careful of AI-generated material, as AI-generated content draws from material online, some of which is sexist / biased / gendered. AI-generated content, used without care, can inadvertently reinforce harmful stereotypes and perpetuate discriminatory or harmful content. |
DO YOUR TOPICS REFLECT THE BREADTH OF THE FIELD? |
In addition to technical topics, your cybersecurity seminars could integrate topics which relate to EDI including ethics of cybersecurity, policy implications, and history of the field and influential figures. Other cybersecurity threats could relate directly to EDI characteristics.16 For example, women (especially of color) face a disproportionate level of harassment and abuse online. Enshrining good safeguarding practices online should be a priority for all cybersecurity education. |
ARE MATERIALS INCLUSIVE? |
Inclusion should be interpreted widely, and should include ensuring gender, race and religious diversity as well as diversity of backgrounds and opinions, diversity of age, migrant status, religious or ethnic minority. Emphasize an intersectional approach, taking into account the differing and compounding forms of discrimination faced by marginalized groups.17 |
IS THE LANGUAGE AND TERMINOLOGY INCLUSIVE? |
Many cybersecurity actors are taking steps to think about and reframe many traditional cybersecurity terms, such as ‘Whitelist’ and ‘Blacklist’. Whitelist is used to refer to something which is ‘good’, whereas Blacklist is used in reference to something ‘bad’. Alternative words you can use instead are Allow List or Block List. For further examples, see the ICS2’s guide to inclusive language in cybersecurity.18 Language can serve to reinforce or perpetuate existing inequality, discrimination, and power dynamics, hence being conscious of your word choice throughout is critical. All language in the seminars should be checked with the most up-to-date terminology around EDI. EDI implications of the topics discussed (especially those which might not be obvious to the students) should be added to the seminars’ curriculum. |
ARE MATERIALS CULTURALLY SENSITIVE? |
All university staff and instructors / trainers should ensure they are aware of cultural differences and friction points, knowing that EDI discussions can be very sensitive and can stir up discomfort and debate. Seminars must be tailored to the audience and able to adapt and respond to contextual regional specificities. |
ARE MATERIALS ACCESSIBLE? |
Depending on the structure of your cybersecurity seminar, you might have students participating with different levels of knowledge. Students can be supported by providing additional background readings appropriate for their level of knowledge, and by contacts of the teaching teams for students if they need additional learning support. Additionally, measures should be taken to ensure students have equal access to course materials, including textbooks, resources and equipment. This should also include accessibility considerations for those with a disability or neurodiverse students, both groups of whom may require additional accommodations which need to be taken into account and planned for in advance. This pertains to both in-person and online education. Accessibility requirements go beyond physical access provisions such as ramps (for physical accessibility) and should include provisions for sign language interpreters if possible. For online training and web content, ensure the content is also available in a format for people with learning disabilities and in formats that are compatible with software for the visually impaired.19 |
Implementing a flexible method of learning can be a positive way to accommodate the needs of students and teaching staff. A flexible approach to your teaching structure should address three areas: place, pace and mode of study. A flexible structure is beneficial for students, as it allows them to balance work, study, leisure, and childcare or other care commitments, domestic and family duties in a way that suits the needs of each individual.
Here are some tips for fostering EDI in the classroom environment:
The local community organizations (LCOs) you will engage with will vary significantly. Examples may include non-governmental organizations (NGOs), civil society organizations, public service organizations or educational institutions. There is no single solution for how you should choose which LCOs you will assist.
However, you may want to prioritize the following categories:
LCO engagement should be inclusive for both students and LCOs. It is important to consider what barriers students might face during LCO engagement, and to provide appropriate assistance and support.
When working with LCOs, be sure to emphasize a non-hierarchical learning environment and the importance of co-creation: ensuring that civil society and the diversity of stakeholders consulted as part of the program have a sense of ownership over the solutions they have identified. The program should apply equitable and accountable partnership principles to ensure that its work with civil society actors does not reinforce power asymmetries. This means that, ideally, LCOs should have opportunities to influence the design of the training material, outreach strategies and engagement approaches. It involves recognising the existing knowledge and capabilities present in LCOs, rather than employing a deficit-based approach to capacity development.
Some tips to help you foster partnerships with LCOs are:
The Google.org Cybersecurity Seminars are designed to assist LCOs with their cybersecurity needs. What this looks like will differ between the design of your cybersecurity seminars, and might include cybersecurity awareness, or vulnerability assessments.
Universities are well placed to help local communities. Student involvement with local communities can be seen in other academic disciplines. Law students at New York University participating in the clinical and advocacy program assist with real-world cases, as do students at universities in the US Consortium of Cybersecurity Clinics.20 21
Elements to consider include:
You can best serve LCOs by first understanding what the situation is in your own community; for example, through research or discussions with your LCO network. It is important to remember that each LCO will face different challenges and have different levels of cybersecurity awareness.
The Citizen Lab has compiled a list of good practice examples for inclusive community engagement.22 Some key practices include being mindful of language used, flexible and open to different methods of communication and engagement, and making sure to reach a diversity of organizations, not just the “usual suspects”.
The educational process for LCOs will continue after your student engagement, so ensure your LCOs continue to have access to relevant and up-to-date resources (for example, through maintaining a cybersecurity awareness site).
EQUALITY | Equality ensures that everyone, regardless of their personal characteristics, has access to the same opportunities. You might also come across the term Equity. Equity refers to acknowledging and resolving disproportionate barriers to opportunities and resources that someone might face.23 |
DIVERSITY | Diversity involves recognising and valuing the different backgrounds, experience and knowledge that an individual has.24 |
INCLUSION | Inclusion involves creating an environment where people can be themselves, voice and share opinions and where differences between individuals is welcomed and encouraged.25 |
“DO NO HARM” | Under ‘do no harm’ principles, an action is conducted in a way that avoids exposing already vulnerable people to additional risks and harms. This is done by actively seeking to mitigate negative impacts and designing interventions accordingly.26 |
GENDER EQUALITY | The state of being equal in status, rights and opportunities, and of being valued equally, regardless of gender identity and / or expression.27 |
GENDER-NEUTRAL / BLIND | Gender-neutral language is not gender-specific.28 Gender-neutral refers to scenarios, products, innovations, etc. that have neither a positive nor a negative impact when it comes to gender relations.29 |
GENDER-NONCONFORMING | A person who is gender-nonconforming does not align with the conventional traits attributed to any gender.30 |
GENDER-RESPONSIVE | Gender responsiveness refers to outcomes that reflect an understanding of gender roles and inequalities and which aim to encourage equal participation and equal and fair distribution of benefits.31 |
GENDER-SENSITIVE | Gender-sensitive language ensures gender is appropriately discussed.32 Relating to gender being considered in the research or program but where it is not a central aspect of the research. Gender-sensitive research sets out to ensure, where possible, that it does not perpetuate a damaging gender dynamic, (or is at the very least aware of that damaging dynamic but cannot influence it and must work within it for the sake of the project) or ensure that gender relationships in the context of a specific research project are not made any worse.33 |
GENDER TRANSFORMATIVE | Gender-transformative language changes biased thinking.34 |
INTERSECTIONALITY | Intersectionality recognizes that people’s lives are shaped by their identities, relationships and social factors. These combine to create intersecting forms of privilege and oppression depending on a person’s context and existing power structures such as patriarchy, ableism, colonialism, imperialism, homophobia and racism. It is important to remember the transformative potential of intersectionality, which extends beyond merely a focus on the impact of intersecting identities.35 |
LCO (abbreviation) | Local Community Organization |
NGO (abbreviation) | Non-Governmental Organization |
MALE-BY-DEFAULT DESIGN | Male-by-default design refers to the concept that the default gender – among and for which systems, concepts, ideas, policies and activities have been designed – is ‘man’. This is related to androcentrism, which is the practice of centering a masculine world view and marginalizing others.36 |
NON-BINARY | Non-binary refers to people who do not identify as ‘man’ or ‘woman’. This can also include people who identify with some aspects of the identities that are traditionally associated with men and women.37 |
SAFEGUARDING | Safeguarding is the act, process or practice of protecting people from harm, and the measures in place to enable this protection.38 |
The Google.org Cybersecurity Seminars program supports cybersecurity seminar courses in selected universities and other eligible higher education institutions in Europe, the Middle East, and Africa, to help students learn more about cybersecurity and explore pathways in the field. The program actively supports the expansion of cybersecurity training in universities, to build the diverse workforce needed to help the most vulnerable organizations prevent potential cyberattacks. It also addresses new risks from artificial intelligence (AI), providing students with an understanding of AI-based changes to the cyber threat landscape and helping them effectively integrate AI into practical cybersecurity measures.
Participating universities are expected to actively promote equality, diversity, and inclusion within their programs. They should encourage the strong participation of individuals from diverse backgrounds and create an inclusive environment for education, thereby enriching the overall learning experience and strengthening the cybersecurity community.
Loading…