Aarhus Universitets segl

New study: Cybersecurity education needs to go beyond passwords and phishing

Cybersecurity education for children and young people should be about more than passwords, phishing and technical skills. According to a new international research review, schools need a broader approach that also addresses ethics, digital citizenship and meaningful participation in digital society.

Professor Marianne Graves Petersen
Professor Marianne Graves Petersen. Photo by Søren Kjedgaard.

Researchers from Aarhus University have published a comprehensive review of international research on cybersecurity education in primary and secondary education (K–12) in ACM Transactions on Computing Education. The study was co-authored by Marianne Graves Petersen, Mille Skovhus Lunding and Karl-Emil Kjær Bilstrup, alongside colleagues from the Center for Computational Thinking & Design and the National Research Center for Technology Comprehension. 

The researchers reviewed 40 international studies to understand how cybersecurity is currently taught and what challenges schools face when integrating the subject into education. 

Cybersecurity is more than protection 

The review shows that cybersecurity education is often framed as protection against digital threats. However, the researchers argue that it should also help children and young people participate critically, responsibly and confidently in a world increasingly shaped by digital technologies. 

The study identifies three dominant rationales for cybersecurity education: digital protection, technical literacy and workforce preparation. While all three are important, socio-ethical and civic perspectives receive significantly less attention in existing educational initiatives. 

Five key challenges 

Across international literature, the researchers identified several recurring challenges: 

  • Cybersecurity is often taught through isolated projects rather than as a coherent part of school curricula. 

  • Technical skills receive far more attention than ethics, democracy and digital citizenship. 

  • Access to resources, expertise and learning opportunities remain uneven. 

  • Teachers are expected to teach cybersecurity but often lack training, materials and support. 

  • Many successful initiatives depend on temporary funding and struggle to become sustainable. 

These findings point to a need for stronger connections between curricula, teacher education, learning materials and policy initiatives. 

Towards sustainable cybersecurity education 

The researchers argue that cybersecurity education should be understood as part of a broader educational ecosystem involving students, teachers, technologies, institutions and policy frameworks. 

Rather than relying on stand-alone interventions, future efforts should focus on creating coherent and sustainable learning environments that support technical understanding alongside ethical reflection, critical thinking and active participation in digital society.