Applying the Ubuntu Philosophy to Cybersecurity at NMU
The African philosophy of Ubuntu roughly translates to “I am because we are.” At Nelson Mandela University in Port Elizabeth, South Africa, Kerry-Lynn Thomson, professor and director of the university’s Centre for Research in Information and Cybersecurity, said her team taps into this philosophy when delivering cybersecurity awareness training to students.
“It’s not about how we protect the university assets,” she said. “That's part of it, but it’s more to promote it as, you need to protect yourself, but how do you also protect other people in the student community and university staff?” The university offers completion certificates as an incentive for students to make it through the training.
To implement the training, Thomson had to get buy-in from senior management at the university. She said that because cybersecurity is seen as a highly technical topic, administrators automatically think it’s not in their purview. But since the goal was to make this a universitywide endeavor, Thomson had to adjust the narrative.
“We reframed cybersecurity into ‘digital resilience,’” she said. “A big push is for all of our graduates to have certain key attributes when they graduate — social responsibility, Ubuntu, social justice — and we said digital resilience should be included in that, giving our students what they need to survive in the digital world. We found when we spoke in a language that our senior management understood, that changed the conversation and got them on board.”
The university focuses the bulk of its efforts on first-year students who typically don’t have a lot of exposure to technology and need the foundational awareness, Thomson said. From there, her team reaches out to faculty to find out what students need to learn about and gathers feedback from students to find out what topics they want to engage with.
“I think sometimes with cybersecurity awareness training, we want to push it out from the top and tell students what they need to know,” she said. “But for us, it's really important to engage with the students, to dialogue with them, to really find out where they’re at.”
Prioritizing Mental Health in Incident Response at BU
Cybersecurity incidents can take a toll on individuals’ mental health, from feelings of guilt and shame over successful attacks to burnout experienced from hours of extra work recovering from incidents. At the U.K.’s Bournemouth University, Cybersecurity Professor Vasilis Katos said ransomware is an inherently emotional experience, whether you’re an IT professional or not.
“The objective of ransomware is to get money, and computers can’t give them money. Humans give them money,” he said. “There is something in psychology called amygdala hijacking, your rational decision-making switches off and you're emotional. That's what the attackers are trying to get. It's psychological power, it's not a technical game.”
Katos said he focuses on incident response in his training, allowing his students to learn from real cyberattacks. He also seeks to remove the stigma from cyberattacks and the resulting mental health concerns.
“The training starts with me saying, in a safe space, ‘I am Vasilis, a professor of cybersecurity, and I was hacked,’” he said. “And you can feel the tension relief in the room.”
The university has developed a cyber mental health first aid certification to further eliminate this stigma.
“It can happen to anybody,” Katos said. “It's a matter of how you respond to it. You need to instill that culture of, OK, we've done it. You shouldn't have clicked that link. Now let's see how we're going to deal with it. This requires engagement by everybody, starting from the top with the provost to the last user of the system.”
Hood College Provided Training for Students After Cyber Incidents
Eric Bender, systems administrator for Hood College in Frederick, Md., said that the institution had success using KnowBe4’s tools with faculty and staff, but when students began falling prey to phishing emails that advertised fake jobs and lost money to scammers, the college saw this as an opportunity to implement the student edition of the training.
“It was a good introduction for us to roll out the cybersecurity training because we had a relevant incident,” he said. “We showed them the value of the training.” Additional ransomware incidents at the college and its health system provided more opportunities to promote the training.
“The obligation we have at Hood is to arm our users, our students, with the information and the tools necessary to navigate these challenges,” Bender said. “They're very real, and as they embark upon their careers, they'll find them everywhere.”
Bender and his team operate under an assumption that incoming students as a whole have not been exposed to much cyber training.
“This is an introduction to it,” he said. “We started something called the First Year Experience, which is a first-year seminar with just that kind of content, and we’ll introduce more as they go along and measure the success along the way. But we're starting from a very rudimentary level.”
As students progress, the cybersecurity training content is tailored to their interests and their majors, offering more relevant examples of how they might encounter cybersecurity challenges in their future careers.
None of this training is mandatory, however.
“Cybersecurity training and awareness is an opportunity that we provide those students with,” Bender said. “It's a tool. It's an opportunity for you to be a better cyber citizen. Our obligation to you is to deliver this training. It's also your obligation, as a student, to use this training and become a more cyber-aware citizen who can also help protect our networks. That's your obligation to us.”
Bookmark this page to catch up on all of our EDUCAUSE 2025 coverage, and follow us on the social platform X @EdTech_HigherEd for a behind-the-scenes look at our coverage.
