We use some essential cookies to make this website work.
We’d like to set additional cookies to understand how you use GOV.UK, remember your settings and improve government services.
We also use cookies set by other sites to help us deliver content from their services.
You can change your cookie settings at any time.
Departments, agencies and public bodies
News stories, speeches, letters and notices
Detailed guidance, regulations and rules
Reports, analysis and official statistics
Data, Freedom of Information releases and corporate reports
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/mapping-informal-cyber-security-initiatives-for-young-people-aged-5-19/mapping-informal-cyber-security-initiatives-for-young-people-aged-5-19
Across the UK, there is a clear need for a larger proportion of the population to have sufficient cyber security skills. One strategy from the Department for Digital, Culture, Media and Sport (DCMS) is to ensure there are initiatives and educational opportunities available that encourage children and young people’s awareness of and engagement with cyber security. However, there is currently no accurate picture of what programmes exist.
This research aimed to provide a first mapping of informal cyber security-related initiatives aimed at children and young people aged 5-19.
A multimethod approach was taken, including: systematic desk research; 13 interviews with experts and oversight bodies; a survey of parents and young people aged 14-18 to understand awareness, perception and participation in initiatives (n=862 young people and n=862 parents); 26 interviews with initiatives across 8 regions;[footnote 1] and interviews with end users to understand their experience of initiatives.
We found 72 overarching initiatives across the UK. This excludes programmes that are exclusively funded and run by the UK government. The subset of 26 initiatives we interviewed reached approximately 230,000 young people per year.[footnote 2] This total number represents around 2% of the population of young people aged 5-19 in the UK.[footnote 3] Some other key features of the landscape are:
most initiatives were targeting ages 10-14
most were running sessions face-to-face in small groups (10-15 participants) and were free for end users
initiatives ranged from general technology to cyber security-focused content. From the 26 we interviewed, 9 were focused on technology, 14 in computer science and 14 in cyber security[footnote 4]
most initiatives were funded by private businesses, and many were a hybrid between being supported by businesses and the government or local authorities
it was unclear how initiatives were measuring success, and it was difficult to assess their effectiveness
Experts and initiatives agreed that cyber security can come across as very technical and that jargon can put young people off. Initiatives were promoting themselves in a way to counter this perception by focusing on fun activities and linking in with topics young people are interested in.
Programme designers felt the following approaches were effective in engaging young people:
connecting cyber security activities to the ‘real world’
taking young people out of the school environment
fostering interactions between young people and professionals working in the industry
tailoring the content and activities for different age groups
inviting speakers young people can relate to or look up to
making space for physical play and exploration of curiosity
There was little evidence of networking, signposting or learnings being shared between initiatives. Some initiatives talked about needing a concise strategy in their area, wanting to learn from other initiatives, or knowing where else they could refer their students to when they had finished their current programme.
Four outcomes should be met to support young people into a career in cyber security. Initiatives seemed to be trying to achieve four distinct outcomes: to develop awareness, inspiration, affinity, and knowledge and skills. Even though the activities initiatives were carrying out might only meet one or some of these outcomes, all of these outcomes need to be met at some point in a young person’s journey to move into a career in cyber security.
These outcomes were consolidated into a framework, and could be seen in terms of a journey:
Figure 1: Outcomes targeted by initiatives
This framework may prove useful in prompting initiatives to further define their objectives or for future analysis of initiatives.
Experts and organisations reflected there is a risk in focusing on cyber security too early. They felt that young people could be put off cyber security before they have had a chance to understand what is involved – which may prevent them from engaging with it at a later date. They expressed it would be beneficial to move from a broader ‘tech’ perspective to introducing cyber security later as young people specialise, as is the case in other disciplines such as medicine.
When looking at the subset of 26 initiatives, this did not seem to be the case. Programmes did not seem to focus more on cyber security as the age of the young people they served increased.
In the subset of 26 initiatives, although awareness, inspiration and affinity were covered, more initiatives explicitly focused on developing knowledge and skills.
From this point of view, it could be said that although various programmes with a wide offer for young people exist, they may not be concentrating on the right topic or outcome at the right time – or in the right order.
As one of the leading digital nations, and with a further reliance on digital networks and systems since the Covid-19 pandemic (for both personal and business use), there is a clear need for a larger proportion of the UK population to have sufficient cyber security skills.
Not only is the increase of digital skills essential for our safety, but basic digital skills are vital to propelling and enhancing the workforce to help companies work more efficiently, securely and in a cost-effective way.
The Department for Digital, Culture, Media and Sport (DCMS) works with partners across government and industry to develop a sustainable talent pipeline that meets the skills demand both now and in the future. This includes a programme of initiatives and educational opportunities that encourage children and young people’s awareness of and engagement with cyber security.
These programmes have proven popular, but there is currently no accurate picture of what exists or of planned developments for cyber security skills programmes for the youth sector by the wealth of players involved at national, regional and local levels.
This research aimed to fill this gap and provide a first mapping of informal cyber security-related initiatives aimed at children & young people aged 5-19.
It aimed to map characteristics of these initiatives, including geography, cost, format and channel, as well as explore what techniques and approaches are being used to engage young people.
To answer the above research objectives, a multi-method approach was taken.
Phase 1 of the project involved developing a broad overview of the sector and scoping out initiatives that exist in this space, as well as child and parent engagement with initiatives. It consisted of:
systematic desk research to identify relevant initiatives
13 interviews with experts and oversight bodies in this space to fill in gaps in knowledge from desk research and get a sense of good practice from their perspective
a survey of parents and young people (aged 14-18) to understand awareness, perception and participation in initiatives, n=862 young people and n=862 parents
Phase 2 of the project involved focusing on selected geographical areas to understand characteristics and the operation of selected initiatives in more detail. It consisted of:
shadowing events and gathering resources used by initiatives
interviews with end users to understand their experience of initiatives
The 8 geographical areas were decided based on conversations with DCMS to include areas with different demographics, levels of socio-economic diversity and activity around cyber security. These regions were Belfast, South Wales, Edinburgh, London, Cornwall (focusing on Plymouth), West Midlands, Yorkshire (focusing on Bradford), and initiatives that had nationwide reach.
This research represents the best available mapping of the current landscape of cyber security initiatives and goes some way to understanding what exists, but it is unlikely to be a complete picture. It should be noted that:
not all data the research team wanted to capture was publicly available – so there are some gaps in knowledge
it was decided that 8 geographical areas would be focused on to give some boundaries to scoping activities – so it is likely there are other initiatives that aren’t captured
more information was recorded on the initiatives that were interviewed in-depth
some conclusions are drawn from the data the research team gathered on all initiatives identified across the UK, but some are drawn from data on the subset of 26 initiatives that were interviewed in more depth (this is clearly marked where relevant — these numbers may not fully represent the full picture of the cyber security landscape)
from the survey conducted as part of this research, we know that young people may participate in more than one informal initiative (however, initiatives interviewed were not able to account for potential overlap in their ‘reach’ data, all of which assumes unique participants)
The above considerations should be taken into account when reflecting on the data set out in this report.
The first research activity involved mapping the current informal learning opportunities in cyber security skills available across the UK. We focused on collecting evidence from desk research and interviewing stakeholders from the sector.
We focused on initiatives that are not exclusively funded by the government, and we broadened our search to include initiatives that included tech or computer science rather than limiting the scope to cyber security-only initiatives.
We looked into specific details about the format and delivery of these programmes. However there are gaps in the data we have been able to collect, which limited the calculations we were able to make. For example, not all data was publicly available and some of the attempts to get in touch with the initiatives were unsuccessful.
As a result, some overall conclusions are drawn from the data we have from all programmes we have found when scoping or from the initiatives we could talk to in more detail. But it might mean that the numbers do not represent the full picture of the cyber security landscape.
For example, it was sometimes unclear which initiatives were active. Covid-19 impacted the continuity of some programmes too. Three out of 26 initiatives we spoke to had been paused since the pandemic, but was not possible to know this for some initiatives by only looking at the websites. From trying to contact initiatives to speak with, many were unresponsive, which could be an indication that they were no longer active.
Reach calculations were done taking into account the size of the groups or courses they run, their duration and number of times they run per year. We assumed that these are unique participants, that the group sizes are consistent, and they run the programmes in the frequency that they told us.[footnote 7] We estimated the cumulative reach of theses 26 initiatives to be approximately 230,000 young people per year, which is equivalent to around 2% of the population of young people aged 5-19 in the UK.[footnote 8]
Based on our desk research, we believe 64 initiatives to be active. However, we understand the 26 initiatives interviewed to be the larger active initiatives, based on their visibility – how well advertised and well known they are – and the reach figures they were able to provide. As such, we do not believe it would be accurate to assume the 38 initiatives we did not interview have equal reach to the 26 engaged. To ensure we are not over-claiming potential annual reach, therefore, we are conservatively estimating that the remaining 38 smaller initiatives have a reach of approximately half that of the larger, higher profile initiatives we interviewed (average of ~4,400 rather than ~8,800). Based on this assumption, we believe a reasonable estimate for the reach of all 64 active initiatives would be approximately 400,000+ per year (230,000 from the 26; ~170,000 from the remaining 38). This represents approximately 3.4% of the population of young people aged 5-19 in the UK.
In the survey we conducted as part of this research, 17% of all 12–18-year-olds surveyed reported having ‘ever’ (i.e. at any time in the past) participated in an informal cybersecurity-related programme. This is broadly consistent with our estimated annual reach of between 2-4% of young people potentially participating in cyber security initiatives per year.
How this looks across different geographical areas is set out below.
Table 1: Number of programmes and their reach per geographical area [footnote 9]
Across the 72 programmes, the ages targeted the most appeared to be 11 and 12, with late primary and early secondary students having the most exposure to some initiatives. This engagement trails off slightly later in their educational journeys and slightly increases again at around age 16. As young people are deciding A Levels and potential careers, initiatives try to re-engage young people at this stage.
However, because this calculation is based on data from the list of 72 programmes, it leaves out ones where we are unsure of their target audience. Additionally, this doesn’t account for reach and impact, therefore this information only indicates which ages most initiatives supposedly cater for, as opposed to the ages and groups that are receiving more teaching.
If we look at the reach of the subset of the 26 programmes we spoke to by age, it appears that the 10-14 age group is also the group that is being targeted the most.
As mentioned above, initiatives that weren’t solely ‘cyber security’ were also included during scoping, as we noticed that some included certain disciplines related to cyber security. Some programmes had intentionally focused their initiatives towards general tech instead of specific cyber security as an entry level for younger people.
We categorised these disciplines as tech/digital, computer science and cyber security. There is a slight overlap in the definitions – and some programmes were targeting more than one of these disciplines, particularly when they had different activities or courses and each had a different focus.
Figure 2: Type of content initiatives were focusing on
From the programmes we scoped, 27 covered tech content, 45 computer science and 30 cyber security.[footnote 12] From the 26 we interviewed, 9 were focused on technology, 13 in computer science and 14 in cyber security.[footnote 13]
Most initiatives were funded by private businesses. However, many initiatives were a hybrid between being supported by businesses and the government or local authorities. Charity-funded programmes also appeared within the landscape, although these were sometimes sponsored by a business. For a few programmes, it was unclear how they were funded or how they were operating.
Figure 3: How initiatives were funded (where known)[footnote 14]
The format and delivery of sessions varied across initiatives, and some were using more than one format. Most organisations ran their sessions in small groups, and face-to-face – with many running a hybrid model since the pandemic. Small groups were usually comprised of around 10-15 participants.
Out of these smaller initiatives, many would have at least one event throughout the year targeted at larger groups of young people.
Figure 4: How initiatives were delivered[footnote 15]
In line with the trend of a face-to-face format, after school clubs were the most popular format for the programmes recorded in scoping. Those who were self-directed were usually providing online resources or immersive labs that young people could complete at their own pace. Only a handful of initiatives were offering apprenticeships or work experience.
The duration of these programmes varied considerably. The most common format was regular/ongoing sessions (i.e. weekly, fortnightly, monthly), and one-off activities – the latter due to the large events most organisations would offer at some point during the year.
On the other hand, a few organisations had options for intensive courses during school breaks or longer holidays.
Approximately 60% of the initiatives are free for end-users. From those who charge money to their users, prices ranged from £11 per hour to £500+ per week for an intensive course. The cost rate was sometimes presented per hour or class, for the duration of the course (a few months, school term).
For most programmes, it was unclear how they were measuring success. Even among those we spoke to in more detail, we didn’t find any formal evaluations of programmes. Some had indicators of success, mainly via attendance to sessions or completion rates. Some asked for verbal feedback from schools that they work with about how students were performing at school or behaviours that had changed since taking part in their activities.
Not many initiatives track young people to see if they go into formal education routes. For most of them, feeding into education pathways is not one of their focuses (see next section). Therefore, it is hard to assess which initiatives are working better than others in motivating young people to follow a career in cyber security.
Some experts and organisations reflected that it would be beneficial to move from a broader ‘tech’ perspective to introducing cyber security later as young people specialise. In other disciplines, such as engineering or medicine, we do not expect young people to specialise early in their educational pathways but instead provide a broader foundation of skills that will enable them to specialise later on.
There’s a desire to get kids to choose cyber security early, but we don’t do that in any other type of subject, like medicine.
When they have the general skills, all you have to do is change the focus.
Experts also felt that ‘cyber security’ is not always a term that means something to young people – they may come up with their own assumptions about what cyber security could mean which may or may not be accurate. There is a risk therefore that young people could be put off cyber security before they have had a chance to understand what is involved.
People don’t understand the jargon and are scared of the industry as a whole, so we need to break that down and teach the basics.
I think ‘hacking’ has this perception that it’s only for people who have committed some kind of crime, as opposed to a career. So they haven’t even realised [ethical hacking] can be a career.
Taking this thinking forward, if we broke the initiatives identified in this study down into the three disciplines, we could expect that at the younger ages programmes would be more heavily driven towards technology, then developing through computer science and then to cyber security as we reach the higher age ranges.
In reality it is much more of a mixed picture. There was little pattern found in the initiatives.
When they talked about what they were trying to achieve, initiatives stated that they had a range of different aims and desired outcomes.
trying to support young people to develop tech or cyber security-related skills earlier on in their lives
inspiring young people to feel enthusiastic about the topic area of tech or cyber security
making young people aware of what it is like to work in tech and cyber security
attracting more diverse audiences to the field of tech and cyber security
Initiatives did not always have a clear language to talk about what they were trying to achieve, but from what initiatives said, there appeared to be four distinct outcomes for end-users of initiatives, as outline in the figure below.
Figure 5: Outcomes initiatives were targeting
The activities that initiatives were carrying out might meet only one or several of these outcomes – but all of these outcomes need to be met at some point in a young person’s journey in order for them to move into a career in cyber security.
These outcomes could be seen in terms of a journey:
Figure 6: Outcomes initiatives were targeting along a journey
We could expect initiatives to initially aim at increasing awareness, building on this to inspire and create affinity. Once all three have been achieved the initiatives would then teach the necessary skills and knowledge. So we might expect to see more awareness-focused activities at young ages and more skills-focused activities at older ages.
Instead, it was a much more mixed picture.
When looking at the subset of 26 initiatives, more initiatives focused on developing knowledge and skills.
Figure 7: Heat map showing outcomes initiatives were targeting across age groups.
The figure above demonstrates the concentration of programmes, across ages and the four outcomes. There is an obvious darker concentration of initiatives targeting knowledge and skills. Most initiatives were targeting ages eight to eighteen, across all outcomes.
Many stated increasing knowledge and skills as their aim. The other outcomes were being covered in some initiatives – and undoubtedly whilst not explicitly identified, some initiatives were probably meeting other outcomes through activities targeted on skills development.
From this point of view, it could be said that although various initiatives with a wide offer for young people exist, they may not be concentrating on the right outcome at the right time – or in the right order.
We spoke with an international initiative with a particularly large user base in Scotland, offering online activities and engaging children between the ages of 10-14 in cyber security. They run activities which can either be self-led or conducted in small group sessions.
Awareness - This initiative talks about different roles and courses students can do, and how much they could earn. Talking about careers and roles in cyber security is part of a criteria for this initiative to receive their funding.
Inspiration - The sessions are often linked back to real world scenarios such as the LinkedIn data breach, or the importance of setting up secure web addresses, highlighting the importance of tech and protecting the digital world. The organisation finds huge benefit in basing the activities around fun and exciting sounding topics, and using eye catching titles to gain children’s attention.
Affinity - The initiative will often have speakers of different backgrounds and genders who work in cyber security industry attending the sessions. This enables the children to have a variety of role models and individuals to look up to and aspire to be. The avatars available during the online sessions are also representative of a variety of backgrounds.
Knowledge & Skills - The sessions teach processes which replicate those which would be used in real-life. The students are able to work through activities related to penetration testing, digital forensics, and ethical hacking in simulator style environments.
Initiatives were addressing each of these outcomes in a variety of ways. In this section we set out some common approaches that programmes were taking.
Because of the lack of evaluation data, it was hard to say which approaches were more effective in leading to better outcomes for young people. The following points reflect trends that were observed and which the initiative designers felt were most effective for young people.
Programmes offered activities or projects that young people could relate with real life situations, and platforms with which they were already familiar – for example, simulating a hacking attempt so that young people could identify what was not working well and how it could be fixed.
Many coding clubs would include pathways about game design and programming that could show children how to programme for the particular actions they wanted to happen with each movement. This was aimed at moving young people from a passive use of technology to a more active one. As an example, an initiative talked about how they wanted to teach young people who liked gaming how the specific actions they could see were designed, which software was being used and how it worked.
Others were trying to solve problems that were occurring in real life, bringing the sessions to life. For example, simulations around stealing data based on incidents that happened in real life.
These types of activities were aimed at not only teaching new skills and processes, but at showing young people how important or useful training in cyber security could be. Many initiatives went further to show them the kind of jobs they could be doing in the future. Some people we spoke to mentioned that only when students had real experiences of what it is like to work in cyber security, did they consider pursuing a career in the sector.
In Digital Technology at GCSE, we learned about the names of the programmes of the malware and the viruses, and we learned about what they are and how they do it, but I never actually had a look, and was never shown what it actually looks like. But I was [when I went along to the initiative]. So it opened my eyes to that.
They need to come up with digital solutions to real world problems.
This strategy was targeting Inspiration, Affinity and Knowledge & Skills.
Some initiatives were addressing outcomes such as inspiration and affinity by taking young people to company sites or universities. Initiatives wanted to make the experience more fun and memorable than being in a school environment.
Some initiatives mentioned this was very important as it was evident that some teachers lacked the digital skills they were trying to foster in young people, and so there was a risk that teachers, lacking confidence, could make the topic sound complicated or uninteresting.
A few programmes emphasised the importance of a change of scenery, not only to make it more engaging, but also as a more effective way of showing children the space they could work in. Particularly for underserved groups, this was an opportunity to bring them closer to this world and to visualise the kind of environment they could work in.
The kids don’t think university or careers are for them. So, we bring them to the space to inspire them… We’ve found that most impactful.
End users, particularly girls, talked about having a great experience while on competitions outside school. Several end users from Northern Ireland we spoke to had participated in competitions. An end user in Wales talked about how the younger girls she had mentored won a competition and how satisfied she was to have pushed the school to apply.
Even though the competitions were sometimes during weekends, one end user we talked to was happy they took part and said they would do it again as it is something different and it was a fun experience.
Actually doing some courses or going to some talks or competitions, you can see how you might take that leap from the theory on computer science to applications of computer science.
I just thought ICT [information communication technology] and technology was just a class you took at school. But I realised it’s a much wider broader term.
This strategy was targeting Inspiration and Affinity.
Many initiatives were raising young people’s awareness of the type of jobs they could do in cyber security, by providing opportunities to interact with people who work in tech. For example, some organisations had guest speakers who were professionals in the field, sharing what a workday looks like for them. Different initiatives talked about how important it is to demystify what type of activities a tech or cyber security role involves, showing that it can be more diverse than what people think.
We talk about the different careers in cyber security and we show them they don’t have to be a coder… They can be from an account manager to a solutions architect, so we bring different people doing these different jobs. We include the creatives too, the gamers, the designers, user experiencers, because they are also trained in tech.
Some initiatives were sponsored by industry partners who were acting as mentors for young people’s projects and would come to the sessions. In some cases, participants would visit the offices these professionals worked in, having exclusive access into real-life work environments.
We partnered with a space agency for our programme and the children made some code that linked to a sensor and detected how much moisture there was in the air.
The projects are set by people working in the industry, and the kids present back to those people at the end.
Several end users agreed that interacting with industry partners influenced developing their interest in tech and cyber security. Also, working with industry partners informed them about opportunities to work in tech they weren’t aware of before.
In GCSE I did digital technology and multimedia, where we learned about cyber security. But nowhere near to the extent that I learned about it in the [programme] workshop…all the people that were teaching us actually work for the company and actually did all this stuff for their jobs, so it gave us a bigger insight.
You see the inner workings of the company because they have to tell you about what happens in the company to actually design the product.
End users talked about how much they liked doing practical learning and doing internships in real companies. For some, this motivated them to pursue a career in the industry.
I think ideally I would do an apprenticeship of some sort. I think that’s the main thing I’m lacking, because even though I do think universities are valuable, I think a lot of the things you learn through university, you can teach yourself. Whereas getting professional experience working for a company, you can’t really do.
An end user from England told us that working with a real company specialised in cyber security had changed their perspective on what it was like from their self-teaching.
I’ve always focused on offensive cyber security and never defensive. Before, I would just want to hack things and not actually understand my motive…now I’m setting up networks or adding people to the networks, or hacking a client, which is probably the most fun that you’re ever going to have.
This strategy was targeting Awareness, Inspiration, and Affinity.
There were a handful of initiatives who instead of teaching specific skills to specific age groups, would take skills such as cryptography and slowly build that into the activities they were doing with the young people.
One programme in particular would start with children in year 3 and 4 by encouraging non-cyber security activities, e.g., sending secret messages using glow in the dark or water pens. As the children grow older in year 5 and 6, the initiative would invite the local rugby team in their sessions. The team would explain to the children how they send secret messages across the pitch to each other during games. The children would be able to experiment and make up their own signals themselves. It is only when the children get to the end of primary school that the club introduces more ‘cyber security’ focused activities, using pig pen diagrams to create games and challenges introducing basic cryptography techniques.
This strategy was targeting Inspiration.
The initiatives we spoke to often had guest speakers aimed at presenting role models and positive examples for the children in the clubs to aspire towards. Particularly those programmes targeted at specific target audiences (i.e. girls, disadvantaged groups) would invite speakers of similar gender, characteristics and background who are already working in the industry, so the young people can relate to them more easily.
One club we spoke to ran girls-only networking events, where students were able to interact and ask questions to the women working in the industry. The events would demonstrate to the girls that the career path is both possible and enjoyable for people like them.
We also spoke to an end user who went to a similar tech talk organised around International Women’s Day. She said that speaking to women in the industry was hugely encouraging and made her much more comfortable picturing herself in the industry, although she still found the idea of entering the industry very daunting due to the biases and barriers women still face.
Female representation in tech is something I’ve become really passionate about since attending the International Women’s Day event in 2021. It is something that is discussed at many of the talks I go to. All of this has helped me become more comfortable with being a minority. We are two girls and six boys in my A Level class and around 20% of the students on the uni courses I have signed up for are girls. It has given me a great support network.” (End user, 18, Wales)
This strategy was targeting Awareness, Inspiration, and Affinity.
Some clubs were capitalising the fact that children are known to enjoy physical play, by introducing technology and cyber security in more hands-on activities.
We use a lot of non- computer-based activities, the kids like tactile things and getting up and moving.
The very youngest group is very much physical, moving around, acting out algorithms, singing, dancing. Bringing nursery rhymes to life so they sing it, draw it and they animate it.
Programmes would try and keep the topic ‘light’, especially in younger age groups, allowing children to explore their passions and interest in the subject, building their confidence in a safe and fun environment.
Tech is about problem solving, learning from your mistakes, and making progress through failure. We need to get more people ‘doing’ and not overthinking it.
This strategy was targeting Inspiration.
Programmes were using a wide variety of channels to reach out to teachers, parents, and children. This included:
Social media. Initiatives were using platforms such as Instagram and TikTok to reach out to young people. Some were trying to use features of the platforms that are popular with younger people. For example, one initiative was using Instagram Live.
Promoting through schools / teachers. A large number felt that reaching out through schools and teachers was effective and enabled them to reach a large audience.
Networks / links with other community groups. A minority were using connections they had in the community to engage young people. One club was accessing what they felt were underserved groups through their links with the local authority and other leaders in the area.
Events / school fairs. Some were setting up stalls at events and fairs.
Experts interviewed as part of the research expressed concern that cyber security can come across as very technical. Often there is complicated jargon associated with cyber security which can put people off, especially if they don’t already have an interest in the topic. This was supported by an experience from an end user in Wales, who signed up to receive emails and newsletters from several tech programmes, but appreciated that the language would not be accessible to those who aren’t already interested in and knowledgeable about tech.
From the perspective of a Year 8 student, you’ve never seen any of those words before…why would I want to look at digital forensics – it doesn’t mean anything to me.
There was also an indication that cyber security jobs which require very technical skills are actually quite a small proportion of the cyber security sector. For example, roles can be based around sales, governance, human factors and innovation. However, there’s little awareness about these types of jobs.
There is a risk that an overfocus on technical roles (e.g. coding) can put many young people off, resulting in the sector not having the skills balance it needs.
From the survey data it appeared that young people did not think that cyber security came across as technical. This indicates that initiatives were taking this into account when promoting their programmes.
Naturally, the way programmes were marketed depended on the audience they were trying to attract. Those aiming to develop the skills of young people who are already interested in cyber security were more often using more technical language that might already be familiar to their audience. Those which were trying to inspire new young people to get involved with cyber security were more likely to make their initiatives sound fun and avoid technical concepts.
Some examples of how initiatives framed their programmes are set out below.
Focusing on ‘fun’ – using games and interactive activities
Many initiatives were using activities or displays that emphasised the fun nature of the activities young people could expect to do if they were to join the programme. Showing the type of activities they would do instead of the content they would cover seemed to make it easier for initiatives to explain this too.
We sometimes have a stall with circuit boards and Minecraft on it. These function as cues to attract people. There is a slight element of dumbing it down to attract young people.
We are actually doing activities rather than just being on the stall [at school fairs] – whether it’s a quiz, or showing a simulated example of a hacking attempt…
Linking in with other topics young people may be interested in
Some initiatives were trying to tap into topics that young people are interested in in their wider life – for example, gaming, design or sustainability. These topics were sometimes decided based on the partners that were funding the programmes. This was a technique to make it easier for young people to see the programme as relatable and useful to them.
Our interventions are reactive to the partner who is funding them…we’ve done ones around sustainability, or fashion for example.
Similarly, some introductory talks were emphasising how technology and cyber security would be included in any type of industry.
One of the things we try is to show them there isn’t a single industry that doesn’t have technology in it these days. So if they think about anything they’re interested in, from sport to health, everybody’s looking for a cyber analyst for example.
An end user had been to a talk by a tech professional working for a publishing company and it opened her eyes how the digital skills were transferred to different sectors. This end user felt the speaker was able to combine her own love of books and tech in a way that other more tech-specific initiatives had not done previously. This experience encouraged her to think of the opportunities available in tech outside of the ‘usual’ bigger tech giants.
So that opens up a lot more opportunities that you might not think about. Because if you think about tech, you think about Google and Amazon, your typical big companies, but there are so many opportunities out there.
In line with using familiar topics, some initiatives were using well-known names and brands to attract young people’s attention. They found that including the sponsors or partnerships with brands young people would recognise and admire, proved a useful strategy to attract young people.
We’ve got so many good brands involved… You’ve got to find names to engage them.
Not mentioning ‘cyber security’ or related technical terms
Some initiatives that were more cyber security-focused than others chose to avoid using the term ‘cyber security’. Instead, they emphasised making activities sound fun. Some chose to use phrases such as ‘creative digital projects’ or framing programmes around the outcome users would be trying to achieve, e.g. ‘how to steal a pizza’.
One of our sessions is based on the LinkedIn data breach. But if we’d called it something like ‘Using Python to explore passwords from a LinkedIn data breach’…nobody would sign up for that.
Programmes were sharing testimonials to attract young people, especially targeting those who might be doubting whether or not they were the ‘right’ person to get involved in the programme. Some initiatives were combining emphasising the enjoyable nature of the activities and showing the skills they would learn. On occasions, these testimonials were more of an effort to appeal to teachers or parents to sign up.
A few initiatives were using social media platforms to share videos or quotes of students’ feedback, sharing what they thought and liked about the programmes.
We post a lot about what is the course about and we try to be really transparent about what they’re going to learn on the course. Sometimes we ask students to create a video clip that we can share on social media.
Including diverse people in marketing materials
Most initiatives wanted to attract a diverse range of end users, and were aware of the poor representation of some groups in tech and cyber security. Some were trying to counter this by using photographs or imagery of a wide range of end users, or even including avatars or characters in their materials. Initiatives were also promoting a range of speakers at events to make it more relatable to young people from different backgrounds.
You can pick an avatar that represents you, and we try and use diverse characters in our stories.
Emphasising links to the curriculum
In some nations, initiatives were trying to advertise the links that their programmes had to the school curriculum. This was mainly in an effort to appeal to teachers and parents and to make it feel worthwhile investing time and, potentially, money in.
In Wales, digital literacy is now the same level as numeracy and literacy [as they are mandatory cross-curricular skills]. So the clubs link into the curriculum.
We try and hit certain key words or touch points with the education system, just so that it has some extra relevance for the teachers, but also the young people have something to kind of link in to what they’re doing in the classroom.
Not many initiatives had collaborative relationships with other initiatives. There was little evidence of networking, signposting or learnings being shared between different initiatives.
This disconnection was evident particularly after large events or competitions, where a large number of young people take part and the positive experience generates great interest. However, we heard from both initiatives and end users that there wasn’t always clear signposting of where they could go next. Despite some end users being interested in taking part in further programmes to continue developing the skills they have learned in the competitions, they did not know if there were initiatives available in their area, or where to find out more about them.
In Scotland and Wales, programmes were most likely to signpost young people on to doing formal qualifications at their schools. Some initiatives have links to apprenticeship programmes or jobs that young people can apply for. Some initiatives were signposting onto programmes like CyberFirst.
Those initiatives who were working with the older cohort of young people were better linked with businesses. For example, partnerships between businesses and initiatives meant they were working together in the design of their programmes to ensure young people were trained in the skills that businesses were finding harder to find. Five initiatives were linked with companies to secure opportunities for apprenticeships and work experiences to their students.
Some initiatives talked about needing a concise strategy in their area, wanting to learn from other initiatives, or knowing where else they could refer their students to when they had finished their current programme.
During phase 1 of the project a survey was conducted with young people and their parents. This survey aimed to:
Understand broad awareness of ‘cyber security’ and related concepts (e.g. computing) as an area of work or learning.
Explore perceptions of cyber security and related concepts/areas as a potential career option.
Understand people’s engagement with informal cyber security initiatives.
Capture awareness and perceptions relative to other career paths/options.
The online survey was conducted with 862 parents and 862 young people aged between 12 and 18 in February 2022 (n=1,724 people surveyed in total).
Respondents were recruited into the survey via a commercial survey panel consisting of people who complete market and social research surveys in return for an incentive. Children were reached through each parent respondent, who gave permission (where required) for their child to complete the second half of the survey.
Sample for the survey was divided into two child age groups:
N=431 12–14-year-olds (plus parent/guardian): to learn about a ‘pre-GCSE’ cohort who have opportunities to study subjects related to cyber security such as computer science.
N=431 15–18-year-olds (plus parent/guardian): to learn about a ‘pre-university’ cohort who are slightly closer to university and starting to think about the world of work.
Having explored the landscape of cyber security and related programmes, the survey presents an opportunity to add useful context from the perspective of children and parents and provide a sense of scale.
It is important to note the survey sample is not perfectly representative of all children in the UK but provides a useful sense of awareness and participation that is indicative of the wider population. The sample included an even split of boys and girls, and a spread across regions, socioeconomic groups, and ethnicity groups.[footnote 17]
While the questionnaire was developed with the intention of being as objective and clear as possible, it is important to note that there will be some level of subjectivity in how people respond to questions. For instance, what is meant by ‘I know a little about cyber security’ will differ from person to person. Therefore, we are predominantly interested in the relative differences between answers and certain groups in our sample, or whether reported awareness and participation is consistent across factors such as age and gender. Furthermore, it is important to note that in some questions, respondents were permitted to select more than one option. Therefore, the percentages for certain sections may add up to more than 100%.
Respondents were asked about key subjects they study at school that relate to cyber security. There were some differences between the older and younger cohort as some subjects are compulsory for younger students.
33% of our sample of young people said that they study ICT. Small gender differences appear here, with 36% of males studying the subject compared to 30% of females. Unsurprisingly the younger cohort were more likely to be studying this than the older cohort (46% compared to 19%), given that the subject may stop being compulsory at older ages.
36% of young people in our sample reported studying Computer Science, but there is a notable gender divide: 42% of boys reported studying the subject, compared to 31% of girls.
Of those studying Computer Science (36% of the total sample), 51% said that they ‘find the subject interesting’ while 39% said they thought it would help with finding a job in the future. 36% of Computer Science students also said they study it because it is compulsory at their school.
Figure 8: Graphic illustrating young people’s reasons for studying computer science
BASE: All young people study computer science, n = 311
Of those studying ICT (284 respondents), 49% said they study it because it is compulsory at their school. 42% said that they ‘find the subject interesting’ while 31% said they thought it would help with finding a job in the future.
Figure 9: Graphic illustrating young people’s reasons for studying ICT[footnote 18]
BASE: All young people study ICT, n = 284
Physics was studied by 47% of the sample of young people. A larger proportion of the younger cohort were studying physics (59%) compared to older cohort (37%)
Participants were asked about their awareness of cyber security, whether they had learnt about it and whether they had taken part in any informal initiatives.
When asked about familiarity with concepts related to technology and computing (including ‘cyber security’, ‘hacking’, ‘software development’, ‘computer viruses’), 95% of young people said they ‘knew a little’ or ‘knew a lot’ about at least one of these concepts.
80% reported that they ‘knew a little’ or ‘knew a lot’ specifically about cyber security.
65% of young people in our sample said that they had learnt about cyber security before. Looking into the differences between the age groups, the older cohort were slightly more likely to tell us they had learnt about cyber security before – 68% among 15–18-year-olds vs. 61% among 12-14 year olds.
Among those who had learnt about cyber security before, 89% (57% of total sample) said they had learnt about it in school lessons while 30% (19% of total sample) had learnt about it on the internet.
Only 6% of those who had learnt about cyber security before (4% of the total sample) said they had learnt about cyber security in an after-school club while only 2% of these children (1% of the total sample) said they had learnt about it in a holiday camp.
Those in the older cohort (15-18 years) were slightly more likely to report having learnt about cyber security on the internet. 33% among the 15–18-year-olds who had learnt about cyber security before, had learnt about it online, compared to 26% of the same group from the younger cohort (12-14 year olds).
Figure 10: Graphic illustrating where did young people learn about cyber security
BASE: All young people who have learnt about cybersecurity before, n=557
Participants were presented with some tech and cyber security-related initiatives, which included CyberFirst, Cyber Discovery, Raspberry Pi and FunTech.
41% of young people told us they had heard of one or more of these informal programmes. 14% said they had heard specifically of CyberFirst and 9% of Cyber Discovery.
Among those children who reported being aware of cyber-security related initiatives, most reported learning about them through their school. The second most commonly cited channel was through their friends, while social media was the third.
Figure 11: Graphic showing awareness of informal programmes
BASE: All young people, n = 862
Figure 12: Graphic showing where respondents have heard about programmes
BASE: All young people who had heard of informal interventions, n = 352
17% of the young people in our sample (150 respondents) had ever participated in one or more informal programmes. Raspberry Pi and CyberFirst were the programmes most commonly cited (by 7% and 6% of the total sample of young people respectively).
It appears that across each of the initiatives, there is roughly a 1 in 3 conversion rate from children having heard about it to children participating. These conclusions are based on small numbers of respondents who report participating in an informal programme. We cannot conclude with certainty whether one initiatives participants differ from another’s.
If we exclude participation in CyberFirst and Cyber Discovery as they are beyond the scope of this work, the proportion of our sample of young people who have ever participated in an informal programme reduces to 14%
A very small cohort (6% of the total sample) had taken part in more than one programme. While 3% of the young people in the sample had taken part in 2 initiatives, 3% had taken part in 3 or more programmes.
There appears to be a correlation between taking part in informal initiatives and studying related subjects. Over 64% of young people who had taken part in informal programmes reported studying Computer Science and/or ICT. In contrast, 47% of those who hadn’t taken part in an informal programme reported studying these subjects.
17% of young people surveyed said they had taken part in selected programmes. The reach of the initiatives identified during scoping activities suggests that 2% of young people are reached – which is obviously much lower.
There are some important notes here:
The survey asked about participation in initiatives ever, whilst our reach estimation is a per year estimation.
Our estimated reach calculation doesn’t include CyberFirst or Cyber Discovery. If we exclude participation in CyberFirst or Cyber Discovery from our survey data calculations, 14% of our sample had taken part in informal programmes.
But similarly, the list of initiatives in the survey doesn’t include some that are included in the scoping (although there was space for respondents to enter additional programmes that they had participated in).
As we mentioned, our reach estimation is very much a best guess and likely an underestimate. The survey data suggests that the estimation is indeed likely to be an underestimate.
83% of the parents in our sample said they ‘knew a little’ or ‘knew a lot’ about cyber security, compared to 80% of young people. But when asked about informal programmes, only 37% of parents had heard of one or more informal programmes, compared to 41% of young people – showing that young people are slightly more likely to hear about these programmes than their parents.[footnote 19]
Most parents had come across informal programmes on social media. School was the second most popular channel.
14% of the sample of young people had heard of CyberFirst. 6% had participated in it.
9% of the sample of young people had heard of Cyber Discovery. 3% had participated in it.
Among those who had heard about CyberFirst and Cyber Discovery, over half reported that they had heard of it from their school. Many had also heard of the programmes through friends and social media.
Note: Cyber Discovery was also branded CyberFirst, so respondents may have conflated participation in one programme with participation in the other
Those who had taken part in informal programmes (n=150) reported having a positive experience, as the graph below shows.
Figure 13: Graph showing young people’s perception of the programmes they took part
BASE: All young people who had taken part in an informal intervention, n= 150
Respondents were asked to report how pleased they would be if their child pursued a career in a variety of areas. Parents ranked cyber security (as a career field) quite favourably, with 81% saying they would be pleased if their child pursued it (assigning it 6-10 points on a 10-point scale). It is important to note that parents’ view of most skilled professions was favourable, with 82% viewing professional services (e.g. law, finance etc.) favourably, and 68% viewing healthcare favourably. In contrast, retail (36% pleased) and hospitality (45% pleased) fared the worst.
Generally, fewer young people reported all career fields as being less appealing when compared to parents. 61% of young people said they found a career in cyber security appealing (assigning it 6-10 points on a 10-point scale) – 20 percentage points lower than parents. Much like parents, young people also looked upon retail and hospitality as the least appealing career fields.
Respondents were given a set of opposing statements related to working in cyber security. These statements were placed on either end of a spectrum from 0 to 10 and people were asked to pick a number indicating which statement they leaned towards.
Among young people, cyber security was felt to be an interesting and valuable field to work in with 67% of young people leaning towards saying that cyber security was ‘interesting’ and 81% thinking that it ‘makes a positive difference to people’s lives.’
Table 2: Young people’s perceptions of working in cyber security[footnote 20]
However, 1 in 4 young people thought that there are few jobs available in the field.
It was a similar story for parents. They leaned towards saying that cyber security is ‘interesting’ (73% agree), ‘makes a positive difference to people’s lives’ (85% agree) and pays well (85%). Similarly to young people, approximately a quarter of the parents also thought that it is difficult to find a job in cyber security.
Table 3: Parents’ perceptions of working in cyber security
This project was the first attempt to map the landscape of informal cyber security programmes aimed at ages 5-19. Whilst there are undoubtedly gaps in the data set out in this report, some tentative conclusions can be made.
There are a fair number of initiatives aimed around tech, computer science and cyber security in the UK. It is currently unclear how many are still active. The Covid-19 pandemic had an impact on the operation of some initiatives – causing some to stop or to move from face-to-face to online.
Most initiatives were targeting ages 10-14, given this is the age group where decisions are being made around subjects to study further.
A very approximate estimation of reach is 230,000. The survey data suggests that this estimation is likely to be an underestimate.
In terms of format, most were running sessions face-to-face in small groups and were free for end users.
It was unclear how initiatives were measuring success. Some had some KPIs and data that they were recording but it was difficult to assess effectiveness of many of the programmes.
In terms of promotion and activities, there was an awareness that being overly technical could risk putting potential end users off. Many were using games or interactive activities, linking to other interests that young people had, and sometimes not even mentioning cyber security until later on in the programme. Connections with schools and social media appeared to be the most used promotional channel.
Some expressed interest in building better links with other programmes in their area. Some talked about needing a concise strategy in their area, wanting to learn from other initiatives, or knowing where else they could refer their students to when they had finished their current programme.
Initiatives did not always have a clear language to talk about what they were trying to achieve, but from what initiatives said, there appeared to be four distinct outcomes for end-users of initiatives, which were consolidated into a framework:
Figure 14: Outcomes targeted by initiatives
The activities that initiatives were carrying out might meet only one or several of these outcomes – but all of these outcomes need to be met at some point in a young person’s journey in order for them to move into a career in cyber security. These outcomes could be seen in terms of a journey.
This framework may prove useful in prompting initiatives to further define their objectives or for future analysis of initiatives.
Some experts and organisations reflected there is a risk involved in focusing in on cyber security too early. They felt that it would be beneficial to move from a broader ‘tech’ perspective to introducing cyber security later as young people specialise, as is the case in other disciplines such as medicine. They also felt that young people could be put off cyber security before they have had a chance to understand what is involved – which may prevent them from engaging with it at a later time.
The focus of initiatives we looked at did not reflect this idea. There was not a pattern of initiatives focused on younger age groups being more tech-focused and those focused on older age groups being more cyber security-focused.
When looking at the subset of 26 initiatives, although awareness, inspiration and affinity were covered, more initiatives explicitly focused on developing knowledge and skills.
From this point of view, it could be said that although various programmes with a wide offer for young people exist, they may not be concentrating on the right topic or outcome at the right time – or in the right order.
Please note: the table below lists all the initiatives identified through desk research, undertaken between October 2021 and March 2022. It is not a live list, and therefore, some initiatives may not have been identified.
Belfast, South Wales, Edinburgh, London, Cornwall (focusing on Plymouth), West Midlands, Yorkshire (focusing on Bradford), and programmes that had nationwide reach.↩
Reach calculations were carried out considering the size of the groups or courses the organisations were running, their duration and number of times they run per year. This estimation assumes attendees are unique people, assumes the group sizes are consistent and run in the frequency that they told us.↩
Based on a population of 11,876,207 (ONS 2020 data).↩
Some covered more than one discipline.↩
27 interviews were carried out but one was discounted due to being a government-funded initiative.↩
Where there were multiple programmes run by one overarching organisation, we have only counted the organisation once. For example, there are multiple Code Clubs under the Code Club brand, but we have only counted this once.↩
The average number of young people these initiatives reached was approximately 11,000 while the median was significantly lower at approximately 280 young people. The reach of the initiatives varied a lot, with one reaching 15 per year, and another over 80,000 per year.↩
Based on a population of 11,876,207 young people (ONS 2020 projections)↩
The asterisks in this reach table denote those programmes or reach calculations where reach data was incomplete or unknown, and thus the consequent reach data calculations are based on the programmes that are not asterisked in that area↩
This is using the population of young people in Plymouth, as Bluescreen IT is only active in Plymouth, and we do not have the reach data for TECGirls.↩
For simplicity, we have used the term nationwide to mean any programme that operates in multiple regions. across the UK, or globally.↩
Some covered more than one discipline↩
Some covered more than one discipline↩
For some initiatives, it was unclear how they were funded. These figures therefore do not add up to the total number of scoped initiatives.↩
For lots of initiatives, there were multiple options for types of classes and direction they offered, and the numbers here represent totals for all types of direction available. These numbers therefore far exceed the number of scoped initiatives, due to the multiplicity of direction available.↩
This data is calculated from the initiatives we were able to evaluate in terms of payment. Some initiatives were not clear about whether they were free or paid, and a couple had free online resources that you could upgrade to a paid premium package to access more exclusive content.↩
A full sample breakdown can be found in appendix 1.↩
It is possible that some respondents understood Computer Science and ICT to be the same things.↩
It is hard to determine what level of knowledge respondents may associate with the option ‘know a little.’ From experience, it can be as little as having heard the term a few times.↩
High numbers of children and parents reported that they did not think that technical computing skills were needed to start working in cyber security. However, several experts highlighted that one barrier to entry for many people was a perception that cyber security did require a level of technical knowledge. It is possible that the framing of the question in the survey – explicitly highlighting “entry level” roles – had an impact on how people responded, setting an expectation that there are not significant pre-conditions to entry.↩
Don’t include personal or financial information like your National Insurance number or credit card details.
To help us improve GOV.UK, we’d like to know more about your visit today. We’ll send you a link to a feedback form. It will take only 2 minutes to fill in. Don’t worry we won’t send you spam or share your email address with anyone.