P18. Inform and educate users about potential risks

The company should publish information to help users defend themselves against cyber risks.

Elements

  1. Does the company publish practical materials that educate users on how to protect themselves from cyber risks relevant to their products or services?

Research guidance

Companies hold significant amounts of user information, making them targets for malicious actors. We expect companies to help users protect themselves against such risks. This can include materials on how to set up advanced account authentication; adjust privacy settings; avoid malware, phishing, and social engineering attacks; avoid third-party tracking; avoid or address bullying or harassment online; and understand what “safe browsing” means. Companies should present this guidance to the public in clear language, ideally paired with images, designed to help users understand the nature of the risks that companies and users can face. The guidance can include tips, tutorials, how-to guides, or other resources and should be presented in a way that users can easily understand (for instance, with visuals, graphics, bullet points, and lists).

Potential sources:

  • Company security center
  • Company help pages or community support page
  • Company blog