P18. Inform and educate users about potential risks

The company should publish information to help users defend themselves against cyber risks.

Elements
  1. Does the company publish practical materials that educate users on how to protect themselves from cyber risks relevant to their products or services?

Research guidance

Because companies hold such vast amounts of data about users, they are often targets of malicious actors. We expect companies to help users protect themselves against such risks. This can include publishing materials on how to set up advanced account authentication and adjust privacy settings; tips for avoiding malware, phishing, and social engineering attacks; guidance on how to avoid or address bullying or harassment online; and explanations of what “safe browsing” means. Companies should present this guidance using clear language, ideally paired with visual images, designed to help users understand the nature of the risks companies and users can face. These materials can include tips, tutorials, how-to guides, or other resources and should be presented in a way that users can easily understand (for instance with visuals, graphics, bullet points, and lists).

Potential sources:

  • Company security center
  • Company help pages or community support page
  • Company blog