Survey shows: Cybersecurity is a shared responsibility

How well is ETH Zurich equipped to deal with cyber risks ¨C and how aware are employees of these risks? The aim of last year's survey of ETH employees (see Internal news from 19 August 2025) was to gain an overview of behaviour with regard to cyber security, existing knowledge on this topic and possible measures. Knowledge and behaviour in the following five areas were examined: 

• ¡®Authorisation, control and handling of access rights¡¯, e.g. password management 
• ¡®Communication and exchange of data¡¯, e.g. checking links in emails 
• ¡®Use of software, Computers and Networks¡¯, e.g. meeting security requirements when working from home 
• ¡®Dealing with incidents and reporting them¡¯, e.g. reporting suspicious emails 
• ¡®Prevention and protection of IT infrastructure¡¯, e.g. software updates 

The survey was rounded off with organisational questions, such as support from the service desk, awareness of the responsible Information Security Officer and ETH Zurich's classification system for information. 

Good overall scores ¨C strong sense of responsibility 

The survey results paint a very positive picture: across all five survey areas, ETH employees achieved an average score of 3.86 on a five-point scale. A score of 1 corresponded to low security, while a score of 5 corresponded to high security.  

With high average scores of 4.53 and 4.57, survey participants agreed that the university's cybersecurity is ¡®also my responsibility¡¯ and the ¡®collective responsibility of all employees¡¯. ¡®This is a pleasing result for us,¡¯ says Johannes Hadodo, Chief Information Security Officer (CISO) at ETH. ¡®This collective understanding of cyber security shows us that employees are aware of the relevance of the issue and are motivated to work towards a secure university.¡¯ 

Uncertainty regarding internal structures 

There is room for improvement when it comes to university-specific questions: with average scores between 2.8 and 3, the responses regarding awareness of the responsible Information Security Officer or internal ETH guidelines fell in the middle of the scale. This suggests that many employees may be uncertain about ETH's central security guidelines and structures. To increase awareness of this important information, the Cyber Security and Information Security Section (CISEC) is working to make it easily understandable and accessible in a central location. 

Furthermore, the survey results show potential in areas such as password managers, for example. Here, the average score is 3.19 on a five-point scale. 

Results also interesting for research 

The survey also provides valuable insights from a research perspective: ¡®The results help us to better understand the relationships between organisational factors and human cybersecurity behaviour,¡¯ says Verena Zimmermann, assistant professor of Security, Privacy & Society at ETH. ¡®In the long term, the aim is to better align security measures, everyday work and human behaviour ¨C and to make it easier to act securely in everyday life.¡¯ 

What happens next 

A detailed analysis of the responses revealed exciting insights that the Cyber Security and Information Security (CISEC) section will use in the coming months to design a new cybersecurity awareness campaign. Among other things, this will include specific recommendations and support services, for example on the topic of password managers.