Article

Deciding on Cybersecurity Awareness Initiatives: Insights from the Public Sector

School of Engineering, Jönköping University, 553 18 Jönköping, Sweden
*
Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2026, 6(2), 66; https://doi.org/10.3390/jcp6020066
Submission received: 4 February 2026 / Revised: 28 March 2026 / Accepted: 3 April 2026 / Published: 6 April 2026
(This article belongs to the Special Issue Cyber Security and Digital Forensics—3rd Edition)

Abstract

Raising cybersecurity awareness (CSA) of employees is crucial for all modern organisations. To meet the organisational need for CSA, activities aimed at increasing CSA have been the focus of both industry and research in the past. There are, subsequently, a plethora of CSA activities for organisations to choose from. Nevertheless, research consistently reports that organisations struggle to raise CSA to an appropriate level, and a core issue lies in their ability to select CSA activities and effectively adopt them. This paper used semi-structured interviews with practitioners working on CSA adoption in public-sector organisations to identify what practitioners perceive as success factors. The interviews were analysed through a socio-technical lens and resulted in a taxonomy that groups success factors for CSA adoption in the three socio-technical dimensions: organisational, user-centric, and technical. The taxonomy outlines ten success factors and demonstrates how the participants see the success of CSA activities as dependent not only on technical factors but also, and perhaps even more importantly, on user adaptability and organisational readiness. The results were validated in a workshop with CSA experts across Europe, who highlighted the practical usefulness of the taxonomy as both a map of potential challenges and a teaching tool for educating new CSA practitioners.

1. Introduction

In cybersecurity, the public sector plays a crucial role in protecting essential public services from constantly evolving threats. As governments around the world increasingly digitalise their operations, the risk of cyberattacks targeting the public sector grows [1]. These attacks can disrupt critical services such as healthcare, transportation, energy, and water supply, exposing vulnerabilities in local cybersecurity practices and potentially causing significant harm to society. Despite the importance of cybersecurity in the public sector, previous research suggests both that the domain is understudied and that public-sector organisations struggle to maintain a sufficient level of cybersecurity [2,3].
Cybersecurity is a socio-technical property that relies on the interplay between technology, its users, and the organisation that uses it [4]. Public-sector organisations, therefore, need to balance technical and social cybersecurity measures to achieve an adequate level of cybersecurity [5]. As showcased in [6], the social measures are understudied. Given that a majority of all cyberattacks involve exploiting user behaviour by, for instance, using password attacks or social engineering, more research into the social side of cybersecurity is much needed [7,8]. Even with the availability of technical countermeasures, the social layer of cybersecurity remains important. This is, for instance, showcased by [9], who implemented AI to detect cyberattacks. Even though 99% of evaluated cyberattacks were mitigated, some attacks remained undetected, underscoring the importance of social countermeasures.
The first line of defense for cyberattacks targeting users is cybersecurity awareness (CSA) [10]. CSA plays an important role in reducing the success of cybersecurity attacks by equipping employees with the knowledge and skills to identify, mitigate, and respond to them effectively [8]. Previous research has explored how to develop activities to raise organisational CSA [11]. Khan et al. [12] identified four key components to achieve effective CSA activities: knowledge, attitude, social norms, and intention. The basis of this model is the combination of the knowledge–attitude–behaviour (KAB) model and the theory of planned behaviour (TPB) [12]. In essence, KAB proposes that behaviour changes over time and increased knowledge leads to changes in attitudes, which in turn lead to a changed behaviour [13]. Similarly, TPB describes that behaviour is formed from a person’s attitudes, norms, and perceived self-efficacy [14].
Several different CSA activities are described in the existing literature. These include providing lectures, text-based warnings, video instructions sent out via email at regular intervals, instructive games, and training automatically provided to users in risky situations [15,16,17,18,19]. Recent research has further emphasised the importance of informal, context-aware, and embedded learning strategies for cybersecurity awareness, arguing that effective awareness is often developed through everyday work practices rather than solely through formal training programs [20]. The general problem, however, is that many CSA activities fail to support users in adopting secure behaviour to a sufficient degree [21,22]. Suggested reasons include that it is hard to engage users in on-demand training, that acquired knowledge is not retained for long enough, and that knowledge does not necessarily translate into correct behaviour [23,24]. Consequently, the challenge is to choose the activity or set of activities most suitable to the organisation and its users [25].
Previous research has identified a lack of understanding of how the public sector adopts CSA activities [26]. To address this gap, this research seeks to increase understanding of how practitioners in the public sector choose between CSA activities and what they perceive as important for successfully adopting them. Successful adoption, in this research, means procurement and deployment of CSA activities in a way that enables those activities to improve the cybersecurity behaviour of the organisation’s members. Consequently, the goal of this research is to support CSA adoption in public-sector organisations by developing a taxonomy of factors that contribute to successful adoption.
This study adopts an exploratory qualitative approach and, rather than aiming for statistical generalisation or the identification of entirely novel adoption factors, seeks to provide empirically grounded insight into how established CSA-related factors are interpreted and operationalised by practitioners in a public-sector context. The research involved interviews with twelve professionals working on CSA adoption across different Swedish public-sector organisations. The result is a taxonomy of factors that contribute to the successful adoption of CSA activities. The taxonomy was also validated in a workshop with eight practitioners from European companies and public-sector organisations.
The contribution of this work lies in developing a socio-technical taxonomy that structures these factors across individual, technical, and organisational dimensions, grounded in practitioners’ lived experience. The taxonomy should therefore be understood as a practice-informed framework intended to support reflection and decision-making, rather than as an exhaustive or universally validated model of CSA adoption. In doing so, the paper responds to calls for more empirical research on the social and organisational dimensions of cybersecurity in the public sector, complementing existing work on usable security, security awareness training methods, and informal learning by providing a contextualised, practitioner-oriented perspective on CSA adoption.

2. Materials and Methods

To address the goal of developing a taxonomy of factors that contribute to successful adoption of CSA activities in public-sector organisations, this research was conducted using semi-structured interviews with participants working with CSA adoption in public-sector organisations. The interviews were transcribed and analysed with thematic coding. The analysis resulted in a taxonomy that was validated in a workshop with practitioners from European public-sector organisations and companies. Figure 1 shows an overview of the research process, and the remainder of this section provides details on data collection, analysis, and validation.

2.1. Data Collection

This research aims to provide an understanding of the success factors for adopting CSA activities in public-sector organisations. Semi-structured interviews were selected to collect insights, experiences, and motivations from practitioners, as suggested in [27]. The target group for the interviews was individuals working with CSA adoption in public-sector organisations. We used a purposive sampling approach combined with snowball sampling [28,29]. In practice, participants were recruited through the researcher’s professional networks. We then asked participants if they knew more people from the public sector who could be relevant to interview. This focus reflects the fact that individuals responsible for deciding on or coordinating CSA activities in public-sector organisations constitute a small, specialised group whose roles are often embedded within broader IT, security, or managerial responsibilities, making them inherently difficult to identify and access at scale. Twelve respondents were interviewed, and an overview of the respondents is provided in Table 1. To ensure the participants’ anonymity, their experience is described as follows:
  • Junior—less than 2 years of experience
  • Associate—between 2 and 5 years of experience
  • Mid-level—between 5 and 10 years of experience
  • Senior—more than 10 years of experience
Table 1. Participant overview.

| Respondent | Role | Experience |
|---|---|---|
| R1 | IT manager | Senior |
| R2 | CIO and IT manager | Mid-level |
| R3 | CIO and IT manager | Associate |
| R4 | IT manager | Senior |
| R5 | IT strategist | Associate |
| R6 | IT manager | Senior |
| R7 | Information security coordinator | Mid-level |
| R8 | Information security manager | Senior |
| R9 | Team leader for information security team | Associate |
| R10 | Unit manager at the IT department | Mid-level |
| R11 | Cybersecurity specialist and coordinator | Junior |
| R12 | Operations manager | Associate |

Upon agreeing to participate in the research, participants were asked to sign an informed consent form that detailed the purpose of the research and the conditions of their participation. All interviews were conducted in Swedish and recorded. The interviews were then transcribed in Swedish. No data that could identify the participants were collected during this research.
The interviews followed an interview guide developed to capture respondents’ experiences with the successful implementation of CSA activities. The research team first developed the interview guide and then refined it by holding trial interviews. The interview guide was constructed to begin with broader questions about their current practices and decisions regarding CSA activities, then gradually moved to more specific questions about their adoption. This was conducted to avoid imposing any potential bias from the researchers. The interview guide, available in full in Appendix A, contained the following interview themes:
  • Introduction—Explanation of the study purpose and procedure;
  • Background—Questions about the participants’ professional background;
  • General CSA—Questions about how the participant is currently working with CSA;
  • Implementation of CSA—Questions about how the participants work with the implementation of CSA activities;
  • Selection of CSA—Questions about how the participants decide on what CSA activities to implement.

2.2. Data Analysis

The collected data were in Swedish and analysed using a three-step thematic analysis approach [30]. In the first analysis step, passages relevant to the research aim were marked and extracted. In the second analysis step, the meaning of the extracted passages was interpreted, and similar passages were grouped into themes. Steps one and two were carried out individually by three researchers, who then compared their results. The research team lastly reviewed the results. Once the paper was written, the terms and quotes were translated into English.
In the third step, the resulting themes were iteratively organised into a taxonomy using a socio-technical perspective [31]. This perspective conceptualises cybersecurity as emerging from the interaction among individuals, technologies, and organisational structures, and can be explained as follows.
  • Individual factors that consider CSA from the viewpoint of the end users.
  • Technical factors that refer to the technical conditions of deploying and using CSA within the existing technical ecosystem.
  • Organisational factors that refer to the organisational readiness and conditions for using CSA.
Themes were therefore clustered into individual, technical, and organisational dimensions based on (1) the context in which they operate and (2) their role in enabling or constraining CSA adoption in practice. The categorisation was developed through consensus in a dedicated analysis workshop involving the whole research team in an iterative process. Categories and sub-categories were included when they were clearly grounded in the empirical material and contributed meaningfully to understanding CSA adoption decisions.

2.3. Formative Validation with Practitioners

Finally, the taxonomy was validated in a workshop setting involving a network of European CSA experts from public and private-sector organisations. All members of the network are engaged in conducting CSA activities within their respective sectors. The network comprises 18 participants from Sweden, Finland, Germany, Ireland, England, Croatia, Romania, Belgium, The Netherlands, Spain, Italy, Greece, and Portugal. Eight members participated in the workshop, while the remaining members were invited to provide feedback via email. The validation workshop was conducted using Microsoft Teams, which is the network’s standard meeting platform. The session began with a presentation of the taxonomy, followed by a group discussion guided by the following three questions:
  • What is your impression of the taxonomy?
  • What would you like to change?
  • How can the taxonomy be useful?
Participants who provided feedback via email received a written description of the taxonomy along with the same three questions. In accordance with the network’s rules of engagement, the workshop session was not recorded, and no background information about the participants was collected. Instead, the researcher who attended the workshop took contemporaneous notes and subsequently produced a written summary of the discussion.
The purpose of this formative validation was not to statistically validate the taxonomy, but to assess its perceived completeness, plausibility, and practical usefulness from the perspective of experienced practitioners. Furthermore, a cross-European sample was used to validate the results in a broader scope than Sweden, where all original participants were recruited. The feedback was used to reflect on the adequacy of the taxonomy as a practice-oriented framework rather than to confirm its generalisability or predictive power.

3. Results

This section outlines the development and validation of the taxonomy.

3.1. Taxonomy Development

The taxonomy was developed using semi-structured interviews with twelve CSA practitioners. The taxonomy is outlined in Figure 2. The taxonomy was developed by using thematic analysis to identify success factors for the adoption of CSA activities. Once a corpus of factors was identified, the factors were classified using a socio-technical approach. The remainder of this section describes the factors in the taxonomy.

3.1.1. Individual Factors

The individual factors consider CSA from the end-user perspective. Subsequently, the factors categorised as individual are those that directly impact the users of CSA. A majority of participants described users’ perception of CSA activities and their ability to correctly use them as essential to the success of CSA activities. The individual factors also present a conundrum where the participants described that users are inherently reluctant to participate in CSA activities but must do so nonetheless. A big challenge is to implement CSA initiatives in a way that makes them appreciated by users while maintaining their purpose, which is to provide sufficient knowledge and skills to the users. Three factors were classified as individual, and those are described next.
User adaptability means that CSA activities are adapted to their users and stems from the notion that users learn better when the information they receive is tailored to their level of understanding. Respondents report that users with higher levels of security knowledge are more accepting of new and even more demanding security rules. As one example, respondent 1 stated that “When we introduced the need to change the password every three months, […] there was a lot of fuss when we introduced the requirement to have at least eight characters […]. Today it wouldn’t be the same fuss, today they would understand why”.
Content quality considers quality aspects of the CSA activities as a factor of crucial importance for users. As evidenced by respondent 4’s response, the term ’content quality’ is broad. “I believe in short, iterative education to try and keep them interested. Ramming long educational courses down their throats, very few are interested in that, and you don’t want to get tired of it. You must consider how they work. If you work in home care with mobile units, you can’t stare at a video course or webinar for an hour; in that case, you might use daily tips or ‘don’t forget this’”. The factor was further divided into relevance, realism, and length, the three most prominent topics identified as necessary for content quality. They are described as follows:
  • Relevance is somewhat similar to user adaptability but is rather concerned with how realistic the content in a CSA activity is to the user’s role and environment. One aspect is to ensure that the provided information aligns with internal security controls, such as suggesting password rules that can be applied within the internal systems. A second aspect is to ensure relevance to the user’s work environment by, for instance, not informing users who are only working on-site about remote working routines.
  • Realism is about making the content in CSA seem realistic. Respondent 9 exemplified the following: “I’ve made customisations in the scenarios so that it feels relevant. We were partially affected by the [removed to preserve respondent anonymity] ransomware, so I used that as an example because it… it worked well”.
  • Length was described in the interviews as the last content quality factor and refers to how much time users need to spend to complete a CSA activity. The general notion was that it is important to enable users to complete CSA activities within short timeframes to ensure they have time to engage with them.
Ease of use was described by respondent 1 as “incredibly important, any minor difficulty and you won’t do it. It should be difficult to mess up”. The factor refers to how easily users can understand and participate in a CSA activity.

3.1.2. Technical Factors

The technical factors consider the technical environment in which the CSA activity will take place. The interviews showed that the importance of the technical factors is highly situated. Some CSA activities could benefit from being integrated into the existing environment. One example is phishing information, which could be integrated into email platforms. Other CSA activities are not meant to be integrated at all, and then the importance of the technical factors is non-existent. An example of the latter could be posters reminding users to close the doors behind them. The factors of implementation and the vendor support team were classified as technical factors.
Implementation is how easy it is for a CSA activity to be implemented and adapted to the organisation’s own environment. Several participants noted that minimising the effort required by the organisation to use a CSA activity was important, since they lacked the resources to spend a lot of time on it. The implementation factor was further subdivided as follows:
  • Customisation was described as an enabler of content quality. While several respondents stated that it was hard for them to spend time customising tools, they also emphasised that tailoring the content of CSA activities to their own organisation is crucial to user engagement. As one example, respondent 1 stated “It’s about the way you construct the education, i.e., the content and how you write it. To be able to reach out and build an understanding when they sit in their everyday life and visit users or take care of students or what it could be… […] It’s an important factor to adapt the language”.
  • Integration was found to be a factor several participants desired, but nevertheless one that is not currently used to any large extent by the participants. Participants noted that some CSA activities could be integrated into the technical environment, but others were unnecessary. In essence, integration was described as something the participants wanted, but it was not among the most important factors in deciding which CSA activity to adopt. Respondent 9 expressed the following: “We would wish for it, as we have an LMS, and if there were education that could integrate with it, then we wouldn’t need a new product. It would be better. When we set requirements, we usually have integration as one of the requirements”.
  • The factor ease of implementation is derived from many participants’ statements about the importance of it being easy for them to use a CSA activity in their organisation. The participants frequently mentioned a lack of time and staff for CSA and expressed a willingness for easy implementation. Respondent 9 said, “That, however, we are prepared to pay for,” which shows a willingness to pay more if that means less work. However, other respondents suggested a lack of monetary resources.
Vendor support team was derived from a discussion about support from external providers that proved to be a factor with differences of opinion. In essence, the participants agreed that access to a vendor support team is excellent, but not something that they can always afford. Respondent 1 highlighted the value of a vendor support team, by stating “We are very dependent on (having) that. The person we have working on this education, for example, only has 20% of her working hours to devote to it. If and when an issue arises, she needs someone she can exchange ideas with quickly and easily”. The quote suggests a will to have help from external parties due to a lack of internal staff. On the other hand, Respondent 11 said “[…] but there is a catch in the public sector because as soon as you need help, it will generally cost you, and because of that, you typically lean towards using internally managed solutions. At least, if you host it yourself, you can change or maintain it yourself. But yes, it does matter”. While Respondent 11 acknowledges that having a vendor support team is great, they also indicate that they are not always able to carry the associated cost.

3.1.3. Organisational Factors

The organisational factors refer to the conditions for adopting CSA within the organisation and the organisational readiness for CSA activities. The organisational factors were considered very important because they enable or disable CSA activities at multiple levels. Out of the ten factors identified in this paper, five are categorised as organisational factors, and their importance is summarised by respondents 1 and 9, who were asked about the most important enablers for CSA activities. Respondent 1 stated the following: “[…] convincing the management group or people in a leading position to be in on the idea and speak warmly about the solution and get employees engaged, I would say.” Respondent 9 stated the following: “I would say the greatest difficulty is to get the organisation to agree to dedicate time to it, get management to actually make sure that the employees carry through and spend the necessary time”. The rest of this section describes the five organisational factors identified in this research.
Process integration is summarised in a quote by Respondent 3: “Yes, it is important for it to be a part of the daily work.” It means that for CSA to be successful, it should be a part of existing work practices so that it can be integrated into the users’ daily routines.
Compliance was frequently discussed during the interviews, but more as the goal of CSA than a success factor for it. Respondent 3 expressed the following: “Well, it is one of the primary purposes. The basis is not to test or hang someone out to dry, but to create awareness and curiosity”, when asked about how important CSA was for user compliance with internal policies and procedures. Some participants also described external guidelines as a complicating factor for CSA activities and argued that there are too many bodies in Sweden that provide cybersecurity rules and guidelines. Consequently, there is a risk that different recommendations will add confusion by conflicting with each other, or that the multitude of rules will create a work situation in which the security staff struggles to keep up. Respondent 6 expressed the latter as follows: “There are too many recommendations, and in that way it can get a bit difficult. Small municipalities don’t have the resources to do everything at once, and sometimes it’s urgent. In those cases, it can get a bit difficult since we are so few.”
Top management support was found to be an important factor, but also one that was often missing. Several participants expressed a lack of resources as a hindrance to other success factors and a general lack of interest from managers within their organisations. Respondent 8 described their general view as follows: “[…]. It’s my understanding that this is generally the case across all organisations. I have seen so many organisations not have leaders on their side. Then it’s challenging to get anywhere. If you’re sitting in my role far down in the organisation and try to… you don’t get much done.” Top management support was further divided into the following four factors.
  • Money allocated for CSA activities to enable procurement of appropriate tools and support functions, as described in previous factors.
  • Time refers both to having enough time for IT staff to implement and follow up CSA activities and to having enough time for all staff to engage with the activities. Respondent 9 argued that the allocation of time was a major problem: “I would say the greatest difficulty is to get the organisation to agree to dedicate time to it, and to get management to actually make sure that the employees carry through and spend the necessary time”.
  • Several respondents also discussed how the organisation’s decision-making processes could be a success factor for CSA activities. The interview consensus was that having processes that enable swift decisions is important. However, some respondents cited a lack of such processes as a complicating factor, which sometimes led them to make decisions on their own. Respondent 2 said, “Regarding cybersecurity initiatives in general, it’s me driving the question forward in the management groups. Sometimes I’m under the impression that I have the authority to make my own decisions, […] if I perceive that this needs to be done, I think I can decide that we’ll do it”.
  • Security champion means that managers at all levels actively support CSA activities both by allocating the above-described resources and by encouraging the CSA activities in the organisation. Several participants describe that a large part of their job is to convince managers about the importance of security, or as expressed by Respondent 1, “[…] convincing the management group or people in a leading position to be in on the idea and speak warmly about the solution, and get employees engaged, I would say.”
Dedicated CSA staff was described by the participants as having someone completely dedicated to CSA activities or having someone with an outspoken responsibility for CSA as part of their duties. The consensus of the interviews was that having dedicated CSA staff was an absolute success factor, but also something that was almost seen as utopian. With all the tasks assigned to the security staff, finding time for someone to devote to CSA was often problematic.

3.2. Validation

Following the development of the taxonomy outlined in Figure 2, the research process continued with a validation step focused on the completeness and usefulness of the taxonomy. The validation process leveraged a professional network of 18 CSA experts in companies and public organisations across Europe. The validation was conducted as a workshop with eight participants, and an invitation to comment on the taxonomy via email was sent to the other ten participants who did not attend. The validation was intended to refine the taxonomy, but participants agreed it was complete. Therefore, the validation became about the practical application of the taxonomy. A summary of the validation, based on the pre-defined themes, follows:
  • Completeness of the taxonomy—The workshop participants agreed that the taxonomy covered the important success factors and had nothing to add. Several participants especially highlighted the importance of the organisational aspects and stated that it was good that the taxonomy covered them.
  • Usefulness of the taxonomy—The workshop participants described the taxonomy as useful for practitioners in two ways. First, it shows the challenges to be expected when executing CSA activities. Understanding the challenges ahead of an activity can help prioritise which challenges to focus on in one’s own organisation. Second, participants noted that presenting factors as a map was useful, as this makes the taxonomy a tool that helps practitioners understand CSA. As such, the taxonomy can be used as an educational tool for teaching and learning about CSA in practice.

4. Discussion

The aim of this research was to develop a taxonomy of factors that contribute to the successful adoption of CSA activities in public-sector organisations. To address that aim, semi-structured interviews were conducted to gather insights from practitioners working with CSA adoption in Swedish public-sector organisations. The interviews were recorded and transcribed before analysis using a thematic coding approach. The analysis identified ten factors important for the successful implementation of CSA activities. The factors were categorised into individual, technical, and organisational factors using a socio-technical lens. The taxonomy, which was the result of this analysis, was validated in a workshop with practitioners from organisations across Europe. The final taxonomy is an outline of factors that CSA practitioners can use when procuring or adopting CSA activities. The taxonomy includes factors that participants and practitioners deem important success factors and therefore presents a snapshot of current practice.
Several of the factors identified in the taxonomy, such as ease of use, content quality, and process integration, align with long-standing themes in the cybersecurity awareness and usable security literature. This overlap reflects the field’s maturity and the persistence of these challenges in practice. Here, the contribution lies in empirically demonstrating how such factors are understood and constrained by public-sector practitioners, and in structuring them explicitly through a socio-technical lens.
In the interviews, CSA adoption was described as taking place in organisational settings with fragmented responsibilities, limited formal authority over end users, and compliance obligations. Rather than hierarchical enforcement, participants emphasised informal coordination, persuasion, and legitimacy as central mechanisms for advancing CSA initiatives. This is somewhat expected as Swedish public-sector organisations are independent in their security work, leading to different adoption strategies across the sector [32].
The findings are consistent with prior work on informal learning and usable security. Several of the identified factors, such as content relevance, realism, and length, align with principles of informal and situated learning, where learning is embedded in everyday work practices and occurs through short, contextually meaningful interventions rather than formal training sessions. This perspective is further supported by recent work on game-based and informal cybersecurity awareness initiatives, which demonstrates how experiential and context-sensitive learning approaches can improve engagement and awareness outcomes without relying on traditional, formal training formats, particularly among non-expert users [20]. Recent work has highlighted the importance of micro-learning, just-in-time prompts, and experience-based learning approaches for cybersecurity awareness, particularly in organisational settings where time and attention are limited [10,23,33].
Similarly, factors such as ease of use and ease of implementation closely correspond to the usable security literature, which emphasises that security mechanisms and interventions must be compatible with users’ cognitive capabilities, workflows, and organisational constraints to be effective. Prior research has shown that even well-designed security measures fail when they impose excessive friction or do not align with users’ everyday practices [33].
As suggested by participants in the validation workshop, the taxonomy can be used as a tool to display possible challenges during CSA activities or to learn about them. It is an outline of factors that are all good to have, but as shown by the conducted interviews, not always possible to have. Often, an organisation needs to prioritise, and the taxonomy can help it identify the factors most important to it.
Previous research on success factors for organisational CSA adoption is scarce. As such, this research adds new knowledge about what is important for organisations when adopting CSA activities from a public-sector perspective. The results are similar to those reported by [34] in their analysis of online reviews for CSA tools. Top management support is mentioned in several papers, such as Renaud [35] and Chaudhary et al. [7], but here we provide nuance about what is needed in terms of support. In a broader sense, this research contributes to the understudied area of cybersecurity governance [36].
Both this research and the results presented by [34] emphasise that ease of use and ease of implementation are absolutely crucial. Ease of implementation is important to enable IT staff to easily implement a CSA activity within their organisation, alongside other urgent tasks. Ease of use ensures that the intended targets of CSA activities actually participate. In contrast to [34], the emphasis in this research is on the importance of the organisational factors. The taxonomy highlights that organisational factors not only cover the allocation of money and time, but also require that security initiatives be promoted and championed at all levels of the organisation.
This study has several limitations that should be considered when interpreting the results. First, the taxonomy was developed based on interviews with twelve practitioners involved in cybersecurity awareness decisions in Swedish public-sector organisations. While this number does not allow for statistical representativeness, this study does not aim for statistical generalisation. Instead, it seeks to provide analytically grounded insight into how CSA adoption is reasoned about and enacted in practice by those responsible for such decisions. Importantly, this target group—individuals who decide on, procure, or coordinate CSA activities in public-sector organisations—is inherently small and challenging to reach, as these roles are often specialised, distributed, and combined with other responsibilities. As such, a qualitative approach is particularly appropriate for studying this population. Furthermore, the focus on Sweden can impose limitations on the results, which may be shaped by Swedish cultural norms. We have mitigated this effect by conducting a validation with experts from across Europe, but further studies focusing on other cultural contexts may still be relevant.
Second, the taxonomy should not be interpreted as exhaustive. Instead, it highlights the most salient success factors articulated by the participating practitioners. Furthermore, the depth at which the factors are discussed is uneven, because the depth of the collected data was uneven. This can be interpreted as indicating that participants regard some factors as less important, or that increased knowledge about them is needed. Although the formative validation with CSA experts from a broad European context did not identify missing factors, cultural, political, and institutional conditions may shape CSA adoption. These aspects were not explicitly articulated as distinct themes in the interviews and represent important areas of focus for future research. Further studies could therefore examine how political decision-making processes, societal attitudes toward security, and regulatory environments influence CSA practices across different public-sector contexts.
Third, it is likely that the identified factors are interdependent. In fact, a foundation of socio-technical theory lies in the interplay among the technical, individual, and organisational dimensions. The aim of this research has not been to examine the interplay between factors but rather to identify the factors, across the three socio-technical dimensions, that practitioners perceive as important for CSA adoption. Taking the developed taxonomy as a starting point, a logical next step would be to research the interplay among factors to fully understand the dynamics that shape organisational CSA.

5. Conclusions

This paper set out to investigate how CSA activities are selected and adopted in public-sector organisations, with a particular focus on the perspectives of practitioners responsible for making such decisions. Through semi-structured interviews and a socio-technical analysis, this study resulted in a taxonomy of factors that shape the successful adoption of CSA activities across individual, technical, and organisational dimensions.
Rather than proposing new awareness mechanisms or training formats, this work’s contribution lies in empirically grounding and structuring CSA-related factors in a manner that reflects public-sector practice. The taxonomy highlights that the effectiveness of CSA initiatives depends not only on the design of individual activities but equally on organisational readiness, resource allocation, decision-making processes, and managerial support. In this sense, the findings reinforce the view of CSA as a socio-technical challenge that cannot be addressed solely through technical or educational measures.
For practitioners, particularly those tasked with deciding on or coordinating CSA activities in public-sector organisations, the taxonomy provides a practice-informed framework for reflecting on potential challenges and trade-offs when procuring or implementing awareness initiatives. By making explicit the range of factors that influence adoption, the taxonomy can support more informed decision-making and serve as a pedagogical tool for developing competence among new or less experienced CSA practitioners.
From a research perspective, this study contributes to the relatively limited empirical literature on CSA adoption in the public sector and highlights the value of qualitative, practice-oriented approaches for studying hard-to-reach decision-making roles. Future research could build on this work by examining how the identified factors interact over time, how political and institutional contexts influence CSA adoption, or how the taxonomy applies across different national or organisational settings. Together, such efforts can further advance understanding of how cybersecurity awareness initiatives can be effectively embedded in complex public-sector environments.

Author Contributions

Conceptualisation, J.K. and E.B.; methodology, R.G., A.M., L.S. and E.B.; validation, J.K.; formal analysis, J.K., E.B., R.G., A.M. and L.S.; investigation, R.G., A.M., L.S. and E.B.; data curation, R.G., A.M., L.S. and E.B.; writing—original draft preparation, J.K.; writing—review and editing, R.G., A.M., L.S. and E.B. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

Data available on request due to restrictions (to maintain the anonymity of the participants).

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
CSA: Cybersecurity awareness
KAB: Knowledge–attitude–behavior
TPB: Theory of planned behavior

Appendix A. Interview Guide

Appendix A.1. Introduction

  • Explained the purpose and scope of the research project to the respondent.
  • Informed the participants that the interview was recorded and that they may stop at any time.
  • Informed the participants that names and organisational names would remain anonymous.
  • Informed the participants that only the paper authors would see the complete data collection, which would be removed after publication.

Appendix A.2. Background

  • What is your title/role?
  • How long have you worked in this role?
  • Do you have any formal education?

Appendix A.3. General Cybersecurity Awareness

  • How is cybersecurity prioritised within your organisation?
  • Do you consider cybersecurity as an important part of your operations?
  • How do you currently work to increase cybersecurity awareness?
    - What do you use today (e.g., newsletters, emails, nano-learning, lectures, …)?
    - If training or lectures are used, what types of training do you offer?
    - Which factors influence your choice of method?
    - If no specific measures are used, why not?

Appendix A.4. Implementation of Cybersecurity Awareness Measures

  • Do you follow any recommendations/frameworks for CSA measures (e.g., NIST, MSB)?
    - If yes—Which ones?
    - If no—Where do you obtain information about risks and countermeasures?
  • Do you find it difficult to access current recommendations?
    - If yes—Why?
  • Do you feel that the CSA measures you use are effective?
    - If yes—How can you tell?
    - If no—Why not?
    - Is the issue employee engagement, or do you use underperforming measures?
  • Describe an awareness-raising initiative that worked very well.
    - What factors contributed to its success?
    - Did you take any lessons from it for future projects? What? Describe.
  • Describe an awareness-raising initiative that worked poorly.
    - What factors contributed to its failure?
    - Did you take any lessons from it for future projects?
  • Do you have specific training aimed at managers and leaders?
    - If yes—What type of measures?
    - Do they receive training on developing a better security culture?
    - If no—Why not?
  • Who is involved in the decision-making process for awareness measures?
    - Are employees involved? Why/why not?
    - Can employees give feedback afterward?
    - Do you have an example where feedback has been implemented?
  • How often do you evaluate existing measures to determine if they need changes or updates?
  • What does your process look like when analysing which measures to implement?
  • Do you have a fixed budget for awareness-raising measures?
    - How is this determined?
  • Is it more difficult to obtain funding for training compared to hardware/software measures?
  • What are the major challenges when implementing a new awareness-raising initiative?
  • Is there a measure you wish you could implement but have not been able to?
    - What specific difficulties prevent this?

Appendix A.5. Selection of Cybersecurity Awareness Measures

  • Which factors influence your choice of specific awareness-raising measures?
  • Follow-up factors (if not mentioned by the respondent):
    - Ease of use for the organisation or users.
    - Availability of help or guidance after implementation.
    - How employees receive support in using new measures.
    - Ease of implementation.
    - User adaptation or customisation.
    - Availability of support if problems arise.
    - Importance of integration with existing workplace software.
    - Importance of encouraging employees to help and talk to each other about cybersecurity.

References

  1. Paigude, S.D.; Pangarkar, S.C.; Dari, S.S.; Patil, M.; Gujar, S.N. A review of cybersecurity policies in the public sector: Challenges and solutions. Comput. Fraud Secur. 2024, 2024, 7–12.
  2. Szczepaniuk, E.K.; Szczepaniuk, H.; Rokicki, T.; Klepacki, B. Information security assessment in public administration. Comput. Secur. 2020, 90, 101709.
  3. Wirtz, B.W.; Weyerer, J.C. Cyberterrorism and cyber attacks in the public sector: How public administration copes with digital threats. Int. J. Public Adm. 2017, 40, 1085–1100.
  4. Malatji, M.; Marnewick, A.; von Solms, S. Validation of a socio-technical management process for optimising cybersecurity practices. Comput. Secur. 2020, 95, 101846.
  5. Frandell, A.; Feeney, M. Cybersecurity threats in local government: A sociotechnical perspective. Am. Rev. Public Adm. 2022, 52, 558–572.
  6. Kävrestad, J.; Nohlberg, M.; Furnell, S. A taxonomy of SETA methods and linkage to delivery preferences. ACM SIGMIS Database DATABASE Adv. Inf. Syst. 2023, 54, 107–133.
  7. Chaudhary, S.; Gkioulos, V.; Katsikas, S. Developing metrics to assess the effectiveness of cybersecurity awareness program. J. Cybersecur. 2022, 8, tyac006.
  8. Zwilling, M.; Klien, G.; Lesjak, D.; Wiechetek, Ł.; Cetin, F.; Basim, H.N. Cyber security awareness, knowledge and behavior: A comparative study. J. Comput. Inf. Syst. 2022, 62, 82–97.
  9. Dontu, S.; Addula, S.R.; Pareek, P.K.; Vallabhaneni, R.; Adnan, M.M. Attack detection from Internet of Things using TPE based self-attention based bidirectional long-short term memory. In Proceedings of the 2024 International Conference on Intelligent Algorithms for Computational Intelligence Systems (IACIS), Hassan, India, 23–24 August 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 1–6.
  10. Khando, K.; Gao, S.; Islam, S.M.; Salman, A. Enhancing employees information security awareness in private and public organisations: A systematic literature review. Comput. Secur. 2021, 106, 102267.
  11. Prümmer, J.; van Steen, T.; van den Berg, B. A systematic review of current cybersecurity training methods. Comput. Secur. 2024, 136, 103585.
  12. Khan, B.; Alghathbar, K.S.; Nabi, S.I.; Khan, M.K. Effectiveness of information security awareness methods based on psychological theories. Afr. J. Bus. Manag. 2011, 5, 10862.
  13. Parsons, K.; Calic, D.; Pattinson, M.; Butavicius, M.; McCormac, A.; Zwaans, T. The human aspects of information security questionnaire (HAIS-Q): Two further validation studies. Comput. Secur. 2017, 66, 40–51.
  14. Sommestad, T.; Hallberg, J. A review of the theory of planned behaviour in the context of information security policy compliance. In Proceedings of the Security and Privacy Protection in Information Processing Systems: 28th IFIP TC 11 International Conference, SEC 2013, Auckland, New Zealand, 8–10 July 2013; Proceedings 28. Springer: Berlin/Heidelberg, Germany, 2013; pp. 257–271.
  15. Reinheimer, B.; Aldag, L.; Mayer, P.; Mossano, M.; Duezguen, R.; Lofthouse, B.; von Landesberger, T.; Volkamer, M. An investigation of phishing awareness and education over time: When and how to best remind users. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), Boston, MA, USA, 10–11 August 2020; pp. 259–284.
  16. Lastdrager, E.; Gallardo, I.C.; Hartel, P.; Junger, M. How effective is anti-phishing training for children? In Proceedings of the SOUPS’17: Proceedings of the Thirteenth USENIX Conference on Usable Privacy and Security, Santa Clara, CA, USA, 12–14 July 2017; pp. 229–239.
  17. Junglemap. Nanolearning. Available online: https://junglemap.com/nanolearning (accessed on 31 January 2026).
  18. Gokul, C.J.; Pandit, S.; Vaddepalli, S.; Tupsamudre, H.; Banahatti, V.; Lodha, S. PHISHY—A Serious Game to Train Enterprise Users on Phishing Awareness. In Proceedings of the 2018 Annual Symposium on Computer-Human Interaction in Play Companion Extended Abstracts; Association for Computing Machinery: New York, NY, USA, 2018; pp. 169–181.
  19. Lim, I.K.; Park, Y.G.; Lee, J.K. Design of Security Training System for Individual Users. Wirel. Pers. Commun. 2016, 90, 1105–1120.
  20. Tempestini, G.; Merà, S.; Palange, M.P.; Bucciarelli, A.; Di Nocera, F. Improving the Cybersecurity Awareness of Young Adults through a Game-Based Informal Learning Strategy. Information 2024, 15, 607.
  21. Hatfield, J.M. Social engineering in cybersecurity: The evolution of a concept. Comput. Secur. 2018, 73, 102–113.
  22. Renaud, K.; Zimmermann, V. Ethical guidelines for nudging in information security & privacy. Int. J. Hum.-Comput. Stud. 2018, 120, 22–35.
  23. Bada, M.; Sasse, A.M.; Nurse, J.R. Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv 2019, arXiv:1901.02672.
  24. Gjertsen, E.G.B.; Gjaere, E.A.; Bartnes, M.; Flores, W.R. Gamification of Information Security Awareness and Training. In Proceedings of the Icissp 2017, Porto, Portugal, 19–21 February 2017; pp. 59–70.
  25. Abawajy, J. User preference of cyber security awareness delivery methods. Behav. Inf. Technol. 2014, 33, 237–248.
  26. Vestad, A.; Yang, B. Municipal Cybersecurity—A Neglected Research Area? A Survey of Current Research. In Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media; Springer: Berlin/Heidelberg, Germany, 2023; pp. 151–165.
  27. Busetto, L.; Wick, W.; Gumbinger, C. How to use and assess qualitative research methods. Neurol. Res. Pract. 2020, 2, 14.
  28. Etikan, I.; Bala, K. Sampling and sampling methods. Biom. Biostat. Int. J. 2017, 5, 00149.
  29. Campbell, S.; Greenwood, M.; Prior, S.; Shearer, T.; Walkem, K.; Young, S.; Bywaters, D.; Walker, K. Purposive sampling: Complex or simple? Research case examples. J. Res. Nurs. 2020, 25, 652–661.
  30. Clarke, V.; Braun, V.; Hayfield, N. Thematic analysis. Qual. Psychol. Pract. Guide Res. Methods 2015, 3, 222–248.
  31. Mumford, E. The story of socio-technical design: Reflections on its successes, failures and potential. Inf. Syst. J. 2006, 16, 317–342.
  32. Bergström, E.; Karlsson, F.; Åhlfeldt, R.M. Developing an information classification method. Inf. Comput. Secur. 2020, 29, 209–239.
  33. Di Nocera, F.; Tempestini, G.; Orsini, M. Usable Security: A Systematic Literature Review. Information 2023, 14, 641.
  34. Dahabiyeh, L. Factors affecting organizational adoption and acceptance of computer-based security awareness training tools. Inf. Comput. Secur. 2021, 29, 836–849.
  35. Renaud, K. How smaller businesses struggle with security advice. Comput. Fraud Secur. 2016, 2016, 10–18.
  36. Magnusson, L.; Iqbal, S.; Elm, P.; Dalipi, F. Information security governance in the public sector: Investigations, approaches, measures, and trends. Int. J. Inf. Secur. 2025, 24, 177.
Figure 1. Research process overview.
Figure 2. Taxonomy of factors for successful implementation of CSA activities.