Deciding on Cybersecurity Awareness Initiatives: Insights from the Public Sector

Raising cybersecurity awareness (CSA) of employees is crucial for all modern organisations. To meet the organisational need for CSA, activities aimed at increasing CSA have been the focus of both industry and research in the past. There are, subsequently, a plethora of CSA activities for organisations to choose from. Nevertheless, research consistently reports that organisations struggle to raise CSA to an appropriate level, and a core issue lies in their ability to select CSA activities and effectively adopt them. This paper used semi-structured interviews with practitioners working on CSA adoption in public-sector organisations to identify what practitioners perceive as success factors. The interviews were analysed through a socio-technical lens and resulted in a taxonomy that groups success factors for CSA adoption in the three socio-technical dimensions: organisational, user-centric, and technical. The taxonomy outlines ten success factors and demonstrates how the participants see success of CSA activities as not only dependent on technical factors but also, and perhaps even more important, user-adaptability and organisational readiness. The results were validated in a workshop with CSA experts across Europe, who highlighted the practical usefulness of the taxonomy as both a map of potential challenges and a teaching tool for educating new CSA practitioners.