Targeted information strengthens Sweden's cybersecurity

Cybersecurity threats are increasing, and many attacks focus on exploiting human behaviour online rather than technical vulnerabilities. A new study from Jönköping University (JU) shows that different groups in society need to absorb cybersecurity information in different ways and explains how the information can be adapted to reach more people and to work more effectively in everyday life.

Sweden is one of the world's most digitised countries. This provides better opportunities but also means increased vulnerability. To strengthen people's ability to protect themselves online, a research project funded by the Swedish Civil Contingencies Agency (formally MSB and now MCF), led by Joakim Kävrestad, Associate Professor of Computer Science at the School of Engineering at Jönköping University, has investigated how cybersecurity information can be designed to work for different social groups within the population.

Examples of cybersecurity information include using strong and unique passwords for different services and being aware of phishing, and therefore not clicking on unknown links.

“Cybersecurity is no longer something that only concerns IT experts. The challenge is that the information be adapted for different people in order to actually work in everyday life,” says Joakim Kävrestad.

Cybersecurity absorbed in different ways

The study is based on three parts: an analysis of EU countries' national cybersecurity strategies, a survey of 2,049 people living in Sweden, and interviews with 24 people.

Together, they provide a clear picture of how cybersecurity information can and should be adapted.

The results show significant differences in how people want to receive cybersecurity information. Younger people prefer short, quick, digital formats, while older people more often want information via email with clear step-by-step instructions. People with low IT skills often find information difficult to understand and use in practice, while highly educated people are more motivated by the relevance of the information.

“Our results clearly show that one and the same message does not work for everyone. Digital skills and life situation play a greater role than, for example, gender or place of residence,” says Joakim Kävrestad.

The study also shows that the most structured cybersecurity information is received within the work environment. This means that groups outside the labor market, such as pensioners, students, and the unemployed, risk receiving less support.

Common needs and adaptation are the key to moving forward

Despite the differences, the study identifies several common needs. Most people want concise, understandable, and relevant information that can be absorbed when the need arises. Trust in the sender is crucial—authorities and established digital services, such as banks, are perceived as particularly credible. Almost 80 percent of those surveyed are willing to spend between five and fifteen minutes a week reading cybersecurity information.

“This shows that microlearning, in small and recurring doses, has great potential,” says Joakim Kävrestad.

At the same time, the interviews show that cybersecurity information is often perceived as too technical and overwhelming, which means it is easily ignored. The information works better when it is clearly linked to people's everyday lives, for example when creating a new password or starting to use a new digital service.

The project's conclusion is that cybersecurity information should not be designed as a single general message. Instead, broad information that reaches many people needs to be combined with targeted efforts for groups that need more support, such as pensioners or people with little IT experience.

“By combining short, easily accessible information with targeted efforts, we can strengthen digital security throughout society,” says Joakim Kävrestad.

The study in its entirety External link, opens in new window..