Cybersecurity Awareness in Government Institutions: A Systematic Review of Behavioral Strategies and Policy Readiness
DOI:
https://doi.org/10.30871/jaic.v9i5.10041Keywords:
Cybersecurity Awareness, Cybercrime Prevention, Cybersecurity Training, Government Institutions, Protection Motivation Theory, Theory of Planned Behavior, NIST Cybersecurity FrameworkAbstract
This study presents a systematic literature review of cybersecurity awareness in government institutions, focusing on how public agencies perceive, implement, and sustain awareness initiatives. It critically examines behavioral strategies, training methods, and policy frameworks that influence employee engagement and institutional readiness. Findings highlight the fragmentation of awareness efforts, gaps in policy coordination, and the need for behaviorally informed, role-specific interventions to build cyber resilience in the public sector. Recommendations include strengthening institutional infrastructure, leadership engagement, and adaptive learning strategies to enhance cybersecurity awareness and long-term resilience.
Downloads
References
[1] J. Balkin et al., Cybercrime: Digital Cops in a Networked Environment, vol. 3, no. 1. 2007. doi: 10.1080/15536548.2007.10855811.
[2] D. Loundy, “Computer Crime, Information Warfare and Economic Espionage,” Public Policy, 2003.
[3] Y. Zhang, Y. Xiao, K. Ghaboosi, J. Zhang, and H. Deng, “A survey of cyber crimes,” Security and Communication Networks, vol. 5, no. 4, pp. 422–437, 2012, doi: 10.1002/sec.331.
[4] National Institute of Standards and Technology, “Guide for conducting risk assessments,” Gaithersburg, MD, 2012. doi: 10.6028/NIST.SP.800-30r1.
[5] G. Mwansa, R. Ngandu, and O. Khala, “Cyberbullying Prevalence at a Rural Based University in the Eastern Cape, South Africa,” International Journal of Social Science Research and Review, vol. 6, no. 12, pp. 361–386, Dec. 2023, doi: 10.47814/ijssrr.v7i1.1783.
[6] D. Galinec, D. Moznik, and B. Guberina, “Cybersecurity and cyber defence: national level strategic approach,” Automatika, vol. 58, no. 3, pp. 273–286, 2017, doi: 10.1080/00051144.2017.1407022.
[7] K. Schwab, “The Fourth Industrial Revolution: what it means and how to respond,” World Economic Forum, pp. 1–7, 2016.
[8] Ewan Sutherland, “Governance of Cybersecurity - The Case of South Africa,” The African Journal of Information and Communication (AJIC), no. 20, 2017, doi: 10.23962/10539/23574.
[9] NCPF, “The National Cybersecurity Policy Framework (NCPF) For South Africa - 2015,” Government Gazette, no. 39475, pp. 1–30, 2015.
[10] M. Gercke, “Cybercrime Understanding Cybercrime :,” Understanding cybercrime: phenomena, challenges and legal response, no. ITU, p. 366, 2012, doi: 10.1088/1367-2630/11/1/013005.
[11] Z. Dlamini and M. Modise, “Cyber security awareness initiatives in South Africa: A synergy approach,” 7th International Conference on Information Warfare and Security, ICIW 2012, pp. 98–107, 2012.
[12] R. Boateng, O. B. Longe, and V. W. A. Mbarika, “Cyber Crime and Criminality in Ghana: Its Forms and Implications,” 2010. [Online]. Available: https://www.researchgate.net/publication/220889824
[13] M. Grobler, J. Jansen van Vuuren, and J. Zaaiman, “Preparing South Africa for Cyber Crime and Cyber Defense,” Systemics, Cybernetics and Informatics, vol. 11, no. 7, pp. 32–41, 2013.
[14] D. C. Rowe, B. M. Lunt, and J. J. Ekstrom, “The role of cyber-security in information technology education,” SIGITE’11 - Proceedings of the 2011 ACM Special Interest Group for Information Technology Education Conference, pp. 113–121, 2011, doi: 10.1145/2047594.2047628.
[15] L. Fourie, B. Sarrafzadeh, S. Pang, T. Kingston, H. Hettema, and P. Watters, “The global cyber security workforce - an ongoing human capital crisis,” Global Business and Technology Association Conference, pp. 173–184, 2014.
[16] NAO, “Threat of cyber-attacks on Whitehall ‘is severe and advancing quickly,’” 2025. Accessed: Feb. 02, 2025. [Online]. Available: https://www.theguardian.com/technology/2025/jan/29/cyber-attack-threat-uk-Government-departments-whitehall-nao
[17] M. Nkongolo, “Navigating the complex nexus: cybersecurity in political landscapes,” Aug. 2023.
[18] G. Mwansa, M. R. Ngandu, and Z. Mkwambi, “Bridging the digital divide: exploring the challenges and solutions for digital exclusion in rural South Africa,” Discover Global Society, vol. 3, no. 1, p. 54, Jun. 2025, doi: 10.1007/s44282-025-00189-2.
[19] CSIR, “National survey results on the state of cybersecurity in South Africa,” 2024. Accessed: Feb. 02, 2025. [Online]. Available: https://www.csir.co.za/csir-issues-national-survey-results-on-state-cybersecurity-south-africa
[20] CISA, “The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years ,” 2023. Accessed: Feb. 02, 2025. [Online]. Available: https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years
[21] C. Packham, “Exclusive: Australia concluded China was behind hack on parliament, political parties – sources ,” Sydney, 2019. Accessed: Feb. 02, 2025. [Online]. Available: https://www.reuters.com/article/world/exclusive-australia-concluded-china-was-behind-hack-on-parliament-political-pa-idUSKBN1W106H/
[22] Reuters, “Brazil health ministry website hit by hackers, vaccination data targeted,” 2021. Accessed: Feb. 02, 2025. [Online]. Available: https://www.reuters.com/technology/brazils-health-ministry-website-hit-by-hacker-attack-systems-down-2021-12-10/
[23] D. Galinec, D. Možnik, and B. Guberina, “Cybersecurity and cyber defence: national level strategic approach,” Automatika, vol. 58, no. 3, pp. 273–286, Jul. 2017, doi: 10.1080/00051144.2017.1407022.
[24] C. McGowan, “Social Media as a Growing Threat to the Workplace ,” ISACA. Accessed: Feb. 02, 2025. [Online]. Available: https://www.isaca.org/resources/news-and-trends/industry-news/2023/social-media-as-a-growing-threat-to-the-workplace
[25] I. Ajzen, “From Intentions to Actions: A Theory of Planned Behavior,” in Action Control, Berlin, Heidelberg: Springer Berlin Heidelberg, 1985, pp. 11–39. doi: 10.1007/978-3-642-69746-3_2.
[26] R. W. Rogers, “A Protection Motivation Theory of Fear Appeals and Attitude Change1,” J Psychol, vol. 91, no. 1, pp. 93–114, Sep. 1975, doi: 10.1080/00223980.1975.9915803.
[27] M. Siponen, M. Adam Mahmood, and S. Pahnila, “Employees’ adherence to information security policies: An exploratory field study,” Information & Management, vol. 51, no. 2, pp. 217–224, Mar. 2014, doi: 10.1016/j.im.2013.08.006.
[28] A. Vance, M. Siponen, and S. Pahnila, “Motivating IS security compliance: Insights from Habit and Protection Motivation Theory,” Information & Management, vol. 49, no. 3–4, pp. 190–198, May 2012, doi: 10.1016/j.im.2012.04.002.
[29] P. Ifinedo, “Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory,” Comput Secur, vol. 31, no. 1, pp. 83–95, Feb. 2012, doi: 10.1016/j.cose.2011.10.007.
[30] NIST, “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1,” Gaithersburg, MD, Apr. 2018. doi: 10.6028/NIST.CSWP.04162018.
[31] N. Kshetri, Cybercrime and Cybersecurity in the Global South. London: Palgrave Macmillan UK, 2013. doi: 10.1057/9781137021946.
[32] ACMA, “Inadequate Funding Biggest Barrier to Local Governments Achieving high Levels of Cybersecurity,” WASHINGTON, D.C, 2017. Accessed: Feb. 02, 2025. [Online]. Available: https://icma.org/articles/press-release/inadequate-funding-biggest-barrier-local-Governments-achieving-high-levels-cybersecurity
[33] C. Teale, “Funding for local cybersecurity efforts is insufficient,” Route Fifty. Accessed: Feb. 02, 2025. [Online]. Available: https://www.route-fifty.com/cybersecurity/2023/11/funding-local-cybersecurity-efforts-insufficient-survey-says/392280/
[34] J. Haney, J. Jacobs, S. Furman, and F. Barrientos, “Federal cybersecurity awareness programs :,” Mar. 2022. doi: 10.6028/NIST.IR.8420A.
[35] T. van Steen and J. R. A. Deeleman, “Successful Gamification of Cybersecurity Training,” Cyberpsychol Behav Soc Netw, vol. 24, no. 9, pp. 593–598, Sep. 2021, doi: 10.1089/cyber.2020.0526.
[36] D. C. Streeter, “The Effect of Human Error on Modern Security Breaches,” 2013. [Online]. Available: http://www.economist.com/node/1389553.
[37] S. Kamiya, J. K. Kang, J. Kim, A. Milidonis, and R. M. Stulz, “Risk management, firm reputation, and the impact of successful cyberattacks on target firms,” J financ econ, vol. 139, no. 3, pp. 719–749, Mar. 2021, doi: 10.1016/j.jfineco.2019.05.019.
[38] T. van Steen, E. Norris, K. Atha, and A. Joinson, “What (if any) behaviour change techniques do Government-led cybersecurity awareness campaigns use?,” J Cybersecur, vol. 6, no. 1, Jan. 2020, doi: 10.1093/cybsec/tyaa019.
[39] C. Vu, “Policy Report Cyber Security In Singapore,” 2016.
[40] D. Mahlobo and M. David, “The National Cybersecurity Policy Framework (NCPF),” 2015. [Online]. Available: www.gpwonline.co.za
[41] CSIRT, “Cybersecurity Hub,” 2012. Accessed: Feb. 02, 2025. [Online]. Available: https://www.cybersecurityhub.gov.za/
[42] H. Pieterse, “The Cyber Threat Landscape in South Africa: A 10-Year Review,” The African Journal of Information and Communication, vol. 28, 2021, doi: 10.23962/10539/32213.
[43] D. Chudasama and R. S. Deora, “Brief Study of Cybercrime on an Internet,” Journal of Communication Engineering & Systems, 2021.
[44] J. Prümmer, T. van Steen, and B. van den Berg, “A systematic review of current cybersecurity training methods,” Comput Secur, vol. 136, p. 103585, Jan. 2024, doi: 10.1016/j.cose.2023.103585.
[45] N. Dludla, “Microsoft to train 1 million South Africans on AI skills,” Microsoft, 2025. Accessed: Feb. 02, 2025. [Online]. Available: https://www.reuters.com/technology/artificial-intelligence/microsoft-train-1-million-south-africans-ai-skills-2025-01-23/
[46] S. Mishra, “Integrating Cybersecurity Education into the Curriculum: Best Practices and Implementation Challenges,” 2024.
[47] H.-J. Kam, P. Menard, D. Ormond, and R. E. Crossler, “Cultivating cybersecurity learning: An integration of self-determination and flow,” Comput Secur, vol. 96, p. 101875, Sep. 2020, doi: 10.1016/j.cose.2020.101875.
[48] A. M. Alnajim, S. Habib, M. Islam, H. S. AlRawashdeh, and M. Wasim, “Exploring Cybersecurity Education and Training Techniques: A Comprehensive Review of Traditional, Virtual Reality, and Augmented Reality Approaches,” Symmetry (Basel), vol. 15, no. 12, p. 2175, Dec. 2023, doi: 10.3390/sym15122175.
[49] T. O. Abrahams, O. A. Farayola, S. Kaggwa, P. U. Uwaoma, A. O. Hassan, and S. O. Dawodu, “Cybersecurity Awareness And Education Programs: A Review Of Employee Engagement And Accountability,” Computer Science & IT Research Journal, vol. 5, no. 1, pp. 100–119, Jan. 2024, doi: 10.51594/csitrj.v5i1.708.
[50] Z. Dlamini and M. Modise, “Cyber Security Awareness Initiatives in South Africa: A Synergy Approach,” 2012.
[51] T. Mashiane, Z. Dlamini, and T. Mahlangu, “A rollout strategy for cybersecurity awareness campaigns,” in 14th Inter- national Conference on Cyber Warfare and Security (ICCWS 2019), Stellenbosch, South Africa, 2019, pp. 243–250.
[52] D. Van Tran, P. Van Nguyen, D. Vrontis, S. T. N. Nguyen, and P. U. Dinh, “Unraveling influential factors shaping employee cybersecurity behaviors: an empirical investigation of public servants in Vietnam,” Journal of Asia Business Studies, Nov. 2024, doi: 10.1108/JABS-01-2024-0058.
[53] P. Rama and M. Keevy, “A comparative review of South Africa’s Government-led cybersecurity awareness measures to those of world-leading countries,” Southern African Institute of Government Auditors , 2022.
[54] S. S. Tirumala, M. R. Valluri, and G. Babu, “A survey on cybersecurity awareness concerns, practices and conceptual measures,” in 2019 International Conference on Computer Communication and Informatics (ICCCI), IEEE, Jan. 2019, pp. 1–6. doi: 10.1109/ICCCI.2019.8821951.
[55] L. Bagui et al., “The impact of COVID‐19 on cybersecurity awareness‐raising and mindset in the southern African development community (SADC ),” The Electronic Journal Of Information Systems In Developing Countries, vol. 89, no. 4, Jul. 2023, doi: 10.1002/isd2.12264.
[56] Ewan Sutherland, “Governance of Cybersecurity - The Case of South Africa,” The African Journal of Information and Communication (AJIC), no. 20, Dec. 2017, doi: 10.23962/10539/23574.
[57] A. M. Alelayani, F. M. Al Zahrani, A. M. Munshi, R. M. Monshi, and S. A. Al-Sofyani, “Cybersecurity Regulation and Governance,” 2020.
[58] A. Vafaei-Zadeh, D. Nikbin, K. Y. Teoh, and H. Hanifah, “Cybersecurity awareness and fear of cyberattacks among online banking users in Malaysia,” International Journal of Bank Marketing, 2024, doi: 10.1108/IJBM-03-2024-0138.
[59] M. Khader, M. Karam, and H. Fares, “Cybersecurity Awareness Framework for Academia,” Information, vol. 12, no. 10, p. 417, Oct. 2021, doi: 10.3390/info12100417.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Gardner Mwansa
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) ) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
