A Systematic Review of Security Communication Strategies: Guidelines and Open Challenges
Carolina Carreira, Alexandra Mendes, João F. Ferreira, Nicolas Christin
TL;DR
This paper addresses the problem of ineffective security communication amid rising data breaches and social engineering attacks. It conducts a systematic review of over 3,400 papers, coding 97 primary studies to derive a taxonomy of security communication strategies and of the gaps between them. The authors propose seven evidence-based guidelines organized around Design/Presentation, Understanding, Personalization, and Behavior Change, and identify critical open problems, including limited longitudinal research and reproducibility concerns. The work highlights a US-centric, text-heavy bias in the literature, urges cultural tailoring and broader demographic coverage, and advocates greater artifact sharing to improve reproducibility. Overall, the findings give practitioners concrete, context-aware actions to improve users' recognition of and response to cybersecurity threats, with implications for policy, design, and further research.
Abstract
Cybersecurity incidents such as data breaches have become increasingly common, affecting millions of users and organizations worldwide. The complexity of cybersecurity threats challenges the effectiveness of existing security communication strategies. Through a systematic review of over 3,400 papers, we identify specific user difficulties including information overload, technical jargon comprehension, and balancing security awareness with comfort. Our findings reveal consistent communication paradoxes: users require technical details for credibility yet struggle with jargon and need risk awareness without experiencing anxiety. We propose seven evidence-based guidelines to improve security communication and identify critical research gaps including limited studies with older adults, children, and non-US populations, insufficient longitudinal research, and limited protocol sharing for reproducibility. Our guidelines emphasize user-centric communication adapted to cultural and demographic differences while ensuring security advice remains actionable. This work contributes to more effective security communication practices that enable users to recognize and respond to cybersecurity threats appropriately.
