Understanding Dynamics in Security Awareness through ICT Diffusion using Microsimulation

With the ongoing diffusion of information and communication technologies (ICT) across large parts of Europe, security awareness is becoming increasingly important for mitigating societal security risks and long-term costs of cybercrime. At the macro-structural level, the diffusion of ICT is to a large extent shaped by institutional factors, such as legislative decisions at the national level, technological innovations, or considerations within larger organizational units. By contrast, macro-structural changes in security awareness cannot be governed in a comparable top-down manner. Instead, micro-founded models at the individual level are required, whose contextual conditions systematically change as a result of social-structural and demographic transformation processes.

In this context, security awareness is fundamentally linked to the use of ICT. At the macro-structural level, ICT use constitutes a diffusion process that shapes the socio-demographic contexts of exposure in which security awareness becomes relevant in the first place. At the individual level, ICT use acts as a predictor of security awareness, as only sustained engagement with ICT over time makes individual experiences with cybersecurity issues and cybercrime more likely and thus gives rise to security awareness as a dynamic, process-based phenomenon.

This leads to a macro-level research question that has so far remained unresolved: Is the expansion of ICT use associated with an increase, stagnation, or decline in security awareness within European populations, and to what extent can these changes be attributed to (a) shifts in the social and demographic composition of the user population and (b) differences in group-specific developmental trajectories? To date, population-level dynamics of security awareness have predominantly been examined from a univariate and descriptive perspective. An explanatory approach to the macro-structural dynamics of security awareness in country-specific populations that systematically links ICT diffusion with social structure and demography remains largely absent from the existing literature.

To address this gap, the presentation is structured around three components. First, it discusses the extent to which ICT, cybersecurity in general, and security awareness in particular are incorporated into existing microsimulation models. This review demonstrates that dynamic microsimulations constitute a well-suited yet largely underutilized instrument for analyzing population-level change in these phenomena. Second, a theoretical model is presented to understand macro-structural changes in security awareness, placing particular emphasis on the micro-structural relevance of exposure dynamics related to ICT use and composition dynamics related to demographic and social-structural factors. Third, the mechanisms derived from this model are empirically examined using Eurobarometer data for Germany as an illustration. They are then implemented in a dynamic microsimulation with modules on demography, social structure, ICT use and cybersecurity to simulate scenario-based developments in security awareness.

Overall, the analysis shows that dynamics in security awareness can only be fully understood through the simulation of temporal trajectories in ICT use, which are in an interdependent relationship with security awareness and follow socially unequal patterns of development. In this sense, the results provide an empirically grounded basis for discussing potential interventions aimed at improving security awareness within populations.