'Encryption doesn't matter': Pitfalls in cybersecurity communications

Abstract

Due to digitalisation, cybersecurity is becoming increasingly important for citizens. In Germany, the Federal Office for Information Security (BSI) is the authority responsible for 'digital consumer protection'. Its aim is to use social media to communicate with the public about cybersecurity. Precisely, this area is an uncharted scientific territory. Theoretical approaches such as protection motivation theory (PMT) and framing provide useful guidelines for effective communication on protective behaviours. Our study explores the basic characteristics of BSI’s social media communication and analyses to what degree BSI's posts on Twitter (X) published in 2021 and 2022 correspond with these guiding principles. Based on a computational analysis of n = 3,058 tweets and a qualitative in-depth analysis of the most prominent n = 34 tweets, the results show that BSI's social media communication is often self-referential and discusses current events related to digital security only to a limited degree. When mentioned, cyber threats and countermeasures are typically presented in a vague manner. Similarly, it is often unclear who might be (potentially) affected by a threat. We conclude that applying a model for designing risk messages that draw on the dimensions of PMT could help cybersecurity-related social media communication.