
Impact leads: Laura Kocksch and Torben Elgaard Jensen, Aalborg University
Subproject: Critical infrastructures, privacy, and cybersecurity
Context
Cybersecurity poses a technological, socio-technical and organisational challenge. Prior research has investigated tactics for practising cybersecurity in larger organisations, leaving cybersecurity practices of small- and medium-sized enterprises (SMEs) less explored despite their central role in the global economy and local communities. According to the Danish Cyber and Information Security Strategy 2022-2024, only 40% of Danish SMEs have an inadequate level of digital security, and SMEs are identified as a key vulnerability in the digitised Danish society. The Danish Business Authority has acknowledged a repeated difficulty in reaching a large and diverse audience of SMEs through traditional channels and information campaigns, even though SMEs constitute almost 99 per cent of all Danish companies.
Several surveys and interview studies have indicated a worrying lack of basic cybersecurity measures in many SMEs, leading to the suspicion that a substantial number of SMEs may simply take no interest in cybersecurity. In Denmark, SMEs comprise more than 90% of all businesses and more than 50% of private sector employment.
Laura Kocksch and Torben Elgaard from Aalborg University’s Techno-Anthropology Lab (TANTLab) have investigated the practices of SMEs rather than evaluating them against defined standards set by the security industry and national authorities. The aim of the project was to understand how SMEs deal with cybersecurity, guided by the following research questions:
- How do SMEs organise cybersecurity responsibilities?
- What types of everyday knowledge do SMEs have of cybersecurity?
- How do SMEs handle cybersecurity issues in everyday practice?
- How can the specific situation of SMEs be taken into account when facilitating future dialogue and communication?
The study
To investigate how cybersecurity is practised in SMEs, the research team conducted a multi-sited ethnographic study consisting of visits to 30 SMEs across Denmark spanning a variety of products and services. The study included interviews with people responsible for cybersecurity, observations of on-site security practices, and stakeholder workshops. The multi-sited ethnographic study has given new insights into the cybersecurity practices, circumstances, and rationalities of Danish SMEs. To analyse cybersecurity practices, the research team focused on the mundane art of practising cybersecurity and developed the notion of dilemma thinking to articulate the types of practices SMEs use to address cybersecurity issues, as well as to describe how SMEs manage to deal with the many relevant and important cybersecurity issues they face in their everyday work.
By applying this term to the analysis of cybersecurity practices, the study offers a unique insight into SMEs’ own solid logic for handling everyday cybersecurity issues. Furthermore, the study articulates what the authors call ‘good’ organisational reasons for ‘bad’ cybersecurity.

Danish Business Authority (later the Agency for Digital Government)
In August 2021, the research team at TANTLab Aalborg University was contacted by the Business Forum for Digital Security and the Danish Business Authority’s office for cyber- and information security (the office moved later to the Agency for Digital Government) with the intention of establishing a research collaboration aiming at conducting an in-depth qualitative investigation of cybersecurity practices of SMEs. The aim of the collaboration was also to supplement and challenge the prevailing perception of cybersecurity in SMEs by providing evidence of everyday cybersecurity practices.
The Agency for Digital Government’s overall work is to strengthen companies’ digital safety levels through various channels, e.g., through information campaigns. As SMEs constitute over 90% of all companies in Denmark, the agency was interested in how cybersecurity practices are working in SMEs. They have a lot of quantitative data on SMEs but no systematic qualitative data on how everyday cybersecurity is practised and integrated into the small- and medium-sized companies. The agency’s goal in this collaboration was to gain new insights and inspiration for tackling and securing the digital safety of SMEs.
Pathways to impact
The subproject’s pathways to impact are grounded in the collaborations with the Danish Business Authority and productive engagement with the small- and medium-sized enterprises across Denmark. A key impact pathway was the development of a dilemma board game used in stakeholder workshops.
Building relationships and transforming cybersecurity dialogue
A core driver of the project’s impact was the strong, trust-based collaboration between the research team, the Danish Business Authority, and the 30 small- and medium-sized enterprises (SMEs). This engagement not only enabled the collection of in-depth empirical data but also shaped how cybersecurity is understood, discussed, and communicated both by Danish authorities and cybersecurity experts.
Collaborative engagement with key stakeholders
From the outset, the research team adopted a partnership-oriented approach, positioning themselves not as external evaluators but as partners in collaboration with the Danish Business Authority.
As written above, the Danish Business Authority reached out to the TANTLab, inviting the research team to partner to get a picture of the landscape of cybersecurity practices in SMEs. The research team’s approach of not promising or claiming that they would have all the answers laid the groundwork for a constructive partnership with the Danish Business Authority. The partnership was evident in that an office at the Danish Business Authority took responsibility for the very significant task of finding, contacting, and arranging dates for the researchers’ visit to the 30 SMEs included in the study. The Business Authority was also instrumental in organizing a stakeholder workshop at the end of the project. Throughout the project, several meetings were held between the TANTLab researchers and their collaborators at the Business Authority to discuss preliminary findings, potential ways to specify the study’s focus, and the study’s relevance to the Business Authority’s processes.
The 30 SMEs became active contributors, and the collaboration with the research team showed an engagement from the SMEs’ side, which was crucial for obtaining relevant information. Their willingness to share detailed accounts of their cybersecurity practices yielded rich, grounded insights that challenged conventional narratives of cybersecurity practices in SMEs.
The willingness to engage was facilitated by the research team’s non-judgmental approach, which emphasised understanding over compliance. This became evident when some of the people in the SMEs asked the researchers to “not judge” them, as they initially saw the researchers as experts who were there to judge and evaluate their cybersecurity practices. This shows that SMEs are used to being judged by authorities for not strictly adhering to cybersecurity guidelines and rules. Knowing that the research team was not there to judge, trust grew, and the SMEs shared detailed accounts of their cybersecurity practices, revealing rich, grounded insights challenging conventional narratives. The collaboration with the SMEs yielded five key insights that help reshape the understanding of how everyday cybersecurity is practised in SMEs:
- SMEs care about cybersecurity but have intricate practical challenges that would even be hard to crack for experts.
- SMEs build with what they have locally (not what they could have).
- SMEs build on local expertise, not cybersecurity professionals.
- Fixing things is easy; living with almost broken things is hard.
- A less moralistic conversation is needed.
These insights challenge dominant assumptions about SMEs’ inadequate level of cybersecurity and underscore the importance of designing communication strategies that reflect the everyday lives of SMEs, not how their everyday cybersecurity is expected to work.
Transformative use of Dilemma Games
To share findings and initiate practical reflection, the research team designed participatory dilemma board games, presented at the final stakeholder workshop attended by 22 representatives from public authorities, trade unions, employer organisations, and SMEs.
The dilemma games presented participants with realistic cybersecurity dilemmas present in the empirical material. Players used colour-coded “resource cards” representing technical fixes, management changes, people involvement, and knowledge gathering to explore possible solutions, and were moreover encouraged to add their own “resource cards” in order to solve the problem.
The significant outcome of the dilemma games was how experts and stakeholders engaged actively in discussing the different dilemmas, reflecting on how the dilemmas were tackled in their own organisations while gaining insights from how dilemmas could be tackled differently. The stakeholders’ takeaways from the workshop were the following opportunities for facilitating and improving the dialogue with SMEs about cybersecurity issues:
- Engaging formats
The game’s format should be developed further and used to drive and facilitate cybersecurity dialogues with SMEs.
- New collaborators
The stakeholders identified key actors in SMEs who need to be in the centre of attention for cybersecurity advice and dialogue: Accountants and board members.
- New approach and understanding
A general need to customise communication and take the diversity of SMEs into account.
By ending the presentation of insights with a hands-on game, the project disrupted expert-driven discourses and created a space for more inclusive, situated reflections on how cybersecurity is practised.
Policy and communication: “good” organisational reasons for “bad” cybersecurity
The research collaboration between TANTLab and the Danish Business Authority culminated in the publication of the report “‘Good’ Organizational Reasons for ‘Bad’ Cybersecurity”, providing the authority with qualitative evidence and five actionable recommendations for improving cybersecurity communication for SMEs:
- Involving local cybersecurity figures in cybersecurity campaigns.
- New vocabulary is needed to relate to everyday cybersecurity knowledge.
- Understand “good” practical reasons for “bad” cybersecurity.
- SMEs are heterogeneous; hence, communication tactics should be customized.
- Moral high grounds have a negative effect on SMEs.
These findings and recommendations have directly influenced the authority’s approach towards cybersecurity practices for SMEs. In an interview with the think tank Monday Morning, the authority’s representatives praised the project for revealing how cybersecurity is embedded in the everyday routines of SMEs and for expanding their understanding of roles and responsibilities within them. To increase awareness of the everyday cybersecurity challenges SMEs face, the authority has launched a LinkedIn campaign highlighting everyday cybersecurity dilemmas based on the report’s findings. In the interview, the authority also highlights its focus on developing new digital tools for SMEs to self-assess their cybersecurity levels, with tailored recommendations based on the SMEs’ responses. Furthermore, the authority acknowledged the need for alternative communication formats targeted at SMEs, rather than only big companies with cybersecurity units.
Conclusion
The case study shows that cybersecurity is neither absent nor ignored by SMEs. Rather, it is actively practised, though often in informal, locally adapted ways that fall outside the scope of traditional frameworks and therefore remain under-recognised by authorities and in their communication efforts. Viewing SMEs as spaces where cybersecurity is actively negotiated opens new opportunities to rethink how communication strategies and tools are designed and delivered.
The project has contributed to a new vocabulary and set of empirical insights that support more constructive, relevant, and resonant cybersecurity communication strategies targeted at small- and medium-sized enterprises. Crucially, the study challenges the use of moralising narratives or “shaming” tactics, which often alienate SMEs and hinder meaningful engagement and communication.
A key takeaway from the project is the importance of partnering with stakeholders who are open to alternative approaches and can appreciate the complexity of empirical insights. Such collaborations lay the groundwork for impactful, societal interventions – enabling the ADD project to generate tangible, context-specific outcomes.
To sustain and expand the project’s impact, the research team is exploring ways to further develop and publicly share the dilemma game as a practical engagement tool. By inviting diverse stakeholders into participatory spaces, such as the dilemma games, the project has fostered an alternative dialogue rooted in real-world practices rather than formalised standards targeted at big companies. This shift represents a more inclusive, pragmatic approach to strengthening cybersecurity culture across the SME landscape.
References
Kocksch, L. & Jensen, T. E. (2023). “Good” organizational reasons for “Bad” cybersecurity. Research Report. Aalborg University. Accessible from the homepage of Digital Security, The Danish Resilience Agency: https://www.sikkerdigital.dk/virksomhed/publikationer/good-organizational-reasons-for-bad-cybersecurity
Kocksch, L. & Jensen, T. E. (2024). The Mundane Art of Cybersecurity: Living with Insecure IT in Danish Small- and Medium-Sized Enterprises. Proceedings of the ACM on Human-Computer Interaction, 8(CSCW2), 1-17. https://doi.org/10.1145/3686893
Interview with Torben Elgaard Jensen from TANTLab and Eva Elisabeth Roland from the Agency for Digital Government, moderated by ADD senior advisor Jakob Kaastrup Sørensen (05.07.2023): https://algoritmer.org/cybersikkerhed-i-smver-interview-med-digitaliseringsstyrelsen-og-tantlab/
Interview with Laura Kocksch at Monday Morning (2024): https://algoritmer.org/exit-interview-med-laura-kocksch-smver-har-bedre-cybersikkerhedspraksis-end-hvad-man-umiddelbart-tror/
Campaign on LinkedIn in collaboration with the Agency for Digital Government (June 2024): https://algoritmer.org/add-projektet-bidrager-til-ny-kampagne-for-cybersikkerhed-hos-danske-smver/
| Read more about the project |
|---|
| Kocksch, L. & Jensen, T. E. (2023): “Good” Organizational Reasons for “Bad” Cybersecurity: Ethnographic Study of 30 Danish SMEs |
| Jensen, T. E., Kocksch, L. & Wagenknecht, S. (2026): The cybersecurity dilemma game: moving cybersecurity beyond solutionism |
| Kocksch, L. & Jensen, T. E. (2025): The Cybersecurity Dilemma Game: Collaborative Boardgame for Organizational Cybersecurity |
