Cybersecurity-as-a-Society

1. INTRODUCTION


In today’s hyper‑connected world, cybersecurity is no longer a niche concern for IT departments. It is a foundational element of national security, the economy, and social cohesion. Yet a persistent gap remains between the people who design and operate digital systems and the decision‑makers who define the strategic goals those systems are meant to serve and the regulations those systems are required to follow.

My aim with this research/opinion article is to close that gap. I will examine how the technical niches of cybersecurity intersect with the broader societal objectives that governments, businesses, and citizens pursue, and I will identify which measures actually translate into tangible public benefits.

I am based in Gothenburg, Sweden – this report will therefore be written from a strategically European and locally Swedish perspective. Potentially biased – but with the research to back it up.

I currently study cybersecurity and have noted a clear disconnect between lawmakers/executives and technical professionals on IT and digital security matters.
This is something we’ve seen very clearly in recent examples such as the Chat Control fiasco in the European Council as well as the disastrous implementation of the “Millennium” system here in the Västra Götaland region of Sweden, and its associated signing of a terrible and expensive contract with Oracle.

Structure

The report is organized around three main phases:

Defining Cybersecurity-as-a-Society – To be able to determine which measures create tangible benefits and which issues have been preventing us from getting there, we need to first establish what our actual goals are.

Research & Analysis – A deep qualitative and quantitative dive into what challenges we face in regard to those goals, how those challenges work and take place, which issues are preventing us from effectively facing those challenges, and finally which practical technologies, measures and strategies, backed by research, can most effectively deal with these challenges and achieve our goals.

Conclusions & Recommendations – Based on the previous research, I will draw conclusions and make concrete suggestions towards 3 groups: individuals, organizations and politicians/lawmakers. These aim to fulfill our previously stated goals in the most efficient way possible and will be suited for our current global environment.

Let’s begin!

2. DEFINING CYBERSECURITY-AS-A-SOCIETY

To define Cybersecurity-as-a-Society as effectively as possible, we need to tangibly connect society-level issues to cybersecurity terminology. I believe that the best way to do this is by invoking the CIA Triad and simply scaling it up.

Confidentiality, Integrity and Availability are the three main goals usually used to structure cybersecurity strategies within organizations, products and standards.

  • Confidentiality: within an organization this term generally centers around information security: ensuring that individuals only ever access information and resources that they are administratively intended to access, through proper access controls. Adversaries include both curious insiders and external threat actors.

    On a societal level, the scope of Confidentiality continues to include proper storage standards, but is crucially broadened to also focus on infrastructure and privacy.

    According to a 2024 Eurostat article, over 80% of EU citizens actively use the internet for day-to-day communications, including e-mail, instant messaging and video calls. This places critical private information & logs directly in the hands of these providers. Those relying on the internet for critical communications are not limited to your average Joe – they also include business communication, lawmakers & politicians and even military communication.

    Example: What happens when people (of all categories) are not informed of how exactly these technologies work and who has access to their private or work data? What happens when the intentions and practices of communications providers do not align with the interests of their customers or our societies?

    At the same time, despite the many warnings and complaints from information security professionals, politicians in many democratic countries continue to push privacy-shredding legislation such as ID verification laws and even mandatory backdoors into encrypted communications.

    Example: What happens when these public sector backdoors get compromised, leaking everyone’s private chats? Or worse, what happens when these same lawmakers and leaders start using these backdoors for unwise or outright malicious purposes?
  • Integrity: within an organization this term generally centers around preventing unauthorized or unintended modifications to organization assets or data.

    On a societal level, this point becomes a whole lot more interesting. While it remains crucial to push secure standards and practices to prevent literal sabotage, it also introduces the major point of addressing the use of digital technologies by potentially malicious entities to disrupt the overall social fabric.

    To further define this, we can use the example of social media. According to the live data from Statcounter, non-European companies have almost 100% (!!) market share in Europe’s social media usage. The majority of this share is held by USA-based entities, with China-owned TikTok holding a notable position.

    Example: What happens if these foreign social media operators end up directly trying to nudge our populace into supporting policies or electoral options that directly work against Europe and in favor of that corporation’s home country?

    Secondly, foreign hostile actors remain a major adversary for blue teamers. “Cybersoldiers” aligned with Russia and its allies are constantly probing European organizations to steal technology, subvert our democracies and find ways to directly sabotage our infrastructure.

    It is therefore crucial to acknowledge that this threat can only be beaten through collective resilience, and to recognize that ALL security efforts by individuals, organizations and governments collectively build this geopolitical defense.
  • Availability: within an organization this term generally centers around making sure products, assets and systems remain online and available when needed. This often needs to be balanced against security measures, as an excess of those makes the intended assets more inconvenient and difficult to use.

    On a societal level, we need to scale this up by focusing on dependency and points of failure. In the modern age, most of our lives and critical services rely directly on online infrastructure to function.

    Example: We are not only reliant on these private providers to prevent downtime and crashing, but also on our dependency on certain services not being turned against us as a result of political shifts or changes in business strategies. What happens when this comes back to bite?

Finally: on top of all these additional cybersecurity concerns from a societal perspective, we also need to acknowledge that regular cybersecurity work is one of the most crucial parts of it all – our collective resilience builds on our individual resilience. The scope of our research will therefore take into account how the majority of regular cybersecurity incidents take place, what measures in hindsight would have prevented them, and which governance/lawmaking strategies would be most effective.

3. RESEARCH & ANALYSIS

3.1 – The Non-Malicious Human Element
Cybersecurity in organizations often gets bogged down in sensationalism, AI and fancy technologies, while often missing the very basics that actually cause most of the problems!

The 2024 edition of Verizon’s Data Breach Investigations Report states that over 68% of reported cyber breaches involve a “non-malicious human element” – in other words someone with access unknowingly helped the malicious element breach their target.

This non-malicious element is mainly divided into these two categories:

  • Social Engineering: This active attack method accounted for about 40% of breaches. Phishing through email or telephone remains the primary delivery format, followed by pretexting (impersonation). Despite these organizations likely having fancy firewalls, access controls and encryption, the adversary still just ends up hacking the human rather than the technology!
  • Simple Errors: These are honest mistakes, which accounted for about 28% of breaches in the 2024 DBIR. This includes accidentally sending sensitive data to the wrong destination (misdelivery) or, more commonly, misconfiguring cloud storage services, network settings, or application access, unintentionally leaving a digital “door” open for attackers.

Despite many organizations nowadays battering their employees with constant security training and procedures, this epidemic of mistakes and mess-ups continues, with grave consequences for not only the immediate victim, but for our entire collective security.

It’s clear that our current strategy on this matter is not nearly enough. Digital systems can be just as dangerous as driving a vehicle, yet do not feature the same kind of legal deterrence or consequences when it goes wrong, and the requirements to be put in a position where you can potentially act as a gateway for attackers are significantly lower than to be able to drive a car.

To build collective resilience as a society, I believe we are going to need to introduce direct liability through legal repercussions when organizations and individuals fail to do their part. This is needed to truly deter mistakes and encourage extra caution and skepticism, despite potentially overpunishing minor mistakes. It’s a tough world.
We also need to start truly drilling cyberhygiene into regular people’s heads from the very start, just like we did physical hygiene during the COVID-19 pandemic. Our schools have been heavily digitalized with computers and tablets, yet our regular curriculums are almost completely devoid of basic IT or digital best practices education!

3.2 – Freemail
This section builds directly on the introductory research I wrote in the Confidentiality section of 2. Defining Cybersecurity-as-a-Society.

Chances are, you, the person reading this, are probably a Gmail user. Oh, you’re not? In that case, you’re almost certainly with Outlook. They’re free! They’re convenient! Why would anyone doubt these borderline charity programs?

When it’s free, you’re usually the product. According to a 2024 Axeo estimate, about 85% of global e-mail market share is held by external providers that do not feature end-to-end encryption. What does this mean in practice?
The contents of any customer’s stored emails, whether enterprise or private, can be accessed either by the corporation or by a government ordering the corporation to do so.
In fact, providers like Gmail and Outlook are already known to actively scan the contents of your inbox to sell your data for personalized advertising!

Email is nowadays the default mode of transportation for official, private and confidential files & documents. You wouldn’t show these files to some of your closest friends, yet a supermajority of people show them willingly to these U.S. Big Tech corporations that scan them for advertising.

Also concerning is that this situation isn’t limited to consumers. While I can’t find a definitive source due to enterprise data being more secret, it’s speculated that about 90% of companies and organizations also rely on these external, unencrypted email services, usually through larger enterprise subscriptions.

European governments also fall victim to the same mistake – about two-thirds (again very scattered sourcing, unfortunately) seem to rely on US-based enterprise solutions for their official communications. There is an ongoing trend to switch to self-hosting and open source solutions, which I hope continues and also addresses this communications issue.

Finally, let’s address the availability aspect.

3.3 – “Why change what still works?”

The major issue of the continued use of unsecured legacy systems spans the entire globe. For example, a 2025 Saritasa article includes data from a U.S.-based survey of IT professionals on the matter.

62% of the organizations surveyed still use legacy systems. These are systems that no longer receive security updates and are not considered secure from vulnerability exploitation.
50% of these state that their main reason for not upgrading is that “the current system still works”. Secondary limits include budget constraints and a desire to avoid downtime during migration despite the long-term security concerns.

The key word here is complacency. Rather than take a short-term risk of downtime and complications to invest in long-term collective resilience, many organizations, driven by complacent employees and decision-makers, simply keep these old and unoptimized systems running – until the day when the big incident occurs.

By having waited for the “working” system to stop working, they now need to both remedy the immediate consequences of the fact that the system is no longer working, but also immediately begin the implementation of a new, updated system – this time without any prior preparation!

Yes, it is understandable for for-profit corporations and tired employees to not always take the initiative to bolster long-term resilience, especially when the previous system is still “working” and the profits are still rolling in – but this is not enough if we want societal resilience.

A smaller but very important part of this process is also automatic patch management. This is easier to implement, but it requires that systems be centrally managed at the organization level, for example through Active Directory or an equivalent directory service.

Similar to the previous section on deterring mistakes & social engineering, I believe our lawmakers need to introduce direct legal incentives and deterrents to actively push everyone to immediately phase out legacy systems and always remain up-to-date. I continue on this in 4. Concrete Recommendations.

3.4 – Chat Control & more: Why are politicians “like that”?

Throughout the last couple of years, but especially during 2025, the subject of stricter digital regulation has become significantly more accepted among politicians and lawmakers. The common theme of these initiatives usually revolves around “protecting children from the dangers of the internet”.

Yet another just as recurring theme is how cybersecurity professionals always HATE these proposals. They cite the loss of privacy and of the free internet, concerns about enforcement, the potential to drive users to illegal sites and, in some cases, the potential for hackers, foreign actors and abusive governments to abuse the mandated backdoors. You would think it damning that those with in-depth technical knowledge completely oppose these laws? Unfortunately not.

In late 2024, Australia passed its social media age restriction law. During 2025, the exact scope and methods of the ban have been established and made clear. All even remotely social media-like platforms now require mandatory ID or face scans, including Snapchat, YouTube, Discord, Reddit and similar.

Meanwhile, here in Europe, a “compromise” version of the long debated Chat Control proposal is on the verge of being signed into law. This version actually addresses some of the main concerns of the cybersecurity community, while remaining ambiguous on some parts.
The previous version of the proposal, pushed by the Danish EU Council presidency, faced significant protest and backlash, mainly over its clause to force mandatory backdoors in all encrypted messaging software – which would be used to automatically scan all private communication for illegal content.

The proposal has now finally been revised after immense concern regarding the potential for these backdoors to be breached by hackers or even misused by the government – completely neutralizing the benefit and use of encrypted messaging. The new, mostly accepted proposal only includes a legal obligation for high-risk services to take concrete steps to prevent illegal content such as child sexual exploitation on their platform, and creates legal precedent to instead allow platforms to voluntarily establish these backdoors and automated scanning. This is considered legally vague, but has neutralized the largest security concern: mandatory backdoors.

But how does this keep happening? Why do the lawmakers clash with the professionals?

Simply put, to become a politician, IT and technical knowledge is completely optional.

As an example to strengthen this point, a study was conducted on the common educational backgrounds of German elected lawmakers in the Bundestag. Out of these, around 27% studied law, around 21% studied economics and around 17% studied political science. In total, only about 2% had an IT background!

Instead, politicians influencing this issue are affected by the fact that protecting children is by itself a very popular agenda to push, and can often assist their PR and re-election prospects. After all, why listen to those who actually know the issue when you can instead get popular with other groups?

In short, we desperately need more tech and IT professionals in elected political office to avoid further legislative debacles.

3.5 – Social Media
This section builds directly on the introductory research I wrote in the Integrity section of 2. Defining Cybersecurity-as-a-Society.

According to Statista, 63.9% of the global population are social media users. In the European Union, specifically in ages 16-29, that number swells to about 88%. This gives the operators of these platforms a disproportionate amount of power to subtly influence the users of their service.

As stated previously, almost all of this social media activity is ultimately controlled by Meta and ByteDance. Yes – in the current multipolar geopolitical climate, where China, Russia and the United States are all vying to gain dominating influence over Europe, almost all of our social media is directly subordinated to these rival powers.

Somewhat thankfully, these companies have so far been mostly concerned with making money in our lucrative market, which requires them not to pick too much of a fight with the EU regulatory agencies. Some major EU regulations affecting these platforms are the Digital Services Act (DSA), the General Data Protection Regulation (GDPR) and the Audiovisual Media Services Directive (AVMSD). These regulations mandate, for example, a minimum quota of European-made content shown to European users, advertising limits, moderation requirements, risk assessments for children and mandatory data collection opt-outs.

Yet at the end of the day, most of our internet would grind to a halt if we are cut off from these non-European services. This could be due to political conflict with the platform’s ownership country, or even for business reasons to pressure us into rescinding some or all of our regulations for their platforms.

So why are there so few alternatives? New users go where the existing users are. Actually diversifying our social media market requires a combination of several efforts: the private sector actually developing high-quality competitive alternatives, more EU regulations requiring easier migration and duplication across several platforms, and a concerted effort by the informed part of the populace to actually create activity in other places.

3.6 – Infrastructure

What’s your favorite website? Chances are, it directly runs on services like AWS, Azure or Cloudflare. In fact, as stated in this Tom’s Hardware article, AWS and Azure account for about 55% of global web traffic, while a non-mutually exclusive 20% of traffic is routed through Cloudflare’s security service.

So, what is the problem here? Isn’t the market simply choosing the most convenient and secure options for their business?

On October 20th, 2025, thousands of AWS-hosted websites and services across the world went completely offline, following a major failure in AWS’s internal DNS service, where a localized issue on its North American servers ended up cascading into a global meltdown. Affected services included Snapchat, Fortnite, Ring, Duolingo, Discord and Reddit.

Less than 10 days later, on October 29th, Microsoft Azure experienced a similar disaster. A misconfigured change made to the Azure Front Door (AFD) service resulted in yet another global outage, where a large number of edge nodes stopped functioning, leading to drastically reduced service capacity for users trying to access services hosted by Azure. Major issues were reported for customers trying to access Microsoft 365, Xbox Live, their Azure dashboards, and even the Scottish Parliament.

Finally, on November 18th, it was Cloudflare’s turn to handicap the global internet for the third time in a month. A misconfiguration of Cloudflare’s “Bot Management” system resulted in the mass overload of Cloudflare’s proxy network, leading to the service no longer functioning for end users. This resulted in the mass unavailability of websites, including X, ChatGPT, Spotify, Canva and ironically even DownDetector itself, which uses Cloudflare for its own website.

On three occasions within a single month, minor issues within oversized hyperscalers resulted in the total obliteration of global internet accessibility.

Our web infrastructure simply turns out to be greatly overconcentrated. Not only does it remind us that even European websites could be completely shut down whenever a U.S. Big Tech corporation makes a mistake (or potentially decides to shut us down maliciously), it also reminds us of the need to stop outsourcing all of our web security to centralized providers like Cloudflare.

Whether through more cloud hyperscaling competitors to Azure and AWS, more self-hosted open source equivalents to Cloudflare or even just spreading your needs between different providers for redundancy, the internet desperately needs infrastructure diversification.
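The following model is an added illustration of the point above and is not part of the original article. It uses a constructed service inventory (the provider labels “hetzner”, “on-prem” and “self-hosted-waf” are placeholders, not a real deployment) to show which services a single provider’s outage takes offline, which providers exceed a concentration threshold, and why adding a backup provider for only one role does not remove the dependency.

```python
"""Dependency-concentration check across a service inventory.

Constructed example: models which services survive the outage of one
provider, mirroring the pattern where a single hyperscaler fault took down
every service that depended on it alone.
"""
from copy import deepcopy

# Constructed sample inventory (not a real deployment). Each service maps a
# role (hosting, dns, edge) to the providers that can fulfil that role. A role
# with several providers is redundant: it stays up while any one of them is
# up. An empty list means the service does not use that role at all.
SERVICES = {
    "public-website":  {"hosting": ["aws"],     "dns": ["cloudflare"],            "edge": ["cloudflare"]},
    "customer-portal": {"hosting": ["azure"],   "dns": ["cloudflare"],            "edge": ["cloudflare"]},
    "status-page":     {"hosting": ["hetzner"], "dns": ["hetzner", "cloudflare"], "edge": []},
    "internal-wiki":   {"hosting": ["on-prem"], "dns": ["on-prem"],               "edge": []},
}


def service_up(deps, down):
    """A service is up only if every role it uses has at least one provider up."""
    return all(
        any(p not in down for p in providers)
        for providers in deps.values()
        if providers
    )


def blast_radius(services, provider):
    """Names of the services that go offline if this single provider fails."""
    return sorted(name for name, deps in services.items()
                  if not service_up(deps, {provider}))


def all_providers(services):
    """Every provider referenced anywhere in the inventory."""
    return sorted({p for deps in services.values() for ps in deps.values() for p in ps})


def single_points_of_failure(services, threshold=0.5):
    """Providers whose sole outage takes down at least `threshold` of all services."""
    total = len(services)
    flagged = {}
    for provider in all_providers(services):
        share = len(blast_radius(services, provider)) / total
        if share >= threshold:
            flagged[provider] = share
    return flagged


def least_redundant_roles(services):
    """Per service, the roles served by exactly one provider (fix these first)."""
    return {name: sorted(role for role, ps in deps.items() if len(ps) == 1)
            for name, deps in services.items()}


def add_provider(services, service, role, provider):
    """Return a new inventory with an extra provider on one role of one service."""
    updated = deepcopy(services)
    updated[service][role].append(provider)
    return updated


if __name__ == "__main__":
    for provider in ("aws", "azure", "cloudflare"):
        print(f"{provider:>10} down -> offline: {blast_radius(SERVICES, provider)}")
    print("providers above 50% concentration:", single_points_of_failure(SERVICES))
    print("single-provider roles:", least_redundant_roles(SERVICES))
    # A second DNS provider alone does not save public-website: its edge role
    # still runs solely on Cloudflare. Redundancy has to cover every role.
    partial = add_provider(SERVICES, "public-website", "dns", "hetzner")
    full = add_provider(partial, "public-website", "edge", "self-hosted-waf")
    print("cloudflare down, dns fixed only:  ", blast_radius(partial, "cloudflare"))
    print("cloudflare down, dns + edge fixed:", blast_radius(full, "cloudflare"))
```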

3.x – The document will be expanded further with more parts when I release it publicly; this is the assignment deadline version.

4. CONCRETE RECOMMENDATIONS
4.1 – For Individuals

To achieve collective cyber-resilience, everyone needs to learn collective cyber-hygiene. Just like everyone prioritized handwashing, mask-wearing and social distancing during COVID-19, individuals going forward need to also realize that their personal cyber-hygiene is part of a much larger cause – our collective resilience as a society.

For this to happen, people need to understand the fundamentals of the technologies and applications they are using, who controls them and which alternatives could be preferable. With AI chatbots rampant and information more available than ever, we’re quickly running out of excuses for not making informed choices for our online services & applications.

Examples for individuals:

– Embrace cyber-patriotism. Valuing your own security and cyber-hygiene builds our collective security. For each digital service or solution you use, make sure you are informed on which alternatives exist and who controls it.
– Choose services featuring end-to-end-encryption for e-mail communications and cloud storage. With corporations growing bolder and with potential breaches becoming ever more likely, it is crucial that we all take steps to actually protect our private and personal information. A prominent provider featuring all of these services is Proton, a non-profit security-focused developer whose services include Proton Mail, Proton Pass and Proton Drive.
– Consider choosing independent, free and open-source software over locking yourself into expensive and restrictive U.S. Big Tech monopolies. Examples include Firefox, Codeberg and LibreOffice. This reduces dependence, improves confidentiality, and makes everyone individually more resilient.

4.2 – For Organizations

An organization’s digital security choices usually revolve around its own, sometimes short-term business needs. With executives focused on improving the coming quarter and exhausted employees focused on keeping the day-to-day availability up, optimization and long-term resilience often take a back seat.

For collective resilience, this isn’t enough. While it may seem like the consequences for a cybersecurity incident mainly apply to the affected company, they are rather much more widespread. The damage spreads further downstream to customers who now may have had their data leaked or important services disrupted, and upstream by compromising our collective resilience – the adversary may have been a hostile government or a politically motivated group.

Examples for organizations:
– Proactively phase out legacy systems. While it may result in a short period of downtime while executing the replacement, a planned and orderly transition is better than a rushed and forced transition resulting from the previous system failing or being compromised.

– Embrace long-term resilience over short-term convenience. When choosing software, digital solutions or partners to work with, take into account political factors, societal strategic goals and diversification to avoid being crippled by one single actor having issues. Try to use open source or locally controlled solutions to avoid overdependence on foreign conglomerates while also saving money.

4.3 – For Politicians

As was stated previously, only an extremely minor share of lawmakers have any kind of background in IT or information security. Rather, they mostly come from law, economics and political science. This has often resulted in badly informed legislative proposals, expensive contracts where there were more responsible alternatives and an overall disconnect between lawmakers and professionals in the tech field.

There also need to be legal, administrative and regulatory changes enacted by governments and lawmakers in order to push individuals and organizations in the right direction. This includes changes to school curriculums, introduction of additional liability and penalties, and additional regulations targeting certain types of digital service providers.

Examples for politicians:

– Bring more people with an IT background into politics! This group’s perspective seems to be consistently missing from government policy in many places, and by bringing professionals from the field into the room we can make sure our digital policy is based on competence and facts, not hysteria and short-term vote buying.
– We need to include fundamental IT education for everyone in schools. This is currently mostly featured in specifically technical programs – but everyone uses and works with digital technologies, not just those educated in them. To truly enable people to make proactive choices and achieve collective cyber-hygiene, we need everyone to know the fundamentals of what they are using.

– Consider introducing actual liability when an employee or company has made decisions that enable a serious cyber breach, just like when you crash your car or sell a faulty product that leads to a serious incident. Examples include falling for social engineering or delaying updates of legacy systems or software. This would not be about punishment – rather about deterrence, encouraging everyone to take extra caution.

5. OUTRO

Congrats – you made it to the end!

In this paper I tried to pull the classic CIA‑triad out of the server room and stretch it to the societal level, showing how confidentiality, integrity and availability turn into privacy, democratic stability and basic everyday functioning when you look at the bigger picture.

What the facts keep telling us is that the biggest holes aren’t exotic zero‑days or insufficient AI integration – they’re the plain‑vanilla human mistakes and the structural lock‑ins that stay in place because they’re cheap, familiar or politically convenient. The “non‑malicious human element” accounts for more than two‑thirds of breaches, legacy systems still run in almost two-thirds of organisations, and a handful of US‑based cloud and social media giants control the bulk of our digital lives. All of that adds up to one simple conclusion: collective cyber resilience can only be achieved when every stakeholder accepts a shared responsibility.

The three targeted recommendation groups are deliberately linked. An individual who checks which mail provider actually offers end‑to‑end encryption creates market pressure, an organisation that actually retires legacy systems and spreads its reliance across several providers cuts systemic risk, and a government that puts basic IT literacy into school curricula and backs it up with liability rules is one step closer to having a populace making informed digital choices and eradicating the social engineering epidemic. When those actions reinforce each other the society‑wide “cyber‑immune system” gets stronger.

So the path forward is clear: educate yourself, diversify your digital stack, defend the free internet, push sensible legislation backed by security professionals and hold every actor in society accountable for our collective resilience. Let’s turn cybersecurity from a reactive after‑thought into a proactive pillar of a free, secure and thriving society.
