Recently, Dr. Martin J. Kraemer, Security Awareness Advocate at KnowBe4, and Dr. William Seymour, Lecturer in Cybersecurity at King’s College London, released a whitepaper called “Cybersecurity Information Sharing as an Element of Sustainable Security Culture,” which examines how people consume and share cybersecurity information, revealing the role that workplace training plays in fostering information sharing among colleagues.
Off the back of this report, we asked Martin a few questions regarding the importance of information sharing and how it can be encouraged.
Why is it important for people to share cyber information onward and how would you encourage people to do this?
Sharing cybersecurity information is a key sign of a strong security culture. When employees actively share tips, updates, and warnings, it shows they’re engaged, supportive of one another, and understand the importance of keeping the organization secure.
Encouraging this behavior starts with making information easy to understand and share—think short guides, quick tips, or real-life examples. Recognizing employees who promote good security practices and fostering open communication channels can also motivate others to get involved. Communication in this way is key to fostering a sense of collective responsibility - for organizations, another way to do this is by making training real, relevant, and relatable.
When people care enough to share, it creates a more informed and resilient organization.
What is your opinion on sources for cyber information?
According to our research, employers were a key source of cybersecurity information across all age groups. However, 18-29 year olds gravitated towards social media for their cyber information in contrast to 50-59 year olds who relied on broadcast and podcasts.
Social media, despite its flaws, can be a valuable source of cyber information—provided the content is accurate and comes from a credible source. In an era of deliberate disinformation and unintentional misinformation, users should approach everything they encounter on these platforms with healthy skepticism. It's essential to evaluate both the source and its intent. Is the post simply sharing a cyber-related news story, or is it pushing a particular opinion? Do you agree with that perspective? Are there alternative sources offering different viewpoints? These are critical questions social media users should consider.
Outside of employee training, other sources like reputable websites, publications, and podcasts generally offer more reliable information than social media. However, they still require scrutiny—who is providing the information, and what is their agenda? Unlike social media, traditional media outlets and official cybersecurity sources typically adhere to editorial standards and fact-checking processes, offering an added layer of credibility.
What is the most ‘shareable’ cyber content?
Keeping in mind that onward sharing is a desirable trait, the most ‘shareable content’ depends on who is sharing the information. For employers, beyond workplace training, they could introduce open communication channels like email, Slack, or Teams to share cybersecurity updates, including the latest trends, news, and practical tips, in an easily digestible format. This could include weekly newsletters, short videos, infographics, or even quick tips embedded within existing communication channels. For employees, content that feels directly relevant to their roles and also their wider personal experiences tends to be more engaging and shareable.
If the information is aimed at a broader audience, like customers or the public, interactive content such as quizzes ("Can you spot the phishing email?") or real-world case studies can encourage sharing. The key is to make the content accessible, visually engaging, and actionable, so people feel motivated to pass it on.
As referenced above, sharing on social media channels should be treated with caution, considering the credibility of the source and any underlying agendas.
The report highlights that only 38% of people in France and 55% of those in Germany undertake some form of cyber training. In your opinion, why are these numbers objectively quite low?
It’s difficult to pinpoint an exact reason, but it’s fair to say that cybersecurity training in these European countries is less common than in the UK and the US. One reason may be that the preference for native-language content may limit access to high-quality resources, as many are primarily available in English.
This isn’t the only research highlighting the training gap. A survey conducted by Eurobarometer in early 2024 revealed that nearly 75% of EU organizations have not taken any steps to train their employees on cybersecurity or raise awareness of it as an issue. Interestingly, the same study found that over 70% of organizations consider cybersecurity a high priority. With this growing awareness, Germany and France are clearly catching up, recognizing that managing human risk is essential.
What are your recommendations when it comes to information sharing in cyber?
There has been a significant shift in mindset—people are now more aware of cybersecurity threats both at work and in their personal lives. However, many employers focus solely on workplace-specific training, leaving employees exposed to broader risks. My first recommendation: if employers devoted even a small part of their advocacy to personal cybersecurity, they would help create more security-aware individuals who can spot threats, practice safer habits, share knowledge, and reduce risks across all areas of their lives. To build on this, organizations should also consider the diverse cultural communities within countries—using surveys and interviews, and actively engaging with people to understand their unique needs and challenges.
My second recommendation may seem simple but could be challenging to execute: deliver the right content, in the right format, with the right experience to encourage sharing. This approach will vary for each organization, depending on the nature of the business, individual departments, and even specific roles. Therefore, it’s crucial to truly understand your employees—what they know, how interested they are in cybersecurity, and what they could learn. Tailoring content to meet these needs not only boosts engagement but also fosters a culture of proactive information sharing and stronger overall security.
This is where Human Risk Management technology can really come into play. Having a deep understanding of individual risk in your organization is the only way to fully understand how to personalize the right kind of content that employees will want to share forward.