Introduction
As part of the NATO force, Norwegian military personnel are vulnerable, plausible targets for adversaries (Frederick et al., 2022; Maciata, 2025; NATO Allied Air Command, 2025; Skjelland et al., 2025). NATO is currently developing and refining the concept of Cognitive Warfare (CogWar), aimed at strengthening defence mechanisms and resilience against disruptive influences targeting individuals in military institutions (Claverie et al., 2022; Masakowski and Blatny, 2023; Reding and Wells, 2022).
Despite increased attention to cyber defence, the human aspect remains largely overlooked, and empirical insight into how NATO personnel are targeted by cyberattacks and online manipulation is still limited. By focussing on the lived experiences of military personnel, the research presented here offers a distinctive contribution to the empirical literature and advances a human factor perspective on cybersecurity.
Cybersecurity is a critical issue that affects individuals, organisations, and society. The increasing reliance on technology and the growing sophistication of cyber threats emphasise the need for robust and effective cybersecurity measures (AL-Hawamleh, 2023; Enisa, 2023; Skopik et al., 2022). As the lines between physical and digital warfare blur, recognising and mitigating cyber threats has become imperative for military planners and decision-makers (Jøsok et al., 2016; Masakowski & Blatny, 2023). Cyber defence demands a comprehensive understanding of the evolving digital threat landscape, investment in advanced technology, development of robust defensive strategies, and personnel capable of distinguishing between different types of digital threats (Hoppa, 2021; Krasznay & Hámornik, 2019).
With such a broad field and concept, there are many diverse definitions. Here, “cybersecurity” is defined in accordance with von Solms & van Niekerk:
The protection of cyberspace itself, the electronic information, the ICTs1 that support cyberspace, and the users of cyberspace in their personal, societal and national capacity, including any of their interests, either tangible or intangible, that are vulnerable to attacks originating in cyberspace. (von Solms & van Niekerk, 2013, p. 101)
This definition aligns with the analytical focus of the article, capturing both technical and societal dimensions which shape contemporary security practices. It also reflects the way cybersecurity is understood in the empirical material, where technical vulnerabilities and user behaviour are understood as closely connected.
Research on cybersecurity and situational awareness is mainly technology orientated (Lif et al., 2017), and empirical material or qualitative social science studies on military cybersecurity awareness are few. As a result, these studies hardly ever include a human or behavioural perspective (de Bruijn & Janssen, 2017; Park et al., 2017; Sangwan, 2024; Young et al., 2018). Although human factors are often cited, they are rarely examined from the viewpoint of those directly affectted. Existing studies prioritize technical vulnerabilities, behavioural risks and attack vectors, often through abstract or system level analyses (Pollini et al., 2022), and they rarely incorporate bottom-up perspectives or empirically grounded insights into how users perceive and navigate cybersecurity challenges. The field remains dominated by technological approaches, with limited attention paid to lived experience and institutional context (Khadka & Ullah, 2025).
Similarly, a systematic review reveals that only a small fraction of cybersecurity research employs qualitative methods, and even fewer explore the social and organisational dimensions of security behaviour (Rohan et al., 2021). The absence of unified theoretical frameworks and user-centred methodologies continues to limit understanding of how human factors function in real-world cybersecurity contexts (Jeong et al., 2025). That gap is addressed here by highlighting the voices and experiences of military personnel, offering an empirically based contribution to the field.
The main goal for the research has been to scrutinize the phenomenon of cybersecurity awareness among recruits, conscripts, and military personnel within the Norwegian Navy concerning the use of smartphones, apps and social media. The focus is limited to cyber threats related to terms of use, social media content, applications and algorithmic influence, reflecting the central role these technologies play in everyday digital practices. Personal devices and platforms habitually blur boundaries between private and professional spheres, creating specific vulnerabilities in operational contexts.
In this article, the analysis is guided by three research questions: How do soldiers and other military personnel in the Norwegian Navy assess their own level of cybersecurity awareness? Are they less likely to comply with regulations when they disagree with them or do not understand their purpose? And to what extent do age, gender, unit, rank, or professional background shape their understanding of and awareness of cybersecurity?
First, the article introduces the research context and outlines the gap in existing studies, followed by a literature review and a theoretical framework that define key concepts and situate the study within a socio-technical perspective. Next, the analytical themes are presented, highlighting the domains that structure the analysis. The methods section then explains the ethnographic approach and coding process. The findings section provides empirical insights into everyday cybersecurity practices among naval personnel. Finally, the discussion interprets these findings in light of broader theoretical and practical implications. The paper concludes with recommendations, limitations and directions for future research.
Literature Review
As digital technologies increasingly permeate operational environments, cybersecurity must be considered a critical concern in military contexts (AL-Hawamleh, 2023; Skopik et al., 2022). NATO’s strategic focus on cognitive warfare emphasises the growing recognition that security threats are not only technical but also psychological and behavioural (Claverie et al., 2022; Giordano, 2023). Even so, technological perspectives continue to dominate research, often neglecting the human factors that shape compliance and vulnerability (de Bruijn & Janssen, 2017; Enisa, 2023; Khadka & Ullah, 2025).
Contemporary risks are increasingly diffuse, harder to control and less predictable. They are global in scope, shaped by human activity and marked by deep uncertainty. To avoid reproducing deterministic narratives, this analysis draws on critical perspectives underpinning the diversity of cyber risk logics and their implications for policy and practice (Backman & Stevens, 2024).
The gap between awareness and behaviour, where individuals recognise risks but fail to act accordingly, is well documented (Sulaiman et al., 2022). Similarly, self-assessments of security practices tend to be overly optimistic, which creates blind spots and weakens situational awareness (Malmedal et al., 2016; Notaker, 2023). Explanations for this gap vary. Non-compliance may be rational when rules are perceived as impractical or disruptive to operational efficiency (Tempestini et al., 2023). Compliance tends to increase when risks are immediate and personally relevant (Hansen, 2025). These findings resonate with military contexts, where operational demands frequently compete with security protocols.
Role-specific competence further shapes behaviour. Personnel in classified roles exhibit higher adherence, reflecting professional identity and training (Mattingsdal et al., 2024). This aligns with viewing cybersecurity as a socio-technical domain, where infrastructures and practices are mutually interdependent (Knox et al., 2018). Technology does not merely constrain behaviour; it interacts with organisational norms and informal logics that shape how rules are interpreted and enacted.
Governance mechanisms embedded in digital platforms add complexity. Terms of use regulate data collection and privacy, yet users rarely read them (Moallem, 2018; Yerby & Vaughn, 2022). This pattern appeared in the present study, where most interlocutors accepted them without scrutiny, echoing previous findings (Zwilling et al., 2022). Such behaviour introduces risks, as applications may access sensitive data, including geolocation, a vulnerability exploited in documented cases involving fitness apps such as Strava (Chirgwin, 2018; Dhondt et al., 2022; Skredderhaug, 2023). Algorithms add another layer by shaping content visibility and engagement while remaining opaque to users (Cobbe, 2021; Gillespie, 2014). In military settings, algorithmic processes can facilitate adversarial targeting and influence operations, amounting to a “weaponisation” of social media, as observed during the war in Ukraine (Primig et al., 2023; Singer & Brooking, 2018; Woolley, 2022).
Anthropological perspectives offer tools for understanding these dynamics. The concept of thick description underpins the interpretive processes through which norms gain meaning (Geertz, 1973b), while everyday interaction plays a central role in shaping institutional norms and practices (Eriksen, 2017; Hannerz, 2010). Studies of military life emphasise how informal practices and peer norms mediate compliance (Hellum, 2014; Rones, 2017). Concepts such as information environment and normative socialisation illustrate how digital technologies intersect with organisational routines, producing behavioural patterns that cannot be reduced to technical design alone (Floridi, 2018; Jain et al., 2021). Situating cybersecurity in its institutional and social context therefore helps explain why awareness does not consistently translate into compliance and how motivation is socially mediated (Frey, 2018; Sangwan, 2024).
Theoretical Framework
The analysis is based on a socio-technical perspective in which technological infrastructures and social practices are interdependent (Bergh, 2020; Knox et al., 2018). It challenges technological determinism by recognising that users interpret and negotiate security measures within institutional contexts. Technology structures possibilities for action, yet these structures are continuously adapted through human practice. To analyse these dynamics, the study employs an anthropological, interpretivist approach. Deep interaction through ethnographic fieldwork and participant observation provides access to the lived realities of naval personnel, following Geertz’s notion of thick description (Geertz, 1973b). Informal conversations constitute arenas for knowledge exchange and norm negotiation, revealing how institutional directives are reframed in everyday settings (Briggs, 2007). The concept of symbolic representation underscores the stakes of cybersecurity in military contexts: personnel are not merely technology users but embodiments of institutional values and national identity (Roelsgaard Obling & Victor Tillberg, 2021). Their digital conduct therefore carries institutional and reputational significance.
The information environment captures the digitally mediated space where platforms, algorithms and governance mechanisms shape behaviour (Floridi, 2018; Jain et al., 2021). Understanding cybersecurity within this environment requires attention to both technological capabilities and the social processes through which meaning is constructed. Normative socialisation explains how individuals internalise norms through formal training and informal peer interaction, embedding expectations within everyday practices and accounting for the persistence of behaviours that conflict with official regulations (Frey, 2018; Sangwan, 2024). There are two common explanations for people ignoring security rules: complacency, when a sense of safety leads to indifference, and inconvenience, when protocols feel like an unnecessary hassle that disrupts comfort. These dynamics illustrate how organisational routines and practical considerations mediate compliance, producing vulnerabilities that cannot be explained by technical design alone (Nobles, 2018; Pollini et al., 2022).
The phrase “information is motivation” reflects a common assumption that knowledge leads to compliance. However, empirical evidence suggests that the relationship is more complex; it is neither linear nor automatic. While information may be necessary, it is insufficient in isolation. Motivation emerges through cognitive, social and organisational mechanisms that mediate the translation of knowledge into action. This interpretation aligns with theories of the awareness–behaviour gap (Sulaiman et al., 2022) and rational non-compliance (Tempestini et al., 2023), as well as findings on threat proximity (Hansen, 2025). Information is understood as a resource that must be contextualised and made meaningful within the routines and constraints of military life.
Research Method
Studying military cybersecurity requires understanding people as well as systems. An anthropological approach accesses the everyday realities of those who live and work within these systems (Fangen, 2010; Hannerz, 2010). Through close interaction, participant observation, open-ended interviews and informal socialisation, it reveals practices and tensions often invisible to more distanced or technical approaches (Eriksen, 2017; Geertz, 1973a). This perspective shows how phenomena are experienced, negotiated and sometimes contested from within.
The term “interlocutor” is used in anthropology to emphasise the dialogic and co-constructive nature of ethnographic engagement. Unlike “respondent”, which implies a passive role in structured data collection, “interlocutor” reflects a reciprocal relationship in which meaning is shaped through ongoing interaction and interpretation (Briggs, 2007; Zhang & Zhan, 2025). To balance anonymity with the need to convey individuality, pseudonyms have been assigned to interlocutors in this paper, a common practice in anthropology that humanises the material and makes perspectives more accessible (McGranahan, 2021; Vorhölter, 2021). An overview of interlocutors cited in this article is provided in the Interlocutor Key (see Appendix A).
The analytical process was interpretive, inductive and conducted manually, grounded in anthropological theory and the interpretivist tradition (Panourgiá, 2002; Turner, 1967). It approaches norms and practices as systems of meaning interpreted from within, through “thick description”, connecting interaction to context with sensitivity to setting (Geertz, 1973b). Although no predefined framework was applied, the approach aligns with reflexive thematic analysis (Braun & Clarke, 2019; Naeem et al., 2023), focusing on the researcher’s active and subjective role in knowledge production. Reflexive thematic analysis is not about coding reliability or consensus, but about producing meaningful, interpretive accounts that reflect the complexity of lived experience (Braun & Clarke, 2019).
In line with recent critiques of generative AI in reflexive qualitative research, all analytical work was conducted manually (Jowsey et al., 2025). This approach ensures that meaning-making remains a human-centred process, consistent with the interpretivist tradition and the anthropological emphasis on contextual sensitivity.2
The main method used for this study was ethnographic fieldwork, participant observation, and semi structured qualitative interviews (Table 1). Empirical data were collected during four multi-sited fieldwork periods within the Norwegian Navy in 2021 and 2022, each lasting between 7 and 15 days. The field sites were subject to varying security regimes and regulatory frameworks. Differences in responses among personnel with distinct operational roles and levels of security training highlight the importance of location as a contextual factor shaping cybersecurity practices.
Table 1
Chronological Overview of Interviews the Author Conducted with Navy Personnel/Soldiers in 2021/2022.
| YEAR | NAVY | NUMBER OF INTERVIEWS | FEMALE | MALE |
|---|---|---|---|---|
| 2021 | Key Personnel | 10 | 2 | 8 |
| 2021 | Frigate | 16 | 4 | 12 |
| 2021 | Recruit camp | 21 | 8 | 13 |
| 2021 | Frigate | 21 | 8 | 13 |
| 2022 | Coast Guard | 23 | 4 | 19 |
Interview guides, one for conscripts and one for staff, were developed regarding the overarching theme and the phenomenon to be explored, informed by prior field experience, consultations with key stakeholders and subject-matter experts, and a review of relevant literature. Interviews typically evolved into conversations; questions were integrated but not necessarily in the same order or phrased identically. Insights from the first interviews, as well as observations in the field, often brought new perspectives. These insights were incorporated into following interviews, making the interview process iterative and dynamic.
MAXQDA was employed solely as a software tool to organise, code and manage textual data. It facilitated systematic handling of large volumes of qualitative material but did not influence the analytical framework or introduce any quantitative elements. As such, its use does not constitute a mixed methods approach; rather, it supports a wholly qualitative methodology (Paulus, 2023; Woolf & Silver, 2017).
Coding process and Thematic Development
The material consists of 91 interviews in Norwegian with soldiers from various personnel categories. All interviews were recorded, transcribed, and imported into MAXQDA (Woolf & Silver, 2017). Approximately 2,000 pages of text were thematically coded into 18 parent categories derived from the interview guides and research themes (Figure 1). During transcript review, additional relevant themes emerged, resulting in 168 subcodes. Coding aimed to systematise and organise the data, enabling thematic exploration and identification of patterns across interviews.
Figure 1
Overview of Parent Codes in MAXQDA.3
For each code, all associated segments in MAXQDA were reviewed to identify recurring themes, key findings, and illustrative quotes. This iterative process refined the thematic structure and ensured that analysis remained closely tied to the empirical material.
Rigour was ensured through repeated engagement with the material, with codes and themes revisited and refined throughout. Themes were considered strong when they appeared in several interviews and across different personnel categories, and extensive fieldwork and contextual knowledge contributed to interpretive validity. The qualitative approach, supported by MAXQDA for data organisation, enabled nuanced insights into how cybersecurity is understood and practised among military personnel, insights difficult to obtain through quantitative methods alone. Quantified responses presented in the findings (e.g., “77 out of 91 perceive rules as fair”) are not statistically representative but serve as indicators of recurring themes. Numbers are indicative because one interlocutor may mention a topic several times, while another may not address it in a way that can be coded. Expressions such as “many say” or “several describe” convey patterns of meaning across interviews, even when articulated differently. Rather than a limitation, it reflects the strength of qualitative inquiry: its ability to capture complexity and variability in context (Saldaña, 2013).
Interview responses are understood as expressions of attitudes and perceptions shaped by institutional norms, professional identity, and the interview context, rather than as direct evidence of behaviour. The quotes represent what interlocutors say, not necessarily what they do (Briggs, 2007; Rinaldo & Guhin, 2022). By attributing rule violations to others, soldiers may present themselves as competent and loyal. This supports an analysis that privileges interpretation over taking statements at face value (Eldh et al., 2020).
Analytical Themes
The analysis focuses on three domains: social media, terms of use and algorithms, all critical components of the information environment in which military personnel operate (Bergh, 2020; Jain et al., 2021; Malmio, 2025). Social media blur boundaries between private and professional spheres, increasing vulnerabilities linked to information leakage and influence operations (Bay et al., 2019; Evans, 2022; Karasz, 2019; Skredderhaug, 2023). Such risks are well documented in NATO contexts, where adversaries exploit personal data for targeted messaging and operational disruption (Frederick et al., 2022; NATO, 2022). Practices on these platforms are shaped by both regulations and peer or unit norms, which may normalise behaviours that conflict with official guidelines (Berrefjord & Bjørstad, 2024; Hellum, 2014; Rones, 2017). The interplay between technical affordances and institutional social dynamics illustrates cybersecurity as a socio-technical phenomenon (Floridi, 2018; von Solms & van Niekerk, 2013).
Terms of use agreements function as governance mechanisms regulating data collection and privacy (Schubert & Barrett, 2024). Despite their significance, most users accept these agreements without reading them, a pattern confirmed by this study and documented elsewhere (Moallem, 2018; Yerby & Vaughn, 2022; Zwilling et al., 2022). In military contexts, such behaviour introduces specific risks, as personnel may unknowingly grant applications access to sensitive data such as geolocation, a vulnerability exploited in cases involving fitness apps (Chirgwin, 2018; Dhondt et al., 2022; Mink et al., 2022). The complexity and length of terms of use documents discourage engagement, leading to indifference that undermines informed decision making (Frey, 2018; Nobles, 2018). It reflects broader human-factor challenges in cybersecurity, where convenience and perceived irrelevance often override formal compliance (Pollini et al., 2022; Sangwan, 2024).
Algorithms represent a less visible but equally influential dimension of the information environment. These computational systems structure content visibility and user engagement, shaping what individuals see and how they interact online (Bundtzen, 2022; Cobbe, 2021; Gillespie, 2014). While most interlocutors had heard of algorithms, few demonstrated a clear understanding of their function or implications for security, echoing findings from other studies on the hidden nature algorithms (Almansoori et al., 2023). This lack of comprehension is significant, given that algorithms can be exploited for surveillance, profiling and influence operations (Bergh, 2020; Deppe, 2023). In military contexts, algorithmic processes may facilitate adversarial targeting or amplify vulnerabilities through personalised content delivery (Bay et al., 2019; Martínez et al., 2023). Automated decision-making systems also raise ethical and operational concerns, as overreliance can reduce human oversight and critical thinking (Allhoff et al., 2016; Broussard, 2018; Knox et al., 2018). The theme of algorithms thus underscores the importance of technical literacy as a component of cybersecurity awareness (Chandarman & van Niekerk, 2017; Sangwan, 2024).
The term “weaponisation” is used here to describe the deliberate use of algorithmic systems in influence operations, not to suggest that algorithms are hostile in themselves. In military and geopolitical contexts, weaponisation involves manipulating algorithmic processes to amplify disinformation, micro-target individuals or distort information flows, undermining trust and operational security (Primig et al., 2023; Singer and Brooking, 2018; Woolley, 2022). The point is socio-technical: ordinary functions shape everyday interaction, yet their misuse exposes vulnerabilities that are not purely technical. This perspective acknowledges real risks while avoiding an overstatement of threat (Backman & Stevens, 2024).
Although these domains appear distinct, they are interconnected through the ways information is produced, circulated and acted upon. Social media operate under terms of use that govern data practices, while algorithms determine visibility and reach of content. Together they form an information environment influencing risk perception and behavioural norms, which is essential for understanding how information relates to motivation (Floridi, 2018; Jøsok et al., 2016). The assumption that information alone produces secure behaviour is challenged by my empirical findings, which reveal that knowledge must be contextualised and relevant to operational realities (Hansen, 2025; Squires & Shade, 2015; Zwilling et al., 2022). Motivation emerges through social and cognitive processes, mediated by institutional norms and technological affordances (Hellum, 2014; Rones, 2017; Sangwan, 2024).
Ethics
Interviews were conducted with conscripts and employees, with diversity in age, rank, gender and roles. Verbal consent was recorded, full anonymity was assured, and no names were recorded on tape, only numbers known to the researcher. Interlocutors received written information about their rights, including the option to withdraw at any time, and researcher contact details. Approvals were granted by the Defence Research Board and the FFI Ombudsman, in line with GDPR.
Findings
Key findings from the study are guided by these research questions: How do individuals in military contexts perceive and respond to cybersecurity rules? What factors influence their compliance and awareness? The results reveal a complex relationship between knowledge, motivation, and behaviour. While most interviewees express general cybersecurity awareness and view the rules as fair, their understanding of specific threats is often limited. Professional background, age, and access to tools shape attitudes and practices. The findings highlight a gap between formal regulations and everyday routines, where complacency, inconvenience, and social dynamics contribute to security vulnerabilities.
“Information Is Motivation”: Understanding Rules and Compliance
A central premise examined is whether individuals are less likely to comply with rules they do not understand or support. A common military phrase, cited by several interlocutors, was “information is motivation”, suggesting that knowledge promotes compliance.
Although 77 out of 91 interviewees consider the rules fair and not overly strict, their narratives reveal a gap between principle and practice.
Most rules seem to be thought through and normally have a well-founded rationale behind it. What I don’t approve are rules without justifications. (Idunn)
Lack of understanding of potential consequences can lead to risky behaviour. As the next interlocutor notes, knowledge encourages motivation to comply:
The quote “information is motivation is actually a very good one, because the more you understand of what these algorithms do, the more understanding you have of it actually mattering when taking a picture of a damaged system to show off to someone. (Njord)
Rules may also be perceived as too complex or inaccessible to engage with:
No, I don’t break the rules as such. When I say “as such”, I mean I don’t break any rules I know about. Gotta say that these regulations are some long dry sheets, though. I can’t be bothered. Life is too short to spend a day on that. I’ll be that honest. I read the introduction, and then I just use my common sense. (Ask)
Aboard frigates, smartphones are restricted to cabins and lounges. Yet these spaces are not free from operational discussions, as one interlocutor explains:
We talk freely about whatever we want there. That’s because we see the lounge as our safe space. It feels natural to talk about those things there. For me, working in logistics, I don’t see much of operations or the bridge, for example. So instead of going up there and asking, “Hey, what’s coming up? Where are we going?” I usually just ask in the lounge, like, “Where are we anchoring tonight?” … The lounge is where we talk across departments, share information, and where we have our smartphones. But it’s also not something I’d bring up myself, because then we might lose phone access there too, right? (Liv)
This example illustrates how informal norms and blurred boundaries between work and leisure can normalise risky practices. Although personnel are aware of the rules, they may disregard them when convenience or routine takes precedence. Such behaviour reflects both complacency and the perception that rules are impractical or inconsistently enforced.
Terms of Use: Awareness, Acceptance and Risk
Most of the interviewees report a general awareness of cybersecurity, with 77 out of 91 perceiving the applicable rules as “fair” and “not too strict”. Nonetheless, such self-reported awareness often coexists with a notable gap between knowledge and practice (Zwilling et al., 2022). A clear example is the widespread acceptance of terms of use or terms of service without review, indicating a disconnect between perceived awareness and actual behavioural adherence. Failure to read terms can grant applications access to contacts, microphones or location, which increases exposure to surveillance and data leaks, with potential disciplinary and organisational consequences in military settings (Moallem, 2018; Yerby and Vaughn, 2022; Bhatnagar and Pry, 2020; Zwilling et al., 2022).
Why, then, do users typically refrain from reading the terms of use before agreeing to them? Once again, complacency and perceived inconvenience emerge as key factors (Frey, 2018; Nobles, 2018; Sangwan, 2024). Terms of use documents are often deliberately long, dense and written in inaccessible legal language (Yerby & Vaughn, 2022), discouraging engagement and promoting indifference. This reluctance is exemplified by a conscripted soldier:
I don’t, but I’ve heard from the communication officer several times that we should read them and look through everything. But I, as most of us young people, we just press ‘OK’. (Sol)
Sol’s comment reflects a casual attitude toward adherence, acknowledging the prescribed behaviour while simultaneously dismissing it as irrelevant in practice.
As shown in Figure 2, most interviewees accept terms of use without reading them. When asked about their understanding, a majority admit they do not know what the terms actually entail, and only a few claim partial knowledge.
Figure 2
Number of Interviewees Reading and Accepting Terms of Use. N = 91.
Although the importance of both physical and digital security is emphasised in military training and communication, the data suggest a divergence between general awareness and specific knowledge. Soldiers are informed about risks and regulations, yet many accept terms with little scrutiny. For instance, several interviewees reported using the fitness app Strava without reviewing its terms of use, unaware of how their data might be collected and used by the company. The use of such apps has been linked to documented security breaches involving military personnel (Dhondt et al., 2022; Mink et al., 2022; Skredderhaug, 2023).
Rule Clarity Versus Behavioural Adherence
Although most of the interviewees claim to follow the rules, several report sharing photos from military settings, violating the regulations. Figure 3 (below) indicates that 75 interviewees report “following the rules” while three state they “do not always follow the rules”. Additionally, 29 say “I follow the rules but can see that others do not”, which does not align with the number claiming full compliance. Several soldiers recount witnessing cybersecurity violations, particularly the sharing of service-related images on social media. A non-commissioned officer reflects with the researcher:
Skade: We have certain rules and all that, for example, you’re not allowed to post certain things, like with TikTok, but then again, we can sit in the barracks in the evening and see all the TikToks that the other recruits are posting from the barracks and stuff. I totally get that there are rules for a reason and all that, but I don’t really get why we have rules if no one actually does anything about it when they’re broken.
Researcher: So, there are no consequences for those actions?
Skade: No, like, at the last course a couple of platoons got a bit of a scolding from their officers because they’d shared some TikToks and stuff. But it seems like it wasn’t made clear enough from the start, especially since the recruits at this course had already started posting. And the way we do things here, it’s like, once we teach the recruits something and they’ve actually been told, then they follow it. But if the rules aren’t made clear, we can’t really expect them to follow them either.
Figure 3
Numbers of Interviewees Following the Rules. N = 91.
As many as 77 interlocutors find the rules reasonable; 13 say they are easy to understand. Only 15 consider the rules too strict; 13 find them difficult. Conversely, 16 interviewees believe the rules should be stricter. The figure below illustrates that most interlocutors consider the rules reasonable and easy to understand, while a smaller group view them as either too strict or too lenient.
These responses are particularly noteworthy when considered alongside the interviewees’ descriptions of their own awareness of digital risks. Despite a high level of cybersecurity awareness and a general tendency to comply with regulations, even experienced soldiers may overlook the rules in certain situations. As one officer explains:
The problem is, well, that people are very good at leaving their phones outside, going to the meetings. But then things happen after the meetings – people keep talking outside in the hall, after retrieving their phones. Then it’s a complete waste. At that point people are so involved in the discussions that they can’t just drop it when they leave the meeting room. (Skjold)
This example demonstrates how easily routines can break down, even among those with strong awareness of security procedures. At the same time, there are less visible risks associated with the digital tools and technologies that are part of soldiers’ everyday environments, like algorithms and apps.
Algorithmic Influence and App Usage in Military Settings
An algorithm is a systematically organised set of procedural instructions or rules designed to solve a defined problem or perform a specific function. It is typically implemented within computational systems to enable data processing and informed decision-making (Gillespie, 2014). In this context, algorithms refer to automated software that selects content to retain the user’s attention on a given social media platform (Bundtzen, 2022; Gillespie, 2014). Algorithms may be misused to enable third parties to track individuals or target them with information manipulation (Bergh, 2020; Cobbe, 2021). In such cases, the individual is not a specific person, but rather a type, such as military recruits, identified through behavioural or demographic profiling (Dhondt et al., 2022; Mink et al., 2022).
Algorithms pose significant security risks for soldiers and military personnel by enabling targeted surveillance, data manipulation, and adversarial attacks (Bay et al., 2019; Skredderhaug, 2023). They may be exploited to track troop movements, deceive AI systems, or disrupt operations through corrupted data, as well as being used in targeted influence operations (Deppe, 2023). Automated decision-making can reduce human oversight, leading to unintended actions or increased vulnerability (Allhoff et al., 2016; Broussard, 2018). Overreliance on algorithmic systems may also diminish critical thinking (Frey, 2018; Knox et al., 2018). In military contexts, these risks can compromise missions, endanger lives, and threaten national security (Hansen, 2025; Martínez et al., 2023). Understanding how algorithms function is therefore linked to digital self-protection (Almansoori et al., 2023; Sangwan, 2024).
Among the interviewees, 73 report having heard about algorithms, while only one had not. Regarding their understanding, 38 claim to know how algorithms work, whereas 37 indicate they do not (Table 2).
Table 2
The Number of Interlocuters Who Understand How Algorithms Work. N = 91.
| ALGORITHMS | YES | NO |
|---|---|---|
| Have you heard of algorithms? | 73 | 1 |
| Do you know what algorithms are? | 18 | 1 |
| Do you know how algorithms work? | 38 | 37 |
Although most have heard of algorithms, many struggle to explain their function.
Lyng: It’s not like I can actually put it into words or explain what it means.
Researcher: Do you know what it involves? Algorithms, do you know what they do?
Lyng: Umm… no. Like, I mean… I kind of know, but…
Researcher: Can you give any examples, maybe, of how… what they do?
Lyng: Heh… no.
In addition to algorithms, the use of various data applications also presents cybersecurity risks with potential negative consequences (Hern, 2018; Mink et al., 2022; Skredderhaug, 2023). Most of the interviewees report having geotracking apps installed on their phones, including those that track geolocation data. While many allow tracking, a substantial number actively disable geolocation services. The data suggest that app usage and location tracking are common, but practices vary (Table 3). These variations are explored further in relation to military service and cybersecurity awareness.
Table 3
Interlocuters use of apps. N = 91.
| SMARTPHONE APPLICATIONS (APPS) | YES | NO |
|---|---|---|
| Do you have apps on your phone? | 89 | 1 |
| Do you have apps that track geolocation data? | 77 | – |
| Do you have social media apps? | 67 | – |
| Do you allow apps to track you? | 39 | 19 |
| Do you disable geolocation services? | 47 | 37 |
Several soldiers explain that their decision to disable tracking is influenced by their military service:
Several of those apps use location services, but especially over the past two years, since I started working on board this vessel, I’ve become more conscious about turning off geolocation services. Before that, I didn’t really think about it and just left it on without questioning it, assuming it wasn’t a problem. (Njord)
This finding suggests that military service may influence cybersecurity behaviour and awareness. The next section explores how roles and personal characteristics further shape such practices.
The Influence of Personal and Professional Characteristics on Mindset and Behaviour
One of the research questions concerns whether professional background or personal characteristics influence cybersecurity awareness and protective behaviour. The most notable contrast is between personnel working with security-related tasks and those without daily exposure to classified information. Interviewees demonstrating the highest levels of cybersecurity awareness, knowledge and cautious behaviour were typically those already engaged in security work. As one young conscript working within a classified domain explains:
I’m not gonna put the engine unit too much on the spot here, but that’s just reality, when you’re not working with classified information on a daily basis, well, then you won’t have the same attitude to it as I do. I’m not saying it’s a bad culture, necessarily, in the engine unit, or in the ship engineering department, but … eh … the awareness isn’t as high .. eh … as for example in the operations department, that is. (Tind)
Some interviewees also mention a difference in cybersecurity awareness between personnel on board and those stationed on land. They report that the security regime is stricter at sea, due to operational demands and the nature of the tasks. The findings indicate a variation in security practices, with the most stringent regime found on board frigates, and the least strict in recruit camps. These differences reflect the specific mandates and operational contexts of each unit, and it is therefore reasonable that they follow distinct tasks, objectives and security procedures.
Gender and Age in Cybersecurity Behaviour
Since the introduction of gender-neutral conscription screening in 2009 and its full implementation in 2015 (Køber, 2015; Steder, 2025; Österberg et al., 2020), the Norwegian Armed Forces have increasingly promoted gender equality (Hellum, 2014, 2017; Strand, 2021). Despite persistent challenges such as bullying and masculine norms (Kaspersen, 2023; Rones, 2017), research shows that personality is generally valued over gender (Hellum, 2017; Steder, 2025; Strand, 2021). Gender-mixed accommodations are standard, and both sexes are generally seen as equally capable (Ellingsen et al., 2016; Hellum, 2014; Jonsson et al., 2024). Among the interviewees, gender was largely viewed as irrelevant to digital security.
Age revealed greater complexity. While no consistent patterns emerged regarding cybersecurity risks, generational differences in attitudes and understanding were evident. These may impact motivation and compliance. Age groups also expressed biased perceptions of one another (Finkelstein et al., 2015; Weiss & Zhang, 2020). One senior officer comments:
It is challenging for the conscripts especially, maybe, who come from that culture where they grew up with this since they were three years old. So, it’s much more wide-ranging now than it was for us who are used to calling home every third week, thinking that was good enough. Therefore, I think, we, the more senior ones, need to have a little respect for the younger ones when we are making the rules. (Embla)
Another officer highlights younger personnel’s digital competence:
I think the younger generation (…) have more knowledge about IT telephone systems and things like that than people my age. (Saga)
The officer describes the younger generation as “tech savvy”, yet younger soldiers report that rules are enforced more strictly for them than for senior personnel:
I feel like the people higher up, since they are responsible for security and maybe went to the Naval Academy together, think: “It’s probably fine if I take a picture here.” Like on the shooting range, we were given strict instructions: “no videos or photos of the shooting!”. And then we saw an officer filming. He didn’t get told off at all. … I think I saw his Snapchat open. So, I feel like there’s a bit of a difference between us conscripts and the officers. (Dis)
Conscripts are subject to stricter disciplinary structures due to compulsory service, which likely contributes to perceived inequality. Older personnel often view younger soldiers as digitally fluent but unaware of risks, while younger soldiers see seniors as either more security-conscious or technologically naïve.
Awareness of foreign influence operations is generally low among the youngest interlocutors. Those most aware worked in classified or strategic communication roles. Few younger soldiers consider themselves potential targets, as illustrated by this recruit:
No, not in the position I’m in now because I don’t matter very much. I’m lowest in rank, right? But the higher up you are, well, yeah, then it’s relevant. (Skogul)
Another conscript soldier adds:
Eh, like in my head, I believe that we, who are just operating this ‘ferry’, we’re not gonna be first priority. If anyone comes after anyone, they’re coming after the intelligence people, he he he. (Glør)
Many interviewees perceive the rules as fair. However, they were not asked whether they had access to the necessary digital tools to comply. Fieldwork revealed that training and access to practical tools is limited. A cybersecurity briefing for new personnel on one of the frigates is described as informative and eye-opening, yet most education appears to stem from isolated sessions rather than a systematic framework.
Discussion
This study explores how Norwegian naval personnel understand and enact cybersecurity, focusing on the interplay between awareness, knowledge and behaviour. Findings reveal a complex relationship in which awareness and knowledge reinforce each other, yet do not always lead to compliance. While most interlocutors reported high awareness and considered the rules fair, their practices often diverged from formal regulations. This reflects the awareness–behaviour gap (Sulaiman et al., 2022) and has also been observed in other military contexts (Enisa, 2023; Malmedal et al., 2016; Zwilling et al., 2022). It aligns with the view that awareness involves knowledge, attitudes and behaviour (Chandarman & Van Niekerk, 2017).
Several factors help explain this gap. First, compliance is shaped by perceptions of convenience and operational relevance. Interlocutors often cited the impracticality of certain rules and the disruption they caused to routine tasks, supporting the view that non-compliance may be rational when regulations are seen as misaligned with operational priorities (Tempestini et al., 2023). Similar patterns have been documented in NATO forces, where operational demands compete with security protocols (Frederick et al., 2022; NATO, 2022). In such cases, personnel balance compliance against efficiency, showing that cybersecurity decisions are shaped by organisational priorities rather than individual awareness alone. Research on human factors supports this, showing that convenience and complexity often overrule formal rules (Frey, 2018; Nobles, 2018; Pollini et al., 2022).
Second, social dynamics strongly influence behaviour. Peer norms and group dynamics normalise rule breaking, as reflected in statements such as “everyone does it”, suggesting that compliance is negotiated socially rather than imposed through formal directives. This supports research arguing that cybersecurity depends on leadership and social reinforcement, not technical controls alone (Berrefjord & Bjørstad, 2024). While formal training promotes compliance, informal interactions often undermine these messages, creating tension between institutional expectations and everyday practice (Hellum, 2014; Rones, 2017; Squires & Shade, 2015).
The assumption that information leads to motivation is problematic, as willingness to comply depends on how knowledge is contextualised and embedded in everyday routines. For example, personnel who understood algorithmic risks were more likely to adjust their behaviour, yet even among this group, convenience and peer influence often prevailed. This underlines research showing that abstract risks fail to generate lasting behavioural change (Hansen, 2025), and that awareness must be embedded in attitudes and norms to influence behaviour (Chandarman & Van Niekerk, 2017; Sangwan, 2024). Studies on human factors support the view that information is necessary but insufficient for compliance, shaped by cognitive, social and organisational factors (Frey, 2018; Nobles, 2018; Pollini et al., 2022; Zwilling et al., 2022).
Generational and professional differences add further complexity. Younger personnel were frequently described as tech-savvy yet also perceived as more casual in their approach to security. Older personnel sometimes displayed stronger rule adherence but lacked technical literacy. These contrasts did not map neatly onto rank, suggesting that professional background and exposure to classified tasks influence behaviour more than hierarchy.
Personnel in security-sensitive roles demonstrated higher awareness and compliance, underpinning the importance of role-specific competence (Hong et al., 2023; Mattingsdal et al., 2024). Generational stereotypes observed here reflect broader patterns where age groups hold biased views of each other’s digital competence and risk awareness (Finkelstein et al., 2015; Weiss & Zhang, 2020).
The findings also highlight the limits of technical approaches. While regulations and monitoring are necessary, they cannot address the social and motivational dimensions of behaviour. Informal practices, such as discussing operational matters near smartphones, show that breaches are embedded in routines rather than isolated acts. Similar vulnerabilities have been documented in NATO contexts, where social media and app-based geolocation have compromised security (Bay et al., 2019; Chirgwin, 2018; Knight et al., 2023; Skredderhaug, 2023). Addressing these risks requires strategies that combine human factors and technical measures with social interventions, leadership and continuous training (Khadka & Ullah, 2025; Sangwan, 2024; Squires & Shade, 2015).
Finally, the strategic use of algorithms and social media in conflicts such as the Ukraine war illustrates how digital platforms can be exploited to influence information flows and public perception (Primig et al., 2023; Singer & Brooking, 2018; Woolley, 2022). These practices underline the importance of understanding everyday digital behaviour as part of broader information strategies and hybrid threats (Bergh, 2020; Berrefjord & Bjørstad, 2024; Cobbe, 2021; Gillespie, 2014). Military personnel are not only technology users – they symbolic representatives of national institutions (Roelsgaard Obling & Victor Tillberg, 2021); their online behaviour carries implications beyond individual risk, linking personal actions to wider questions of trust and resilience in democratic societies.
To summarise, cybersecurity in military contexts is not merely a technical challenge, but a socio-technical phenomenon shaped by norms, identities and organisational structures (Floridi, 2018; Jøsok et al., 2016; Von Solms & Van Niekerk, 2013). Awareness alone does not guarantee compliance; motivation emerges through interactions between information, convenience and social norms.
Conclusion
The findings highlight the relationship between cybersecurity awareness, knowledge and behaviour among Norwegian naval personnel, focusing on everyday practices shaping digital security. Evidence suggests that awareness, in isolation, is insufficient to secure compliance. Although most interlocutors expressed awareness and viewed the rules as fair, their behaviour often diverged from formal regulations. This gap reflects the complexity of cybersecurity as a socio-technical phenomenon, influenced by convenience, operational priorities and social norms.
Motivation is not an automatic result of information. Knowledge must be contextualised and relevant to military routines. Peer norms and informal practices strongly influence behaviour, sometimes undermining formal training. Professional background and exposure to classified tasks appear more influential than rank, underlining the importance of role-specific competence. Generational differences add nuance: younger personnel often show technical fluency but casual attitudes, while older personnel tend to follow rules more strictly but lack algorithmic literacy.
These findings point to the need for integrated strategies combining technical measures with social and organisational interventions. Leadership is critical in modelling secure behaviour and reinforcing norms, while continuous training and practical tools are essential for enabling compliance. Cybersecurity must be understood not only as a technical challenge but as a social and behavioural issue embedded in human relations and institutional structures.
By focussing on the lived experiences of military personnel, this study contributes to research emphasising human factors in cybersecurity. Future efforts should move beyond the assumption that information automatically produces secure behaviour and instead address the social and organisational processes through which motivation is generated. Recognising these dynamics is vital for designing adaptive, context-sensitive strategies that strengthen resilience in an increasingly digital battlespace.
Implications for Practice
Cybersecurity in military contexts requires more than technical solutions. Organisational and social measures are needed to address the awareness–behaviour gap. Continuous, scenario-based training should be prioritised to make rules relevant to operational routines. Leadership plays a key role in modelling secure behaviour and reinforcing norms through everyday practice. Simplifying regulations and providing practical digital tools can reduce perceptions of inconvenience that undermine adherence. Enhancing algorithmic literacy and critical reflection on social media use will help personnel navigate the information environment more securely. These measures support a security practice that integrates technical, organisational and human factors.
Limitations and Future Research
While the research contributes to understanding the social dimensions of cybersecurity, certain limitations must be acknowledged. The analysis relies primarily on self-reported practices and perceptions. Although interviews provide rich qualitative data, they do not constitute direct evidence of behaviour. Observations during fieldwork helped contextualise responses, but systematic behavioural measurement was beyond the scope of this study. Future research could combine ethnographic methods with digital trace analysis or behavioural experiments to capture discrepancies between reported and actual practices.
The study focuses on the Norwegian Navy and therefore reflects the organisational social norms and regulatory framework of a specific national context. While some results may be applicable to other military environments, any attempt to generalise should be undertaken with considerable care. Comparative studies across different branches of the armed forces or across countries would provide a broader understanding of how institutional norms and technological infrastructures shape cybersecurity behaviour.
The research design emphasised depth through a qualitative, ethnographic approach. While 91 interviews form a substantial dataset, the absence of quantitative measures limits the ability to identify statistical relationships between demographic variables and security practices. Future studies could combine qualitative insights with survey-based data to support broader generalisation and preserve contextual depth.
The research was conducted during a period of relative stability. Behaviour may shift under operational stress or conflict. Longitudinal research tracking changes over time, especially during crises, would offer valuable insight into how motivation and compliance evolve in response to perceived threats.
Future research should also explore interventions aimed at bridging the awareness–behaviour gap. Experimental approaches examining training, feedback and leadership may help identify evidence-based methods for strengthening compliance. In addition, further investigation into algorithmic literacy and its role in shaping behaviour would be valuable, given the growing influence of automated systems on decision-making.
Data Accessibility Statement
The data underlying this article consist of audio recordings and transcripts from qualitative interviews with human participants. Due to the sensitive nature of the material and the risk of identification, even with pseudonymisation, the data cannot be shared. Participants were guaranteed anonymity as part of the informed consent process, and sharing the data would violate ethical standards and institutional guidelines.
Appendices
Appendix A: Interlocutor Key
This table lists all interlocutors cited in the article, anonymised through pseudonyms in line with anthropological tradition. Each interlocutor has an internal code for organisational purposes:
Codes beginning with Int.nr. refer to interviews with key personnel in security, leadership and communication, conducted via Microsoft Teams video meetings.
Codes in the format J2088 refer to interviews carried out in the field using an audio recorder.
This coding system is for internal use only and does not compromise anonymity in published material. The full Interlocutor Key consists of 91 codes (interviews).
| INTERVIEW | PSEUDONYM | INTERLOCUTOR CODE |
|---|---|---|
| Idunn | J2088.2 0002 | |
| Njord | J2088.31 0009 | |
| Embla | Int. Nr. 4 | |
| Ask | Int. Nr. 3 | |
| Liv | J2088.6 0006 | |
| Sol | J2088.82 0023 | |
| Ravn | J2088. 63 0004 | |
| Skade | J2088.46 0008 | |
| Skjold | Int. Nr. 9 | |
| Lyng | J2088.41 0003 | |
| Tind | J2088.25 0003 | |
| Saga | Int. Nr. 10 | |
| Dis | J2088.34 0012 | |
| Skogul | J2088.52 0014 | |
| Glør | J2088.12 0012 |
Notes
[2] The artificial intelligence large language model (LLM) Copilot (https://copilot.microsoft.com/) was used as a tool for language editing, linguistic support, and for designing Figures 2 and 3 during the preparation of this paper, in accordance with the Policy on the Use of Generative AI Tools in the Publication Process (https://ubiquitypress.com/site/ai-policy/). All research activities, including fieldwork, empirical data collection, coding in MAXQDA, table creation, writing and analytical development, were conducted solely by the author.
[3] The parent codes translated into English are as follows: (a) informant [interlocutor] group, (b) gender, (c) anecdotes, (d) willingness to sacrifice and take life, (e) access to the internet, (f) terms of use/cookies, (g) service position, (h) smart phone, (i) smart watch, (j) cybersecurity awareness, (k) the security regimes’ influence on motivation, (l) unwanted digital behavior, (m) Huawei, (n) social media, (o) description of rules, (p) apps, (q) algorithms, and (r) age.
Ethics and Consent
Ethical approval for this study was granted by the Norwegian Defence Research Board and the FFI Ombudsman. Informed consent was obtained from all participants. For full details, see the Ethics section.
Acknowledgements
I would like to express my sincere gratitude to all the interlocutors who generously shared their time, experiences and reflections. Without their openness and trust, this research would not have been possible. I am also grateful to my colleagues in Norway and Sweden for their thoughtful feedback and constructive comments on earlier drafts of this article.
Competing Interests
The author has no competing interests to declare.