‘It’s Confusing, Insecure, and Messy’ — Mapping the Gaps Between Stakeholders’ Cybersecurity Mental Models in the Danish Defence Sector

Key findings from this study

This research indicates that:

• Policymakers assume strategic cybersecurity readiness that SMEs do not operationalize, treating security instead as a compliance exercise.
• Risk perception diverges between policymakers and industry associations, who frame threats strategically, versus SMEs, who identify localized vulnerabilities within resource constraints.
• SMEs experience regulatory frameworks as burdensome complexity without corresponding clarity on implementation pathways or support.

Overview

This qualitative study examined cybersecurity mental models among three stakeholder groups in Denmark's defence sector: policymakers, industry associations, and small and medium-sized enterprises. The research maps misalignments in how these groups perceive cybersecurity risk, threat severity, organizational readiness, and policy requirements. Structural complexity in regulatory frameworks compounds implementation challenges across the sector.

Methods and approach

Researchers conducted focus groups with 6 policymakers, 11 policy promoters representing industry associations, and 12 SMEs implementing defence sector regulations. Qualitative analysis identified divergences in stakeholder perceptions across risk assessment, threat recognition, cyber readiness evaluation, and policy interpretation dimensions.

Results

Key misalignments emerged across all examined dimensions. Policymakers presume strategic cybersecurity readiness at the organizational level, whereas SMEs operationalize cybersecurity primarily as a compliance obligation with limited strategic integration. Risk perception diverges significantly: policymakers and industry associations frame cybersecurity threats in broad strategic terms, while SMEs identify more localized, resource-constrained vulnerability patterns. Policy interpretation gaps indicate that regulatory language intended to drive substantive security posture change often translates into procedural checkbox exercises within SME contexts.

The study reveals that governance framework assumptions frequently misalign with organizational capabilities and priorities. SMEs report experiencing regulatory complexity as burdensome without corresponding support mechanisms or clarity on implementation pathways. Policymakers and industry associations demonstrate limited understanding of the operational constraints that shape cybersecurity decision-making in smaller organizations. These gaps perpetuate disconnects between regulatory intent and actual security outcomes.

Implications

Regulatory effectiveness in the defence sector depends on bridging stakeholder perception gaps. Governance frameworks require redesign to account for organizational scale, resource availability, and implementation realities rather than presuming uniform strategic capacity. Policy communication channels should explicitly address how regulatory requirements translate to actionable security measures within resource-constrained environments.

Future policy development benefits from structured stakeholder engagement that surfaces competing mental models early in regulatory design processes. Industry associations occupy a strategic position to translate policy intent into implementable guidance tailored to SME contexts. Policymakers require mechanisms to validate that cybersecurity outcomes align with regulatory objectives across heterogeneous organizational types.

Scope and limitations

This summary is based on the study abstract and available metadata. It does not include a full analysis of the complete paper, supplementary materials, or underlying datasets unless explicitly stated. Findings should be interpreted in the context of the original publication.