Blog
08.10.2025
min read

Norwegians and digital security culture 2025: When private habits become corporate risk

A new national report from NorSIS and the Norwegian National Security Authority (NSM) reveals that more Norwegians are taking digital risks in their daily lives. This is concerning — not only for individuals, but for the organisations they work for. The digital habits we bring from home often shape how we behave at work. Sicra explains why building a stronger security culture matters for both society and the workplace.

<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >Norwegians and digital security culture 2025: When private habits become corporate risk</span>

For years, Norwegian organisations have focused on technology and systems to protect against cyberattacks. Yet new data from NorSIS and the Norwegian National Security Authority (NSM) suggests that the real challenge may not lie in the technology — but in the people using it.

The report Norwegians and Digital Security Culture 2025 paints a clear picture: an increasing number of Norwegians admit to taking digital risks even when they know it’s unsafe. One in four say they “take chances online” — up from 16 percent just five years ago.

It’s tempting to think this only applies to personal life. But these same people — with the same attitudes and reflexes — bring their digital behaviour to work every day.

A cultural challenge, not a technical one

A key finding of the report is that digital security is increasingly a question of culture rather than purely technical defences.
The data shows that:

  • Use of two-factor authentication has increased (59%), but progress is slow.

  • More than 400,000 Norwegians have experienced some form of online fraud in the past two years.

  • Concern about cybercrime is rising, yet behavioural change remains limited.

These are not just societal numbers — they represent everyday risks inside organisations. If only six out of ten people secure their accounts at home, the same pattern likely repeats at work. And when so many experience scams privately, it highlights how threat actors exploit human trust — in both personal and professional settings.

That’s why building security culture is about human values, not just IT controls. It’s about how we think, act, and collaborate — as colleagues, leaders, and citizens.

When private risk-taking becomes corporate exposure

The report also shows that young adults (18–34) are the most likely to take digital chances. This is the same demographic that makes up a growing share of today’s workforce.

Organisations must therefore understand the cultural transfer between private and professional behaviour.

If it feels normal to click, share or “just check” something in private life, that instinct often carries over to the workplace.

For employers, the real question is not just:

“Do we have strong security systems?”

but rather:

“How do we help our people make good decisions — even when they’re not thinking about security?”

Security awareness, then, becomes a matter of organisational culture, not merely compliance.

A leadership responsibility: Building confidence, not fear

A strong security culture always starts with leadership. When top management treats security as part of the organisation’s core values — not just a compliance topic — it becomes easier for everyone to engage.

It’s not about creating fear; it’s about building confidence through understanding.
People need to know why security matters, and they need space to learn, ask questions, and grow.

Security leadership is cultural leadership. That means training, communication, and policy must reinforce each other. A good security programme doesn’t just distribute information — it creates shared ownership and purpose.

Sicra’s reflections: From society to workplace

At Sicra, we see the same gap between awareness and action — both in society and within organisations.
We believe a resilient digital culture rests on three layers:

  1. Knowledge: People must understand threats and recognise warning signs.

  2. Culture: Security must be a natural part of how we work together.

  3. Continuity: Security training must be ongoing, not a once-a-year event.

Our experience in awareness training and strategic security advisory shows that this works:

When education is relevant, engaging, and human, behaviour truly changes. Employees become more aware — and organisations become more resilient.

We view the NorSIS and NSM report as an invitation to collaboration — between individuals, organisations, and society at large.

Because digital security isn’t a zero-sum game; it grows stronger when we build it together.

Measures that strengthen security culture – at work and in society

Based on the findings of the report and Sicra’s experience from Norwegian organisations, we believe the following measures have the greatest impact:

  1. Make security concrete and relevant
    People learn best when they understand how it affects them. Use real examples and realistic scenarios in training – not generic guidelines.
  2. Create a low threshold for speaking up
    Security culture is strengthened when employees feel safe reporting mistakes and incidents without being met with blame or shame.
  3. Make training continuous
    One annual workshop changes little. Learning must happen regularly and be part of everyday work.
    (Training platforms such as Nimblr and Arctic Wolf’s Managed Awareness Training are designed for exactly this purpose.)
  4. Provide employees with technological support
    No one can keep up with everything. Most security incidents don’t happen because people want to make mistakes, but because they’re left alone in complex situations.
    Technology that supports people – rather than monitors them – is therefore crucial.
    Solutions such as Proofpoint and Data Loss Prevention (DLP) systems act as a safety net, helping employees make the right decisions in real time without slowing down their work.
  5. Link security to organisational goals
    When employees see that security supports the organisation’s core mission – not just prevents risk – engagement grows.
  6. Elevate security leadership
    Management should receive support and competence in leading cultural change, not just IT processes.
    Services like security leadership as a service or CISO as a Service can provide strategic anchoring at the leadership level.

Shared responsibility, shared confidence

Norway’s digital security culture is maturing — but the numbers show we still have work to do. That’s not a sign of failure; it’s a sign of awareness. We’re learning that technology alone is not enough.

True digital resilience must be built on human understanding — at home, at school, at work, and in leadership.

At Sicra, we believe in the power of shared responsibility and curiosity.
When people understand, care, and participate, security becomes more than a policy — it becomes part of who we are.

Sources

Need Assistance?

We are happy to have a non-binding conversation. 
Contact us

Explore more

Psychological safety and cybersecurity: How safety strengthens business decisions
Blog

Psychological safety and cybersecurity: How safety strengthens business decisions

Culture at Sicra: How we face today’s workplace challenges
Blog

Culture at Sicra: How we face today’s workplace challenges

The Digital Security Act entered into force on October 1, 2025 – what does it mean for businesses?
Blog

The Digital Security Act entered into force on October 1, 2025 – what does it mean for businesses?

Cyber threats in 2025: Insights from Arctic Wolf and what it means for Norwegian businesses
Blog

Cyber threats in 2025: Insights from Arctic Wolf and what it means for Norwegian businesses

Tailored cybersecurity for institutions and enterprises that allows for innovation, growth, and fearless performance.

Get in touchCall us +47 648 08 488