Romania’s first national Cyber Literacy Audit 2026 study
May 28, 2026

In a technology company, cybersecurity is more than a topic we discuss in presentations, campaigns or events. It is part of the daily routine through procedures, access rules, trainings, passwords, platforms, documents and ways of working that require constant attention.


Anca Burgovszky – Marketing Manager, Arctic Stream

From my marketing role at Arctic Stream, within the Innovation and Partnerships department, I began to see cybersecurity as a topic that goes beyond the technical component and becomes a real need for education, behavior and organizational culture. In a company that operates as an infrastructure and IT security integrator, marketing has a broader role than communication and contributes to understanding the market, identifying real needs and turning them into relevant projects.

Throughout my professional journey, I have encountered cybersecurity procedures and trainings several times, with the most rigorous framework being the one in the banking sector. However, since I started working at Arctic Stream, I have understood more clearly how important it is for security rules to be understood, applied and turned into daily reflexes, beyond documents and mandatory briefings.

How the idea of a national Cyber Literacy study emerged

Having a strong cybersecurity component in our activity, we wanted, when talking about the need for cyber education, to start from measurable data, not only from assumptions. During internal discussions, including at board and management level, together with Diana Stafie, founder of Future Station and member of the Arctic Stream Board of Directors, we reached the conclusion that it was time to analyze more concretely the level of cyber literacy in Romania. Thus, together with the market research agency MKOR, we launched the first national Cyber Literacy study, an initiative through which we set out to understand how prepared Romanian employees are to recognize, avoid and report cyber risks in their professional activity. For us, this study is a way to better understand the market, the real level of preparedness and the type of cyber education that organizations need.

In marketing, a market study helps us understand whom we are addressing, what needs or fears the audience has, what it already knows about a subject, what messages are relevant and credible and where there are information gaps or behaviors that can generate risk. In the case of Cyber Literacy Audit 2026, the objective was to transform a general question, “Is there a need for cyber education?”, into a data-supported analysis.

What Cyber Literacy Audit is

A Cyber Literacy Audit is an assessment of employees’ knowledge, behaviors and security reflexes in the use of technology. Unlike a technical IT security audit, which analyzes infrastructure, networks, systems or technological vulnerabilities, it focuses on people. More specifically, a Cyber Literacy Audit analyzes how well employees understand digital risks, how they manage company data, how they react to suspicious emails, how consistently they apply security rules and to what extent they follow procedures when they are under time pressure. The concept aligns with international directions regarding cybersecurity awareness, cyber hygiene and organizational security culture. NIST emphasizes the importance of cybersecurity and privacy learning programs for the development of a security culture, while ENISA treats cyber hygiene and awareness as important elements for reducing cyber risks. From this perspective, a Cyber Literacy Audit gives organizations a clearer picture not only of the existing technical measures, but also of how prepared employees are to apply them correctly in real situations. The results of such an audit establish a benchmark of digital safety and are essential for creating effective behavioral governance policies within any organization.

Why cyber literacy is becoming a priority for organizations

In recent years, cybersecurity has moved out of the strictly technical area and has become a topic of business, governance and organizational responsibility. Attacks no longer target only IT infrastructures, but increasingly exploit employees’ day-to-day behaviors, such as suspicious emails, weak passwords, the use of personal applications for work documents, connecting to unsecured Wi-Fi networks or using unauthorized tools. This change is also confirmed by international data:

  • Allianz Risk Barometer 2026: cyber incidents represent the top global business risk for the fifth consecutive year, being considered the most important risk for large, medium-sized and small companies

Source: https://commercial.allianz.com/news-and-insights/reports/allianz-risk-barometer.html

  • World Economic Forum – Global Cybersecurity Outlook 2025: two in three organizations face a moderate to critical cyber skills gap, while only 14% state that they currently have the people and skills needed to meet security requirements

Source: https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf

  • ENISA Threat Landscape 2024: confirms the increasing complexity of threats, from ransomware, malware and social engineering to attacks on data, availability and the supply chain

Source: https://securitydelta.nl/media/com_hsd/report/690/document/ENISA-Threat-Landscape-2024.pdf

  • DNSC – 2024 Annual Activity Report: indicates, for Romania, a 286.8% increase in malware attacks and a 40.2% increase in reported cyber fraud

Source: https://www.dnsc.ro/vezi/document/dnsc-raport-anual-2024

  • SME Cyber Resilience – State of the Sector 2025: shows that 78% of SMEs in Ireland have a low or very low level of cyber resilience, while only 6% reach a high or very high level

Source: https://zenodo.org/records/17779560

These data show that internal policies, formal trainings and technical solutions need to be complemented by a clear understanding of employees’ real level of preparedness: how well they identify, avoid and report digital risks.

How we measured the level of Cyber Literacy in Romania

The study was conducted on a sample of 1000 respondents, of whom 200 were managers and entrepreneurs. The data were collected in February 2026 through an online questionnaire administered to MKOR’s own panel, with an average completion time of 15 minutes. The objective of the research was to assess the level of cyber literacy among Romanian employees and to establish a national Cyber Literacy benchmark that provides a reference point for analyzing the level of preparedness, behaviors and vulnerabilities associated with the human factor in cybersecurity.

What Cyber Literacy Audit 2026 shows: key results

The results of Cyber Literacy Audit 2026 indicate an important reality for organizations in Romania: cyber vulnerability is not only related to infrastructure, technical solutions or internal policies, but also to the level of preparedness, behaviors and reflexes of employees in their day-to-day activity. The study shows that there is a significant gap between the security measures declared at organizational level and the way they are understood, applied and respected in practice.

  • Digital Romania has, first and foremost, a human security problem, not a technical one

The first major signal of the study is that cyber risk is closely linked to human behavior. Although companies in Romania have implemented basic technical measures, 3 in 4 employees with digital exposure, namely 74%, have an insufficient level of cyber literacy and act inconsistently or riskily in day-to-day practice. Using its own methodology based on a combination of answers, the study defines four literacy categories:

  • Cyber-Resilient: advanced level, consistent good practices, correct reaction, favorable organizational context
  • Cyber-Vigilant: good level, generally healthy behaviors, but gaps may exist (especially in scenarios / incident response)
  • Cyber-Basic: basic level, has notions, but applies them inconsistently, “typical mistakes” frequently appear (passwords, clicks, procedures)
  • Cyber-Vulnerable: critical level, maximum exposure: both elementary notions and protection reflexes are missing

The results show that only 4% of respondents are Cyber-Resilient, 21% are Cyber-Vigilant, 45% fall into the Cyber-Basic category and 29% are Cyber-Vulnerable. The data prove that most employees have either critical gaps or basic notions applied inconsistently. At organizational level, the reactive approach dominates: 49% of organizations are in the “Reactive & Fragmented” area, 17% are “Compliant & Documented” and only 22% are “Proactive & Optimized”. In other words, security is frequently treated as a response to incidents, not as a continuous process of prevention, testing and improvement.

  • Hybrid infrastructure is the segment with maximum risk and minimum control

Almost half of employees work in a hybrid environment, in which they combine personal devices and accounts with company devices and accounts. This model creates a risk area, because company data end up circulating through tools that are more difficult for the organization to control. In this segment, the study identifies the highest level of risk: 69% of employees transfer documents through personal applications and 48% connect personal storage spaces to the company computer, while the rate of reporting to IT is only 37%, compared with 55% where the infrastructure is exclusively formal. These data show that hybrid infrastructure is risky not only by its technical nature, but especially through the behaviors it favors: quick transfers, improvised solutions, the use of personal applications and a weaker reporting culture.

  • There is a gap between formal security and operational reality

The report highlights a contrast between what formally exists in organizations and what actually happens in day-to-day activity. At declarative level, companies seem to have a solid foundation: 91% of respondents declare the presence of security measures, 87% declare the existence of procedures for incidents and 84% have signed internal documents. However, operational reality is more nuanced: 71% have antivirus, but measures such as VPN, MFA and USB restrictions are below the 50% threshold. In addition, 49% of managers acknowledge that they act only when an incident occurs, while only 36% have signed a remote work policy. An organization may have signed documents, rules and technical tools, but if these are not applied consistently, tested and understood by employees, their real impact remains limited.

  • Leaders expose the organization more than execution-level employees

One of the strongest results in the report is the leadership paradox. People with greater access to sensitive data and decision-making power are, in certain situations, those who adopt riskier behaviors, often to save time or to solve a task quickly. The study shows that 31% of leaders use public Wi-Fi networks without VPN, compared with 23% of execution-level employees. Also, 33% enter internal documents into AI tools, compared with 24% at execution level, while 43% frequently install unauthorized software on the company laptop, compared with 36% among execution-level employees. These data change the way cyber education should be viewed in organizations. Cyber literacy programs must address operational employees as well as managers, team leaders and senior management.

  • Cyber education ensures compliance, but does not automatically change reflexes

Although training exists in many organizations, its format is often passive and insufficient to produce real behavioral changes. Most companies tick the cyber education box, but do not necessarily turn it into a practical, repeated and applied process. According to the report, 55% of employees receive only quick briefings in meetings, only 34% have participated in practical attack simulations and only 2% of mandatory trainings have an exclusively practical format, based on hands-on simulations or applied exercises. This result explains why information alone is not sufficient. Employees may hear about phishing, passwords or incident reporting, but without practical exercise they are unlikely to form correct reflexes in real situations. In cybersecurity, the correct reaction must be trained, not only explained.

What these results mean for companies

The results of the study show that cybersecurity can no longer be viewed only as a technical responsibility. It depends on the way employees understand risks, apply rules, report incidents and make decisions in concrete situations. Policies and technical measures are necessary, but not sufficient. Organizations need exercises, simulations, applied scenarios and a culture of rapid reporting, so that employees move from “I know what I should do” to “I know how to react correctly in practice”. At the same time, the study shows that cyber education must be built in a differentiated way. Employees who use hybrid infrastructure, managers with access to sensitive data and teams that work with critical digital tools have different needs and different levels of exposure.

Cyber Arena approach: learning through realistic simulations

For us, Cyber Literacy Audit 2026 is a tool that shows how prepared employees and organizations are in the face of digital risks, where the greatest behavioral vulnerabilities appear and what type of cyber education is needed. The results of the study confirm that information has an impact when it is complemented by practical exercise. In this context, Cyber Arena proposes a practical approach to cyber education, based on realistic simulations that integrate the technological, psychological and behavioral components. The programs are dedicated to all levels of knowledge, from awareness sessions and basic cybersecurity notions to advanced trainings in areas such as Incident Response, Digital Forensics, Threat Intelligence or Cyber Crisis Management. The learning process is built gradually, through a combination of an introductory component, practical exercises and simulations carried out in the cyber range laboratory. Participants work on realistic scenarios in which both IT networks and OT/SCADA areas are attacked, and learn how an attack is investigated, how the affected systems are identified and what steps are necessary to isolate and stop an incident. Thus, cyber education moves from theory to practice, helping employees understand the correct steps and react effectively in concrete situations.

Cyber Literacy Audit 2026 shows that Romania needs more than awareness. It needs applied education, adapted to the roles, infrastructure and operational reality of organizations. For companies, cyber literacy today represents an essential component of organizational resilience, with a role that goes beyond the sphere of training initiatives.

Discover the full conclusions of the study

For more data, conclusions and recommendations, the full Cyber Literacy Audit 2026 report can be downloaded for free: https://www.cyberarena.ro/cyber-literacy-audit-2026/.