What (if any) behaviour change techniques do government-led cybersecurity awareness campaigns use?

With the surge in cyber incidents in recent years, many linked to human error, governments are quite naturally developing security campaigns to improve citizens' security behaviour. However, it remains not only unclear how successful these campaigns are in changing behaviour, but also what established behaviour change techniques—if any—they employ in order to achieve this goal. To investigate this, we analysed 17 government-sponsored cybersecurity campaign materials. We coded the materials for their intervention functions according to the Behaviour Change Wheel and their behaviour change techniques in accordance with the Behavioural Change Technique Taxonomy (version 1). Our findings show that security campaigns are often focused on education and increasing awareness, under the assumption that as long as citizens are aware of the risk, and are provided with information on how to improve their security behaviour, behaviour will change. Additionally, there is a lack of published effectiveness studies investigating the direct effects of a governmental cybersecurity campaign. Proposed improvements to security campaigns are discussed.