Adopting digital product passports (DPPs) poses technical and organisational challenges. This paper outlines a research agenda co-developed with seven industry partners, three manufacturers and four digital/consultancy companies in the construction sector, as part of a 3.5-year project investigating how DPPs can support circular economy practices in real industrial settings. Drawing on a scoping literature review, interviews, and participatory goal- and problem-modelling workshops, the paper outlines current practices and emerging needs related to DPP adoption. The research agenda highlights three focus areas. First, it emphasises the importance of the product use and end-of-life phase, where real-time data can provide valuable insights into product performance, usage patterns, and environmental impact. These insights can inform decisions related to maintenance, reuse, and recycling. Second, it addresses the need for a cybersecurity-centred enterprise architecture and infrastructures that enable trusted and secure sharing of lifecycle data across organisational boundaries. Third, the agenda explores how DPP data can be used proactively to support sustainable product realisation. Taking a sociotechnical perspective, the initial findings reveal both challenges and emerging needs with respect to the DPPs adoption.

This book constitutes the refereed proceedings of the 20th International Conference on Critical Information Infrastructures Security, CRITIS 2025, held in Jönköping, Sweden, during October 21–23, 2025.

The 22 full papers presented in this volume were carefully reviewed and selected from 38 submissions. They were grouped into the following topics: Methods & Practice; Power Grids; Security and Safety Large and Small; Vehicles; Methods; Knowledge, Skills and Education; AI and Critical Infrastructures; Security Frameworks.

Raising cybersecurity awareness (CSA) of employees is crucial for all modern organisations. To meet the organisational need for CSA, activities aimed at increasing CSA have been the focus of both industry and research in the past. There are, subsequently, a plethora of CSA activities for organisations to choose from. Nevertheless, research consistently reports that organisations struggle to raise CSA to an appropriate level, and a core issue lies in their ability to select CSA activities and effectively adopt them. This paper used semi-structured interviews with practitioners working on CSA adoption in public-sector organisations to identify what practitioners perceive as success factors. The interviews were analysed through a socio-technical lens and resulted in a taxonomy that groups success factors for CSA adoption in the three socio-technical dimensions: organisational, user-centric, and technical. The taxonomy outlines ten success factors and demonstrates how the participants see success of CSA activities as not only dependent on technical factors but also, and perhaps even more important, user-adaptability and organisational readiness. The results were validated in a workshop with CSA experts across Europe, who highlighted the practical usefulness of the taxonomy as both a map of potential challenges and a teaching tool for educating new CSA practitioners.

While the prevalent use of digital devices has many benefits in a modern society, it has also increased the complexity of evidence acquisition in crime investigations. With a digital device being seized in almost all criminal cases, creating investigation backlogs, a need for investigating how this challenge affects victims’ willingness to report crimes is rising. Previous research show that victims are less inclined to report crimes when having to hand in a mobile phone for evidence acquisition. However, why that is remains unclear. Taking a quantitative approach, we investigate the assumed relation between the willingness to report crimes and the time a mobile phone is seized for evidence collection. A survey was sent out to 500 Swedish citizens inquiring how likely they are to report various crimes in relation to the time their mobile phone would be seized by the police. The results show a significantly reduced willingness to report crimes as the seizure times increase, consequently resulting in unreported crimes. The findings also indicate a variation in reporting willingness among various crimes, suggesting a reluctance to report crimes of less monetary consequence, ultimately accepting victimization and enabling unlawful behavior.

Denna rapport sammanfattar resultaten från projektet ICANP, som undersöker hur cybersäkerhetsmedvetenheten i Sverige kan stärkas genom att bättre anpassa information och utbildning till olika grupper i befolkningen. Den första delstudien visar att EU-länders nationella strategier lyfter medvetenhet som ett viktigt mål, men att de sällan erbjuder konkreta metoder för målgruppsanpassning. Den andra delstudien, en enkät med 2 049 personer, visar att faktorer som ålder, IT-kompetens och utbildningsnivå påverkar hur människor vill ta del avcybersäkerhetsinformation. Generella preferenser framträder också: kortfattad, enkel och situationsanpassad information föredras, och trovärdiga avsändare som särskilt myndigheter och tjänsteleverantörer värderas högt. Den tredje delstudien, baserad på intervjuer, bekräftar dessa mönster och visar att relevans, enkelhet och upplevd nytta är centrala för att människor ska ta till sig information om cybersäkerhet. Projektet drar slutsatsen att nationella program bör kombinera breda, generella insatser med riktade åtgärder mot grupper med särskilda behov och att livssituation, exempelvis familjeliv och livsfas, ofta är en viktigare utgångspunkt än traditionella demografiska kategorier att anpassa efter. Rapporten är skriven på svenska och innehåller en engelsk översättning skapad med Generativ AI.

This report summarises the results of the ICANP project, which examines how cybersecurity awareness in Sweden can be strengthened by better tailoring information and training to different groups within the population. The first sub-study shows that the national strategies of EU countries highlight awareness as an important objective, but they rarely offer concrete methods for adapting initiatives to specific target groups. The second sub-study, a survey of 2,049 participants, shows that factors such as age, IT competence, and educational background influence how people prefer to receive cybersecurity information. General preferences also emerge: brief, simple, and context-based information is preferred, and credible senders such as public authorities and service providers are highly valued. The third sub-study, based on interviews, confirms these patterns and shows that relevance, simplicity, and perceived usefulness are central for individuals to engage with cybersecurity information. The project concludes that national programmes should combine broad, general initiatives with targeted efforts aimed at groups with specific needs, and that life situation is often a more meaningful basis for adaptation than traditional demographic categories. The report is written in Swedish and includes an English translation created with Generative AI.

Cybersecurity awareness (CSA) is widely recognized as a critical component of digital resilience, complementing technical safeguards by influencing users’ knowledge, behavior, and decision-making. Despite substantial investment in awareness initiatives, their effectiveness remains inconsistent, prompting increased interest in how individual factors shape engagement with and uptake of cybersecurity information. Among these factors, gender has been discussed in prior research, yet findings remain mixed and often lack attention to learning and delivery preferences. This study investigates whether and to what extent gender differences exist in cybersecurity awareness preferences within a national, Swedish, context. A large-scale survey was conducted with 2,149 respondents in Sweden using a stratified sampling approach to ensure representativeness across age and gender. The survey examined preferences related to CSA delivery methods, timing, sources of information, time willingness, and desired characteristics of awareness content. Statistical analyses compared responses from men and women using significance testing and effect size measures, with additional analyses excluding IT professionals to control for occupational bias. The results indicate that while many gender-based differences are statistically significant, the observed effect sizes are consistently small. Both men and women express similar overall preferences, particularly favoring flexible and on-demand access to cybersecurity information, such as email-based communicationand digital lectures. Notable but limited differences include women showing stronger preferences for information from governmental sources and email delivery, while men more frequently favor IT companies and on demand materials. Across both groups, interest in engaging with CSA is generally high.

With the continuous digitalization of all societies, the skills to securely access and use digital systems are crucial for everyone. This is recognized in both research and practice where researchers search for efficient ways to raise cybersecurity awareness (CSA), and both organizations and states are launching initiatives to build aware and skilled populations. An emerging theme in recent research is that of target group adaption and it is suggested that CSA initiatives need to be tailored to the needs and preferences of different groups of recipients. Nevertheless, target group adaption is an underdeveloped aspect of CSA and research indicates that current initiatives fail to address the diverse needs of different populations. This research investigates how national-level CSA initiatives within the European Union are adapted to various target groups through an analysis of member state national cybersecurity strategies. The results show that EU member states acknowledge the need for target group adaption and that a focus on vulnerable groups such as children and seniors is common. However, how to adapt to those groups remains unresolved in both the strategies and related research.

With the increasing use of smartphones and smartwatches, these devices have become vital sources of digital evidence in forensic investigations, as they often act as “silent witnesses” to events. Thus, it is important to understand the unique challenges they pose—individually and in combination.

This paper reports on a systematic literature review to examine how these devices relate to current forensic challenges, identify potential differences between the devices and future research needs. From 73 relevant articles, thematic analysis identified four main themes and related sub-themes for each device. The review considers not only technical constraints, but also the broader context in which these devices are used and investigated, offering a socio-technical lens on digital forensics.

The findings shows that challenges related to smartphones are more frequently discussed than those to smartwatches. This may be due either to smartphones’ greater complexity or to limited research on smartwatches—the latter being more likely based on the volume of published work.

This review provides a structured overview of the forensic landscape and identifies key gaps for future study.

Purpose: Developing cybersecurity awareness (CSA) is becoming a more and more important goal for modern organizations. CSA is a complex sociotechnical system where social, technical and organizational aspects affect each other in an intertwined way. With the goal of providing a holistic representation of CSA, this paper aims to develop a taxonomy of factors that contribute to organizational CSA.

Design/methodology/approach: The research used a design science approach including a literature review and practitioner interviews. A taxonomy was drafted based on 71 previous research publications. It was then updated and refined in two iterations of interviews with domain experts.

Findings: The result of this research is a taxonomy which outline six domains for importance for organization CSA. Each domain includes several activities which can be undertaken to increase CSA within an organization. As such, it provides a holistic overview of the CSA field.

Practical implications: Organizations can adopt the taxonomy to create a roadmap for internal CSA practices. For example, an organization could assess how well it performs in the six main themes and use the subthemes as inspiration when deciding on CSA activities.

Originality/value: The output of this research provides an overview of CSA based on information extracted from existing literature and then reviewed by practitioners. It also outlines how different aspects of CSA are interdependent on each other. 

As cybersecurity education continues to evolve, the need for curricula that effectively balance the capabilities of generative Artificial Intelligence (AI) tools with the development of critical thinking and active learning skills has become increasingly urgent. This study addresses this challenge by proposing a curriculum for postgraduate cybersecurity education that focuses on developing transferable skills, particularly critical thinking and written communication. These skills are essential for cybersecurity professionals to excel in both their technical and communicationoriented responsibilities, meeting the growing demand of the cybersecurity industry in the age of AI. The proposed curriculum emphasizes the integration of constructivist learning principles and Bloom's taxonomy, two widely applied pedagogical models, to enhance learners' critical thinking and written communication skills. Designed for a penetration testing module, the curriculum follows a structured, step-by-step approach to build the necessary competences and empower aspiring cybersecurity professionals to meet the expectations of the cybersecurity industry. Through targeted activities, learners develop foundational knowledge while refining advanced written communication skills, equipping them to produce professional-level documentation, such as penetration testing reports. Generative AI is incorporated in the curriculum, providing opportunities for learners to experiment with AIgenerated content while fostering the cognitive skills needed to critically assess its accuracy, relevance, and alignment with professional standards. This study contributes to cybersecurity education by presenting a replicable curriculum model that equips learners with vital skills, preparing them to navigate the complexities of written communication responsibilities in cybersecurity roles and adapt to the evolving demands of the AI era.