Why South Africa’s cybersecurity policies struggle without public trust

A new academic study focusing on South Africa finds that public trust, often cited as essential in international cybersecurity strategy, remains largely absent from national policy design and implementation, raising questions about long-term effectiveness and public compliance.

The study, titled Cybersecurity Policy Adoption in South Africa: Does Public Trust Matter?, analyzes how trust, governance, and public perception intersect with cybersecurity policymaking in South Africa and compares this approach with international practices.

At a time when cyber threats increasingly target public infrastructure, financial systems, and personal data, the study argues that cybersecurity must be treated not only as a technical or legal challenge, but as a social and governance issue. Without public trust, even well-designed cybersecurity policies risk limited adoption, weak enforcement, and reduced cooperation from citizens and organizations.

Cybersecurity policy built without public trust

South Africa has experienced a sharp rise in cybercrime over the past decade, affecting government agencies, financial institutions, healthcare systems, and ordinary citizens. In response, policymakers have focused on strengthening legislative frameworks, regulatory institutions, and technical defenses. The study shows that these efforts largely mirror global best practices in terms of infrastructure, compliance, and enforcement mechanisms.

However, the literature review reveals a critical gap. Public trust, while frequently highlighted in international cybersecurity research, is rarely integrated into South African policy discussions. Most national strategies emphasize control, surveillance, and legal authority, with minimal attention to how citizens perceive these measures or whether they trust the institutions implementing them.

The study identifies cybersecurity and cybercrime as dominant themes in South African research and policy documents, while trust, public opinion, and privacy concerns receive far less emphasis. This imbalance contrasts with approaches in other regions, where trust is increasingly treated as a prerequisite for successful cybersecurity adoption. In countries such as Australia and several European states, citizen engagement, transparency, and communication are embedded into cybersecurity strategies to encourage voluntary compliance and cooperation.

In South Africa, the absence of trust-focused policy design may reflect broader governance challenges. Historical inequality, concerns over corruption, and uneven service delivery have contributed to low levels of institutional trust. The study suggests that cybersecurity policies developed in such an environment face inherent legitimacy risks, regardless of their technical sophistication.

Why public trust shapes cybersecurity outcomes

The research highlights that cybersecurity policies rely heavily on public participation, whether through compliance with data protection rules, reporting cyber incidents, or adopting secure digital practices. When trust in government is low, citizens may resist sharing information, ignore official guidance, or perceive cybersecurity measures as intrusive rather than protective.

International literature reviewed in the study shows that trust influences how people respond to digital governance initiatives, including e-government platforms, data sharing systems, and national identity frameworks. High-trust environments tend to see higher adoption rates and smoother implementation, while low-trust contexts experience resistance, avoidance, or non-compliance.

In South Africa, the study finds little evidence that policymakers systematically assess public trust or perception when designing cybersecurity initiatives. This omission weakens feedback loops between government and citizens, limiting opportunities to identify concerns, correct misunderstandings, or adjust policy messaging.

Privacy emerges as a related concern. Without trust, cybersecurity measures aimed at monitoring or data collection can be viewed with suspicion, particularly in societies with a history of state overreach or inequality. The study warns that ignoring these perceptions can erode confidence further, creating a cycle in which stronger controls lead to lower trust and weaker cooperation.

The authors argue that cybersecurity effectiveness depends not only on deterrence and enforcement but also on voluntary engagement. Citizens who trust institutions are more likely to follow security guidance, report cyber incidents, and support national strategies. Without that trust, policies may exist on paper but fail in practice.

A trust-centric framework for cybersecurity adoption

To address these gaps, the study proposes a Trust-Centric Cybersecurity Adoption Framework tailored to the South African context. This framework places public trust at the center of cybersecurity policy design rather than treating it as a secondary or indirect factor.

The framework focuses on transparency as a starting point. Clear communication about cybersecurity goals, risks, and safeguards is presented as essential for building confidence. When citizens understand why certain measures are necessary and how their data will be protected, resistance is more likely to decrease.

Public engagement is another key component. The study argues that cybersecurity policies should be shaped through consultation with multiple stakeholders, including citizens, private sector actors, civil society organizations, and technical experts. This inclusive approach helps ensure that policies reflect real concerns rather than purely institutional priorities.

Feedback mechanisms play a key role in sustaining trust. The framework calls for continuous evaluation of public perception through surveys, digital platforms, and participatory governance tools. By monitoring trust levels over time, policymakers can adjust strategies before dissatisfaction translates into widespread non-compliance.

The authors also highlight the potential of e-government platforms to support trust-building. Secure, transparent digital services can demonstrate government competence and accountability, reinforcing confidence in broader cybersecurity initiatives. However, the study cautions that such platforms must themselves be trustworthy, accessible, and inclusive to avoid reinforcing existing divides.

Importantly, the framework does not replace technical or legal measures. Instead, it integrates trust as a complementary dimension, aligning social legitimacy with institutional capacity. The study asserts that cybersecurity policies are most resilient when technical defenses, governance structures, and public trust reinforce each other.