Cybersecurity policy adoption in South Africa: Does public trust matter?

This study examines how public perception influences the implementation and adoption of cybersecurity frameworks in South Africa. Using the PRISMA methodology, a systematic literature review was conducted across reputable scholarly databases, yielding 34 relevant sources aligned with predefined inclusion criteria. Cybersecurity, governance, trust, privacy, cybercrime, and public opinion emerged as dominant thematic clusters. Bibliometric and thematic analyses, supported by network visualisations, revealed that while trust and public sentiment affect cybersecurity policy adoption globally, these factors have minimal influence within the South African policy landscape, despite the country’s high cybercrime prevalence. In response, the study proposes a trust-centric policymaking framework designed to integrate public perception as a proactive dimension of cybersecurity governance. This framework seeks to prevent trust deficits from obstructing policy effectiveness and provides guidance for restoring trust where it has eroded.

💡 Research Summary

This paper investigates whether public trust influences the adoption and implementation of cybersecurity policies in South Africa. Using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta‑Analyses) protocol, the authors performed a systematic literature review across major scholarly databases (Web of Science, Scopus, ScienceDirect, SciELO, Taylor & Francis). An initial pool of 7,523 records was reduced through duplicate removal, language and document‑type filters, title/abstract screening, and full‑text eligibility checks, ultimately yielding 34 peer‑reviewed English‑language articles that met the inclusion criteria (focus on public trust, mistrust, or distrust and their impact on cybersecurity policy success in South Africa).

The review employed both bibliometric and thematic analyses. Bibliometric mapping showed a concentration of relevant publications between 2020 and 2024, with South Africa accounting for 44 % of the country‑level sample. Thematic coding (Braun & Clarke, 2006) identified six dominant clusters: Cybersecurity, Government, Trust, Privacy, Cybercrime, and Public Opinion. Network visualisations revealed strong linkages between “Cybercrime” and “Cybersecurity” (e.g., legislation, data protection) but weak or absent connections involving “Trust” and “Government” within the South African corpus. This suggests that, unlike global trends where trust is a key driver of policy uptake, South African scholarship has largely treated trust as a peripheral concern.

Two hypotheses were articulated: H0 – negative public perceptions of government hinder cybersecurity policy adoption; H1 – integrating public trust, technical expertise, and multi‑stakeholder participation enhances policy effectiveness, sustainability, and public acceptance. The authors did not conduct quantitative hypothesis testing; instead, they used the qualitative synthesis to argue that the evidence supports H1, insofar as trust is currently under‑represented and its systematic inclusion could improve outcomes.

Guided by Institutional Trust Theory (Godefroit, Langer & Meuleman, 2017) and the Cyber‑Policy Framework (Joubert & Wa Nkongolo, 2025), the paper proposes a Trust‑Centric Cybersecurity Adoption Framework (TCCAF). TCCAF envisions four interlinked boards – National Communications Board, National Security Board, Policy Formulation Board, and Policy Approval Board – each mandated to incorporate public opinion mechanisms (citizen forums, online surveys, feedback loops) at every stage of policy design, enactment, and evaluation. The framework aims to institutionalise trust‑building activities (transparency, accountability, continuous public engagement) to prevent trust deficits from becoming barriers to policy effectiveness.

The study acknowledges several limitations: the modest sample size (34 articles) may not capture the full breadth of global or regional research; reliance on English‑language, peer‑reviewed sources excludes potentially relevant grey literature; the absence of meta‑analytic or statistical testing limits the robustness of hypothesis validation; and the proposed TCCAF remains conceptual, lacking pilot implementation or empirical assessment.

In conclusion, the authors find that while public trust is a decisive factor for cybersecurity policy adoption worldwide, it appears marginal in South Africa’s current policy discourse despite high cybercrime rates. They argue that integrating trust systematically—through the TCCAF—could strengthen policy legitimacy, improve compliance, and enhance overall cybersecurity resilience. Future work should expand the literature base, employ quantitative methods to test the hypothesised relationships, and conduct field trials of the trust‑centric framework to evaluate its practical impact on South African cybersecurity governance.