The State of eLearning in IT Security 2025
How Swedish organisations use eLearning to strengthen their information security - and where the challenges lie.
Executive Summary
IT security is the area where eLearning has the greatest penetration among Swedish organisations. Nearly everyone we spoke with has some form of digital training around information security, but the quality and impact vary significantly.
This report is based on interviews with training managers at 17 Swedish organisations conducted during 2024-2025. We identified three clear patterns:
- **Compliance drives the investment** - regulations (NIS2, GDPR, ISO 27001) are the biggest driver, not genuine learning - **Short formats work best** - organisations with modules under 5 minutes report higher completion rates - **Generic content is not enough** - those who create industry- and role-specific content see better results in phishing tests
Background
Cyber attacks against Swedish organisations increased by over 30% in 2024 according to MSB. At the same time, our interviews show that most organisations still use generic training packages that have barely been adapted since they were purchased.
[AWAITING DATA - Specific statistics from MSB and interview quotes from participating organisations]
Those we spoke with represent both private and public sectors, from manufacturing to municipalities. What they share is an increasing pressure to train, but few are satisfied with how it works today.
Current State
## What organisations do today
Most organisations we interviewed have an annual mandatory IT security training programme. The format varies from short videos to longer interactive modules, but the patterns are clear:
- Most purchase ready-made packages from international providers - Training is rarely adapted to the organisation's own risks - Follow-up is primarily through completion rates, not knowledge measurement - Phishing simulations exist at roughly half of the organisations
[AWAITING DATA - Detailed breakdown from interviews]
## Where it falls short
The biggest problem is not a lack of content - it is a lack of relevance. Generic scenarios about Nigerian prince emails do not convince an engineer at Sandvik or a nurse in Region Vasternorrland. When content feels unrealistic, motivation drops.
The Biggest Challenges
From our interviews, four main challenges emerge:
## 1. Fatigue with generic content
What Actually Works
The organisations reporting the best results share some common traits:
- **Short, frequent modules** instead of one large annual training. 3-5 minutes per week beats 60 minutes once a year. - **Real scenarios from your own industry** - not generic examples. A manufacturer showing how a ransomware attack affects the production line gets more impact. - **Combination of video and interactivity** - passive video is not enough, but pure text works even worse. The mix is key. - **Regular phishing tests** linked directly to training. Those who click get targeted follow-up training.