Information Security Awareness of Librarians in the Baltic countries: A Comparative Analysis

. The aim of this study was to analyse the information security awareness of librarians in the three Baltic countries – Estonia, Latvia and Lithuania – in seven focus areas, which were password management, use of email, use of the Internet, use of social media, use of devices, handling of information and incident prevention and handling. The study was conducted among librarians in Estonia, Latvia and Lithuania. A total of 1,217 librarians from the public, special, school and research libraries of the three Baltic countries responded to the survey. Pearson correlation, average scores and descriptive statistics were used to achieve the research objective. The results revealed that Estonian librarians are more cyber-aware than their Latvian and Lithuanian colleagues, but everyone has their weaknesses. The chosen methodology is well suited for assessing the cyber awareness of not only library employees but also employees of all memory institutions (archives, museums) and identifying training needs.


Introduction
Cybersecurity has become one of the highest priorities for businesses and governments.Enhancing and strengthening strategic leadership is key to ensuring that the cybersecurity vision is achieved.There are several different definitions for "information security" and "cyber security" and the terms are often used as synonyms, even though they are not, according to von von Solms and van Niekerk (2013).Let's start with "security".Its definition gives good guidelines for the examination of cyber security and its definition of professional competence.Security can be divided into four areas.Security is a feeling of safety, knowledge that the chances of possible threats and risks being affected are small.Security is also about recognizing the facts and understanding the situation.Security also includes tolerance of uncertainty and harmful events, resilience.As the last area, security includes the models that make safety concrete and the values on which to rely security is being built.Based on these areas, it is easier to start defining information and cybersecurity (Hakkala et al., 2018, 175).According to Paulsen and Byers (2019), authors of NIST Glossary, "information security"1 is defined as -The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability, while "cybersecurity"2 has defined by the aforementioned institute with numerous of definitions as -Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation; -The process of protecting information by preventing, detecting, and responding to attacks; -The prevention of damage to, unauthorized use of, exploitation of, and-if needed-the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems and -Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.There is also term "cyber security"3 -"The ability to protect or defend the use of cyberspace from cyber attacks"."Computer security" is replaced by the term "cybersecurity" -Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.Rationale: Term has been replaced by the term "cybersecurity.We can only think abstractly about securing information regardless of its form, technical protection of devices that store or transfer information, planning the company's business processes, mathematical encryption, or everything in between.Cybersecurity can be defined to cover all these areas from protecting the abstract representation of information to the company's business processes, and to protect tangible and intangible resources and interests from risks caused by threats using information and communication technology (Hakkala et al., 2018, 175).
Strategic management of cybersecurity requires identifying and setting goals based on the protection of the digital operating environment.In addition, it requires the coordination of activities and preparedness and the management of large-scale disruptions.To ensure cybersecurity, society must be able to involve various parties and coordinate resources and activities as efficiently as possible.Cyber capability must be developed throughout society, which requires strategic coordination, leadership and executive capability (Lehto and Limnéll, 2020, 139).Recently, more attention has been paid to the role of individual behaviour in mitigating cyber threats.Understanding of how individuals differ in their awareness, knowledge, and cybersecurity behaviours

Activities and strategies of the Baltic states in enhancing the cyber protection of the state and the population
Each Baltic country deals with its own field.For example, for Latvia it is strategic communication, for Estonia it is cyber defence and for Lithuania it is energy security.
The NATO Cooperative Cyber Defence Centre of Excellence 6 in Tallinn is an international centre, think tank and training institution accredited by NATO.Established in 2008, the centre has grown into an important source of knowledge in the field of cyber defence for both NATO and its member states.The security and defence sector of the Baltic States has established partnerships with the private and academic sectors, all of which must cooperate with each other to maintain situational and technological awareness.
The Information System Authority (ISA) 7 , operating in Estonia, in addition to registering and handling cyber incidents on Estonian computer networks, also supervises information systems used to provide vital services, as well as ensuring security through awareness raising, i.e. organising training for information security managers and regular users of institutions.
The work of the Latvian Safer Internet Centre (SIC)8 established in Latvia is coordinated by the Latvian Internet Association together with the State Inspectorate for the Protection of Children's Rights and the Latvian Municipal Training Centre.The Latvian SIC promotes safer and better use of Internet and mobile technology among children and young people.It develops informative and educational activities, organises awareness-raising activities and ensures the operation of the information and hotline.Every year, the Latvian SIC organises a campaign promoting Safer Internet Day (SID).As part of the campaign, schools, youth centres and libraries are invited to organise various events on this day and throughout the month of February.The Latvian Awareness Centre informs and educates children, teenagers, teachers and parents about the safety of Internet content and possible dangers on the Internet (hate speech, racism, child pornography and paedophilia, emotional harassment on the Internet, identity theft and data abuse, etc.).The main activities implemented and coordinated by the centre are the celebration of the SID in Latvia, the development of educational materials on Internet security for all target groupschildren, adolescents, parents, teachers and social workers, the organisation of various seminars, trainings and other activities, the organisation of social campaigns on current topics, the training of teachers, librarians, involvement of kindergartens and universities in Internet security activities, development of closer cooperation with mobile operators and Internet service providers.
All three countries have also developed their own cybersecurity strategy, which is linked to the strategies of other fields.In particular, the digital strategies of the three Baltic countries should be highlighted, which aim to create a basis for lifelong learning of digital and cyber literacy.In addition, the need to increase the awareness of both residents and organisations about the dangers of cybercrime and the ways to avoid them is emphasised, while the State Digitisation Development Programme 2021-2030 of Lithuania also emphasises the development of digital literacy of people with disabilities (SDDP, 2021).In this way, the priority activities established in the cybersecurity strategy are amplified in the development plans of various fields and the safety of cyber space is increased.
Estonia's new eternal society development plan Estonian Digital Agenda until 2030 highlights the set goals and planned directions of action in three areas: 1) developing a digital state, i.e. the use of digital solutions, 2) developing electronic communication, i.e. connectivity, and 3) developing national cybersecurity.The sub-goal of cybersecurity contributes directly to the realisation of the vision of the digital society in 2030 because the goal is to ensure the protection of the digital country, economy and, more broadly, the digital way of life in the public sector.The development plan states that the need to deal with broader digital literacy of the population will continue.There is less and less need to "bring" people to the Internet.Instead, it must be ensured that they have up-to-date skills to deal with digital solutions usefully and safely.By 2030, all Estonian adults should be regular Internet users.This gives an opportunity to ensure their sufficient capacity, including the corresponding basic level of awareness, so that they can use the services of the digital state better and better (EDA, 2021).
Latvia's Digital Transformation Guidelines for 2021-2027 represents a comprehensive strategy for Latvia's digital transformation and includes, among others, ICT education and digital skills, Internet access, modern and efficient public administration, e-services and digital content for society.The Latvian Cabinet of Ministers adopted the policy document in July 2021.The main objectives of the digital skills pillar are 1) basic digital skills for all citizens, 2) digital skills of citizens, and public administration employees to use the latest technologies and digital services, 3) digital skills to create and offer innovative digital services and products, 4) digital skills in the education system, and 5) digital skills in the healthcare system.The goal is that 70% of citizens have at least basic digital knowledge, 45% of citizens' digital skills exceed the level of basic knowledge, and at least 3% of employment is made up of ICT specialists (LDTG, 2021).
The purpose of the Lithuanian State Digitisation Development Programme 2021-2030 is to promote national digitisation in order to increase the opportunities of the public sector, companies and academia for the efficient and safe development and use of innovative products and services.Another aim is to strengthen the digital competence of the population by creating an understanding of the development and importance of emerging technologies.The main goal of developing digital skills is to provide support to vulnerable groups: 1) to enable disabled people to live independently and participate fully in all areas of life, 2) to create an efficient and functioning lifelong learning system for adults to match skills to the needs of the labour market.The goal of the programme is to increase the level of citizens who regularly use the Internet to 90%, and to 60% for citizens with disabilities who use public services and are satisfied with them.One of the goals of the changes is to create an effective lifelong learning system that adapts new technologies and ensures the acquisition and development of knowledge and skills necessary for an active society (SDDP, 2021).
The National Cyber Security Centre under the Ministry of National Defence (NCSC)9 is the main cybersecurity agency in Lithuania, which is responsible for the unified management of cyber incidents, monitoring and control of compliance with cybersecurity requirements.NCSC's mission is to be a centre of expertise in cybersecurity and a strong cybersecurity incident prevention system in the country.According to the regulations approved by the NCSC, the main operational goals of the institution are to implement the national cybersecurity policy, to perform the tasks of the cybersecurity service, to perform the tasks of the national communications protection service, to carry out information dissemination, research and analysis in the field of cybersecurity.Since 2018, NCSC provides assistance to the state, companies and residents, and makes decisions within its competence together with state institutions and organisations and other economic entities.
The cybersecurity strategies of all three Baltic states emphasise that it is impossible to avoid cyber incidents, even if all available cybersecurity measures are implemented.For this reason, representatives of the public and private sectors must improve the cybersecurity culture of their employees.According to an IBM report published in 2017, the number of cyber incidents caused by employee negligence has increased (in 2017, it was more than 20%, up from 15% in 2016).More than 30% of these cyber incidents happened because employees opened malicious links or documents emailed to them.Routine and regularly updated training for private and public sector employees would increase both employee due diligence and the general cybersecurity culture.

Libraries as cooperation partners of the state in raising cyber awareness
Online security has always been one of the key topics in library user training, and it became especially relevant due to the Covid pandemic.Denisenko (2020) emphasises in the publication Lithuania in the Global Context: National Security and Defence Policy Dilemmas that "In terms of important subspecies of information security, cybersecurity is understood in terms of the technological, state critical information infrastructure and its protection.Psychological security is understood as the need to protect one's information space (public sphere) from harmful effects, i.e. the flow of propaganda narratives and fake news", while also recognising that when dealing with "information wars", one must talk about cyber war as much as psychological war.It is assumed that different countries prefer different types of "information warfare"so the US focuses more on the cyber dimension of information warfare, while Russia focuses on psychological warfare.However, it seems that nowadays these differences are gradually disappearing, and in reality, different types of information wars can complement each other (Denisenko, 2020, 235).For libraries, user education has now become as much a part of daily work as lending books.Technologies evolve and risks change.Internet users need to learn every day.The rapid development of digital technologies requires new approaches to education.Formal education systems are not ready to provide citizens with the necessary digital skills to cope with these changes.Informal, non-formal and lifelong education are becoming a more important source of knowledge in this field, and libraries and librarians are expected to play an important role in promoting digital and cyber literacy (Spurava et al., 2021).Libraries thus play an important role in an aspect that has not been discussed in the scientific literature so farnamely, in promoting national security and preventing cybercrime.Above all, these activities must ensure that all citizens have access to information and effective participation in democratic processes.For this, however, the librarians themselves must be ready to acquire new cybersecurity knowledge and continue to raise their cyber awareness.Technological protection can be maximally strong, but information security is only as strong as its weakest link.Therefore, managing the human side of information security is as important as the technical side, it is equally important to continuously strengthen the security awareness culture of organisations and transform this culture into actual security-aware behaviour (Abawajy, 2014).The main reason for increasing security awareness is the need to manage the change in employees' behaviour and attitude towards information security.Information security awareness programmes are designed to create security-oriented cultures throughout the organisation so that people work more securely and protect their organisation's assets.Information security awareness is the establishment, promotion and maintenance of good security habits.The main goal of information security awareness is to change attitudes to bring about a general change in organisational culture.The culture change is the realisation that information security is critical because a security breach can have negative consequences for anyone.
Information security awareness also aims to increase users' understanding of how to follow responsible computer usage practices and why this is necessary.Increased employee awareness should reduce the likelihood of accidental violations and increase the likelihood that suspicious activity will be recognised and reported.The libraries of Estonia, Latvia and Lithuania are important cooperation partners for their countries in bringing cyber awareness closer to the population.Promoting digital literacy, including the basics of online safety and privacy, has long been an important part of many library services.
For example, in Latvia, every year in February, libraries celebrate SID and organise events dedicated to this day for a large number of stakeholdersfrom parents and teachers to media professionals and policy makerswho come together to support awareness raising and skills development to ensure the safety and well-being of young people online.Individual consultations and training, and group training are organised, visitors are given various media literacy and Internet safety-related tasks, games and competitions, quizzes, drawing competitions for the youngest, knowledge tests, lectures, seminars, information leaflets, posters are distributed, young people are taught to develop and implement various projects, as well as how to do awareness campaigns, live broadcasts, library classes and shared film viewings, in addition to organising creative workshops and storytelling events.The target group is widechildren, young people, adults and seniors.By working with their users on a daily basis, librarians know the target audience and know how to approach which audience to achieve the best possible result.An adult learner finds motivation and interest in learning useful and feels happy about newly acquired skills or knowledge that they can immediately apply in everyday life.Children and young people are motivated by the opportunity to compete with each other and maybe get a prize, something tangible or tasty.Campaigns that involve a larger number of people simplify the daily work of library staff because less time has to be spent on daily digital skills support and training for users.Information about exciting activities spreads by word of mouth and is therefore the best marketing for library services (Niedra, 2021).
The Lithuanian Librarians' Association monitors and coordinates the initiatives, creativity and ideas of libraries on how to make the use of the Internet safer, how to spread this knowledge to communities and how to involve groups experiencing cultural, informational or social exclusion in these activities.Safer Internet Day has been celebrated in Lithuania since 2006.The celebration of the day has become a week-long event that aims to highlight current digital issues and promote safer use of the Internet and digital technology, especially for children and young people.There are some great examples of unique library activities for Safer Internet Week.One of them is at Kaunas County Library, where attention has been paid to hearing-impaired people and 12 video lectures with sign language interpretation have been prepared for them, the purpose of which is to help critically evaluate and analyse information shared through traditional and modern media, be safer on the Internet, and develop their own skills to create new information and media content.The videos with sign language translations deal with topical topics for everyone: "Modern Internet and its dark side", "Consumer rights and their protection in electronic commerce.What is useful to know?", "Safe e-banking", "Fake news and its distribution", "Report hate speech" and many others (Steponaitiene, 2021).
The Estonian Librarians Association does not coordinate or celebrate Safe Internet Day on the same scale as its southern neighbours, but individual libraries organise various events within the framework of this day.According to the Information System Authority (RIA), "Since 2007, Estonia has been actively engaged in ensuring cybersecurity at the national level in order to ensure the safety and availability of state institutions and vital services in all situations" (Vaks, 2013).RIA's Cyber Security Service monitors and handles incidents, analyses trends in cyberspace, and writes summaries and threat assessments; cybersecurity prevention activities are carried out, the population is informed about the risks lurking in cyberspace, etc. Prevention activities are carried out systematically, monthly, quarterly and annual summaries are issued, and trainings are organised both one-on-one and through a cyber hygiene test where anyone can check their knowledge.People's cyber hygiene improves year by year, but the application of good practices starts to decrease from the age of 45.There are several campaigns for companies, e-voting (vote safely!), seniors and non-Estonians.The Estonian Librarians Association is a cooperation partner in cybersecurity campaigns organised by the Information System Authority.In the autumn and winter of 2019, RIA organised the awareness campaign "Be IT vigilant!", which continued in 2020.Cooperation with Tallinn Central Library has been very successful in order to bring good practices in cybersecurity to people.In 2020, three online training sessions were held for 44 library employees, the topics of which were good practices, secure passwords, changing settings in different browsers, and examples of the most common frauds.In addition, an information line was opened, where employees of the foreign language department of the Tallinn Central Library gave advice.RIA will continue to see libraries as an irreplaceable partner and their invaluable role in reaching the target audience.

Methodology and sample characteristics
The complexity of human nature in relation to information security has long been the subject of research in various branches of science.Their goal has been to understand and analyse how the employee's feelings, beliefs, behaviour, attitude and actions can directly or indirectly, intentionally or unintentionally affect and possibly threaten the organisation's information security.Understanding the root of the problem helps to develop effective security policies and rules and training programmes that could contribute to the development of a security culture (Georgiadou et al., 2022).The knowledge-attitude-behaviour (KAB) model was first proposed by Kruger and Kearney (2006) to measure information security awareness.It is based on the three interrelated components of the social psychological model, namely affect, behaviour and cognition (MacKinnon and Hoey, 2021), which correspond to attitude, behaviour and knowledge.The KAB model has been widely used to explain cybersecurity awareness and behaviour (Parsons et al., 2014;Zwilling et al., 2020).As previous research showed that knowledge alone is not sufficient to produce behavioural change, attitude was added to the KAB model as a necessary mediator to alleviate cognitive dissonance between knowledge and action.Evidence that individuals who possess the necessary information security knowledge and skills may not effectively apply them in their daily work routines has led researchers to focus on bridging the gap between awareness and actual behaviour (Siponen et al., 2007;Workman et al., 2008).The main claim of the KAB model is that knowledge can change behaviour, attitude is often a necessary mediator between knowledge and behaviour.Increased knowledge improves attitudes, resulting in better information security behaviours (Parsons et al., 2014).Thus, knowledge is what (declarative), how (procedural), when and why (conditional) (Schrader and Lawless, 2004).Parsons et al. (2014) claim that an important foundation for the KAB model to be used correctly is that the variables involved must be clearly specified and that they must be connected to the other variables associated with behavior change.Within research concerning information security awareness, the KAB model is said to constitute a stable theoretical foundation with high validity as a high correlation between knowledge, attitude and behaviour have been proven (Parsons et al., 2014;Parsons et al., 2017).In order for the KAB model to be evaluated correctly, it is required that the variables knowledge, attitude and behaviour are defined with the greatest possible clarity, while these variables are related to each other (Parsons et al., 2014;Parsons et al., 2017).To measure the relationship between the three variables, Parsons et al. conceptualised (2014) the Human Aspects of Information Security Questionnaire (HAIS-Q) based on the KAB model (Table 1).A recurring problem in research using the KAB model has been that the knowledge variable has not been sufficiently specified (Baranowski et al., 2003).Within HAIS-Q, knowledge is defined as knowledge of information security behaviour with reference to "best practice", which is often found in information security standards (Parsons et al., 2017).Parsons et al. (2014) defines knowledge as "knowledge of policy and procedures".The HAIS-Q is based on the two dependent variables attitude and behaviour, and the independent variable knowledge.Prior to the HAIS-Q, survey questionnaires focused narrowly on Information Security Awareness (ISA), such as the use of passwords and smartphone applications.
All seven focus areas used during the current study are derived from Parsons et al. (2017) validation study of the HAIS-Q.In that study, 63 statements linked to seven different focus areas were used, divided into three sub-areas with three statements per sub-area where each statement was linked to either knowledge, attitude or behaviour.That way the HAIS-Q is more comprehensive in capturing the most typical Internet behaviours.The statements are relatively neutral in that they do not highlight intentional positive behaviour or intentional risk behaviour (Parsons et al., 2014).As this study examines librarians, a revision of the questionnaire statements was necessary considering that librarians in general have no specific information security policy to relate to.In order not to completely depart from the previous studies carried out by Parsons et al. (2014) and Parsons et al. (2017), it was considered relevant to choose the statements from Parsons' studies that were considered most appropriate as well as statements based on existing literature, and IT-expert opinions of Tallinn Central Library.This resulted in the selection of statements shown in Table 1.The current survey took place in Estonia from 14.06.2022 to 10.09.2022, in Latvia from 07.10.2022 to 01.12.2022 and in Lithuania from 29.12.2022 to 06.02.2023.The survey questionnaire was distributed by the Estonian Librarians Association, National Library of Latvia, Lithuanian Librarians' Association and Lithuanian Research Library Consortium member lists.The questionnnaire was in the respondent's native language so those librarians whose work does not require intermediate or advanced English language skills could also answer.For this purpose, the Estonian questionnaire was translated into Latvian and Lithuanian and the representatives of the professional organisations of the respective countries were asked to test them.There were 388 respondents from Estonia, 352 from Latvia and 477 from Lithuania.One of the most reliable methods of measuring attitudes is a scale developed by Likert in 1932, which consists of statements, each of which is accompanied by a multi-point scale.When answering, the interviewees were asked to express their opinion on a 4-point scale: "I completely agree", "I agree", "disagree", "not at all" in the questions of knowledge and attitude, and "always", "often", "sometimes" or "never" in the questions of behaviour."The answers obtained by this method are easy to quantify and analyse.Some researchers argue that it would be more efficient to number such scales so that the respondent can better understand the negative and positive response options.However, Adams et al. (2013) find that most questionnaires ask questions about which the respondent is rather neutral.The same authors recommend using odd-numbered answer options.This makes the analysis process more convenient.On the other hand, there are also opinions (e.g.Brown, 2006;Nunes, 2021) that recommend using an even-numbered scale.It is also called a forced scale because the exclusion of the neutral answer option forces the respondent to take a certain position, and so-called convenience answers are avoided, where one does not bother to delve into the question, but automatically chooses the neutral "don't know" or "can't answer".
Estonians and Latvians have been slightly more diligent daily Internet users than Lithuanians: the average number of users in Estonia only exceeded the 70% limit in 2014, while this limit was exceeded in Latvia in 2017 as well.It can be assumed that due to the pandemic, the number of daily Internet users increased even more, and those people who had managed to avoid it until March 2020 were also forced to go online.The majority of respondents were women (Table 2), which perfectly characterises the gender inequality of library workers to the strong disadvantage of male workers.Most respondents from Estonia, Latvia and Lithuania were in the age group 51-60 (32 per cent, 33 per cent and 38 per cent respectively).We can see that more librarians answered in the age groups 21-30, 31-40 in Lithuania, and there were significantly more respondents from Lithuania in the age group 51-60.There seems to be an interesting tendency that in the age groups 41-50 and 61-70 there are significantly fewer library workers from Estonia, Latvia and Lithuania among the respondents, and there are no respondents from Lithuania in the age group 70+.We can probably draw conclusions here about the demographic situation of library workers in general, but it raises questions as to where 51-60-year-old workers suddenly come to libraries, when there are so many fewer of them in the previous and subsequent age groups.

Figure 2. Demographic distribution of respondents by age
Most respondents were among those library employees with less than 5 years of experience in the library (26 per cent in Estonia, 22 per cent in Latvia and 28 per cent in Lithuania).Most of the respondents with 40+ working years work in Latvian libraries, as much as 9 per cent.
From Figure 4, we can see that 62 per cent of Estonian library employees have participated in cybersecurity trainings, Latvia and Lithuania still have room for improvement here.At the same time, the desire to participate in the training is very differentonly 21% of Estonian library employees definitely want to participate in the training if possible, increasing to 27% in Latvia and as many as 29% in Lithuania.Certainly, such a percentage of responses shows that on the one hand, a large part of those who wish to do so have already been able to complete cyber training in Estonia, but on the other hand, library associations and employers in all Baltic countries should invest much more strongly in the training of their employees than before.Firstly, so that the staff can protect the library's resources and also the privacy of the users, secondly, in order to be a community centre, where the residents can come for cybersecurity training.The characterisation of the sample shows a cross-section of library workers in Estonia, Latvia and Lithuania.We can conclude that the average Baltic librarian is aged 51-60 and has less than 5 years of experience.According to an Oxford University Press study, 83% of librarians working in the US today are women.The only point at which male librarians were the majority was in the 1880s, when men just tipped the scales at 52% of the librarian workforce (Nuttall, 2021).Our survey shows an even greater preponderancein the Baltic countries, more than 90 per cent of librarians are women.

Correlation analysis of knowledge-attitude-behaviour components
We can confirm that there was a positive relationship between all variables in the knowledge-attitude-behaviour components in all Baltic countries, with correlations ranging from 0.382 to 0.683, indicating a strong relationship but not indicating multicollinearity (Table 3).For example in Magdalinou et al (20123) study Pearson correlations supported that practices of the staff were strongly and positively correlated with knowledge on the organization's policies (0.659) as well as with the attitude of staff towards the organization's policies (0.740).The attitude of staff towards the organization's policies is strongly and positively correlated with the knowledge on the organization's policies (0.692) (Magdalinou et al., 2023, 50).Table 3 shows that Pearson correlations of Estonian librarians are positively correlated with knowledge on the information security (0.498, p=0000<0,05), and the behaviour is positively scorrelated with attitude on the information security (0.491, p=0000<0,05).The behaviour of the employees is strongly and positively correlated with information security knowledge (0.654, p=0000<0,05).Latvian librarians' behavior has a stronger positive correlation with information security knowledge than Estonian and Lithuanian colleagues (0.505, p=0000<0,05), the correlation of the behavior with the attitude towards information security is also positive (0.484, p=0000<0.05)and the employees' attitude towards information security is once again more strongly positively correlated with knowledge than Estonian and Lithuanian colleagues (0.683, p=0000<0,05).The behavior (0.382, p=0000<0.05)and attitude (0.534, p=0000<0.05) of Lithuanian librarians have a weaker positive correlation with information security knowledge compared to Estonian and Latvian colleagues, and the staff's attitude towards information security is also more weakly positively correlated with knowledge (0.461 , p=0000<0.05)compared to counterparts in neighboring countries.
Although comparing with Magdalinou et al (2023) study the correlations were weaker, this provides additional reliability support for the HAIS-Q questionnaire.

The average scores of the results
The average results in focus areas are shown in Figure 5 and Figure 6 where Figure 5 shows respectively results for knowledge, attitude and behaviour and Figure 6 shows results of the focus areas.

Figure 5. Average scores for knowledge-attitude-behaviour constructs
Figure 5 clearly shows that Estonian librarians' knowledge, attitude and behaviour is stronger than their Latvian and Lithuanian counterparts.In the case of Latvian and Lithuanian librarians, attitude is the weakest area.However, for example, the library staff's overall behaviour is stronger than knowledge and attitude.
For all librarians in Baltic countries, information handling and password management are the strongest focus areas.The weakest areas are use of devices and for Lithuanian librarians, Internet use, and in use of devices and incident prevention and reporting.Incident prevention and handling, which received the second-lowest average score, is probably not a significant problem in small libraries either.However, employees should still be aware of possible dangerous situations and also know how to behave in such situation.
Employees feel that there is little knowledge in the cyber field, both for themselves and for teaching and guiding users.There are complaints about the absence of an IT department or, if there is one, about the lack of cooperation.At the same time, the responsibility for the cyber behaviour of the readers using the computers located in the library and the lack of tools and sufficient rights to control the activities of the users on the Internet are recognised: We lack not only the knowledge, but also the tools to ensure cybersecurity.We don't have an IT department for cybersecurity training, but we would attend if we could.
I would like more active cooperation and training from the IT service.I don't think I know enough about cybersecurity.I've only recently started working at the library, so I'm hoping to learn the basicssomething like how to check USB devices for malware before inserting them into the computer; how the password manager works, etc.
I believe the librarian is responsible for what users view and has the right to both reprimand and expel someone from the library.
It is necessary to continue training the library staff.This questionnaire is very necessary to draw conclusions about their knowledge and conduct training.
Library staff do not have tools to help control which websites library patrons visit.Anyone can come to the library and browse all kinds of propaganda portals of the enemy state, comment, and incite riots online.

Descriptive statistics of the results
Responses were arranged in columns in order of the main three constructs and focus areas.Each line with the respondents' answers was summarised.Based on these summed responses, descriptive statistics were calculated using the Microsoft Excel data analysis tool function.The results are presented in tables 4 and 5. Kurtosis, skewness and the mean have been examined in more detail.
Skewness is a measure of symmetry, or more precisely, the lack of symmetry.In a symmetric distribution, the median and mode coincide.If the mode is to the right of the axis of symmetry (median), it is negative asymmetry.If the maximum is to the left of the axis of symmetry, it is a positive or asymmetry.For a very high positive or negative skewness, the coefficient is below -1 or greater than 1 (Yeng et al., 2021, 474-475).
Table 4 identifies among Estonian, Latvian and Lithuanian librarians knowledge risk (-0.806, 0.036 and -0,902 accordingly) with a moderate skewness (between -1, -0.5 and 0.5, 1), attitude (-0.374, 0.382 and -0.101 accordingly) and behaviour (-0.424, -0.074 and -0.338 accordingly) had a fairly symmetrical skewness coefficient (between -0.5 and between 0.5).Table 5 reveales a moderate coefficient of skewness in password management among Estonian, Latvian and Lithuanian librarians (-0.700, -0.247 and 0.141 accordingly), Internet use (-0.722, -0.157 and -0.845 accordingly) and information handling (-0.755, -0.123 and -0.501 accordingly).From the point of view of compliance with the normal distribution, in addition to the skewness, the kurtosis or steepness coefficient is an important indicator.In statistics, kurtosis is used to describe the shape of a probability distribution.The kurtosis can be negative, equal to zero, or positive.If the kurtosis is 0, then it is equal to the normal distribution.If the kurtosis is positive, it simply means that fewer data values lie near the mean, and if the kurtosis is negative, it means that more data values lie near the mean.Table 3 shows that the kurtosis of knowledge among Estonian, Latvian and Lithuanian librarians (1.126, 0.134 and 2,265), attitude in the case of Estonia and Latvia is negative (-0.796 and -0.352) and in the case of Lithuania is positive (0.506).Behaviour among Estonian librarians is positive (0.322), and the kurtosis of behaviour of Latvian and Lithuanian librarians is negative (-0.720 and -0.035).
Table 5  The mean scores of Estonian librarians' in knowledge, attitude and behaviour is higher than Latvian and Lithuanian librarians', followed by Lithuania in knowledge and behaviour and by Latvia in attitude.Behaviour seems to be a strongest area of all Baltic librarians' (see table 4).Answers by focus areas show the highest awareness in information handling (32.22), password management (32.14),social media use (30.3) and Internet use (30.3), while the awareness in the other focus areas is below 30.This shows that the average Estonian librarian's cyber awareness is quite good, but there are also areas that need improvement, especially the use of devices (27.6)There is no IT department, we buy a service and the company can only be contacted in case of a very extraordinary problem (the excuse to the employee: we save money).
There is no such thing as an IT department in the school library, where you can turn to in case of a problem, doubt or some other gut feeling.You have to be competent enough for that.

Conclusions
The cybersecurity cooperation of the Baltic states is close, and libraries have an important role to play as cooperation partners of the state in bringing cybersecurity knowledge to the population, raising their awareness and protecting the population from cyber threats.
The role of the library as a public service institution in ensuring cybersecurity could be to create opportunities and conditions for users to get the necessary materials safely while maintaining their privacy and confidentiality.The role of a librarian in ensuring information security and cyber protection is to be aware, to act responsibly, to be helpful when library users need help, and to use the equipment and equipment entrusted to them for the intended purpose.Self-improvement is extremely necessary.It is important to realise that if librarians see a place of risk, they inform the relevant people in the institution, and do not look away.They can raise their awareness through training, and reading relevant literature.Since complete privacy and user security cannot be guaranteed in an online information environment, one of the most important tasks of librarians is to ensure that users are provided with adequate information and understanding of threats to their privacy and security online and how to protect themselves from that.These types of knowledge and skills are important components of digital literacy, which is reflected in the ability to use information and communication technologies to find, evaluate, create and communicate information.It requires both cognitive and technical skills.
The survey conducted among librarians in the Baltic countries was based on a methodology that has gained wide recognition in the world, where an information security questionnaire based on the KAB model (Human Aspects of Information Security Questionnaire -HAIS-Q) was conceptualised to measure the relationship between three variables (knowledge, attitudes and behaviour).The questionnaire consisted of 63 questions and was adapted perfectly for libraries.
One of the great positive aspects of the HAIS-Q survey is that if a person has not previously paid much attention to cybersecurity threats in the context of libraries, the questions force the respondent to think about these important and topical issues.Thus, answering the questionnaire alone can increase the cyber awareness of library staff.Increasing knowledge, however, is known to improve attitudes, which results in better information security behaviour.
The respondents in all three Baltic countries are characterised by the fact that the majority of employees are aged 51-60.This indicator would need further investigation because there are significantly fewer workers in the previous and subsequent age groups.It is also common that there were most respondents with less than five years of work experience.The results of the survey revealed that the information security awareness of Estonian library staff is better than their Latvian and Lithuanian colleagues.This may be due to the fact that 62 per cent of Estonian library employees have participated in cybersecurity training, while in Latvia and Lithuania, the percentage of those who have participated in the training is only 43% and 40%, respectively.The desire to participate in the training is highest in Lithuania, followed by Latvia and Estonia.Probably, a large part of the applicants in Estonia have already been able to complete cyber training.
Both the average scores and the mean of the scores showed that Estonian librarians' knowledge, attitudes and behaviour in the field of information security are stronger than those of their Latvian and Lithuanian colleagues.At the same time, in all three Baltic countries, librarians' strongest point is their behaviour.This shows that although there may have been little training and the attitude may be repulsive, instinctively one still behaves correctly.This does not support Siponen et al. (2007) and Workman et al. (2008) evidence that individuals who have the necessary information security knowledge and skills may not be able to effectively apply them in their daily work routine.On the other hand, if there were more cybersecurity training, knowledge would increase, attitudes would also improve, and thus their information security behaviour would improve even more.It would be especially necessary to raise awareness in the use of devices.Currently, this focus area shows the lowest awareness among the library staff of all three Baltic countries.The focus area of email use also needs raising of awareness, and in the case of Latvia and Lithuania, prevention and handling of cases is also necessary.
Further recommendations for policy makers, local governments and library management would be to realise that the cyber awareness of library staff is a key issue for the country.All libraries, but especially public libraries, stand on the front line of the information war.Every ordinary citizen who wants it or who, in the opinion of a library employee, needs it, must receive cyber defence training from libraries.Libraries play an important and active role in disseminating information about specific threats to the country's citizens (for example, cyber awareness campaigns, but also crisis management campaigns, etc.).The ever-widening gap between those who have digital literacy and those who do not, and are therefore unable to protect themselves online, further emphasises the role of libraries in closing this gap.Libraries are not only cultural centres but also regional community centres where residents can receive free digital and cyber literacy training.The library is the heart of the community, and people come there willingly.A librarian should be an educator and a leader in the basics of cyber awareness.

Figure 1 .
Figure 1.The overview of Estonian, Latvian and Lithuanian everyday Internet users according to the Eurobarometer statistics

Figure 3 .Figure 4 .
Figure 3. Distribution of respondents by years worked in the library

Figure 6 .
Figure 6.Average scores for focus areas

Table 2 .
Demographic distribution of respondents by sex

Table 3 .
Pearson Correlation for Knowledge, Attitude and Behaviour

Table 4 .
Descriptive statistics of knowledge-attitude-behaviour components

Table 5 .
Descriptive statistics of components of focus areas

LITHUANIA Password management Email use Internet use Social media use Use of devices Information handling Incidents preventing and handling Mean 30.566 27.979 28.987 29.042 27.103 29.939 27.591
. The mean scores of Latvian librarians' answers by focus areas show the highest awareness also in information handling (30.14), password management (29.88),Internet use (29.27) and social media use (29.0).Use of devices (26.4) show quite low awareness.The mean scores of Lithuanian librarians' answers by focus areas show the highest awareness in password management (30.56) and the lowest awareness in use of devices (27.10).Some comments from respondents: It's not my job to complain about others, the IT department has anyway made multiple downloads and program installs impossible.If the link sent is familiar to me, my colleague and I have talked about forwarding it in advance, etc., it is safe to open it.But about the strange link that comes from familiar sender with no comment, I've asked a few times using other communication channels, so far they've been safe too.I have not received separate cybersecurity training from my employer every year.I got some instructions only when I came to work and the rest is what I learned/previous experience.