Article

The Human Factor: Assessing Ransomware Vulnerability in Developing Nations’ Governments

by Paúl B. Vásquez-Méndez 1, Diana Carolina Arce Cuesta 2,* and Jorge Luis Zambrano-Martinez 3
1 Postgraduate Department, Universidad Politécnica Salesiana, Cuenca 010114, Ecuador
2 LabGIT Group, Universidad Politécnica Salesiana, Cuenca 010104, Ecuador
3 Department of Computer Science Engineering, Universidad del Azuay, Cuenca 010104, Ecuador
* Author to whom correspondence should be addressed.
Information 2026, 17(2), 211; https://doi.org/10.3390/info17020211
Submission received: 15 December 2025 / Revised: 1 February 2026 / Accepted: 11 February 2026 / Published: 19 February 2026

Abstract

Ransomware represents a critical and escalating threat to public institutions in developing nations, where cybersecurity is often underprioritized. While technical vulnerabilities are significant, this study investigates the under-explored socio-organizational dimensions of cyber resilience within Latin American local governments. Employing a qualitative exploratory approach, the research draws on semi-structured interviews with IT officials from Ecuadorian municipalities. The data were analyzed using Braun and Clarke’s thematic framework, applying a hybrid coding strategy that integrated deductive categories (institutional, human, technological) with inductive themes. The findings identify key vulnerability factors, including low risk perception among personnel, insufficient training, a lack of formal security policies, and weak regulatory enforcement. These human and institutional shortcomings often outweigh purely technological weaknesses, with social engineering serving as a predominant attack vector. Despite these challenges, the study also uncovers emergent resilience practices, including internal security committees, micro-training routines, AI-supported filtering, and informal troubleshooting networks. This research provides empirical evidence from a critically understudied context, underscoring the imperative for human-centric and context-sensitive cybersecurity strategies in the public sector. The conclusions establish a foundational understanding for developing adaptive security models, including future AI-driven solutions, tailored to the operational realities of developing nations. The study offers practical insights for policymakers and institutions aiming to bolster holistic cyber defense capabilities that address both human and technical factors.

1. Introduction

Today, cybercrime extends beyond mere technical threats; it frequently exploits the human element. Social engineering techniques, including phishing, deceive individuals into compromising their own systems, thereby increasing the effectiveness and prevalence of such attacks. It is estimated that over 90% of cyberattacks rely on social engineering to circumvent security defenses, rather than solely on technical vulnerabilities [1].
Ransomware persistently represents a significant and evolving threat to public sector organizations, particularly as cyberattacks targeting their digital infrastructure grow more sophisticated. A recent study [2] specifically investigated Clop ransomware and emphasized that Active Directory administrator accounts are often primary vectors for exploitation, especially within non-IT environments, leading to considerable operational disruptions. By concentrating on the socio-organizational aspects of vulnerability and resilience, this article investigates the nexus between human behavior and institutional procedures, along with their influence on municipal susceptibility to ransomware and socially engineered attacks. A rapid literature review published in [3] indicates that cybercrime mitigation within e-government services predominantly emphasizes technical and managerial considerations, while often overlooking behavioral aspects. This oversight highlights the necessity of adopting a socio-organizational perspective to formulate comprehensive and contextually suitable cybersecurity strategies.
Ransomware has emerged as one of the most disruptive forms of cybercrime, with a growing impact across diverse sectors and regions [4]. While considerable attention has been directed towards its effects on critical infrastructure and private corporations [5], public institutions, particularly in developing nations, have become increasingly vulnerable targets [6]. A substantial proportion of local governments, in particular, frequently lack the technical, financial, and human resources required to effectively counteract sophisticated social engineering tactics that often serve as entry points for ransomware attacks [7].
In this context, the human factor manifests as both a significant vulnerability and a potential source of resilience. The awareness, attitudes, and behaviors of public officials are pivotal in determining how institutions address threats [8]. Nevertheless, numerous cybersecurity strategies within the public sector persist in prioritizing technological solutions, thereby neglecting the socio-organizational dynamics that impact actual vulnerabilities [9].
While recent studies have underscored the importance of human-centered and context-aware approaches [10], there remains limited empirical evidence exploring these dimensions within the local governments of developing nations [11]. This research aims to bridge this gap by analyzing the perceptions and experiences of cybersecurity professionals in Ecuadorian municipalities, with the objective of identifying patterns of human vulnerability and institutional resilience in response to ransomware threats.
Within this context, empirical knowledge on cyber risk in the public sector is limited, making it difficult to design effective and sustainable local policies. This gap is revealed in the interaction between human, institutional, and technological factors that determine exposure to ransomware in local governments (Figure 1). This socio-technical perspective aligns with recent work by Vestad [7], which argues that sustainable cybersecurity requires integrating technology, people, and organizational frameworks beyond mere regulatory compliance.
Furthermore, Mushtaq and Shah [9] demonstrate that numerous e-Government initiatives undervalue behavioral factors; by contrast, our model emphasizes the human element as a dual core: a source of vulnerability and a catalyst for resilience.
In accordance with the framework proposed by Safitra [12], which integrates technology, processes, and human factors to enhance resilience and adaptability to threats, the “Emergent Resilience” section of the diagram emphasizes the significance of informal practices, engagement, and contextual knowledge as essential components in addressing cyber crises.
This study aims to identify and understand the contextual factors contributing to unequal exposure to ransomware within local governments, as well as the organizational conditions that either facilitate or hinder the development of institutional resilience against such threats.
To accomplish this objective, the research seeks to address the following questions.
  • RQ1. What are the most common human vulnerabilities to ransomware generated by social engineering techniques in local governments?
  • RQ2. Which human vulnerabilities to ransomware attacks generated by social engineering techniques generate the greatest negative impact on local governments? And how?
  • RQ3. What solutions exist to manage human vulnerabilities to ransomware attacks generated by social engineering techniques?
  • RQ4. How can Artificial Intelligence help reduce human vulnerabilities to ransomware generated by social engineering techniques in local governments?
These research questions serve as the analytical backbone of this study, linking the objectives, methodological design, and interpretation of findings. Each subsequent section systematically addresses one or more of these questions to ensure conceptual coherence between the problem statement, data analysis, and conclusions.
The remainder of this article is organized as follows. Section 2 reviews related works on ransomware, cybersecurity resilience, and socio-technical approaches. Section 3 describes the research methodology, including the interview design and the weighted average model. Section 4 presents the results of the thematic analysis, supported by quotes from local government officials. Section 5 discusses the findings in relation to existing literature and highlights the methodological contribution. Section 6 concludes the paper with implications for policy and practice, as well as directions for future research.

2. Related Works

Ransomware has emerged as one of the most persistent and disruptive cyber threats over the past decade [13], impacting both private and public institutions [14]. Its technological advancements, coupled with the strategic deployment of social engineering techniques, have enhanced its ability to penetrate systems, especially in environments where organizational and human defenses are deficient [15]. Although cybersecurity scholarship has extensively examined critical sectors such as finance and healthcare, the domain of local government, particularly in developing nations, remains understudied. Hossain and colleagues [4] emphasize that “very little research on cybersecurity issues from the local government perspective” exists, and that information concerning the complex and multifaceted nature of municipal cybersecurity is “scattered and fragmented”.
Numerous studies highlight the fact that cyber resilience cannot be comprehensively understood solely from a technological perspective [16]. “Cybersecurity has traditionally been regarded as a technological challenge; however, increasing evidence underscores the vital importance of human behavior, decision-making, and organizational culture. The IEEE-supported study [17] emphasizes how these human factors, particularly in the context of insider threats, are central to understanding and mitigating cybersecurity risks.” Human-related factors such as risk awareness, daily practices, institutional perceptions, and organizational culture play a decisive role in the capacity to respond to cyber incidents [18]. In municipal settings, where organizational structures tend to be more streamlined and resources more limited, these factors become even more critical [19]. Recent work by [7,12] highlights the importance of socio-technical approaches in understanding how dynamics of vulnerability or resilience emerge in response to threats such as ransomware.
The literature further indicates a persistent disparity between developed and developing nations in cybersecurity capabilities, regulatory frameworks, organizational culture, and incident reporting [20]. The Global Cybersecurity Index 2024 highlights a notable cyber capacity gap among numerous countries, acknowledging that although efforts are underway to bolster cybersecurity, these nations face significant resource limitations [20]. Similarly, research on the digital divide highlights that disparities in developmental progress hinder effective threat mitigation, with less developed countries facing distinct cybersecurity challenges [21]. Mugari and Kunambura [22] argue that, in African nations, diminished levels of formal digitalization do not necessarily denote reduced exposure; rather, they indicate decreased visibility of cyberattacks. Although these insights are valuable, the institutional and human factors influencing ransomware exposure variability are insufficiently analyzed empirically, especially at the local government level. As Harry [23] notes, researchers have identified a widespread deficiency in cybersecurity preparedness, awareness, training, and adequate funding within local government contexts; nonetheless, empirical investigations into these institutional and human factors remain notably limited. This survey uncovers ongoing deficiencies, including the underrepresentation of marginalized communities, limited investigation into non-digital social engineering, and unresolved ethical issues associated with AI-driven cybersecurity tools. Furthermore, current frameworks frequently lack a standardized, practical approach for evaluating cybersecurity culture [16].
This limitation underscores the importance of employing qualitative methodologies to investigate institutional perceptions, behaviors, and capabilities within real-world contexts. Consequently, the current study aims to address this gap through a thematic analysis of interviews with cybersecurity professionals from Ecuadorian local governments, with the objective of identifying the human, institutional, and technological factors influencing exposure to ransomware and examining the conditions that either reinforce or weaken organizational resilience.
Compared to existing studies, prior research on ransomware and human factors has predominantly relied on large-scale surveys, experimental phishing simulations, or quantitative risk models. While these approaches provide statistical generalizability, they often lack the contextual depth required to understand organizational and behavioral dynamics within local governments. In contrast, the present study adopts a qualitative expert-driven methodology, prioritizing interpretative depth over sample breadth. This design complements prior quantitative work by offering insight into decision-making practices, institutional constraints, and human vulnerabilities that are difficult to capture through large-N approaches.

3. Materials and Methods

This study employs a qualitative methodology rooted in Braun and Clarke’s thematic analysis. Semi-structured interviews were conducted with key stakeholders within local governments. The data were transcribed and systematically coded, adhering to the six phases outlined by the authors: familiarization, generation of initial codes, theme search, theme review, definition and naming, and report writing. This process facilitates the identification of patterns and categories that accurately reflect perceptions of cybersecurity risks and practices within the studied context. The results are compared with relevant regulatory frameworks and international best practices to validate the final proposal.
The data were transcribed verbatim and subsequently analyzed utilizing ATLAS.ti (version 23), a qualitative analysis software that facilitated systematic coding, categorization, and visualization of emerging patterns. The analytical procedure adhered to Braun and Clarke’s six-phase thematic analysis framework, encompassing familiarization with the data, generation of initial codes, theme search, theme review, theme definition and naming, and report composition. The use of ATLAS.ti facilitated the development of a systematic codebook aligned with the tripartite conceptual model of human, institutional, and technological factors, thereby guaranteeing analytical consistency and traceability throughout the research process.

3.1. Study Design

Our research utilizes an exploratory qualitative methodology to thoroughly examine the human, institutional, and technological factors that influence ransomware susceptibility within local government entities in a developing country. Considering the emphasis on organizational dynamics, individual perceptions, and particular sociopolitical contexts, semi-structured interviews were conducted to obtain comprehensive insights into the experiences and viewpoints of cybersecurity professionals at the municipal level.
The choice of a qualitative research methodology is substantiated by previous studies that have investigated similar contexts. For example, in a study of resource-limited Norwegian municipalities, the exploratory approach enabled a comprehensive examination of how structure, personnel, and technology work together to enhance cybersecurity resilience from a sociotechnical perspective [7].
Furthermore, systematic review studies have demonstrated that cybersecurity information within local governments is limited and fragmented, underscoring the importance of investigating this context through empirical research [4]. Additionally, preliminary literature reviews suggest that cybercrime strategies implemented within e-government services generally focus on technical aspects, while organizational and human factors, which are crucial to our approach, remain ignored [9].
The study design is positioned within a predominantly inductive framework characteristic of the qualitative approach; however, it also incorporates a deductive component through a tripartite conceptual model (human, institutional, and technological), thereby enabling the exploration of reality on a solid, reasoned empirical basis.

3.2. Participants and Context

The research was conducted within the framework of local governments in Ecuador, specifically at the cantonal level. Participants were chosen in accordance with their roles pertaining to technical and strategic responsibilities related to information technology, cybersecurity, or digital transformation. The profiles included information security officers, technology directors, infrastructure coordinators, and systems specialists.
The selection process employed purposive sampling, prioritizing individuals with demonstrable experience in incident management, technology policy development, or cyber-risk assessment. A total of ten professionals from municipalities across the Coast, Sierra, and Amazon regions participated, thereby ensuring substantial territorial diversity and aggregating both technical and organizational insights pertinent to the study.
It is important to clarify that the qualitative thematic analysis strictly relied on interviews with ten expert participants occupying technical and strategic roles in municipal cybersecurity. The inclusion of non-technical end users was designed as a complementary component for triangulation purposes and was not part of the formal thematic coding process.
The sample size was determined through an iterative process rather than solely relying on statistical representativeness. Following multiple rounds of interview coding and review, it was observed that further interviews predominantly produced redundant information and did not contribute significantly to new thematic codes. This operational saturation, in conjunction with the high level of domain expertise among informants, substantiates the adequacy of the sample according to contemporary qualitative standards, where depth and relevance of cases can justify a smaller yet analytically comprehensive dataset.
The procedure followed is summarized in Figure 2, which schematically presents the methodological design adopted in this research.
To enhance robustness and credibility, the qualitative findings were fortified through the implementation of methodological safeguards, including transparent coding procedures, triangulation with documentary sources, and inter-coder verification. All fieldwork adhered to standard ethical protocols, including informed consent and data protection measures. Limitations regarding statistical generalizability are acknowledged, and it is recommended that larger-scale quantitative validation be conducted as a follow-up to further extend and test these findings.
The institutional context is characterized by limited budgets, fragile governance frameworks, and emerging levels of cybersecurity maturity. This aligns with evidence indicating that numerous local governments lack comprehensive regulatory frameworks consistent with standards such as NIST, thereby resulting in substantial operational deficiencies in addressing cyber threats [4].
According to Hossain et al. [4], local governments face increased risks due to emerging digitalization when there is a lack of comprehensive regulatory or technical support.
Conversely, risk management within public environments necessitates a systemic approach that accounts for resources, processes, and human capabilities, as demonstrated by studies on digital governance in municipalities with budgetary constraints [24].

3.3. Data Collection Instrument

A semi-structured interview guide, specifically developed to investigate ransomware exposure from human, institutional, and technological perspectives, was employed for data collection. The instrument was organized into three thematic sections: (1) perception and awareness of cyber risks, (2) organizational capabilities in responding to incidents, and (3) prior experiences and institutional responses to similar attacks or threats.
Each block consisted of open-ended questions intended to encourage participant reflection, accompanied by subsidiary questions that sought to extract detailed contextual or technical information from respondents.
The instrument underwent peer review by experts in cybersecurity and public administration and was piloted through two preliminary interviews to ensure semantic clarity and thematic relevance. The interviews were conducted virtually via Zoom and recorded with prior informed consent using a secure, access-controlled storage environment exclusively for verbatim transcription. No material was ever uploaded to public platforms.

3.4. Interview Protocol and Ethical Considerations

Table 1 delineates the positions of the informants interviewed, who represent various municipalities, including individuals with high-level responsibilities in national digital governance of Ecuador.
The fieldwork was conducted in June and July 2025. Participants were initially identified and contacted through electronic mail and institutional correspondence, which encompassed an invitation letter outlining the objectives of the study, emphasizing the voluntary aspect of participation, and delineating confidentiality commitments.
The interviews were conducted remotely via Zoom. Each session lasted approximately 30 to 50 min and was recorded with the participant’s explicit consent. These recordings were subsequently transcribed verbatim for analytical purposes. Throughout the process, ethical principles concerning confidentiality, anonymity, and informed consent were rigorously upheld. Participants’ names and their respective municipalities were coded to ensure anonymity, and all data were securely stored in encrypted digital environments.
The pilot interview was excluded from the final dataset and did not influence the conceptual or operational structure of the instrument.

3.5. Applying a Braun and Clarke Inspired Mixed-Methods Framework

Data analysis was conducted using the thematic analysis technique, following the six-phase approach proposed by Braun and Clarke [25]. This methodology enables the identification, organization, and interpretation of significant patterns in a qualitative dataset. Each stage of the methodological process is described below:
  • Problem delimitation and research questions: Based on a preliminary literature scan and exploratory consultations with subject-matter experts, we defined the study boundaries and formulated specific research questions focused on ransomware vulnerability in local governments. These decisions guided the scope of the interview and the selection criteria for participants.
  • Interview instrument design (semi-structured): A semi-structured interview guide was developed, aligned with the study objectives, and included items designed to probe human, institutional, and technical dimensions. The guide comprised opening prompts, thematic blocks, and follow-up probes, and was reviewed by two colleagues to ensure clarity and coverage.
  • Exploratory literature review: A targeted search of academic and technical sources was conducted to contextualize the research questions and to operationalize key indicators (e.g., phishing metrics, technical controls, institutional maturity). Outcomes from this review informed both the interview guide and the conceptual framework.
  • Validation and pilot testing: Before commencing fieldwork, the guide underwent a pilot test that included a mock interview with an IT director from a municipal public entity. The feedback from this pilot test was used to refine the wording, the sequence of questions, and the estimated duration. In addition, the pilot test served to verify the consent and remote recording procedures.
  • Participant selection: Purposive sampling was utilized to recruit professionals possessing experience in incident management, technology policy, or cyber-risk assessment. Recruitment and invitations were documented through institutional email correspondence; the roles and origins of participants are summarized in Table 1.
  • Interview conduct and transcription: Interviews were conducted remotely via Zoom, lasting between 30 and 50 min, and were recorded with explicit consent and transcribed verbatim. Transcripts were anonymized by coding participant and municipality information and securely stored in encrypted repositories in accordance with approved ethical protocols.
  • Coding and thematic analysis: The analysis adhered to Braun and Clarke’s six-phase framework: (1) familiarization through iterative reading, (2) generation of initial codes, (3) searching for themes, (4) reviewing themes, (5) defining and naming themes, and (6) producing the report. Coding was conducted independently by two coders; any discrepancies were resolved through discussion and the use of analytical memos. Thematic saturation was evaluated iteratively and was considered achieved when two consecutive interviews produced no significant new codes.

3.6. Integration of a Complementary Quantitative Component

To complement the qualitative design, an exploratory quantitative formulation was incorporated. Based on the frequency and salience of thematic categories, a weighted average model was constructed to represent the relative contribution of human (Fh), institutional (Fi), and technological (Ft) factors to ransomware exposure.
This integration follows a mixed methods logic of “quantitizing” qualitative data, transforming coded insights into proportional weights to facilitate conceptual synthesis without altering the interpretive foundation of the study.

3.7. Ethical Statement

This research was conducted in accordance with the ethical principles governing studies involving human participants. All interviewees were informed of the study’s objectives, the voluntary nature of their participation, and the confidentiality of the information they provided.
Informed consent was secured from each participant prior to conducting the interviews, either in written form or through verbal recording, depending on the employed method. The collected data were anonymized and encrypted to safeguard the identities of the informants and stored in secure digital environments accessible solely to the research team.

3.8. Expanded Methodological Approach and Integration of End-User Data

To strengthen the empirical robustness of the study and gain a more comprehensive understanding of human exposure to ransomware, the research design was expanded to incorporate the perspectives of end users (non-technical users), alongside the qualitative information previously collected from technical and managerial staff. This enhancement addresses the recognized need to analyze the behaviors and perceptions of municipal employees, who frequently constitute the initial attack vector exploited in ransomware incidents.
In addition to semi-structured interviews, a structured instrument was administered to 30 municipal employees (excluding technology users) from various administrative roles. The survey included questions about digital security practices, password management, email verification, prior exposure to security incidents, organizational culture, and ransomware risk perception. These questions aligned with the thematic dimensions explored in the qualitative phase, facilitating methodological integration and comparative analysis.
The incorporation of this quantitative component enabled the adoption of a mixed-methods explanatory approach, in which qualitative findings provided the conceptual foundation and quantitative data offered empirical validation. To consolidate both perspectives, a triangulation procedure was implemented, allowing identification of convergences, such as the centrality of human error, insufficient training, and structural inequalities among municipalities, and divergences, such as differences in perceived risk severity and inconsistencies between self-reported awareness and actual behavior.
This methodological separation prevents the conflation of expert analytical perspectives with user-level experiences and aligns the qualitative design with established thematic analysis practices. This complementary component was intentionally designed to address concerns frequently raised in the literature regarding the role of non-technical users as primary ransomware entry points, while preserving the methodological rigor of the qualitative thematic analysis.

4. Results of the Thematic Analysis on Ransomware Vulnerability

It is important to clarify that the qualitative thematic analysis presented in Sections 4.1–4.10 is based exclusively on interviews with ten expert participants (directors, coordinators, and information security specialists). This expert-focused corpus was intentionally selected to ensure analytical depth, interpretative consistency, and methodological rigor. Data collected from 30 non-technical municipal employees were obtained through a separate process and were used solely for triangulation and contextual validation, rather than for primary thematic extraction.
The analysis conformed to the six-phase framework proposed by Braun and Clarke, which enabled the identification of recurring patterns and the classification of results into six principal categories: ransomware perception; human factors and social engineering; training and organizational culture; structural limitations of local governments; resilience mechanisms; and future perspectives.
Before presenting the thematic narratives, Table 2 summarizes the six thematic categories identified through the analysis, together with their key findings and representative quotations. Subsequently, Table 3 provides explicit traceability between coded segments, thematic categories, and participant coverage, showing analytical density and recurrence between participants to ensure that the results are grounded in repeated patterns rather than isolated statements.
Sections 4.1–4.10 report exclusively the results of this qualitative thematic analysis based on ten expert participants, as described in Table 1. The interviews conducted with thirty non-technical municipal employees were analyzed separately and are incorporated only for triangulation purposes, which are presented in Section 4.11. These end-user data were not subjected to thematic coding and do not alter the qualitative results reported in this section.
The presentation of results is organized in accordance with the four research questions introduced in Section 1. Sections 4.1–4.6 address RQ1–RQ3 by evaluating the most prevalent human vulnerabilities to ransomware, their implications for municipal operations, and the strategies presently implemented to mitigate these risks. Sections 4.9 and 4.10 concentrate on RQ4, examining how Artificial Intelligence can assist in mitigating human vulnerabilities and fortifying institutional resilience via predictive and adaptive mechanisms. Collectively, these aspects offer a comprehensive view of human vulnerability to ransomware attacks and the development of emerging strategies to improve cybersecurity within municipal contexts.

4.1. Perception of Ransomware in Local Governments

The interviewees consistently characterized ransomware as one of the most significant threats confronting local governments, emphasizing both its operational and reputational ramifications.
  • “An attack can completely block institutional processes; in some cases, email servers were blacklisted and paralyzed the communication of the entire municipality” (Participant 4—Chief of Information Technology).
  • “The main vulnerability is not technology; it is the people who click on malicious links or install unauthorized programs” (Participant 5—Technology Support Specialist).
  • “Beyond the loss of data, the damage to public trust is severe. Citizens lose confidence when they see their municipality in the news due to cyberattacks” (Participant 10—CEO IT Municipality).

4.2. Social Engineering and Human Factors

Social engineering emerged as the most common attack vector, particularly through phishing.
  • “We receive at least three or four phishing attempts per week; unfortunately, some employees still fall for them” (Participant 8—Chief of Technological Innovation).
  • “Even with awareness campaigns, weak passwords persist: dates of birth, children’s names, things like that” (Participant 7—Computer Security Specialist).
  • “There are still cases where officials share accounts and passwords among themselves, which opens the door to greater risks” (Participant 2—Software Security Specialist).

4.3. Training and Organizational Culture

Capacity building efforts were considered a key line of defense, though interviewees agreed they remain fragmented and inconsistent.
  • “We have started cyber hygiene training with international support; we send email capsules with good practices” (Participant 10—CEO IT Municipality).
  • “We are implementing phishing simulations so that employees can learn to identify fake messages” (Participant 2—Software Security Specialist).
  • “In my institution, password changes are mandatory and we have carried out awareness talks, but we need continuity” (Participant 4—Chief of Information Technology).

4.4. Local Governments and Structural Limitations

Interviewees from larger municipalities reported the use of more advanced monitoring tools (e.g., automated log analysis, centralized dashboards), whereas smaller municipalities rely predominantly on national platforms or complementary detection services provided by third parties.
The interviews highlighted significant disparities between large and small municipalities in terms of resources and technological capacity.
  • “Large municipalities can invest in artificial intelligence tools, but smaller ones can barely afford a basic antivirus” (Participant 5—Technology Support Specialist).
  • “Bureaucracy delays the purchase of software licenses; many times we are forced to rely on free tools” (Participant 7—Computer Security Specialist).
  • “We depend heavily on national entities such as MINTEL for support; alone, it is very difficult to implement adequate protection” (Participant 8—Chief of Technological Innovation).

4.5. Resilience and Incident Response

Despite limitations, several municipalities reported initiatives that demonstrate an emerging culture of resilience.
  • “We created a Security Committee to address these issues with the highest authorities” (Participant 7—Computer Security Specialist).
  • “We use spam filters with artificial intelligence to block malicious emails” (Participant 8—Chief of Technological Innovation).
  • “Every week we remind staff about the importance of changing passwords and reporting suspicious messages” (Participant 5—Technology Support Specialist).
  • “We are piloting anomaly detection with AI to prevent unauthorized access” (Participant 2—Software Security Specialist).
Across municipalities, several emergent resilience practices were consistently reported. These include: (a) the creation of internal Security Committees that escalate cybersecurity incidents to senior authorities; (b) the institutionalization of weekly reminders, phishing simulations, and basic cyber hygiene routines; (c) the adoption of AI-based spam filtering and anomaly detection tools even in resource-constrained settings; and (d) the consolidation of informal troubleshooting networks where technically skilled staff share knowledge across departments. These practices demonstrate that resilience is not exclusively dependent on technological capacity but can also emerge from human engagement and local improvisation.
Several participants indicated emerging use of AI-assisted tools, primarily in the form of spam filtering, anomaly detection, and automated alerts integrated into institutional email gateways.

4.6. Vision for the Future

When asked about the future, the majority of respondents identified artificial intelligence as a pivotal instrument in municipal cybersecurity.
  • “Artificial intelligence will help us detect unusual behaviors before an attack happens” (Participant 10—CEO IT Municipality).
  • “I believe that training should be personalized with AI support; each employee has a different risk profile” (Participant 7—Computer Security Specialist).
  • “Continuous monitoring with AI will be the only way to anticipate ransomware attacks in the coming years” (Participant 4—Chief of Information Technology).

4.7. Salient Concepts of Ransomware Vulnerability in Local Governments

During the analysis phase, ATLAS.ti generated a word cloud based on the interview corpus, as illustrated in Figure 3. To improve clarity, frequently occurring structural terms such as “municipality”, “officials”, and “system” were incorporated into the stop word list so that the visualization would highlight conceptually meaningful patterns rather than generic contextual vocabulary.
Beyond showing word frequency, the cloud reveals how interviewees cognitively frame ransomware exposure. The most salient terms (ransomware, attack, phishing, passwords, institutional, processes, and trust) appear prominently because they were consistently repeated across multiple participants. Their prominence reflects a clear interpretive pattern: respondents perceive ransomware not as an isolated technical event but as the result of intertwined human and institutional weaknesses.
Human-related terms such as passwords, emails, phishing, spam, and malicious align with the vulnerabilities discussed in Sections 4.2 and 4.3, highlighting weak cyber hygiene, susceptibility to social engineering, and inconsistent awareness practices. Likewise, institutional terms (processes, public, committee, and trust) correspond directly to the organizational constraints and governance limitations described in Sections 4.4 and 4.5, indicating that officials consider structural factors to be integral components of their exposure.
A third cluster of terms, including AI, simulations, monitoring, and support, illustrates that discussions about vulnerabilities frequently coexist with references to emergent resilience practices. This pattern reinforces the dual finding of this study: although human error remains the primary vulnerability vector, municipalities are beginning to adopt procedural reforms and AI-enabled monitoring tools to strengthen their defenses.
Overall, Figure 3 does more than visualize repeated words: it corroborates the thematic structure identified in the qualitative analysis. The distribution of terms confirms that municipal cybersecurity perceptions are shaped by the interaction of human, institutional, and technological dimensions, thereby reinforcing the broader analytical narrative of this study.

4.8. Pareto Analysis of Interview Keywords—Prioritizing Human Risk Factors for Ransomware

Figure 4 presents a Pareto analysis of the interview keywords, where the bars represent absolute frequencies and the red line illustrates the cumulative percentage. The six dominant terms—Ransomware (76), Phishing (25), Weak Passwords (13), Spam (11), Resilience (11), and Ecuador (10)—collectively exceed 80% of all coded mentions, evidencing that a small set of concepts concentrates the majority of the discourse.
It is worth noting that only the term “ransomware” appears above the dashed reference line of approximately 80%. This result does not imply that the threshold is too high; rather, it reflects the overwhelming prominence of ransomware as a central concept organizing participants’ narratives. Since the remaining terms represent secondary but complementary aspects, such as entry vectors (phishing), human weaknesses (passwords), and contextual constraints (institutional resilience), their frequencies are naturally lower and thus fall below the high consensus threshold.
The approximately 80% threshold serves as an analytical reference point to distinguish concepts that generate very strong consensus from those that, while relevant, do not dominate the discourse with the same intensity. In qualitative risk analysis, these high thresholds help identify the most relevant factors perceived by stakeholders, which in this case indicates that ransomware overwhelmingly influences the way municipal officials conceptualize cyber risk.
The Pareto curve reinforces the principle that a limited number of factors drive most vulnerability perceptions. Practically, this supports prioritizing resources toward the small set of themes with the largest relative impact: AI-assisted detection mechanisms, targeted anti-phishing strategies, and improved password management policies.
Overall, the chart quantitatively substantiates the qualitative finding that ransomware functions as the primary cognitive and operational concern among local government IT officials, whereas the remaining high-frequency terms represent the underlying human and institutional contributors to exposure.
Table 2 reinforces the patterns delineated in Section 4, emphasizing ransomware as a prominent threat, the persistent presence of human vulnerabilities such as phishing and weak passwords, the fragmented status of cybersecurity training, the structural disparities between large and small municipalities, the emerging resilience strategies, and the elevated expectations attributed to artificial intelligence as a crucial component for future prevention.
The categories, findings, and quotations presented in Table 2 were derived through the six-step thematic analysis described in Section 3. After transcribing the interviews, all statements were coded in ATLAS.ti, generating an initial set of semantic and latent codes. These codes were iteratively grouped into broader themes during the theme-search and theme-review phases. For each theme, the research team synthesized the meaning of the underlying coded segments into a concise key finding. Representative quotations were selected based on their clarity in illustrating the core idea of the theme and their recurrence across multiple interviewees, ensuring they reflected shared perceptions rather than isolated comments. Thus, Table 2 constitutes a structured synthesis of the qualitative evidence rather than a numerical calculation, summarizing how repeated patterns in the data were organized into coherent thematic categories.

4.9. A Weighted Average Model for Cyber Exposure

The incorporation of a weighted average model within this study functions as an exploratory quantitative supplement to the thematic analysis. While the primary methodology was based on semi-structured interviews and Braun and Clarke’s qualitative framework, the identification of three predominant dimensions (human, institutional, and technological) prompted the development of an integrative index. The aim of this formulation is not to supplant qualitative evidence but to synthesize it into a singular, interpretable indicator of exposure that reflects the relative significance attributed by interviewees to each dimension.
The values of the human factor ($F_h$), institutional factor ($F_i$), and technological factor ($F_t$) used in Equation (1) were derived directly from the thematic coding process conducted in ATLAS.ti. After completing the six phases of Braun and Clarke’s thematic analysis, each coded segment was assigned to one of the three dimensions of the conceptual model.
For each dimension, we calculated the proportion of coded segments associated with that category relative to the total number of analytical codes generated in the dataset. For instance, all coded references linked to weak password practices, phishing susceptibility, risk perception, and unsafe behaviors were grouped under the human factor ($F_h$). Codes related to governance, policies, training continuity, and organizational processes were grouped under the institutional factor ($F_i$), while codes representing infrastructure obsolescence, detection capabilities, and technological constraints were grouped under the technological factor ($F_t$).
These proportions were then normalized to the interval [0, 1] using a min–max scaling procedure, allowing the three dimensions to be comparable and suitable for integration in the weighted average model. The resulting normalized values represent the relative prominence of each dimension in the interview data, based on the frequency and salience of coded segments associated with each factor.
Thus, $F_h$, $F_i$, and $F_t$ are not arbitrary values, but reflect the empirical distribution of human, institutional, and technology-related vulnerabilities as expressed by the interviewees. Their normalized proportions provide the basis for the composite exposure index presented in Equation (1).
Accordingly, the study employs the weighted average technique, a standard method for constructing composite indices, which is adapted herein to assess the vulnerability of local governments to ransomware. The resulting Cyber Exposure Index ($E$) integrates the three complementary dimensions: the human factor ($F_h$), the institutional factor ($F_i$), and the technological factor ($F_t$), thereby providing a context-specific quantitative representation of the overall exposure, as given in Equation (1):
$$E = \frac{W_h F_h + W_i F_i + W_t F_t}{W_h + W_i + W_t} \qquad (1)$$
where $W_h$, $W_i$, and $W_t$ are the weights assigned to each dimension according to their relative importance. Each component is normalized to [0, 1] prior to aggregation. Interview evidence indicates that human error is the predominant vulnerability in local governments, which motivates assigning a larger weight to $F_h$. Sensitivity analyses on the weights and validation against historical incidents were performed to support threshold selection and operational recommendations.
Each component ($F_h$, $F_i$, $F_t$) was derived from the thematic categories previously identified in the analysis. The human factor ($F_h$) aggregates themes such as weak password practices, low risk awareness, and exposure to phishing; the institutional factor ($F_i$) encompasses governance, policy enforcement, and continuity of training programs; and the technological factor ($F_t$) includes infrastructure obsolescence and detection capabilities. The relative weights ($W_h$, $W_i$, $W_t$) were determined through proportional reasoning based on the frequency and salience of these themes in the coded data. Specifically, human-related codes accounted for approximately 50% of all coded segments, institutional codes for 30%, and technological codes for 20%. These proportions were normalized to produce the final weights applied in the equation ($W_h = 0.5$, $W_i = 0.3$, $W_t = 0.2$), aligning the model’s quantitative structure with the empirical prominence observed in the interviews.
This weighting approach accurately represents the empirical significance and perceived importance of each dimension within participants’ narratives, rather than relying on external presumptions, thereby ensuring that the model remains entirely anchored in qualitative evidence.
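The following added example (not the authors' code) carries Equation (1) through from coded-segment counts to E and then shifts each weight by ±0.1 to show how far E moves. The segment counts are constructed, and applying min–max scaling across the three dimension proportions is an assumption about the procedure, so the output is not meant to reproduce the article's reported value of E.

```python
"""Added example: Cyber Exposure Index E (Equation 1) with a weight-sensitivity check."""

# Weights reported in the article for Equation (1).
ARTICLE_WEIGHTS = {"human": 0.5, "institutional": 0.3, "technological": 0.2}

# Constructed sample input: coded-segment counts per dimension (NOT the study's data).
SAMPLE_CODE_COUNTS = {"human": 50, "institutional": 30, "technological": 20}


def proportions(counts):
    """Share of all coded segments that falls in each dimension."""
    total = sum(counts.values())
    if total <= 0 or any(c < 0 for c in counts.values()):
        raise ValueError("counts must be non-negative with a positive total")
    return {dim: c / total for dim, c in counts.items()}


def min_max(values):
    """Min-max scale to [0, 1].

    Assumption: scaling is applied across the dimension values themselves,
    which maps the largest dimension to 1 and the smallest to 0.
    """
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:  # all dimensions equal: scaling undefined, use mid-scale
        return {dim: 0.5 for dim in values}
    return {dim: (v - lo) / (hi - lo) for dim, v in values.items()}


def exposure_index(factors, weights):
    """Equation (1): E = sum(W_k * F_k) / sum(W_k)."""
    if set(factors) != set(weights):
        raise ValueError("factors and weights must cover the same dimensions")
    if any(not 0.0 <= f <= 1.0 for f in factors.values()):
        raise ValueError("each factor must be normalized to [0, 1]")
    weight_sum = sum(weights.values())
    if any(w < 0 for w in weights.values()) or weight_sum <= 0:
        raise ValueError("weights must be non-negative with a positive sum")
    return sum(weights[d] * factors[d] for d in factors) / weight_sum


def local_weight_sensitivity(factors, weights, delta=0.1):
    """Shift one weight at a time by +/- delta and recompute E.

    Equation (1) divides by the weight sum, so the shifted weights do not
    need to be re-normalized before use.
    """
    results = {}
    for dim in weights:
        for sign in (1, -1):
            shifted = dict(weights)
            shifted[dim] = max(0.0, weights[dim] + sign * delta)
            results[(dim, sign * delta)] = exposure_index(factors, shifted)
    return results


if __name__ == "__main__":
    factors = min_max(proportions(SAMPLE_CODE_COUNTS))
    base = exposure_index(factors, ARTICLE_WEIGHTS)
    print("normalized factors:", {d: round(f, 3) for d, f in factors.items()})
    print("E with article weights:", round(base, 3))
    for (dim, shift), e in sorted(local_weight_sensitivity(factors, ARTICLE_WEIGHTS).items()):
        print(f"  {dim:14s} weight {shift:+.1f} -> E = {e:.3f} ({e - base:+.3f})")
```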

4.10. Weighted Average Model for Ransomware Exposure

Figure 5 illustrates the weighted average model employed in this study. The model synthesizes the human ($F_h$), institutional ($F_i$), and technological ($F_t$) dimensions using designated weights ($W_h$, $W_i$, $W_t$), yielding a composite Exposure Index ($E$). This visualization elucidates how the formulation operationalizes the interaction among the three factors, thereby emphasizing the relative significance of the human dimension.
The composite exposure value (E = 0.63) was obtained by applying the weighted-average formulation described in Equation (1), where the normalized scores of the human, institutional, and technological dimensions were aggregated according to their relative weights derived from the thematic analysis. This result indicates a high overall susceptibility to ransomware across the municipalities analyzed.
The magnitude of E highlights the dominant contribution of the human dimension to overall exposure, corroborating the qualitative evidence that consistently identifies human error, limited cybersecurity awareness, and resistance to digital transformation as primary vulnerabilities. Rather than serving as a statistical test, the Exposure Index functions as an illustrative and integrative mechanism that translates qualitative insights into a structured quantitative representation, supporting theory development and informing future validation efforts.
Accordingly, this metric is exploratory and conceptual in nature, intended as an internal interpretive aid, and is not suitable for benchmarking or direct statistical comparison with external studies.

4.11. Triangulation of Qualitative and Quantitative Findings

To synthesize the perspectives obtained from technical staff and non-technical municipal employees, a triangulation model was developed. This model integrates the main themes of the qualitative analysis with the behavioral patterns identified in the quantitative data, highlighting areas of convergence and divergence that shape human vulnerability to ransomware in local governments.
Figure 6 presents a triangulation model that integrates qualitative insights from IT experts with quantitative evidence from non-technical end users. This visual synthesis operationalizes the three analytical layers of the study: the technical perspective, the end-user perspective, and the interpretive integration, enabling a consolidated view of human exposure to ransomware. The model highlights key convergences such as human error, limited training continuity, and structural inequalities among municipalities, while also revealing divergences in risk perception and self-reported behavioral practices. Together, these complementarities reinforce the mixed-methods contribution of this research.
Table 3 provides an explicit traceability of the qualitative analysis, addressing the relationship between interview data, thematic coding, and the conclusions drawn in this study. The table summarizes the main themes identified through thematic analysis, the key codes associated with each theme, the number of coded segments, and the number of participants in which each theme emerged.
The column “Coded Segments (n)” reflects the analytical density of each theme across the interview corpus, indicating how frequently a given issue recurred in the data rather than relying on isolated statements. In parallel, the number of participants mentioning each theme demonstrates the breadth of agreement among interviewees. Together, these two indicators ensure that the analysis is grounded in recurring patterns shared across multiple participants, reinforcing the robustness of the qualitative findings.
By explicitly linking themes, codes, empirical density, and representative quotations, this table strengthens the analytical transparency of the study and demonstrates how the conclusions regarding human vulnerabilities, institutional gaps, technological limitations, and emergent resilience practices are directly supported by the interview data.

5. Discussion

This discussion is organized in direct relation to the four research questions. The empirical evidence collected through thematic analysis addresses RQ1 and RQ2 by identifying phishing, weak password practices, and limited awareness as the most prevalent human vulnerabilities, with significant operational and reputational impacts. RQ3 is addressed through the emergence of institutional resilience mechanisms such as awareness campaigns, security committees, and procedural reforms. Finally, RQ4 is explored through the integration of Artificial Intelligence as an enabling factor for proactive monitoring, adaptive training, and the design of data-driven mitigation policies.
As evidenced in Table 3, human-related vulnerabilities exhibit the highest analytical density (42 coded segments) and appear in 9 out of 10 expert interviews. This concentration empirically supports the conclusion that human factors constitute the dominant source of ransomware exposure in local governments, rather than being anecdotal or context-specific observations.
The analysis emphasizes ransomware as a significant threat within local governments, with human error acknowledged as the primary vulnerability. This observation corroborates prior research emphasizing the critical role of human factors in cybersecurity. For instance, Khadka and Ullah [16] assert that cybersecurity should no longer be regarded solely as a technological issue, highlighting the critical influence of human behavior, decision-making, and organizational culture. Our research further extends this perspective by providing empirical evidence from municipalities in Ecuador, illustrating how inadequate password practices, susceptibility to phishing, and insufficient awareness initiatives persist in undermining resilience in practical implementations.
Pollini et al. [26] proposed a comprehensive Human Factors framework in which individual, organizational, and technological dimensions collectively influence cybersecurity outcomes. While their findings underscore the importance of organizational culture, our interviews have indicated that institutional policies, in isolation, are insufficient. Respondents noted that written regulations and committees lack effectiveness unless they are supported by consistent awareness initiatives and continuous training. This indicates that culture is not solely a structural determinant; rather, it must be cultivated through sustained human-centered investment.
The literature further documents disparities between developed and developing contexts regarding capabilities, regulatory frameworks, and incident reporting, as noted by the International Telecommunication Union (ITU) [27]. Hossain [4] emphasizes that local governments remain particularly vulnerable due to limited budgets, shortage of specialized personnel, and insufficient prioritization by authorities. Our findings substantiate this perspective: smaller municipalities in Ecuador were heavily dependent on external support and encountered difficulties in implementing fundamental security measures. This exemplifies the paradox identified by Mugari and Kunambura [22] in African contexts: diminished formal digitalization does not necessarily imply reduced exposure, but rather limited visibility of incidents.
In this study, the integration of qualitative and quantitative evidence strengthens these observations and provides a more granular understanding of how such vulnerabilities manifest in day-to-day municipal operations. The triangulated findings show that the human-driven weaknesses reported by technical personnel are not only perceived risks but measurable behaviors among non-technical staff. For example, while IT personnel consistently identified unsafe clicking, password reuse, and credential sharing as recurrent causes of incidents, quantitative data revealed that 33.3% of municipal employees admitted to clicking on unverified links and 26.7% reported sharing their credentials. These patterns empirically confirm that behavioral vulnerabilities are widespread and persist despite existing institutional controls.
The triangulation further illustrates that risk perception is unevenly distributed across the organizational hierarchy. Technical staff described ransomware as a severe and systemic threat, whereas end users perceived it as only moderately concerning. This misalignment between expert assessment and everyday user awareness reflects a critical gap that undermines organizational readiness. While 90% of surveyed users claimed to verify email senders before opening messages, one third still engaged in unsafe clicking behavior, revealing a disconnect between security awareness and actual security practices.
Moreover, both data sources converge in highlighting the weakness of the institutional security culture. Interviewees emphasized that policies and committees have limited impact without continuous human-centered investment, a finding reinforced by quantitative data showing that 67% of users had not received cybersecurity training in the last two years, and that perceptions of policy clarity and IT communication remained moderate. These gaps suggest that municipalities are working within structurally constrained environments where technological solutions alone cannot mitigate risk.
The triangulated model also reinforces the role of inequality in shaping vulnerability. While larger municipalities had access to firewalls, AI-based email filtering, and trained personnel, smaller ones relied on outdated equipment or external support, increasing the reliance on risky behaviors such as accessing systems through personal devices or unsecured networks. Quantitative evidence supports this: 33% of employees reported using personal devices for institutional work, and 93% accessed systems remotely, expanding the attack surface.
Taken together, these integrated findings underscore that vulnerability to ransomware in local governments is fundamentally a human problem, determined by behaviors, perceptions, organizational culture, and structural inequalities.
A limitation of this study is the relatively small number of expert participants (n = 10), which constrains statistical generalization. However, this sample size is consistent with qualitative research practices that prioritize analytical depth and thematic saturation over representativeness. Future research could enhance external validity by extending the study to larger and more diverse samples across regions, combining expert interviews with large-scale surveys of non-technical users or controlled phishing simulations, while preserving the interpretative rigor achieved in this work.

6. Conclusions

The research revealed that susceptibility to ransomware within local governments is not solely attributable to technological deficiencies, but is also significantly influenced by human factors. The interviews revealed that social engineering, inadequate password security, and unsafe operational practices remain primary vectors for attacks, underscoring the need to prioritize training and awareness initiatives as strategic imperatives.
These conclusions are directly supported by the empirical traceability presented in Table 3, which demonstrates that human vulnerabilities recur consistently across the majority of expert interviews and account for the highest proportion of coded qualitative evidence. The expert-based qualitative focus does not exclude non-technical users; rather, it allows their perspectives to be incorporated through triangulation without diluting the analytical coherence of the thematic framework.
The study also provides concrete evidence of emergent resilience practices within Ecuadorian municipalities. These include the establishment of cybersecurity committees, continuous micro-training routines, internal reporting channels for suspicious activity, and the progressive incorporation of AI-assisted monitoring tools. Although informal and unevenly implemented, these practices show that local governments can generate adaptive, human-centered responses to ransomware threats even when technological infrastructure is limited.
The findings also emphasized a notable disparity between large and small municipalities. While certain municipalities are capable of implementing advanced detection and monitoring tools, others depend predominantly on national support or complimentary solutions. AI-supported filtering and anomaly-detection tools were also mentioned as emergent practices, although their adoption remains uneven.
This disparity undermines organizational resilience and underscores the necessity for public policies tailored to enhance municipalities with limited resources. The application of a weighted average to evaluate exposure yielded a more precise depiction of the relative significance of each dimension, assigning greater importance to the human factor in accordance with the collected testimonies. Ultimately, respondents uniformly recognized artificial intelligence as an essential resource for developing digital resilience, both in early anomaly detection and in customizing cybersecurity training.
These findings offer practical implications for local governments in developing contexts, where human-centered investment is as vital as technological acquisition. Simultaneously, this study is constrained by the sample size (10 participants) and its focus on Ecuadorian municipalities, which may limit the generalizability of the results. Nevertheless, the depth of qualitative insights provides valuable transferability to similar contexts within developing countries.
Building on these findings, the proposed future work directly addresses the patterns of human vulnerability and institutional limitations identified throughout the thematic analysis. Because the interviews consistently highlighted phishing susceptibility, limited awareness, and inconsistent governance practices as the predominant factors shaping ransomware exposure, a structured validation mechanism becomes necessary to operationalize the Exposure Index model developed in this study. For this reason, we outline a pilot methodology that integrates controlled phishing simulations and standardized institutional indicators to empirically test and calibrate the model in real municipal environments.
This future phase does not constitute a disconnected research avenue; rather, it represents the logical continuation of the present work. The qualitative results demonstrated the central role of human behavior and organizational culture in shaping cyber-risk exposure, and the weighted-average model translates these qualitative insights into a measurable framework. The proposed pilot study will therefore allow the Exposure Index (E) to evolve from a conceptual formulation into a validated, actionable tool for local governments, completing the methodological progression initiated in this article.
Overall, the study provides coherent and evidence-based responses to the four research questions. The results confirm that human factors constitute the primary source of vulnerability within local governments but also represent the foundation for resilience when effectively managed through institutional commitment and technological support. Artificial Intelligence emerges as a strategic catalyst that can translate these findings into operational prevention frameworks, thus closing the conceptual loop between the research questions, the empirical evidence, and the future development of explainable AI models for cybersecurity training.

Author Contributions

Conceptualization, P.B.V.-M.; Methodology, P.B.V.-M. and D.C.A.C.; Software (ATLAS.ti), P.B.V.-M.; Validation, D.C.A.C. and J.L.Z.-M.; Formal analysis, P.B.V.-M.; Investigation, P.B.V.-M. and D.C.A.C.; Data curation, D.C.A.C.; Resources, J.L.Z.-M.; Writing—original draft preparation, P.B.V.-M.; Writing—review and editing, D.C.A.C. and J.L.Z.-M.; Visualization, P.B.V.-M.; Supervision, D.C.A.C. and J.L.Z.-M.; Project administration, D.C.A.C. and P.B.V.-M. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the project “Artificial intelligence-based strategies to reduce human vulnerability to ransomware attacks through social engineering in local governments”, funded by the Salesian Polytechnic University of Ecuador.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki, and approved by the Institutional Review Board Research Council of the Salesian Polytechnic University (protocol code 027-CI-CUE-2025 and date of approval 2025-10-03).

Informed Consent Statement

Written informed consent was obtained from all participants involved in the study.

Data Availability Statement

The data presented in this study are available on request from the corresponding author. The data are not publicly available due to ethical considerations and the need to protect the anonymity of the participants.

Acknowledgments

The authors gratefully acknowledge the institutional and financial support provided by the Salesian Polytechnic University of Ecuador, which was instrumental for the development of this research. We are also deeply indebted to all the professionals who generously shared their time and expertise through the interviews, providing invaluable empirical insights. Special thanks are due to a senior national digital governance official of the Republic of Ecuador for contributing invaluable information to this study.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI Artificial Intelligence
ATLAS.ti Qualitative Data Analysis Software (Atlas.ti, version 23)
IEEE Institute of Electrical and Electronics Engineers
EGSI Esquema Gubernamental de Seguridad de la Información
EGOV Electronic Government (E-Government)
EPICO EP Empresa Pública Municipal para la Innovación y Competitividad de Guayaquil
ICT Information and Communication Technology
IRB Institutional Review Board
ISO International Organization for Standardization
IT Information Technology
MINTEL Ministerio de Telecomunicaciones y de la Sociedad de la Información
NIST National Institute of Standards and Technology
ROC/AUC Receiver Operating Characteristic/Area Under the Curve
RQ Research Question

References

  1. Majumdar, N.; Ramteke, V. Human elements impacting risky habits in cybersecurity. In Proceedings of the AIP Conference Proceedings; AIP Publishing LLC: Melville, NY, USA, 2022; Volume 2519, p. 030006. [Google Scholar]
  2. Lee, Y.; Lee, J.; Ryu, D.; Park, H.; Shin, D. Clop Ransomware in Action: A Comprehensive Analysis of Its Multi-Stage Tactics. Electronics 2024, 13, 3689. [Google Scholar] [CrossRef]
  3. Sanchez-Zurdo, J.; San-Martín, J. A Country Risk Assessment from the Perspective of Cybersecurity in Local Entities. Appl. Sci. 2024, 14, 12036. [Google Scholar] [CrossRef]
  4. Hossain, S.T.; Yigitcanlar, T.; Nguyen, K.; Xu, Y. Local government cybersecurity landscape: A systematic review and conceptual framework. Appl. Sci. 2024, 14, 5501. [Google Scholar] [CrossRef]
  5. Maglaras, L.; Janicke, H.; Ferrag, M.A. Cybersecurity of Critical Infrastructure: Challenges and Solutions; CRC Press: Boca Raton, FL, USA; Taylor & Francis Group: Boca Raton, FL, USA, 2022. [Google Scholar]
  6. Flor-Unda, O.; Simbaña, F.; Larriva-Novo, X.; Acuña, Á.; Tipán, R.; Acosta-Vargas, P. A comprehensive analysis of the worst cybersecurity vulnerabilities in latin america. Informatics 2023, 10, 71. [Google Scholar] [CrossRef]
  7. Vestad, A.; Yang, B. From Security Frameworks to Sustainable Municipal Cybersecurity Capabilities. J. Cybersecur. Priv. 2025, 5, 19. [Google Scholar] [CrossRef]
  8. Triplett, W.J. Addressing human factors in cybersecurity leadership. J. Cybersecur. Priv. 2022, 2, 573–586. [Google Scholar] [CrossRef]
  9. Mushtaq, S.; Shah, M. Critical factors and practices in mitigating cybercrimes within e-government services: A rapid review on optimising public service management. Information 2024, 15, 619. [Google Scholar] [CrossRef]
  10. Kioskli, K.; Seralidou, E.; Polemi, N. A Practical Human-Centric Risk Management (HRM) Methodology. Electronics 2025, 14, 486. [Google Scholar] [CrossRef]
  11. David, A.; Yigitcanlar, T.; Li, R.Y.M.; Corchado, J.M.; Cheong, P.H.; Mossberger, K.; Mehmood, R. Understanding local government digital technology adoption strategies: A PRISMA review. Sustainability 2023, 15, 9645. [Google Scholar] [CrossRef]
  12. Safitra, M.; Lubis, M.; Fakhrurroja, H. Counterattacking Cyber Threats: A Framework for the Future of Cybersecurity. Sustainability 2023, 15, 13369. [Google Scholar] [CrossRef]
  13. Hansel, M.; Silomon, J. Ransomware as a threat to peace and security: Understanding and avoiding political worst-case scenarios. J. Cyber Policy 2024, 9, 159–178. [Google Scholar] [CrossRef]
  14. Murray, G.; Falkeling, M.; Gao, S. Trends and challenges in research into the human aspects of ransomware: A systematic mapping study. Inf. Comput. Secur. 2025, 33, 161–195. [Google Scholar] [CrossRef]
  15. Kapoor, A.; Gupta, A.; Gupta, R.; Tanwar, S.; Sharma, G.; Davidson, I.E. Ransomware detection, avoidance, and mitigation scheme: A review and future directions. Sustainability 2021, 14, 8. [Google Scholar] [CrossRef]
  16. Khadka, K.; Ullah, A.B. Human factors in cybersecurity: An interdisciplinary review and framework proposal. Int. J. Inf. Secur. 2025, 24, 119. [Google Scholar] [CrossRef]
  17. Zangana, H.M.; Sallow, Z.B.; Omar, M. The Human Factor in Cybersecurity: Addressing the Risks of Insider Threats. J. Ilm. Comput. Sci. 2025, 3, 76–85. [Google Scholar] [CrossRef]
  18. de Bruin, M.; Mersinas, K. Individual and Contextual Variables of Cyber Security Behaviour: An Empirical Analysis of National Culture, Industry, Organisation, and Individual Variables of (In)secure Human Behaviour. arXiv 2024, arXiv:2405.16215. [Google Scholar]
  19. Masombuka, M.; Grobler, M.; Duvenage, P. Cybersecurity and local government: Imperative, challenges and priorities. In Proceedings of the 20th European Conference on Cyber Warfare and Security (ECCWS 2021); Academic Conferences International Ltd.: Reading, UK, 2021; pp. 285–293. [Google Scholar]
  20. Gamreklidze, E. Cyber security in developing countries, a digital divide issue: The case of Georgia. J. Int. Commun. 2014, 20, 200–217. [Google Scholar] [CrossRef]
  21. Khan, N.F.; Ikram, N.; Saleem, S. Effects of Socioeconomic and Digital Inequalities on Cybersecurity in a Developing Country. Secur. J. 2024, 37, 214–244. [Google Scholar] [CrossRef]
  22. Mohamed, A.Y.; Kamau, S.K. A Continent-Wide Assessment of Cyber Vulnerability Across Africa. arXiv 2023, arXiv:2301.03008. [Google Scholar] [CrossRef]
  23. Harry, C.; Sivan-Sevilla, I.; McDermott, M. Measuring the size and severity of the integrated cyber attack surface across US county governments. J. Cybersecur. 2025, 11, tyae032. [Google Scholar] [CrossRef]
  24. Xu, X.; Dai, M. Evaluation of local government digital governance ability and sustainable development: A case study of Hunan province. Sustainability 2024, 16, 6084. [Google Scholar] [CrossRef]
  25. Braun, V.; Clarke, V. Toward good practice in thematic analysis: Avoiding common problems and be (com) ing a knowing researcher. Int. J. Transgender Health 2023, 24, 1–6. [Google Scholar] [CrossRef] [PubMed]
  26. Pollini, A.; Callari, T.C.; Tedeschi, A.; Ruscio, D.; Save, L.; Chiarugi, F.; Guerri, D. Leveraging human factors in cybersecurity: An integrated methodological approach. Cogn. Technol. Work. 2022, 24, 371–390. [Google Scholar] [CrossRef] [PubMed]
  27. International Telecommunication Union. Global Cybersecurity Index 2024; ITU: Geneva, Switzerland, 2024; Available online: https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx (accessed on 12 September 2025).
Figure 1. Conceptual model of key factors influencing ransomware exposure in local governments.
Figure 2. Schematic of research design adopted in the study.
Figure 3. Relevant thematic extraction.
Figure 4. Keywords in interviews.
Figure 5. Weighted average model for ransomware exposure. Human ($F_h$), institutional ($F_i$), and technological ($F_t$) factors are aggregated through weighted integration ($W_h$, $W_i$, $W_t$) to produce a composite Exposure Index ($E$).
Figure 6. Triangulation of qualitative and quantitative findings integrating expert IT insights with end-user survey results. The model highlights convergences such as human error and training gaps, and divergences including inconsistent risk perception and behavioral discrepancies.
Table 1. Demographics of the IT experts interviewed in the cybersecurity study in Ecuadorian municipalities.

| ID | Position/Role |
|---|---|
| Participant 1 | Chief of Information Technology |
| Participant 2 | Software Security Specialist |
| Participant 3 | Chief of Information Technology |
| Participant 4 | Chief of Information Technology |
| Participant 5 | Technology Support Specialist |
| Participant 6 | Chief of Information Technology |
| Participant 7 | Computer Security Specialist |
| Participant 8 | Chief of Technological Innovation |
| Participant 9 | Chief Information Security Officer |
| Participant 10 | CEO IT Municipality |

Table 2. Summary of thematic categories, key findings, and representative quotes.

| Category | Key Finding | Representative Quote |
|---|---|---|
| Perception of ransomware | Considered a critical threat affecting both operations and public trust | “The damage to public trust is severe” (Participant 10) |
| Social engineering—human factors | Phishing and weak passwords identified as main vulnerabilities | “Some employees still fall for phishing emails” (Participant 8) |
| Training—organizational culture | Initiatives exist but remain fragmented and lack continuity | “We need continuity in training” (Participant 4) |
| Structural limitations | Smaller municipalities lack resources and depend on external support | “Small ones can barely afford antivirus software” (Participant 2) |
| Resilience—incident response | Security committees established and advanced monitoring measures introduced | “We have created internal reporting channels for suspicious activity” (Participant 6) |
| Future vision | Emerging technological solutions seen as central for monitoring and prevention | “Artificial intelligence will help us detect unusual behaviors” (Participant 10) |

Table 3. Qualitative traceability of themes identified through thematic analysis.

| Theme | Key Codes | Coded Segments (n) | Participants | Representative Quote |
|---|---|---|---|---|
| Human vulnerabilities | phishing, weak passwords, unsafe clicking | 42 | 9/10 | “Some employees still fall for phishing emails.” |
| Institutional gaps | lack of policies, fragmented training | 31 | 8/10 | “We need continuity in training.” |
| Technological limitations | outdated systems, weak detection | 18 | 6/10 | “Small municipalities can barely afford antivirus solutions.” |
| Emergent resilience practices | committees, advanced filtering measures | 22 | 7/10 | “We use automated spam filters to detect suspicious activity.” |

Note: “Coded Segments (n)” indicates the number of coded text fragments associated with each theme across all interviews.