A Systematic Review of Security Communication Strategies: Guidelines and Open Challenges

📅 2025-04-02
🤖 AI Summary
This study addresses core challenges in cybersecurity communication—including information overload, opaque technical terminology, risk-induced anxiety, and the security–comfort paradox—through a systematic literature review (SLR) encompassing over 3,400 publications, augmented by qualitative thematic analysis and cross-population comparison. It identifies critical research gaps for underrepresented groups (e.g., older adults, children, and non-U.S. populations), insufficient longitudinal designs, and poor protocol transparency. Based on empirical evidence, the work proposes seven evidence-based guidelines for effective security communication and introduces the first user-centered, customizable security notification framework. This framework enables adaptive notification strategies tailored to cultural context, age, and cognitive profile, thereby enhancing comprehension and trustworthiness while significantly reducing user anxiety and improving response rates.

📝 Abstract
Cybersecurity incidents such as data breaches have become increasingly common, affecting millions of users and organizations worldwide. The complexity of cybersecurity threats challenges the effectiveness of existing security communication strategies. Through a systematic review of over 3,400 papers, we identify specific user difficulties including information overload, technical jargon comprehension, and balancing security awareness with comfort. Our findings reveal consistent communication paradoxes: users require technical details for credibility yet struggle with jargon and need risk awareness without experiencing anxiety. We propose seven evidence-based guidelines to improve security communication and identify critical research gaps including limited studies with older adults, children, and non-US populations, insufficient longitudinal research, and limited protocol sharing for reproducibility. Our guidelines emphasize user-centric communication adapted to cultural and demographic differences while ensuring security advice remains actionable. This work contributes to more effective security communication practices that enable users to recognize and respond to cybersecurity threats appropriately.

Problem

Research questions and friction points this paper is trying to address.

Evaluating effectiveness of current security communication strategies
Addressing user difficulties like information overload and jargon
Identifying research gaps in diverse populations and reproducibility

Innovation

Methods, ideas, or system contributions that make the work stand out.

Systematic review of 3,400 papers
Seven evidence-based communication guidelines
User-centric cultural adaptation approach
Caroline Carreira
Carnegie Mellon University, IST University of Lisbon and INESC-ID, Lisbon, Portugal
A. Mendes
INESC TEC, Faculty of Engineering, University of Porto, Porto, Portugal
Joao F. Ferreira
INESC-ID and IST, University of Lisbon, Lisbon, Portugal
Nicolas Christin
Carnegie Mellon University
Computer Security, Computer Networks, Security, Societal Computing, Technology Policy