Skip to main content

NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program

Published

Author(s)

Julie Haney, Wayne Lutters

Abstract

There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance  measured by training completion rates  to those resulting in behavior change. However, few researchers or practitioners have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted a year-long case study of a security awareness program in a United States (U.S.) government agency, collecting data via observations, interviews, and documents. Our findings reveal the challenges and practices involved in the progression of a security awareness program from being compliance-focused to emphasizing impact on workforce attitudes and behaviors. We capture transformational organizational security awareness practices in action from multiple workforce perspectives. Our study insights can serve as a resource for other security awareness programs and workforce development initiatives aimed at better defining the security awareness work role.
Citation
Cyber Security: A Peer-Reviewed Journal
Volume
8
Issue
2

Keywords

cyber security, awareness, training, compliance, measures, case study

Citation

Haney, J. and Lutters, W. (2024), From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program, Cyber Security: A Peer-Reviewed Journal, [online], https://doi.org/10.69554/NJYA9034, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935669 (Accessed October 10, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created November 26, 2024, Updated December 2, 2024
Was this page helpful?