Haney, J.
and Lutters, W.
(2023),
From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program, arxiv, [online], https://doi.org/10.48550/arXiv.2309.07724, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935669, https://arxiv.org/abs/2309.07724
(Accessed April 28, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program
Published
Author(s)
, Wayne Lutters
Abstract
There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance -- measured by training completion rates -- to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted a year-long case study of a security awareness program in a United States (U.S.) government agency, collecting data via field observations, interviews, and documents. Our findings reveal the challenges and practices involved in the progression of a security awareness program from being compliance-focused to emphasizing impact on workforce attitudes and behaviors. We uniquely capture transformational organizational security awareness practices in action via a longitudinal study involving multiple workforce perspectives. Our study insights can serve as a resource for other security awareness programs and workforce development initiatives aimed at better defining the security awareness work role.Citation
arxiv
Pub Weblink
Pub Type
Websites
Download Paper
Keywords
cybersecurity awareness, training, compliance, measures, case study
Citation
Created September 14, 2023, Updated September 15, 2023