From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program
Julie Haney, Wayne Lutters
There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance -- measured by training completion rates -- to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted a year-long case study of a security awareness program in a United States (U.S.) government agency, collecting data via field observations, interviews, and documents. Our findings reveal the challenges and practices involved in the progression of a security awareness program from being compliance-focused to emphasizing impact on workforce attitudes and behaviors. We uniquely capture transformational organizational security awareness practices in action via a longitudinal study involving multiple workforce perspectives. Our study insights can serve as a resource for other security awareness programs and workforce development initiatives aimed at better defining the security awareness work role.
Haney, J. and Lutters, W., From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program, arXiv, [online], https://doi.org/10.48550/arXiv.2309.07724, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935669, https://arxiv.org/abs/2309.07724 (Accessed October 1, 2023)