From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program

Thumbnail Image


Publication or External Link




Haney, Julie M. and Wayne Lutters (2023) From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program, [cs.CR, cs.HC]


There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance − measured by training completion rates − to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted a year-long case study of a security awareness program in a United States (U.S.) government agency, collecting data via field observations, interviews, and documents. Our findings reveal the challenges and practices involved in the progression of a security awareness program from being compliance-focused to emphasizing impact on workforce attitudes and behaviors. We uniquely capture transformational organizational security awareness practices in action via a longitudinal study involving multiple workforce perspectives. Our study insights can serve as a resource for other security awareness programs and workforce development initiatives aimed at better defining the security awareness work role.



Attribution-NonCommercial-NoDerivs 3.0 United States