From compliance to impact: Tracing the transformation of an organisational security awareness programme
Abstract
There is a growing recognition of the need for a transformation from organisational security awareness programmes focused on compliance, measured by training completion rates, to those resulting in behaviour change. Few researchers or practitioners, however, have begun to unpack the organisational practices of the security awareness teams tasked with executing programme transformation. The authors of this paper conducted a year-long case study of a security awareness programme in a US government agency, collecting data via observations, interviews and documents. Their findings reveal the challenges and practices involved in the progression of a security awareness programme from being compliance-focused to emphasising impact on workforce attitudes and behaviours. The authors capture transformational organisational security awareness practices in action from multiple workforce perspectives. The study insights can serve as a resource for other security awareness programmes and workforce development initiatives aimed at better defining the security awareness work role.
The full article is available to subscribers to the journal.
Authors' Biographies
Julie Haney
Dr Julie Haney conducts research about the human element of cyber security, including the usability and adoption of cyber security solutions, work practices of cyber security professionals and people’s perceptions of privacy and cyber security. She has been an invited speaker at numerous cyber security forums spanning industry, government and academia, and has published peer-reviewed articles in both research and practitioner publications. Prior to joining the National Institute of Standards and Technology (NIST) in 2018, Julie spent over 20 years working in the U.S. Department of Defense as a cyber security professional and technical director, where she conducted vulnerability assessments, wrote widely used cyber security guidance and advocated for the adoption of cyber security mitigations. She earned a PhD in human-centred computing from the University of Maryland, Baltimore County, an MSc in computer science from the University of Maryland and a BSc in computer science from Loyola University, Maryland.
Wayne Lutters
Dr Wayne Lutters is a Professor and Associate Dean for Strategic Initiatives in the College of Information Studies at the University of Maryland. His research interests are at the nexus of computer-supported cooperative work (CSCW), social computing and social informatics. He specialises in field studies of IT-mediated work from a socio-technical perspective, to better inform the design and evaluation of collaborative systems. Recent projects have focused on the human side of information infrastructure. Wayne has served as a Program Director for Human-Centered Computing at the National Science Foundation. He earned his MSc and PhD in information and computer science from the University of California, Irvine.