Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

"What Keeps People Secure is That They Met The Security Team": Deconstructing Drivers And Goals of Organizational Security Awareness

Jonas Hielscher, Simon Parkin

TL;DR

This study probes why security awareness is implemented as it is by interviewing 15 Security Awareness Managers across Europe, using thematic analysis to reveal drivers, constraints, and the fragile nature of success. It finds that security awareness is under-specified and split between conveying secure behaviors and connecting with employees, with regulators and vendors exerting strong external influences. The authors argue that current success metrics focus on reach and engagement rather than actual secure behavior, and that a lack of ownership for usable security hinders meaningful change. They propose shifting toward employee advocacy by SAMs, surface usability considerations in assurance measures, and establishing a stronger mandate for usable security within organizations. The work highlights practical pathways for researchers and industry to develop alternative success indicators and governance that better align awareness activities with genuine security outcomes.

Abstract

Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n=15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified, and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success, and security usability advocacy for employees.

"What Keeps People Secure is That They Met The Security Team": Deconstructing Drivers And Goals of Organizational Security Awareness

TL;DR

This study probes why security awareness is implemented as it is by interviewing 15 Security Awareness Managers across Europe, using thematic analysis to reveal drivers, constraints, and the fragile nature of success. It finds that security awareness is under-specified and split between conveying secure behaviors and connecting with employees, with regulators and vendors exerting strong external influences. The authors argue that current success metrics focus on reach and engagement rather than actual secure behavior, and that a lack of ownership for usable security hinders meaningful change. They propose shifting toward employee advocacy by SAMs, surface usability considerations in assurance measures, and establishing a stronger mandate for usable security within organizations. The work highlights practical pathways for researchers and industry to develop alternative success indicators and governance that better align awareness activities with genuine security outcomes.

Abstract

Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n=15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified, and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success, and security usability advocacy for employees.
Paper Structure (51 sections, 1 figure, 1 table)

This paper contains 51 sections, 1 figure, 1 table.

Table of Contents

  1. Introduction
  2. Contribution:
  3. Background & Related Work
  4. What is Security Awareness
  5. Goals of Security Awareness
  6. Awareness in Organizations
  7. Security Awareness Managers
  8. Methodology
  9. Instrument Development
  10. Recruitment
  11. Analysis
  12. Ethics and Data Privacy
  13. Limitations
  14. Results
  15. Demographics
  16. ...and 36 more sections

Figures (1)

  • Figure 1: Our data collection and analysis methodology.