"What Keeps People Secure is That They Met The Security Team": Deconstructing Drivers And Goals of Organizational Security Awareness
Jonas Hielscher, Simon Parkin

TL;DR
This paper explores the motivations, practices, and challenges of security awareness managers in organizations, revealing mismatched goals and underspecified practices that impact effectiveness and suggesting new directions for improvement.
Contribution
It provides an empirical analysis of security awareness management through interviews, highlighting the gaps, restrictions, and potential improvements in current practices.
Findings
Success in awareness management is fragile and complex.
There are mismatched drivers and goals affecting awareness strategies.
Security awareness practices are underspecified and split between messaging and employee connection.
Abstract
Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n=15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a…
Taxonomy
Topics: Information and Cyber Security
