Department-Specific Security Awareness Campaigns: A Cross-Organizational Study of HR and Accounting

TL;DR

This study highlights the importance of department-specific security awareness campaigns, revealing distinct threats and preferences in HR and accounting, and proposes tailored strategies to improve effectiveness.

Contribution

It provides empirical evidence that security training should be customized to departmental needs, addressing overlooked vulnerabilities and employee preferences.

Findings

HR faces threats like malware-laden job applications and impersonation.

Accounting is vulnerable to invoice fraud, credential theft, and ransomware.

Employees prefer shorter, scenario-based training formats over traditional long sessions.

Abstract

Many cyberattacks succeed because they exploit flaws at the human level. To address this problem, organizations rely on security awareness programs, which aim to make employees more resilient against social engineering. While some works have suggested that such programs should account for contextual relevance, the common praxis in research is to adopt a "general" viewpoint. For instance, instead of focusing on department-specific issues, prior user studies sought to provide organization-wide conclusions. Such a protocol may lead to overlooking vulnerabilities that affect only specific subsets of an organization. In this paper, we tackle such an oversight. First, through a systematic literature review, we provide evidence that prior literature poorly accounted for department-specific needs. Then, we carry out a multi-company and mixed-methods study focusing on two pivotal departments: human resources (HR) and accounting. We explore three dimensions: threats faced by these departments; topics covered in the security-awareness campaigns delivered to these departments; and delivery methods that maximize the effectiveness of such campaigns. We begin by interviewing 16 employees of a multinational enterprise, and then use these results as a scaffold to design a structured survey through which we collect the responses of over 90 HR/accounting members of 9 organizations. We find that HR is targeted through job applications containing malware and executive impersonation, while accounting is exposed to invoice fraud, credential theft, and ransomware. Current training is often viewed as too generic, with employees preferring shorter, scenario-based formats like videos and simulations. These preferences contradict the common industry practice of annual sessions. Based on these insights, we propose recommendations for designing awareness programs tailored to departmental needs and workflows.