"What Keeps People Secure is That They Met The Security Team": Deconstructing Drivers And Goals of Organizational Security Awareness (2404.18365v1)
Abstract: Security awareness campaigns in organizations now collectively cost billions of dollars annually, and there is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do, and what determines it, remains unclear. We conducted n=15 semi-structured interviews with full-time security awareness managers with experience across various national and international companies in European countries with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there is a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success and security usability advocacy for employees.