Abstract
Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n = 15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified, and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success, and security usability advocacy for employees.
Original language | English |
---|---|
Title of host publication | Proceedings of the 33rd USENIX Security Symposium |
Publisher | USENIX Association |
Pages | 3295-3312 |
Number of pages | 18 |
ISBN (Electronic) | 9781939133441 |
Publication status | Published - 2024 |
Event | 33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States Duration: 14 Aug 2024 → 16 Aug 2024 |
Conference
Conference | 33rd USENIX Security Symposium, USENIX Security 2024 |
---|---|
Country/Territory | United States |
City | Philadelphia |
Period | 14/08/24 → 16/08/24 |