There is a growing recognition of the need for a transformation from
organizational security awareness programs focused on compliance -- measured by
training completion rates -- to those resulting in behavior change. However,
few prior studies have begun to unpack the organizational practices of the
security awareness teams tasked with executing program transformation. We
conducted a year-long case study of a security awareness program in a United
States (U.S.) government agency, collecting data via field observations,
interviews, and documents. Our findings reveal the challenges and practices
involved in the progression of a security awareness program from being
compliance-focused to emphasizing impact on workforce attitudes and behaviors.
We uniquely capture transformational organizational security awareness
practices in action via a longitudinal study involving multiple workforce
perspectives. Our study insights can serve as a resource for other security
awareness programs and workforce development initiatives aimed at better
defining the security awareness work role