There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance -- measured by training completion rates -- to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted a year-long case study of a security awareness program in a United States (U.S.) government agency, collecting data via field observations, interviews, and documents. Our findings reveal the challenges and practices involved in the progression of a security awareness program from being compliance-focused to emphasizing impact on workforce attitudes and behaviors. We uniquely capture transformational organizational security awareness practices in action via a longitudinal study involving multiple workforce perspectives. Our study insights can serve as a resource for other security awareness programs and workforce development initiatives aimed at better defining the security awareness work role.