From awareness to influence: toward a model for improving employees’ security behaviour

This paper argues that a conventional approach to cybersecurity awareness is not effective in influencing employees and creating sustainable behaviour change. The increase in security incidents caused by employees is evidence that providing information to raise employees’ awareness does not necessarily result in improving their security behaviour, and organisations must transform their security awareness program to extend beyond awareness to influence and behaviour change. This paper presents an in-depth case study of Telstra a leading Australian telecommunication company with a well-resourced and mature cybersecurity influence program that evolved as a result of experience throughout the years. The paper adopts the psychological attachment theory to explain strategies (e.g. cybersecurity champion) implemented by Telstra influence team to influence employees to improve their security-related behaviour. The contribution of this paper represents the first step for a comprehensive practice-based guidance for organisations on how to transform their cybersecurity beyond awareness to influence behavioural change. This paper is based on both academic and industrial perspectives, and it provides a sound basis for future empirical work.