Department-Specific Security Awareness Campaigns: A Cross-Organizational Study of HR and Accounting
Pfister, M., Apruzzese, G., & Pekaric, I., APWG Symposium on Electronic Crime Research, 2025 Conference
Oneliner: Takeaway: instead of looking at an entire organization, security-awareness campaigns should focus on specific departments (as trivial as it may sound, not many papers did this).
Abstract. Many cyberattacks succeed because they exploit flaws at the human level. To address this problem, organizations rely on security awareness programs, which aim to make employees more resilient against social engineering. While some works have, implicitly or explicitly, suggested that such programs should account for contextual relevance, the common praxis in research is to adopt a “general” viewpoint. For instance, instead of focusing on department-specific issues, prior user studies sought to provide organization-wide conclusions by treating all participants equally. Such a protocol may lead to overlooking vulnerabilities that affect only specific subsets of an organization, and which can be (or are) exploited by real-world attackers.
In this paper, we tackle such an oversight. First, through a systematic literature review encompassing over 1k papers, we provide factual evidence that prior literature poorly accounted for department-specific needs. Then, building on this (worrying) finding, we carry out a multi-company and mixed-methods study focusing on two pivotal departments of modern organizations: human resources (HR) and accounting. We explore three dimensions: what specific threats are faced by these departments; what topics should be covered in the security-awareness campaigns delivered to these departments; and which delivery methods would maximize the effectiveness of such campaigns for these departments. We begin by interviewing 16 employees of a multinational enterprise, and then use these results as a scaffold to design a structured survey through which we collect the responses of over 90 HR/accounting members of 9 organizations of varying size. We find that HR and accounting departments face distinct threats: HR is targeted through job applications containing malware and executive impersonation, while accounting is exposed to invoice fraud, credential theft, and ransomware. Current training is often viewed as too generic, with employees preferring shorter, scenario-based formats like videos and simulations. These preferences contradict the common industry practice of lengthy, annual sessions. Based on these insights, we propose practical recommendations for designing awareness programs tailored to departmental needs and workflows.