This paper argues that a conventional approach to cybersecurity awareness is not effective in influencing employees and creating sustainable behaviour change. The increase in security incidents caused by employees is evidence that providing information to raise employees’ awareness does not necessarily result in improving their security behaviour, and organisations must transform their security awareness program to extend beyond awareness to influence and behaviour change. This paper presents an in-depth case study of Telstra a leading Australian telecommunication company with a well-resourced and mature cybersecurity influence program that evolved as a result of experience throughout the years. The paper adopts the psychological attachment theory to explain strategies (e.g. cybersecurity champion) implemented by Telstra influence team to influence employees to improve their security-related behaviour. The contribution of this paper represents the first step for a comprehensive practice-based guidance for organisations on how to transform their cybersecurity beyond awareness to influence behavioural change. This paper is based on both academic and industrial perspectives, and it provides a sound basis for future empirical work.

本文认为，传统的网络安全意识方法无法有效地影响员工并创造可持续的行为改变。员工引起的安全事件增加表明，提供信息以提高员工的意识并不一定会改善他们的安全行为，并且组织必须转变其安全意识计划，以将意识扩展到影响和行为改变之外。本文介绍了澳大利亚领先的电信公司Telstra的深入案例研究，该公司具有资源丰富且成熟的网络安全影响力计划，该计划是根据多年的经验而发展而来的。本文采用心理依恋理论来解释策略（例如 网络安全冠军）由Telstra影响力团队实施，以影响员工以改善其与安全相关的行为。本文的贡献是为组织提供基于实践的综合指导的第一步，该指导涉及如何将其网络安全从意识转变为影响行为改变的方法。本文基于学术和工业角度，为将来的实证工作提供了良好的基础。