Current security awareness training predominantly adopts a one-size-fits-all approach, overlooking department-specific threat landscapes. This study focuses on Human Resources (HR) and Finance departments, employing a mixed-methods design—comprising in-depth interviews and a structured survey administered to over 90 practitioners across nine organizations—to empirically identify distinct threat profiles: HR faces elevated risks from malicious resumes and CEO fraud, whereas Finance is disproportionately targeted by invoice fraud and ransomware. Findings further reveal strong practitioner preference for scenario-based, short-cycle modalities—including micro-videos and simulated phishing exercises. Building on these insights, the study proposes the first business-process-oriented, department-tailored security awareness framework, departing from generic, organization-wide paradigms. Validated through iterative stakeholder feedback, this framework significantly enhances the precision and operational effectiveness of social engineering defense strategies.

Many cyberattacks succeed because they exploit flaws at the human level. To address this problem, organizations rely on security awareness programs, which aim to make employees more resilient against social engineering. While some works have suggested that such programs should account for contextual relevance, the common praxis in research is to adopt a "general" viewpoint. For instance, instead of focusing on department-specific issues, prior user studies sought to provide organization-wide conclusions. Such a protocol may lead to overlooking vulnerabilities that affect only specific subsets of an organization. In this paper, we tackle such an oversight. First, through a systematic literature review, we provide evidence that prior literature poorly accounted for department-specific needs. Then, we carry out a multi-company and mixed-methods study focusing on two pivotal departments: human resources (HR) and accounting. We explore three dimensions: threats faced by these departments; topics covered in the security-awareness campaigns delivered to these departments; and delivery methods that maximize the effectiveness of such campaigns. We begin by interviewing 16 employees of a multinational enterprise, and then use these results as a scaffold to design a structured survey through which we collect the responses of over 90 HR/accounting members of 9 organizations. We find that HR is targeted through job applications containing malware and executive impersonation, while accounting is exposed to invoice fraud, credential theft, and ransomware. Current training is often viewed as too generic, with employees preferring shorter, scenario-based formats like videos and simulations. These preferences contradict the common industry practice of annual sessions. Based on these insights, we propose recommendations for designing awareness programs tailored to departmental needs and workflows.