Opening Framing
Technical controls are necessary but insufficient. The most sophisticated security tools can be bypassed by an employee who clicks a phishing link, shares credentials, or ignores security procedures. Conversely, security-aware employees become an active defense layer—detecting anomalies, reporting suspicious activity, and making security-conscious decisions in situations no policy anticipated.
Security awareness isn't just annual training—it's building a culture where security is everyone's responsibility, where good security practices are the norm rather than the exception, and where people understand the "why" behind security requirements. This requires understanding human behavior, designing programs that actually change behavior (not just check compliance boxes), and creating an environment where security is enabled rather than obstructed.
This week covers security awareness program design, training methods, phishing simulations, behavior change principles, building security culture, and measuring awareness effectiveness. You'll learn to create programs that genuinely improve security posture through people.
Key insight: Awareness is knowing the threat exists. Culture is caring enough to do something about it.
Building on Prior Knowledge
This week integrates concepts from across the curriculum:
- CSY101 Week 01: Risk framing and stakeholder communication principles for security awareness messaging
- CSY204 Week 03: Social engineering detection techniques that inform phishing simulation design
- CSY303 Week 02: Risk management frameworks provide structure for awareness program metrics
- CSY303 Week 10: Metrics and KPIs applied to measure awareness program effectiveness and behavior change
1) Human Factor in Security
Understanding why people make security mistakes helps design effective interventions:
Human Security Challenges:
WHY PEOPLE FAIL AT SECURITY:
┌─────────────────────────────────────────────────────────────┐
│ Cognitive Limitations: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Limited attention (can't evaluate every email) │ │
│ │ - Cognitive load (security competes with primary task) │ │
│ │ - Pattern matching fails (sophisticated attacks) │ │
│ │ - Decision fatigue (too many security choices) │ │
│ │ - Memory limitations (password complexity) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ Behavioral Factors: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Convenience trumps security (path of least resistance)│ │
│ │ - Optimism bias ("it won't happen to me") │ │
│ │ - Authority compliance (CEO fraud) │ │
│ │ - Social proof (if others do it, it must be okay) │ │
│ │ - Urgency response (time pressure bypasses caution) │ │
│ │ - Habituation (alert fatigue) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ Organizational Factors: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Security seen as obstacle to work │ │
│ │ - No clear ownership ("not my job") │ │
│ │ - Fear of punishment prevents reporting │ │
│ │ - Lack of visible leadership commitment │ │
│ │ - Security team seen as "the enemy" │ │
│ │ - Misaligned incentives │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ Knowledge Gaps: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Don't understand the threats │ │
│ │ - Don't know what to do │ │
│ │ - Don't know how to report │ │
│ │ - Don't understand why policies exist │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
SOCIAL ENGINEERING TACTICS:
┌─────────────────────────────────────────────────────────────┐
│ Attackers exploit human psychology: │
│ │
│ Authority: │
│ - Impersonating executives, IT, government │
│ - "This is the CEO, I need this wire transfer now" │
│ │
│ Urgency/Scarcity: │
│ - Creating time pressure │
│ - "Your account will be suspended in 24 hours" │
│ │
│ Social Proof: │
│ - Referencing others who complied │
│ - "Your colleague John already sent this information" │
│ │
│ Reciprocity: │
│ - Offering something first │
│ - "I helped you last week, can you help me now?" │
│ │
│ Liking/Trust: │
│ - Building rapport before attack │
│ - Researching targets on social media │
│ │
│ Fear: │
│ - Threatening consequences │
│ - "Your computer is infected, call this number immediately" │
└─────────────────────────────────────────────────────────────┘
Attack Statistics:
Human Element in Breaches:
BREACH STATISTICS:
┌─────────────────────────────────────────────────────────────┐
│ From Verizon DBIR (the figures below span several editions) │
│ and FBI IC3; cite the report year whenever you reuse one: │
│ │
│ - 74% of breaches involve human element │
│ (social engineering, errors, misuse) │
│ │
│ - Phishing is #1 initial access vector │
│ (present in 36% of breaches) │
│ │
│ - Stolen credentials used in 49% of breaches │
│ │
│ - Business Email Compromise (BEC) losses: │
│ $2.7 billion in 2022 (FBI IC3) │
│ │
│ - Average phishing click rate: 10-15% │
│ (varies significantly by organization) │
│ │
│ - Time to click phishing link: median 21 seconds │
│ (people decide quickly) │
└─────────────────────────────────────────────────────────────┘
COST OF HUMAN ERROR:
┌─────────────────────────────────────────────────────────────┐
│ Misconfiguration: │
│ - Cloud storage exposed (S3 buckets, Azure blobs) │
│ - Database left open to internet │
│ - Default credentials unchanged │
│ │
│ Misdirected Communication: │
│ - Sensitive data sent to wrong recipient │
│ - Reply-all with confidential information │
│ - Email autofill selecting wrong address │
│ │
│ Physical Security Lapses: │
│ - Tailgating (holding door for attacker) │
│ - Leaving devices unattended │
│ - Sensitive documents in trash │
│ │
│ These are addressable through awareness and culture │
└─────────────────────────────────────────────────────────────┘
Key insight: People aren't the weakest link—they're the most frequently attacked link. Strengthen them.
2) Security Awareness Program Design
Effective awareness programs are strategic, not checkbox compliance exercises:
Awareness Program Framework:
PROGRAM COMPONENTS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ FOUNDATION │ │
│ │ │ │
│ │ - Executive sponsorship and visible commitment │ │
│ │ - Defined objectives and success metrics │ │
│ │ - Alignment with business and risk priorities │ │
│ │ - Adequate resources and budget │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ CORE TRAINING │ │
│ │ │ │
│ │ - New hire security orientation │ │
│ │ - Annual security awareness training │ │
│ │ - Role-based training (developers, admins, etc.) │ │
│ │ - Compliance-required training (HIPAA, PCI DSS) │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ REINFORCEMENT │ │
│ │ │ │
│ │ - Phishing simulations │ │
│ │ - Security newsletters/communications │ │
│ │ - Posters and visual reminders │ │
│ │ - Lunch and learns │ │
│ │ - Security awareness month campaigns │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ MEASUREMENT │ │
│ │ │ │
│ │ - Training completion tracking │ │
│ │ - Phishing simulation results │ │
│ │ - Security incident correlation │ │
│ │ - Behavior change assessment │ │
│ │ - Culture surveys │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
TRAINING CONTENT AREAS:
┌─────────────────────────────────────────────────────────────┐
│ Universal Topics (all employees): │
│ - Phishing and social engineering recognition │
│ - Password security and authentication │
│ - Safe web browsing │
│ - Mobile device security │
│ - Physical security │
│ - Data handling and classification │
│ - Incident reporting │
│ - Clean desk policy │
│ - Remote work security │
│ - Social media risks │
│ │
│ Role-Based Topics: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Developers: │ │
│ │ - Secure coding practices │ │
│ │ - OWASP Top 10 │ │
│ │ - Code review for security │ │
│ │ - Secrets management │ │
│ │ │ │
│ │ IT Administrators: │ │
│ │ - Secure configuration │ │
│ │ - Privileged access responsibility │ │
│ │ - Patch management │ │
│ │ - Incident response role │ │
│ │ │ │
│ │ Executives: │ │
│ │ - Business email compromise awareness │ │
│ │ - Targeted attacks (whaling: spear phishing of execs) │ │
│ │ - Security governance responsibilities │ │
│ │ │ │
│ │ Finance/HR: │ │
│ │ - Wire fraud recognition │ │
│ │ - Sensitive data handling │ │
│ │ - Verification procedures │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Program Development:
Building Effective Training:
ADULT LEARNING PRINCIPLES:
┌─────────────────────────────────────────────────────────────┐
│ Adults learn differently than children: │
│ │
│ Self-Directed: │
│ - Want control over their learning │
│ - Prefer self-paced options │
│ → Offer flexible delivery, let them choose when │
│ │
│ Experience-Based: │
│ - Connect new info to existing knowledge │
│ - Learn from mistakes and successes │
│ → Use real examples, their context, their mistakes │
│ │
│ Relevance-Focused: │
│ - Need to know why it matters │
│ - Want practical application │
│ → Show "what's in it for me," make it job-relevant │
│ │
│ Problem-Oriented: │
│ - Learn to solve problems, not just absorb info │
│ - Want to apply immediately │
│ → Give them scenarios to solve, not just lectures │
│ │
│ Respect: │
│ - Don't want to feel talked down to │
│ - Have existing knowledge and experience │
│ → Treat them as partners, not children │
└─────────────────────────────────────────────────────────────┘
TRAINING DELIVERY METHODS:
┌─────────────────────────────────────────────────────────────┐
│ Method │ Pros │ Cons │
│ ────────────────────┼─────────────────────┼─────────────────│
│ Computer-Based │ Scalable, trackable │ Low engagement, │
│ Training (CBT) │ self-paced │ passive learning│
│ ────────────────────┼─────────────────────┼─────────────────│
│ Instructor-Led │ Interactive, Q&A │ Not scalable, │
│ Training (ILT) │ engagement │ scheduling hard │
│ ────────────────────┼─────────────────────┼─────────────────│
│ Microlearning │ Short, focused, │ Limited depth │
│ (3-5 min modules) │ just-in-time │ │
│ ────────────────────┼─────────────────────┼─────────────────│
│ Gamification │ Engaging, memorable │ Can trivialize │
│ │ │ serious topics │
│ ────────────────────┼─────────────────────┼─────────────────│
│ Simulations │ Realistic practice │ Resource │
│ (phishing, etc.) │ behavior testing │ intensive │
│ ────────────────────┼─────────────────────┼─────────────────│
│ Videos/Stories │ Emotional impact, │ Passive, may │
│ │ memorable │ not stick │
└─────────────────────┴─────────────────────┴─────────────────┘
Best practice: blend methods. Each covers the weaknesses of the others, and repeating the same message across channels over time (spaced reinforcement) is what makes it stick.
Key insight: Training that people dread and rush through doesn't change behavior. Design for engagement.
3) Phishing Simulations
Phishing simulations test and reinforce awareness through realistic practice:
Phishing Simulation Program:
PROGRAM DESIGN:
┌─────────────────────────────────────────────────────────────┐
│ Objectives: │
│ - Measure susceptibility to phishing attacks │
│ - Provide practical learning opportunities │
│ - Identify high-risk groups for additional training │
│ - Track improvement over time │
│ - Build recognition skills through practice │
│ │
│ NOT Objectives: │
│ - Catch and punish people │
│ - Create fear or embarrassment │
│ - "Gotcha" exercises │
└─────────────────────────────────────────────────────────────┘
SIMULATION TYPES:
┌─────────────────────────────────────────────────────────────┐
│ By Difficulty: │
│ │
│ Level 1 - Easy (obvious): │
│ - Poor grammar and spelling │
│ - Suspicious sender addresses │
│ - Generic greetings │
│ - Baseline measurement │
│ │
│ Level 2 - Moderate: │
│ - Better crafted content │
│ - Plausible scenarios │
│ - Some personalization │
│ │
│ Level 3 - Difficult (targeted): │
│ - Highly personalized (spear phishing) │
│ - Legitimate-looking domains │
│ - Current events/company context │
│ - Tests advanced users │
│ │
│ By Theme: │
│ - IT notifications (password reset, system update) │
│ - HR/Benefits (policy update, benefits enrollment) │
│ - Financial (invoice, payment confirmation) │
│ - Authority (CEO request, legal notice) │
│ - Curiosity (package delivery, document shared) │
│ - Fear (account suspended, security alert) │
│ - Current events (tax season, COVID, elections) │
└─────────────────────────────────────────────────────────────┘
SIMULATION PROCESS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ PLAN │──►│ SEND │──►│ MEASURE │ │
│ │ │ │ │ │ │ │
│ └──────────┘ └──────────┘ └────┬─────┘ │
│ │ │
│ ▼ │
│ ┌──────────┐ │
│ │ EDUCATE │ │
│ │ │ │
│ └────┬─────┘ │
│ │ │
│ ▼ │
│ ┌──────────┐ │
│ │ IMPROVE │ │
│ │ │ │
│ └──────────┘ │
│ │
│ Plan: │
│ - Select template/theme │
│ - Define target audience │
│ - Schedule campaign │
│ - Prepare education content │
│ │
│ Send: │
│ - Deploy simulation │
│ - Stagger sending so early recipients don't warn the rest │
│ - Allowlist the simulation sender with the mail-security │
│ team and brief the SOC/helpdesk in advance, so the lure │
│ isn't blocked and reports aren't worked as a live incident │
│ - Monitor for issues │
│ │
│ Measure: │
│ - Track opens, clicks, submissions │
│ - Track reports (people reporting the phish) │
│ - Segment by department, role, location │
│ │
│ Educate: │
│ - Immediate teachable moment for clickers │
│ - Positive reinforcement for reporters │
│ - Share aggregate results │
│ │
│ Improve: │
│ - Identify patterns and high-risk groups │
│ - Target additional training │
│ - Adjust program based on results │
└─────────────────────────────────────────────────────────────┘
Handling Results:
Phishing Simulation Best Practices:
WHAT TO DO WITH CLICKERS:
┌─────────────────────────────────────────────────────────────┐
│ DO: │
│ ✓ Provide immediate education (landing page explaining │
│ what happened and what to look for) │
│ ✓ Offer additional training resources │
│ ✓ Track for patterns (repeat clickers) │
│ ✓ Provide individualized coaching for high-risk users │
│ ✓ Focus on learning, not punishment │
│ │
│ DON'T: │
│ ✗ Publicly shame or humiliate │
│ ✗ Use results for performance reviews, at least until │
│ the program is mature and trusted │
│ ✗ Send to HR immediately │
│ ✗ Create fear that discourages reporting │
│ │
│ For Persistent Repeat Clickers: │
│ - One-on-one training session │
│ - Manager involvement (supportive, not punitive) │
│ - Additional technical controls (e.g. stricter link │
│ rewriting/sandboxing, reduced privileges for the role) │
│ - Consider role fit for high-risk positions │
└─────────────────────────────────────────────────────────────┘
ENCOURAGING REPORTING:
┌─────────────────────────────────────────────────────────────┐
│ Report rate is as important as click rate: │
│ │
│ - Make reporting easy (one-click button in email client) │
│ - Celebrate reporters ("You helped protect the company!") │
│ - Track and publicize report rate │
│ - Respond to reports (even simulations) │
│ - Never punish someone for reporting │
│ │
│ Goal progression: │
│ - Initial: Reduce click rate │
│ - Mature: Increase report rate │
│ - Advanced: Report rate > click rate │
│ │
│ A user who clicks but reports is better than one who │
│ clicks and hides it │
└─────────────────────────────────────────────────────────────┘
METRICS TO TRACK:
┌─────────────────────────────────────────────────────────────┐
│ Primary Metrics: │
│ - Click rate (% who clicked link) │
│ - Submission rate (% who entered credentials) │
│ - Report rate (% who reported the phish) │
│ │
│ Secondary Metrics: │
│ - Time to click (how quickly people click) │
│ - Time to report │
│ - Repeat clicker rate │
│ - Click rate by department/role │
│ - Trend over time │
│ │
│ Industry Benchmarks: │
│ - Average click rate: 10-15% │
│ - Well-trained organizations: <5% │
│ - Report rate: varies widely (20-80%) │
│ │
│ Note: Difficulty affects rates—compare like to like │
└─────────────────────────────────────────────────────────────┘
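The Measure step and the metrics list above, carried out on data. This is an added example written for this page, not code from the course or from any simulation platform. The event log, recipients, departments, timings and prior-campaign clicker sets are constructed; a real platform export carries the same fields under its own names.

```python
"""Campaign metrics for a phishing simulation, computed from an event log.

Added example for this page, not code from the course or from a simulation
platform. Recipients, departments, events, timings and prior-campaign
clicker sets are constructed for illustration.
"""
from collections import defaultdict

# Constructed data: everyone the lure was sent to, with their department.
RECIPIENTS = {
    "alice": "Finance", "bob": "Finance",
    "carol": "Engineering", "dave": "Engineering",
    "erin": "HR", "frank": "HR",
    "grace": "Sales", "heidi": "Sales",
}

# Constructed events: (user, event type, seconds after the lure was sent).
# Event types mirror the page's Measure step: open, click, submit, report.
EVENTS = [
    ("alice", "open", 40), ("alice", "click", 61), ("alice", "submit", 95),
    ("bob", "open", 120), ("bob", "report", 300),
    ("carol", "open", 15), ("carol", "click", 30), ("carol", "report", 400),
    ("dave", "report", 900),
    ("erin", "open", 50), ("erin", "click", 70),
    ("frank", "open", 3000),
    ("grace", "report", 200),
    # heidi: no interaction at all
]

# Constructed: users who clicked in earlier campaigns of the same difficulty
# level (compare like to like, as the page notes).
PRIOR_CLICKERS = [{"alice", "erin", "frank"}, {"erin"}]


def _median(values):
    """Median of a collection of numbers, or None if it is empty."""
    s = sorted(values)
    if not s:
        return None
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2


def campaign_metrics(recipients, events, prior_clickers=()):
    """Return the page's primary and secondary metrics for one campaign.

    Every rate uses the number of recipients as its denominator, so campaigns
    of different sizes compare directly. A user who clicks and then reports
    is in both sets and is listed separately: that is the behaviour the page
    wants to reward, so it should not be hidden inside the click rate.
    Time-to-click / time-to-report use each user's earliest such event.
    """
    clicked, submitted, reported = set(), set(), set()
    first_click, first_report = {}, {}
    for user, event, secs in events:
        if event == "click":
            clicked.add(user)
            first_click[user] = min(first_click.get(user, secs), secs)
        elif event == "submit":
            submitted.add(user)
        elif event == "report":
            reported.add(user)
            first_report[user] = min(first_report.get(user, secs), secs)

    n = len(recipients)
    repeat = {u for u in clicked if any(u in prev for prev in prior_clickers)}

    # Segment by department: the page's "identify high-risk groups" step.
    per_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for user, dept in recipients.items():
        per_dept[dept]["sent"] += 1
        per_dept[dept]["clicked"] += int(user in clicked)
        per_dept[dept]["reported"] += int(user in reported)

    return {
        "click_rate": len(clicked) / n,
        "submission_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "clicked_then_reported": sorted(clicked & reported),
        "median_seconds_to_click": _median(first_click.values()),
        "median_seconds_to_report": _median(first_report.values()),
        "repeat_clickers": sorted(repeat),
        "by_department": {
            d: {"click_rate": c["clicked"] / c["sent"],
                "report_rate": c["reported"] / c["sent"]}
            for d, c in per_dept.items()
        },
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(RECIPIENTS, EVENTS, PRIOR_CLICKERS).items():
        print(f"{key}: {value}")
```

On the constructed data the report rate (50%) already exceeds the click rate (37.5%), the "advanced" goal in the box above, while HR shows a click with no reports and Engineering reports every lure it sees; that is the per-segment view the Improve step acts on.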
Key insight: The goal is learning, not catching people. Punitive approaches backfire and discourage reporting.
4) Building Security Culture
Culture goes beyond training—it's how security is embedded in organizational DNA:
Security Culture Model:
CULTURE DIMENSIONS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ KNOWLEDGE │ │
│ │ Do people know what to do? │ │
│ │ - Understand threats and risks │ │
│ │ - Know policies and procedures │ │
│ │ - Know how to report and get help │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ ATTITUDE │ │
│ │ Do people care about security? │ │
│ │ - Believe security is important │ │
│ │ - Feel personal responsibility │ │
│ │ - Positive view of security team │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ BEHAVIOR │ │
│ │ Do people act securely? │ │
│ │ - Follow policies consistently │ │
│ │ - Report suspicious activity │ │
│ │ - Make secure choices unprompted │ │
│ └─────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ NORMS │ │
│ │ Is security "how we do things here"? │ │
│ │ - Peer expectations and accountability │ │
│ │ - Security integrated into processes │ │
│ │ - Visible leadership commitment │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
CULTURE MATURITY LEVELS:
┌─────────────────────────────────────────────────────────────┐
│ Level 1 - Compliance: │
│ - Security is imposed requirement │
│ - People do minimum to avoid trouble │
│ - "I have to do this" │
│ │
│ Level 2 - Awareness: │
│ - People understand why security matters │
│ - Follow rules but may not internalize │
│ - "I should do this" │
│ │
│ Level 3 - Ownership: │
│ - Security is personal responsibility │
│ - Proactive secure behaviors │
│ - "I want to do this" │
│ │
│ Level 4 - Embedded: │
│ - Security is "how we work" │
│ - Peers reinforce secure behavior │
│ - "We all do this" │
│ │
│ Level 5 - Champion: │
│ - Employees actively promote security │
│ - Security innovation from all levels │
│ - "We lead on this" │
└─────────────────────────────────────────────────────────────┘
Building Culture:
Culture Building Strategies:
LEADERSHIP COMMITMENT:
┌─────────────────────────────────────────────────────────────┐
│ Visible executive support: │
│ - CEO messages about security importance │
│ - Executives complete training (visibly) │
│ - Security in company communications │
│ - Resources allocated to security │
│ - Security discussed in all-hands │
│ │
│ Actions speak louder: │
│ - Executives follow same rules │
│ - No "exceptions for important people" │
│ - Security prioritized when it conflicts with convenience │
│ - Recognition for security-conscious behavior │
└─────────────────────────────────────────────────────────────┘
SECURITY CHAMPIONS PROGRAM:
┌─────────────────────────────────────────────────────────────┐
│ Embed security advocates throughout organization: │
│ │
│ Champion Responsibilities: │
│ - First point of contact for security questions │
│ - Promote security awareness in their team │
│ - Provide feedback to security team │
│ - Help roll out new security initiatives │
│ - Model good security behavior │
│ │
│ Selection Criteria: │
│ - Interest in security (volunteers preferred) │
│ - Respected by peers │
│ - Good communicators │
│ - Diverse representation across organization │
│ │
│ Support Champions: │
│ - Regular training and updates │
│ - Recognition and rewards │
│ - Access to security team │
│ - Clear role definition │
└─────────────────────────────────────────────────────────────┘
POSITIVE REINFORCEMENT:
┌─────────────────────────────────────────────────────────────┐
│ Reward good behavior (not just punish bad): │
│ │
│ Recognition Programs: │
│ - "Security Star" awards │
│ - Public recognition for reporting threats │
│ - Team recognition for good metrics │
│ - Security leaderboards (gamification) │
│ │
│ Tangible Rewards: │
│ - Gift cards for catching phishing │
│ - Team celebrations for milestones │
│ - Swag for security champions │
│ - Bonus consideration for security contributions │
│ │
│ Social Rewards: │
│ - Thank-you notes from CISO │
│ - Mention in company communications │
│ - Peer recognition │
└─────────────────────────────────────────────────────────────┘
REDUCING FRICTION:
┌─────────────────────────────────────────────────────────────┐
│ Make secure behavior easy: │
│ │
│ - Single sign-on (fewer passwords to manage) │
│ - Password managers (provided by company) │
│ - One-click phishing report button │
│ - Clear, simple policies │
│ - Helpful, not punitive security team │
│ - Security tools that don't slow work │
│ │
│ If security is harder than insecurity, people will │
│ choose insecurity │
└─────────────────────────────────────────────────────────────┘
Key insight: Culture is what people do when no one is watching. Build it through consistent actions, not just words.
5) Measuring Awareness Effectiveness
Demonstrating that awareness programs actually work requires thoughtful measurement:
Awareness Metrics:
MEASUREMENT FRAMEWORK:
┌─────────────────────────────────────────────────────────────┐
│ INPUT METRICS (What we do): │
│ - Training completion rates │
│ - Number of awareness communications │
│ - Phishing simulations conducted │
│ - Security events held │
│ - Budget spent on awareness │
│ │
│ OUTPUT METRICS (Immediate results): │
│ - Training assessment scores │
│ - Phishing simulation click rates │
│ - Phishing report rates │
│ - Policy acknowledgment rates │
│ │
│ OUTCOME METRICS (Behavior change): │
│ - Human-caused incident rate │
│ - Policy violation trends │
│ - Self-reported security issues │
│ - Help desk security questions │
│ - Audit findings related to human factors │
│ │
│ IMPACT METRICS (Business value): │
│ - Cost savings from prevented incidents │
│ - Reduced breach risk │
│ - Compliance achievement │
│ - Insurance premium impact │
└─────────────────────────────────────────────────────────────┘
KEY METRICS DASHBOARD:
┌─────────────────────────────────────────────────────────────┐
│ SECURITY AWARENESS METRICS │
├─────────────────────────────────────────────────────────────┤
│ │
│ TRAINING │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Completion Rate: 92% (Target: 95%) Trend: ↑ │ │
│ │ Overdue Training: 38 employees │ │
│ │ Avg Assessment Score: 84% (Target: 80%) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │
│ PHISHING SIMULATIONS (Last 12 Months) │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Click Rate: 8% ▼ (was 15% 12 months ago) │ │
│ │ Report Rate: 45% ↑ (was 22% 12 months ago) │ │
│ │ Repeat Clickers: 12 employees (focused training) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │
│ INCIDENTS (Human Factor) │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Phishing Compromises: 2 (down from 8 last year) │ │
│ │ Credential Sharing: 1 incident │ │
│ │ Data Handling Violations: 3 │ │
│ │ User-Reported Threats: 127 (↑ - good!) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │
│ CULTURE INDICATORS │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Survey: "Security is everyone's responsibility" │ │
│ │ Agree/Strongly Agree: 78% (↑ from 65%) │ │
│ │ │ │
│ │ Survey: "I know how to report security concerns" │ │
│ │ Agree/Strongly Agree: 91% (↑ from 72%) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
Culture Assessment:
Security Culture Survey:
SAMPLE SURVEY QUESTIONS:
┌─────────────────────────────────────────────────────────────┐
│ Knowledge: │
│ - I know how to identify a phishing email │
│ - I understand the data classification policy │
│ - I know how to report a security incident │
│ │
│ Attitude: │
│ - Security is important to me personally │
│ - I believe security is everyone's responsibility │
│ - I trust the security team to help me │
│ - Security policies are reasonable and fair │
│ │
│ Behavior: │
│ - I would report a suspicious email even if unsure │
│ - I lock my computer when leaving my desk │
│ - I verify unusual requests before acting │
│ - I feel comfortable asking security questions │
│ │
│ Norms: │
│ - My manager emphasizes the importance of security │
│ - My coworkers follow security policies │
│ - Our team discusses security regularly │
│ - People who report security issues are appreciated │
│ │
│ Scale: Strongly Disagree to Strongly Agree (1-5) │
│ Track scores over time, segment by department │
└─────────────────────────────────────────────────────────────┘
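Scoring that survey: an added example for this page, not the course's instrument or a vendor export. Item codes, respondents, departments and the five-respondent minimum for reporting a segment are assumptions. The minimum matters: a per-team score from two people is those two people's answers, and candour disappears once staff realise that.

```python
"""Scoring a security-culture survey by dimension and by department.

Added example for this page, not the course's own instrument. Item codes,
respondents and departments are constructed; the statements are the page's.
Responses use the page's 1-5 scale; 4 or 5 counts as Agree/Strongly Agree,
which is the figure the dashboard reports.
"""
from collections import defaultdict

# Item code -> (dimension, statement).
ITEMS = {
    "K1": ("Knowledge", "I know how to identify a phishing email"),
    "K2": ("Knowledge", "I know how to report a security incident"),
    "A1": ("Attitude", "I believe security is everyone's responsibility"),
    "A2": ("Attitude", "I trust the security team to help me"),
    "B1": ("Behavior", "I would report a suspicious email even if unsure"),
    "B2": ("Behavior", "I verify unusual requests before acting"),
    "N1": ("Norms", "My manager emphasizes the importance of security"),
    "N2": ("Norms", "People who report security issues are appreciated"),
}

# Constructed responses: one dict per anonymous respondent.
RESPONSES = [
    {"dept": "Finance", "K1": 5, "K2": 4, "A1": 5, "A2": 3, "B1": 4, "B2": 5, "N1": 2, "N2": 3},
    {"dept": "Finance", "K1": 4, "K2": 4, "A1": 4, "A2": 4, "B1": 3, "B2": 4, "N1": 3, "N2": 2},
    {"dept": "Engineering", "K1": 5, "K2": 5, "A1": 4, "A2": 5, "B1": 5, "B2": 4, "N1": 4, "N2": 5},
    {"dept": "Engineering", "K1": 3, "K2": 2, "A1": 4, "A2": 4, "B1": 4, "B2": 3, "N1": 5, "N2": 4},
]


def _dimension_scores(responses, items, agree_threshold):
    """Mean score and agree-fraction per dimension over the given responses."""
    values = defaultdict(list)
    for r in responses:
        for code, (dimension, _statement) in items.items():
            if code in r:
                values[dimension].append(r[code])
    return {
        d: {"mean": sum(v) / len(v),
            "agree": sum(1 for x in v if x >= agree_threshold) / len(v),
            "n_answers": len(v)}
        for d, v in values.items()
    }


def score_survey(responses, items=ITEMS, agree_threshold=4, min_respondents=5):
    """Overall scores plus a per-department breakdown.

    Segments with fewer than `min_respondents` are suppressed rather than
    reported (an assumed threshold): a small team's score identifies
    individuals, and honest answers stop once people realise that.
    """
    overall = _dimension_scores(responses, items, agree_threshold)
    by_dept = defaultdict(list)
    for r in responses:
        by_dept[r["dept"]].append(r)
    segments, suppressed = {}, []
    for dept, rs in sorted(by_dept.items()):
        if len(rs) < min_respondents:
            suppressed.append(dept)
        else:
            segments[dept] = _dimension_scores(rs, items, agree_threshold)
    weakest = min(overall, key=lambda d: overall[d]["mean"])
    return {"overall": overall, "by_department": segments,
            "suppressed": suppressed, "weakest_dimension": weakest}


def delta(previous, current):
    """Change in agree-fraction per dimension between two survey rounds."""
    return {d: current["overall"][d]["agree"] - previous["overall"][d]["agree"]
            for d in current["overall"] if d in previous["overall"]}


if __name__ == "__main__":
    result = score_survey(RESPONSES, min_respondents=2)
    for d, s in result["overall"].items():
        print(f"{d:10s} mean={s['mean']:.2f} agree={s['agree']:.0%}")
    print("weakest dimension:", result["weakest_dimension"])
    print("suppressed segments:", result["suppressed"])
```

With the default threshold both constructed departments are suppressed and only the overall figures are reportable; lowering the threshold to two (only sensible for a demo) exposes that Norms is weakest overall and that the gap sits in Finance, which is the kind of finding that turns a survey into a targeted intervention.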
DEMONSTRATING ROI:
┌─────────────────────────────────────────────────────────────┐
│ Calculating awareness program value: │
│ │
│ Cost Avoidance: │
│ - Phishing incidents prevented │
│ (click rate reduction × estimated incident cost) │
│ - BEC attempts thwarted │
│ - Malware infections avoided │
│ │
│ Example (each line is an assumption unless measured): │
│ - Phishing click rate reduced from 15% to 5% │
│ - 10% of real clicks would become an incident │
│ - Average incident cost: $50,000 │
│ - 500 employees, each assumed to face 12 real lures/year │
│ (simulation click rate used as a proxy for real-world │
│ click rate) │
│ - Fewer clicks: (15% × 500 × 12) - (5% × 500 × 12) │
│ = 900 - 300 = 600 fewer clicks │
│ - Potential incidents prevented: 600 × 10% = 60 │
│ - Cost avoided: 60 × $50,000 = $3,000,000 │
│ - Program cost: $100,000 │
│ - ROI: ($3,000,000 - $100,000) / $100,000 = 2900% │
│ │
│ Note: every input is an estimate; state the assumptions │
│ and show how the result moves when they change │
└─────────────────────────────────────────────────────────────┘
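The cost-avoidance model above as a small calculator, added for this page (not the course's own tool). It carries the page's inputs (500 employees, 12 lures per year, click rate 15% to 5%, 10% of clicks becoming a $50,000 incident, $100,000 program cost) through the arithmetic and also computes the break-even click-to-incident probability, which is the number a skeptical CFO will ask for. That simulation click rate tracks real-world click rate is the model's assumption, not a measured fact.

```python
"""Cost-avoidance and ROI estimate for an awareness program.

Added example for this page; not the course's own calculator. It makes the
page's model explicit: simulation click rate stands in for real-world click
rate, every employee is assumed to face `lures_per_year` real phishing
emails, and a fixed fraction of clicks becomes an incident with a fixed
average cost. Every input is an assumption, so the block also reports the
break-even point for the shakiest one.
"""


def cost_avoided(employees, lures_per_year, baseline_click_rate,
                 current_click_rate, incident_prob_per_click, incident_cost):
    """Return (fewer_clicks, incidents_prevented, dollars_avoided)."""
    fewer_clicks = employees * lures_per_year * (baseline_click_rate - current_click_rate)
    incidents_prevented = fewer_clicks * incident_prob_per_click
    return fewer_clicks, incidents_prevented, incidents_prevented * incident_cost


def roi(dollars_avoided, program_cost):
    """ROI as a fraction of program cost: 29.0 means 2900%."""
    return (dollars_avoided - program_cost) / program_cost


def breakeven_incident_prob(employees, lures_per_year, baseline_click_rate,
                            current_click_rate, incident_cost, program_cost):
    """Click-to-incident probability at which the program exactly pays for itself.

    If you cannot defend a probability at least this high, the cost-avoidance
    argument does not hold; present this number next to the headline ROI.
    """
    fewer_clicks = employees * lures_per_year * (baseline_click_rate - current_click_rate)
    return program_cost / (fewer_clicks * incident_cost)


if __name__ == "__main__":
    # The page's worked figures.
    clicks, incidents, avoided = cost_avoided(500, 12, 0.15, 0.05, 0.10, 50_000)
    print(f"fewer clicks: {clicks:.0f}, incidents prevented: {incidents:.0f}")
    print(f"cost avoided: ${avoided:,.0f}, ROI: {roi(avoided, 100_000):.0%}")
    print("break-even click-to-incident probability: "
          f"{breakeven_incident_prob(500, 12, 0.15, 0.05, 50_000, 100_000):.2%}")
```

With the page's inputs the program breaks even if just one click in 300 turns into a $50,000 incident, so the conclusion survives a much more conservative incident assumption than the 10% used in the headline figure; that is the honest way to present an estimate built on assumptions.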
Key insight: Measure behavior change and business impact, not just training completion checkboxes.
Real-World Context
Case Study: Transforming Security Culture
A manufacturing company had a 25% phishing click rate and viewed security as "IT's problem." Leadership committed to change: the CEO opened the next all-hands talking about a recent industry breach and why security mattered, managers were measured on their teams' security metrics, a security champions program recruited volunteers from each department, phishing simulations became monthly with immediate feedback, and reporters were publicly thanked. Two years later, click rates dropped to 4%, report rates exceeded 60%, and employee surveys showed 85% felt "security is part of my job." Key factor: sustained leadership commitment, not just a training program.
Case Study: Phishing Simulation Backlash
An organization launched phishing simulations without communication or context. The first simulation was sent during a stressful project deadline using a template that looked like a company benefit announcement. When employees discovered it was a test, there was significant backlash: employees felt tricked, union representatives complained, and the security team lost credibility. They relaunched with a different approach: announced the program in advance, explained the purpose (learning, not punishment), started with easier simulations, focused on education rather than metrics, and celebrated improvements. Trust was rebuilt over time.
Awareness Program Quick Reference:
Awareness Program Checklist:
PROGRAM FOUNDATION:
□ Executive sponsorship secured
□ Objectives and metrics defined
□ Budget and resources allocated
□ Roles and responsibilities assigned
□ Communication plan developed
TRAINING PROGRAM:
□ Content developed/selected for all audiences
□ Role-based training identified
□ Delivery methods selected
□ Training schedule established
□ Tracking mechanism in place
PHISHING SIMULATION:
□ Platform selected and configured
□ Templates developed/customized
□ Reporting mechanism enabled
□ Education content prepared
□ Escalation process for repeat clickers
CULTURE BUILDING:
□ Leadership commitment visible
□ Security champions identified
□ Recognition program established
□ Feedback channels created
□ Friction points identified and addressed
MEASUREMENT:
□ Baseline metrics established
□ Dashboard created
□ Survey developed
□ Regular reporting cadence
□ Continuous improvement process
Awareness programs fail when they're checkbox exercises. They succeed when they're genuine efforts to help people protect themselves and the organization.
Metrics Spotlight: Executive Security Scorecard
Executives need a short list of metrics that translate security performance into business impact.
Board-Level Metrics:
- Critical risk backlog (count + trend)
- MTTD / MTTR for high-severity incidents
- % of crown-jewel systems with full control coverage
- Phishing report rate vs click rate
- Security control exceptions and age
- Top 3 risk reduction wins this quarter
Guidance:
Use trend lines and context. Show why the numbers
matter to revenue, uptime, or regulatory exposure.
Guided Lab: Awareness Program Design
In this lab, you'll design a comprehensive security awareness and culture program.
Lab Scenario:
- 500-person professional services firm
- Recent phishing incident compromised credentials
- Current awareness: annual compliance training only
- No phishing simulation program
- Leadership wants to "improve security culture"
Exercise Steps:
- Assess current state and gaps
- Define program objectives and success metrics
- Design training curriculum
- Create phishing simulation program
- Design security champions program
- Develop communication plan
- Create culture survey
- Build awareness metrics dashboard
Reflection Questions:
- How would you get buy-in from skeptical employees?
- What would you do about persistent repeat clickers?
- How would you demonstrate program value to leadership?
Week Outcome Check
By the end of this week, you should be able to:
- Explain why humans are targeted and how they fail at security
- Design comprehensive security awareness programs
- Apply adult learning principles to security training
- Implement effective phishing simulation programs
- Build security culture beyond compliance
- Establish security champions programs
- Measure awareness program effectiveness
- Demonstrate ROI of awareness investments
🎯 Hands-On Labs (Free & Essential)
Build security awareness programs with practical training design and culture-building exercises.
🎓 Security Awareness Program Design
What you'll do: Create comprehensive awareness programs—develop training
modules, design phishing simulations, measure effectiveness.
Why it matters: People are the most frequently attacked link; training turns
them into an active defense layer.
Time estimate: 3-4 hours
🎯 Phishing Simulation Lab
What you'll do: Design and execute phishing simulations—create campaigns,
analyze results, provide targeted training.
Why it matters: Simulations build muscle memory for spotting real phishing
attempts.
Time estimate: 2-3 hours
🏢 Security Culture Assessment
What you'll do: Assess organizational security culture—conduct surveys,
identify gaps, design culture change initiatives.
Why it matters: Culture eats policy for breakfast—sustainable security
requires cultural change.
Time estimate: 2-3 hours
📊 Executive Metrics Brief
What you'll do: Build a one-page executive metrics brief with leading and
lagging indicators.
Why it matters: Clear metrics sustain leadership support and budget
alignment.
Time estimate: 1-2 hours
💡 Lab Strategy: Make training engaging and relevant—boring compliance training teaches people to ignore security messages.
Resources
Lab
Complete the following lab exercises to practice security awareness concepts.