Security Awareness Training — Program Generator

WALKTHROUGH VIDEO Learn how to create a training program!

Step 1 of 7

Introduction

Overview

This tool provides you with a security awareness training program tailored to meet your specific needs. The information needed to generate this program is captured in a multi-step interactive wizard where you'll be asked for information about your organization, compliance and regulatory needs, and training objectives.

Benefits

Industry Benchmarking: This tool will give you unique insights into what you can do to create a modern training program that adheres to common compliance frameworks and regulatory standards.
Improved Employee Engagement: By understanding what your objectives are, this tool can provide a variety of practices and recommendations that will improve employee engagement with your training program.
Targeted Training Content: By identifying your unique needs, this tool will identify relevant and impactful training content.
Targeted Phishing Content: By identifying unique organizational attributes, this tool will identify relevant and realistic phishing content.

Important Note: Upon completion of this wizard, you’ll be provided with a unique 12-character program code which can be used to save and return to your program at any time.

Step 2 of 7

Organization Information

Organization Name Please enter your organization name.

Organization Size

Organization Industry

Geographic Location

Spoken Language

Step 6 of 7

Content Selection

Step 7 of 7

Security Awareness Training Program

Overview

The security awareness training program establishes a framework for delivering comprehensive training on information security to all employees of . This program aims to equip employees with knowledge and skills essential for protecting 's information assets and to foster a culture of security awareness within .

Purpose

Though technical security measures form an essential component of our overall information security strategy, they alone cannot fully protect our information assets. A truly effective defense against cyber threats also hinges on the informed and active participation of every staff member, who must work in concert with these technological safeguards. This need becomes particularly clear in the face of tactics like social engineering, which aim to exploit human vulnerabilities rather than technological weaknesses.

Without a solid foundation in information security awareness, our employees may not effectively identify or respond to security challenges, potentially exposing our critical data to risks. Therefore, it is crucial that every employee is not only aware of but also engaged with the latest security practices and threats. This ensures they are well-prepared to contribute to our collective security efforts and uphold their responsibilities in safeguarding our valuable information assets.

Requirements

The security awareness training program must ensure the following requirements are met:

Employees must be capable of achieving and maintaining an level of knowledge as it relates to information and cyber security. This includes knowledge of the compliance frameworks and regulatory standards that adheres to. Notably, .
New employees must begin receiving general and, where applicable, specialized employee training material within 2 weeks of joining . This training material must be sufficient to ensure that all newly joined employees can obtain an level of knowledge as it relates to information and cyber security.
Employees who perform specialized functions or activities that are not otherwise addressed by general employee training must undertake additional specialty training. Examples of this include IT Administration, Software Development, Credit Card Handling, and Remote Working.
Training assignments must be supplemented with practical phishing simulations. The frequency and difficulty of these simulations must be based on each employee's unique phish risk profile.

Scope

This program applies to all employees, contractors, and third-party personnel who have access to 's information systems and data.

This section outlines the specific training activities that employees receive to ensure they have a well-rounded training experience. Notably, formal security awareness training is provided through the delivery of digital assignments, and practical training is provided through the delivery of simulated phishing material.

requires that each employee obtain and maintain an level of knowledge as it relates to information and cyber security. To support this, runs security awareness training activities to address the unique requirements of each employee.

New Employee Training

Scope: New employees must participate within 2 weeks of their start date.
Frequency: Once
Training Assignments: Employees must complete all the specified training modules.
Due Date: 14 days after assignment

General Employee Training

Scope: All employees must participate.
Frequency: Monthly
Training Assignments: Employees must complete one of the specified training modules, selected with intelligent assignment.
Due Date: 14 days after assignment

Specialty Employee Training

Scope: All employees who perform one of the following activities must participate: .
Frequency: Yearly
Training Assignments: Employees must complete the training module corresponding to their specialized activity.
Due Date: 14 days after assignment

Supporting Information

Intelligent Assignment: Machine learning is used to identify the most suitable training for an employee based on their security intelligence profile and previously completed training assignments.

requires that each employee participate in periodic simulated phishing activities to reinforce security awareness training and reduce the risk associated with social engineering attacks. To support this, runs three simulated phishing activities grouped by employee risk profiles to address the unique risk-based needs of each employee.

Scope: All employees must participate.
Frequency: Monthly
Phishing Content: Employees must receive a phishing message that includes but is not limited to those specified below:

High Risk Employees

Scope: All high risk employees must participate.
Frequency: Weekly
Phishing Content: Employees must receive a phishing message with an easy difficulty rating that includes but is not limited to those specified below:

Medium Risk Employees

Scope: All medium risk employees must participate.
Frequency: Monthly
Phishing Content: Employees must receive a phishing message with a moderate difficulty rating that includes but is not limited to those specified below:

Low Risk Employees

Scope: All low risk employees must participate.
Frequency: Quarterly
Phishing Content: Employees must receive a phishing message with a hard difficulty rating that includes but is not limited to those specified below:

Supporting Information

Phishing Content Difficulty: The difficulty of a phishing message is defined by the percentage-based likelihood of payload interaction by the average employee. The difficulty ratings and their respective interaction ranges are outlined below:

Phish Difficulty Rating	Payload Interaction Likelihood
Hard Difficulty	30%+
Moderate Difficulty	20-29%
Easy Difficulty	0-19%

Remedial Actions: In the event that an employee falls victim to a simulated phishing message, they will receive an immediate training assignment on Phishing or Cybersecurity Fundamentals. Additionally, if they fall victim to a simulated phishing website, they will be redirected to an educational page that provides a walkthrough of the exact phish they received, along with a variety of other phishing-related educational information.

This section outlines the expectations that holds for all its employees to meet the requirements of this security awareness training program.

Compliance

Employees are expected to demonstrate their commitment to cybersecurity through the following actions, which adhere to the security awareness training program:

Completion of training assignments on or before the designated due date.
Obtaining a passing score for training assignments within three attempts.
Avoiding interaction with both simulated and real phishing payloads (i.e. clicking links, replying, or downloading attachments).
Reporting suspected phishing attempts to the IT security team.

Non-Compliance

Actions that constitute non-compliance with the security awareness training program include:

Clicking on a link from a real or simulated phishing message.
Entering credentials or sensitive information into a real or simulated phishing website.
Downloading an attachment from a real or simulated phishing message.
Responding to a real or simulated phishing message with any information.
Not completing training assignments on or before the designated due date.
Taking more than three attempts to pass a training assignment.

Information on the penalties associated to repeated and ongoing employee non-compliance can be found in Appendix A - Employee Non-Compliance Schedule.

This section outlines the specific capabilities that utilizes to ensure employee training activities are engaging and address the specific training requirements of each individual employee.

Gamification

To enhance the employee learning and training experience, utilizes a badge-based gamification system to encourage positive cyber behaviors. Employees are rewarded for positive behaviors and penalized for negative behaviors through the assignment of badges. This method of gamification is designed to incentivize participation in training activities through passive, consistent, and measurable feedback.

The introduction of this gamification strategy aims to make cybersecurity training more engaging and to promote a culture where security is everyone's responsibility. By rewarding positive security actions with badges, intends to foster a competitive and collaborative environment, highlighting the importance of each employee's role in maintaining 's cybersecurity posture.

Information on available badges and their corresponding rewards or penalties can be found in Appendix B – Gamification Metrics Schedule.

Security Intelligence Profiling

A security intelligence profiling system is utilized to customize and optimize cybersecurity training across the workforce. This profiling system evaluates the cybersecurity skill levels of individual employees, categorizing them into three distinct tiers: Beginner Level, Intermediate Level, and Advanced Level. This categorization is pivotal in tailoring the complexity and focus of training assignments to match the learning needs and capabilities of each employee effectively.

Employees identified at the Beginner Level are provided with training materials that are less complex and more introductory in nature. This ensures that foundational cybersecurity concepts are clearly understood, forming a solid base for their skill development. On the other hand, employees at higher skill levels, such as those classified as Intermediate or Advanced, receive training assignments that delve into more complex and challenging cybersecurity concepts. This approach not only keeps them engaged but also enhances their expertise and preparedness for sophisticated cyber threats.

As part of ’s ongoing efforts to create a company-wide culture of cybersecurity awareness, an organizational baseline has been established whereby employees are expected to achieve and maintain an level of skill as it relates to information and cyber security.

Information on how security intelligence profiles are calculated can be found in .

Phish Risk Profiling

To ensure that employees uniformly excel in identifying phishing content unaffected by prior knowledge, biases, or perceptions, employs a risk-based profiling system. This system is designed to evaluate and categorize the phishing risk each employee poses to . Through comprehensive risk profiling, can tailor simulated phishing exercises to the specific needs and risk levels of its employees.

By assessing previous interactions with simulated phishing emails, employees are assigned a phish risk profile of Low, Medium, or High Risk. This classification directly influences the nature and frequency of the simulated phishing activities each employee will participate in.

Employees with a high phish risk profile will participate more frequently in simulated phishing activities, but the phishing content will be easier to detect. Conversely, employees with a Low-Risk profile will participate less often but will receive more sophisticated and harder-to-detect phishing content. This ensures each employee will receive phishing content commensurate with their skill level while there is an overall progression to a consistent level of skill across all employees.

The ultimate goal of employee risk profiling at is not only to identify areas for individual improvement but also to foster a company-wide culture of cybersecurity awareness.

Information on how phish risk profiles are calculated can be found in .

This section outlines the specific roles, responsibilities, and accountabilities associated with the security awareness training program. It is designed to ensure that all parties understand their obligations in contributing to a secure information environment within .

Information Security Team

The Information Security Team holds overall accountability for ensuring the security awareness training program is successful. These accountabilities include:

Program Management: Develop, implement, and maintain an effective security awareness training program tailored to the needs of , ensuring it addresses current security threats and complies with relevant laws and regulations.
Content Development: Regularly update training content, including policies, standards, procedures, and guidelines, to reflect the evolving information security landscape and organizational objectives.
Stakeholder Engagement: Collaborate with various corporate functions to integrate security awareness into the broader organizational culture and processes.

People Managers

Any employee who has direct responsibility for another employee, contractor, or third-party personnel who has access to information systems and data is considered a people manager. People managers are responsible for:

Promotion of Security Culture: Act as champions of information security within their teams, emphasizing the importance of security awareness and adherence to 's policies and procedures.
Ensuring Compliance: Ensure that all team members complete required security awareness training sessions and understand their role in protecting the 's assets.
Support and Enforcement: Provide support to team members in understanding and applying security practices in their daily work and enforce compliance with security policies and training requirements.

All Employees

Any employee, contractor, or third-party personnel who has access to information systems and data is ultimately accountable for ensuring they remain compliant with the requirements of this security awareness training program. Specifically, these accountabilities include:

Active Participation: Complete all mandated security awareness training sessions and engage with the provided materials to understand 's information security policies, standards, and guidelines.
Compliance: Adhere to all applicable information security policies, laws, and regulations in their daily work activities, understanding that this is a personal responsibility.
Vigilance and Reporting: Remain vigilant against security threats and report any suspicious activities or potential security breaches to the Information Security Team.

This appendix defines a progressive series of remedial actions and penalties designed to address non-compliance with the security awareness training program over a rolling 12-month period. These penalties emphasize learning and correction, progressing to more serious consequences for continued non-compliance.

Occurrence	Remedial Action
First Non-Compliance	Immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.	Notification to the affected employee of the recorded non-compliance.
Second Non-Compliance	Immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.	Notification to the affected employee of the recorded non-compliance.
Third Non-Compliance	Immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.	Notification to the affected employee of the recorded non-compliance.
Fourth Non-Compliance	A formal meeting with the Information Security Team and direct supervisor regarding the implications of continued non-compliance, along with the creation of a performance improvement plan. Additionally, immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.
Fifth Non-Compliance	Immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.	Notification to the affected employee of the recorded non-compliance.
Sixth Non-Compliance	A second formal meeting with the Information Security Team, HR representative, and department head to assess the employee's commitment to security and determine necessary adjustments to work processes or access rights. Additionally, the duration of the employee's performance improvement plan will be extended. Additionally, immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.
Seventh Non-Compliance	Immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.	Notification to the affected employee of the recorded non-compliance.
Eighth Non-Compliance	A final review panel including the Information Security Team, HR representative, and relevant executive leadership to decide on employment status, up to and including termination. Additionally, immediate assignment of a training module on Phishing or Cybersecurity Fundamentals.

This appendix defines the schedule of gamification metrics which are used to foster an environment where employees are motivated and rewarded for positive security behaviors. A badge-based system is used to provide this gamification capability. These badges are outlined below:

Badge Name	Badge Description	Badge Type	Badge Score
Unphishable	Never clicked on a phishing email	Phishing	+50 Points
Swimming with sharks	Successfully dodged 10 phishing attacks in a row	Phishing	+50 Points
Anchor duty	Completed all training modules within 1 day of receiving them	Training	+50 Points
Spam samurai	Successfully reported 5 simulated phishing emails	Phishing	+50 Points
PhD in Phishology	Completed all training modules on the first attempt	Training	+25 Points
Swimming with jellyfish	Successfully dodged 5 phishing attacks in a row	Phishing	+20 Points
Phish whisperer	Successfully reported 2 simulated phishing emails	Phishing	+20 Points
Marathon swimmer	Completed all training modules before the due date	Training	+15 Points
Swimming with dolphins	Successfully dodged 2 phishing attacks in a row	Phishing	+10 Points
Sonar detector	Completed a training module within 1 day of receiving it	Training	+10 Points
Phish finder	Successfully reported a simulated phishing email	Phishing	+10 Points
Clickbait	Clicked on an email but reported it to IT	Phishing	+10 Points
Swimming with floaties	Successfully dodged the latest phishing attack	Phishing	+5 Points
School of phish	Failed a training module but then passed with 100%	Training	+5 Points
Phish bait	Fell for two phishing attacks in a row	Phishing	-5 Points
Overboard!	2 assigned training modules are overdue	Training	-5 Points
Phish food	Fell for five phishing attacks in a row	Phishing	-10 Points
Lost at sea	3 assigned training modules are overdue	Training	-10 Points
Phish fingers	Fell for ten phishing attacks in a row	Phishing	-25 Points
Shipwrecked	5 assigned training modules are overdue	Training	-25 Points

This appendix defines the calculation and algorithm used to determine employee security intelligence profiles. An employee's security intelligence score is calculated based on how recently training assignments were completed and the difficulty level of those training assignments.

Security Intelligence Profiling

An employee's security intelligence score determines their security intelligence profile. What these profiles are and their respective score range are outlined below:

Security Intelligence Score	Security Intelligence Profile
70-100	Advanced Level
40-69	Intermediate Level
0-39	Beginner Level

Security Intelligence Scoring

Every training assignment completed in the prior 24-months is factored into an employee's security intelligence score. To calculate this, every training assignment is assigned a number of points based on difficulty:

Training Difficulty	Points Awarded
Beginner Training	15 Intelligence Points
Intermediate Training	20 Intelligence Points
Advanced Training	25 Intelligence Points

A deduction is then applied to each training based on how many months have passed between the current date and the date the training was completed. This deduction reinforces the need to conduct continuous training so the material is kept up-to-date and front-of-mind.

The deduction is represented as a penalization for every month that passes over a 24-month period. E.g. An intermediate training completed 3 months ago will receive 17.5 IQ Points (noting a 12.5% deduction from the available 20 IQ Points).

Example Scenario: An employee joined 3 months ago, and since joining, they have completed 4 training modules, all of which were completed in the first month of their employment.

1st Training: Completed 3 Months Ago (12.5% deduction) - Beginner Skill Level: 13.13 IQ Points
2nd Training: Completed 3 Months Ago (12.5% deduction) - Beginner Skill Level: 13.13 IQ Points
3rd Training: Completed 3 Months Ago (12.5% deduction) - Beginner Skill Level: 13.13 IQ Points
4th Training: Completed 3 Months Ago (12.5% deduction) - Beginner Skill Level: 13.13 IQ Points

Example Security Intelligence Profile: Intermediate Level (52.5/100 IQ Points)

This appendix defines the calculation and algorithm used to determine employee phish risk scores and profiles. An employee's phish risk score is calculated based on their prior interactions with simulated phishing content.

Phish Risk Profiling

An employee's phish risk score determines their phish risk profile. What these profiles are and their respective score range are outlined below:

Risk Score	Risk Profile
70-100	High Risk
40-69	Medium Risk
0-39	Low Risk

Phish Risk Scoring

Every simulated phishing campaign an employee is involved in introduces opportunities to calculate risk.

Each campaign consists of a possible 250 risk points. If an employee responds to an email, then they receive 50 risk points. If an employee interacts with a payload, then they receive 100 risk points. If an employee gets compromised by a payload, they receive all possible risk points - totaling a maximum of 250 for a campaign. If the employee doesn't respond to the email, interact with the payload, or get compromised, then they receive 0 risk points.

Recent campaigns are weighted more heavily than historical campaigns, and this is reflected in the way risk points are scored. Risk points attributed to previous campaigns are weighted 20% lower than the campaign before it.

Example Scenario: An employee has participated in 5 phishing campaigns and has varied success with detecting phishing content.

Most recent campaign: Clicked payload but wasn't compromised: 100/250 risk points
2nd most recent: Didn't click payload and wasn't compromised: 0/250 * 0.8 = 0/200 risk points
3rd most recent: Responded to email, clicked payload, and was compromised: 200/200 * 0.8 = 160/160 risk points
4th most recent: Clicked payload and wasn't compromised: 64/160 * 0.8 = 51.2/128 risk points
5th most recent: Clicked payload and was compromised: 128/128 * 0.8 = 102.4/102.4 risk points

Example Risk Score: Risk Points / Possible Risk Points = 413.6/840.4 = 0.492 * 100 = 49/100 (Medium Risk)

The following security awareness training campaigns will be created. Customize the campaign names as required.

Scope	Training Modules	Configuration
New employees will be assigned all of the specified training modules.		Start Date: Frequency: Once Employee List:
Employees will be assigned one of the specified training modules.		Start Date: Frequency: Employee List:
IT administrators will be assigned the specified training module.	Privileged-User-Best-Practices	Start Date: Frequency: Annually Employee List:
Remote workers will be assigned the specified training module.	Remote-Working	Start Date: Frequency: Annually Employee List:
Software developers will be assigned the specified training module.	Secure-Software-Development	Start Date: Frequency: Annually Employee List:
Credit card handlers will be assigned the specified training module.	Secure-Credit-Card-Handling	Start Date: Frequency: Annually Employee List:

The following simulated phishing campaigns will be created. Feel free to customize the campaign names.

Campaign Name	Scope	Phishing Emails	Configuration
	Employees will be sent one of the specified phishing emails.		Delivery Date: Frequency: Monthly Employee List:
	Low risk employees will be sent one of the specified phishing emails.		Delivery Date: Frequency: Quarterly Employee List:
	Medium risk employees will be sent one of the specified phishing emails.		Delivery Date: Frequency: Monthly Employee List:
	High risk employees will be sent one of the specified phishing emails.		Start Date: Frequency: Weekly Employee List:

The following employee lists will be created. Customize the employee list names as required.

Employee List Name	Scope
	This employee list should contain all employees. Important Note: Update this employee list once created to include all employees.
	This employee list will be linked to the All-Employees employee list and will include a filter to only select those with a high phish risk profile. This list is dynamically updated every 24-hours based on risk scores.
	This employee list will be linked to the All-Employees employee list and will include a filter to only select those with a medium phish risk profile. This list is dynamically updated every 24-hours based on risk scores.
	This employee list will be linked to the All-Employees employee list and will include a filter to only select those with a low phish risk profile. This list is dynamically updated every 24-hours based on risk scores.
	This employee list should contain all IT Administrators. Important Note: Update this employee list once created to include IT Administrators.
	This employee list should contain all Remote Workers. Important Note: Update this employee list once created to include Remote Workers.
	This employee list should contain all Software Developers. Important Note: Update this employee list once created to include Software Developers.
	This employee list should contain all Credit Card Handlers. Important Note: Update this employee list once created to include Credit Card Handlers.

Actions Required:

Update Employee Lists: After creation, the employee lists need to be updated to include the employees outlined in their scope.
Review Start Dates: After creation, the start date of all campaigns are future-dated by at least 1 week to provide sufficient time to update the necessary employee lists. If you’d like these campaigns to deliver earlier or later, simply update the campaign and change the given start date.

Important Notes:

Employee Lists: The following employee lists do not need to be updated: . These employee lists are dynamically populated based on the employee list and then grouped based on the risk rating of individual employees.
New Employees: New employees will be seamlessly injected into and receive immediate training for all campaigns aside from the training campaign. For the campaign, along with all simulated phishing campaigns, new employees will receive the training material at the next occurrence of that campaign (e.g. the following month/quarter).

Looking for a guided walkthrough? Checkout our demonstration video!

Security Awareness Training — Program Generator

Introduction

Overview

Benefits

Organization Information

Framework Selection

Program Scoping

Tools & Applications

Content Selection

Training Content

Simulated Phishing Content

Security Awareness Training Program

Program Statements

Overview

Purpose

Requirements

Scope

Training Activities

Security Awareness Training Activities

New Employee Training

General Employee Training

Specialty Employee Training

Supporting Information

Simulated Phishing Activities

High Risk Employees

Medium Risk Employees

Low Risk Employees

Supporting Information

Employee Compliance

Compliance

Non-Compliance

Employee Engagement

Gamification

Security Intelligence Profiling

Phish Risk Profiling

Roles & Responsibilities

Information Security Team

People Managers

All Employees

Supplemental Information

Appendix A - Employee Non-Compliance Schedule

Appendix B - Gamification Metrics Schedule

Appendix C - Security Intelligence Profile Calculation

Security Intelligence Profiling

Security Intelligence Scoring

Appendix D - Phish Risk Profile Calculation

Phish Risk Profiling

Phish Risk Scoring