
How to Build a Security Awareness Training Program
This is a comprehensive guide on how to build a successful Security Awareness
Training Program for your company. If you are interested in learning how to get
your employees engaged, what learning materials work best, and how to
develop a positive security culture - then you're in the right place!

Contents
1 Security Awareness Training Essentials

2 What Topics Should Security Awareness Include?

3 How to Engage Your Employees

4 How to Get Executive Support for Security Awareness

5 Quick Guide for Setting Up an Ambassador Program

6 Measure the Effectiveness of the Security Awareness Program

www.wizer-training.com
1 Security Awareness Training Essentials

We’re going to discuss the most important things you can do right
away to secure your company without a big budget. The key is to start
simple and build a foundation.

It All Starts With Onboarding…

It’s crucial to instill the importance of security from the very beginning. Cyber criminals often target new hires because they don’t know many co-workers yet and are likely to follow directions from someone who pretends to be an executive.

What's in it for me?

Cyber criminals are indiscriminate and often use the same methods to hack organizations and individuals. People are more accepting of learning when it’s personal. If you make training personal and teach employees how to protect themselves at home, they will soon apply the same behavior at the workplace.

Stay Away From Just Ticking the Compliance Box

After all, we just want our employees to learn something and change their behavior, so take the time to explain why you are implementing the program. If they don't understand the importance of security, then they won't take it seriously. Don’t make it a once-a-year thing; it should be a continuous effort all year long.

Get the Boss (Or Leadership) to Buy In

Show how security training aligns with organizational goals and specific targets. Remind them that they have a huge target on their back because they have access to valuable and sensitive information. This is also where compliance can help.

Getting the Employee to Buy In

Employees will probably complete training if they are forced to; however, it is much better to get their buy-in. Establish a supportive presence by creating a circle of influencers who will act as ambassadors of the training program (see the Ambassador Program section below).

Keep It Simple and Real

Don’t assume employees have a technical background. Use simple terms and real-life examples they can relate to. Make sure not to make it childish; adults don’t appreciate content that looks like it was taken from a kids’ TV show like “Dora the Explorer”.

Make It Easy to Consume

Again, explain why you are implementing the program rather than just assigning it, and keep it a continuous effort all year long rather than a once-a-year event. If people don't understand why it matters, they won't take it seriously.

2 What Topics Should Security Awareness Include?

How do you decide what topics to include in your security awareness training? There is no one-size-fits-all answer; however, to increase engagement you will first need to grab their attention.

Start With Showing Them Personal Benefit

For example, teach them how to secure their social accounts, photos, and bank accounts, and how to ensure their kids stay safe online. Then show how the same principles are applied at work. The key is to blend personal benefit with work-related training. This can be done by splitting training into 3 categories:

Protect Yourself
Protect Your Devices
Protect Your Data

When taking this approach, it will be easier to refresh content every year. Instead of replacing one phishing video with another, you can include new threats that involve phishing, such as wire fraud-related scams.

How to Protect Yourself?

Personal: Identity Theft; Social Media Safety; Common Scams (Job Scam, Fake Check Scam, Shopping Scam); Public WiFi
Business: Phishing, Smishing, Vishing; Wire Fraud; Work-Related Scams Like the HR Scam; Work From Home; Insider Threat
How to Protect Devices?

Personal: Mobile Safety; Internet of Things Safety
Business: USB Safety; Laptop Safety; Physical Security

How to Protect Your Data?

Personal: Strong Passwords; Multi-Factor Authentication; Protecting Your Privacy
Business: Preventing Data Leaks; Avoiding Ransomware

Next, you will need to address the different regulations you need to comply with, such as PCI DSS, GDPR, HIPAA, etc.

Now you can start plugging in short training videos for each topic. You can find all these videos and more on the Wizer Platform.
3 How to Engage Your Employees

Security Awareness is about changing people's behavior, therefore the focus should be on them.

Quit That Bullshit

Use conversational language to explain things and skip the technology jargon. Instead, use relatable terms. For example, most people have never experienced a "Data Breach" in their personal lives, but they probably know someone who was “scammed” or “hacked”. We created a quick dictionary, the Wizernary (Geek to English), to explain simple technology terms.

“Do not baffle with bullshit or blind with science… This is NOT a slightly off-kilter tribute to W.C. Fields, but a reminder that, as an industry, we HAVE spent TOO many years trying to baffle people, outsmart them, or simply tell them they don’t understand.”
Chris Roberts, Wizer's Hacker

Get to the Point, Because Our Attention Span Is Short!

Let’s face it, security awareness training isn’t everyone’s favorite video genre. Many feel they barely have time to do the work they’re paid for, let alone sit through the same 45-minute video from last year. If you want people to remember anything, keep it short and to the point. Yes, this can be done! All of Wizer’s videos are 1 minute long, and many are free.

Make It Relevant

Keep content fresh and relevant. Nobody wants to watch the same exact video over and over again, and it is important to make it personal. For example, for Valentine’s Day, we created a video called “Nobody Loves You on the Internet”. You can also check out our Security Awareness Annual Plan PDF.
Create Easy to Consume Content
Create content that is frictionless to consume! Follow patterns people use
to consume content to increase engagement. For example, almost
everyone today uses their mobile devices to watch videos, so go mobile!
Make sure employees can do the same with your content. Secondly, set up
a one-stop shop for everything security-related, and make sure they know
how to access it. Lastly, use single sign-on (SSO) or something similar,
because you don’t want your employees prevented from accessing this
knowledge base just because they forgot their password.
Make It Personal
Most scams that target individuals like the “Job Scam”, and “Fake Check
Scam” and many social media scams follow the same attack patterns that
target companies. The main difference is in the context. For example,
instead of impersonating your boss, the scammer will impersonate a buyer
who wants to buy your iPhone or a recruiter with a once-in-a-lifetime job
offer. Once people learn how to protect themselves and their families, they
will soon apply the same behavior in the workplace.

4 How to Get Executive Support for Security Awareness

Help Make Money

Security is like car brakes. They were invented as a solution for going fast: it's the ability to stop quickly that allows us to travel fast. Without brakes, we would all be driving very slowly. Security is about creating a safe environment for the company to grow fast without crashing, so we need to align security with the business goals. For example, if the business wants to improve collaboration with partners, the security team should offer to set up secure collaboration tooling and security training for them. Instead of a general statement that “security is important”, focus on security aligned with business objectives.

Save Money

Many compliance regulations require employees to complete annual security awareness training. This is an easy one since it is a “must-do” activity. However, instead of just ticking a checkbox, conduct security awareness the right way so it acts as a force multiplier for the security team. Training employees will result in less fraud, fewer compliance fines, fewer data breaches, less money lost, etc.

Protect Brand Reputation

Brand reputation is more important than ever. Many companies have dedicated people monitoring social media for any mention of the company so they can respond immediately. If employees are not trained on how to be respectful on social media or how to represent the brand, it could be very costly to the brand's reputation. Also, privacy is a big issue today. If customer data is leaked, the damage to the brand can be significantly higher than the compliance fines.
5 Quick Guide for Setting Up an Ambassador Program

What Is the Ambassador Program?

Employees will probably complete security awareness training if they are forced to; however, it is much better to get their buy-in by engaging them on an ongoing basis. A good way to do this is to establish a group of influencers who act as ambassadors of the security team to help create a positive security culture.

What's Included in the Ambassador Program?

How to Identify Your Brand & Choose Ambassadors
Train, Set Expectations, & Create a Hub for Communication
Give Them a Voice and Provide Feedback
How to Make Everything Simple and Fun!

(Visit the Ambassador Program Page for the full guide.)
6 Measure the Effectiveness of the Security Awareness Program

The key to measuring the effectiveness of a security awareness program is to test specific segments rather than the entire program. One way is A/B testing. Let’s say we want to test the hypothesis that an “external email” warning banner helps employees detect phishing emails. Send the same simulated phishing email to employees split at random into two groups, half with the warning and half without, and compare the click rates. Split the groups randomly (not, say, one department with the banner and another without) so the two groups differ only in the thing you are testing, and use groups large enough that a difference of a few clicks is not just noise.

In this case, the result is that an “external email” warning does help to reduce phishing clicks. However, what about the hypothesis that extra training for those who failed the phishing test will help them avoid failing future tests? That is another hypothesis you can test the same way.

We should always be testing to validate that our initiatives are effective.
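As an added example (not part of the original guide and not Wizer's code), here is how the A/B comparison above can be analyzed in Python. The campaign records are constructed sample data with made-up numbers, and the group names "banner" and "control" are assumptions for illustration. The block computes the click rate and report rate per group and runs a two-proportion z-test, so "does the banner help?" is answered with a p-value rather than by eyeballing two percentages.

```python
"""A/B analysis of a simulated phishing campaign.

Added example, not code from the Wizer guide. The records are constructed
sample data: an "external email" banner was shown to the "banner" group and
withheld from the "control" group; everyone received the same simulated phish.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Outcome(NamedTuple):
    user: str
    group: str       # "banner" (warning shown) or "control" (no warning)
    clicked: bool    # followed the simulated phishing link
    reported: bool   # used the report-phishing button


def constructed_campaign() -> List[Outcome]:
    """Constructed results: 200 users per arm; 18 vs 34 clicks, 60 vs 40 reports."""
    def arm(name: str, n: int, clicks: int, reports: int) -> List[Outcome]:
        # Clickers are the first `clicks` users; reporters are the last `reports`.
        return [Outcome(f"{name}-{i}", name, i < clicks, i >= n - reports)
                for i in range(n)]
    return arm("banner", 200, 18, 60) + arm("control", 200, 34, 40)


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> Tuple[float, float]:
    """Two-sided, pooled two-proportion z-test.

    H0: both groups share the same underlying click rate. Returns (z, p_value);
    z < 0 means group 1 clicked less, p is the two-sided tail of N(0, 1).
    """
    if min(n1, n2) == 0:
        raise ValueError("each group needs at least one recipient")
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:                      # nobody (or everybody) clicked in both arms
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return z, p_value


def summarize(outcomes: Iterable[Outcome], alpha: float = 0.05) -> Dict:
    """Per-arm click/report rates plus the banner-vs-control significance test."""
    arms: Dict[str, Counter] = {}
    for o in outcomes:
        c = arms.setdefault(o.group, Counter())
        c["n"] += 1
        c["clicked"] += int(o.clicked)
        c["reported"] += int(o.reported)
    result: Dict = {
        name: {"n": c["n"],
               "click_rate": c["clicked"] / c["n"],
               "report_rate": c["reported"] / c["n"]}
        for name, c in arms.items()
    }
    b, ctl = arms["banner"], arms["control"]
    z, p = two_proportion_z(b["clicked"], b["n"], ctl["clicked"], ctl["n"])
    result["z"] = z
    result["p_value"] = p
    # Only claim the banner "helps" if it clicked less AND the gap beats chance.
    result["banner_helps"] = z < 0 and p < alpha
    return result


if __name__ == "__main__":
    s = summarize(constructed_campaign())
    for arm in ("banner", "control"):
        print(f"{arm:8s} n={s[arm]['n']} click={s[arm]['click_rate']:.1%} "
              f"report={s[arm]['report_rate']:.1%}")
    print(f"z={s['z']:.2f} p={s['p_value']:.3f} banner_helps={s['banner_helps']}")
    # The same 1:2 click ratio on a 20-per-arm pilot is NOT conclusive:
    print("pilot p=%.2f" % two_proportion_z(2, 20, 4, 20)[1])
```

With the constructed numbers (9% vs 17% clicks on 200 users per arm) the test gives p of roughly 0.02, so the banner's effect is unlikely to be chance. The 20-per-arm pilot at the end shows the caveat: the same two-to-one difference in click rates gives p of about 0.38, so a small pilot cannot tell you whether the banner works. The report rate is worth computing alongside the click rate, since the number of people who report phishing is one of the indicators the rest of this section tracks.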


Now, let’s review the indicators that show employee awareness is improving.

Are People Participating in Non-Mandatory Training?

When people proactively consume your content, it is a strong indication that they are interested and engaged. Offer optional training like "Online Family Safety” or lunch-and-learn sessions, and track how many people signed up or took the training.

How Deep Do They Go?

If you have analytics tools, you can measure how deep people dig into your content, similar to how it’s done with your website. For example, how many pages did they view, how much time was spent consuming your content, etc. The more content they consume, the more engaged they are, but this also requires high-quality content.

How Many Requests for New Technologies?

Prior to training, people may have used unauthorized apps to bypass security controls. This is commonly referred to as "Shadow IT". If people are now asking for permission to use new technologies, it is a sign they understand the risk and wish to mitigate it. This also shows healthy collaboration with the security team, where people are not afraid to ask for assistance.
How Many People Reported Phishing, Lost Devices, or Other Incidents?

When security awareness is going up, you'd expect to see an increase in the number of accurate reports coming into InfoSec. This is the one metric you want to see rise: more reports usually means people are noticing and speaking up, not that more is going wrong.

Is There a Decrease in the Number of Clicks From Phishing Tests?

Phish testing puts the effectiveness of security awareness training to the test by reinforcing what has been presented. Results of the testing are evidence of effectiveness, or not. Monthly reporting lets you focus on the greatest areas of risk and provide a course of action for improvement, whether it's customized training or modifications to security policies.

Is There a Decline in the Number of Confirmed Incidents?

When your security awareness training is effective, you will see an overall decline in the number of confirmed incidents year over year.

Is the Security Team Involved in More Projects?

Measure how often people are proactively coming to the security team for help to ensure new projects are 'secure by design’.

Is the Number of Policy Violations Going Down?

Adhering to security policies shows maturity in the security culture. It is usually a result of understanding why we implemented these controls and of an open door to the security team. Instead of bypassing these controls, people feel comfortable reaching out to the security team.

Do Employees Ask Questions?

A great way to measure engagement is to track how often employees ask questions. This could be through a ticketing system, Google Forms, or in person.

Observe People's Behavior

Similar to observing our kids' behavior when showing respect to others, we can do the same simply by walking around the office. For example, how often is sensitive information lying around? Do people still use sticky notes with their passwords? Do people check the badges of others they don’t know? Has tailgating increased? Are assets left unsecured? Are doors closing completely?

Wizer is a Security Awareness platform that focuses on security culture. Want to learn more about us? Check us out at www.wizer-training.com.