---
name: security-awareness-training
description: Run security awareness programs including phishing simulations, security training campaigns, security culture initiatives, and compliance training. Use when designing phishing simulations, running security awareness campaigns, tracking training completion, measuring security culture, or managing compliance training requirements. Triggers on phrases like "security training", "phishing simulation", "security awareness", "phishing campaign", "security culture", "compliance training", "security champions", "employee training".
---

# Security Awareness & Training

Build and maintain a strong security culture through continuous training, phishing simulations, and awareness campaigns.

## Workflow

### 1. Security Training Program Design

1. **Training needs assessment**:
   - Identify required training by role (all employees, developers, admins, executives)
   - Map training to compliance requirements (SOC 2, ISO 27001, HIPAA annual training)
   - Assess current security knowledge baseline through survey
   - Identify high-risk departments (finance, HR, executive assistants)

2. **Curriculum development**:
   - Core modules: phishing identification, password security, social engineering, data protection, physical security
   - Role-specific modules: secure coding (devs), privileged access (admins), executive protection (C-suite)
   - Format: interactive modules, video lessons, quizzes, hands-on labs
   - Duration: 2-4 hours initial, 1-2 hours annual refresh

3. **Training delivery strategy**:
   - Initial onboarding: complete within first week
   - Annual refresh: complete within 30 days of anniversary
   - Just-in-time training: triggered by security events or violations
   - Micro-learning: 5-minute modules delivered monthly
   - Multi-language support for global organizations

### 2. Phishing Simulation Program

1. **Campaign design**:
   - Develop realistic phishing templates matching current threat landscape
   - Campaign types: credential harvesting, malicious attachment, CEO fraud, tech support scam
   - Customize by department and role risk profile
   - Increase difficulty progressively (from obvious to sophisticated)

2. **Campaign execution**:
   - Send simulated phishing emails to target groups
   - Track metrics: open rate, click rate, credential submission rate, report rate
   - Redirect clicks to educational landing page (not error page)
   - Immediate micro-training for users who fall for simulation
   - Schedule campaigns quarterly (minimum)

3. **Results analysis and follow-up**:
   - Aggregate results by department, role, tenure
   - Identify repeat offenders requiring additional training
   - Track improvement trends over time
   - Benchmark against industry averages
   - Report results to leadership quarterly

4. **Escalation management**:
   - First fail: automated training module
   - Second fail: mandatory extended training
   - Third fail: manager notification + personalized coaching
   - Fourth fail: HR involvement per security policy
   - Track escalation outcomes and completion
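
The campaign execution, results analysis and escalation steps above all reduce to arithmetic over a per-user event log. The script below is an added example (not part of this skill or of any simulation platform): it takes constructed sample events in an assumed `(campaign_id, user, department, action)` format, computes open/click/credential/report rates per department against the send list, flags departments above the acceptable click rate, shows the trend between two campaigns, and maps each user's cumulative failures to the escalation ladder. All function names and sample data are assumptions for illustration.

```python
"""Aggregate simulated-phishing events into the campaign metrics, department
breakdown, trend and escalation tiers described in the workflow above.

Added example, not part of the original skill: the event tuple format, the
roster, the sample data and all function names are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample events: (campaign_id, user, department, action).
# Actions follow the tracked metrics: opened, clicked, submitted, reported.
SAMPLE_EVENTS = [
    ("2025-Q1", "alice", "Finance", "opened"),
    ("2025-Q1", "alice", "Finance", "clicked"),
    ("2025-Q1", "bob", "Finance", "opened"),
    ("2025-Q1", "bob", "Finance", "reported"),
    ("2025-Q1", "carol", "HR", "opened"),
    ("2025-Q1", "carol", "HR", "clicked"),
    ("2025-Q1", "carol", "HR", "submitted"),
    ("2025-Q1", "dave", "HR", "opened"),
    ("2025-Q2", "alice", "Finance", "opened"),
    ("2025-Q2", "alice", "Finance", "clicked"),
    ("2025-Q2", "bob", "Finance", "reported"),
    ("2025-Q2", "carol", "HR", "opened"),
    ("2025-Q2", "carol", "HR", "clicked"),
    ("2025-Q2", "ivan", "HR", "opened"),
    ("2025-Q2", "ivan", "HR", "clicked"),
    ("2025-Q2", "dave", "HR", "reported"),
]

# Constructed send list (user -> department). Users with no events ignored the
# email, which is the expected behaviour and still counts in the denominator.
SAMPLE_ROSTER = {
    "alice": "Finance", "bob": "Finance", "frank": "Finance", "grace": "Finance", "heidi": "Finance",
    "carol": "HR", "dave": "HR", "erin": "HR", "ivan": "HR", "judy": "HR",
}

FAIL_ACTIONS = {"clicked", "submitted"}


def campaign_metrics(events, roster, campaign_id):
    """Per-department rates for one campaign.

    Each user is counted at most once per action, so duplicate events (a user
    who clicked twice) do not inflate the rate. Rates are fractions of the
    emails sent to that department."""
    sent = defaultdict(int)
    for dept in roster.values():
        sent[dept] += 1
    users_by_action = defaultdict(set)          # (dept, action) -> {users}
    for cid, user, dept, action in events:
        if cid == campaign_id:
            users_by_action[(dept, action)].add(user)
    metrics = {}
    for dept, n in sent.items():
        metrics[dept] = {"sent": n}
        for action in ("opened", "clicked", "submitted", "reported"):
            metrics[dept][action + "_rate"] = len(users_by_action[(dept, action)]) / n
    return metrics


def departments_over_target(metrics, click_target=0.20):
    """Departments whose click rate exceeds the acceptable rate (candidates for targeted training)."""
    return sorted(d for d, m in metrics.items() if m["clicked_rate"] > click_target)


def click_rate_trend(events, roster, previous_id, current_id):
    """Change in click rate per department between two campaigns (negative = improvement)."""
    prev = campaign_metrics(events, roster, previous_id)
    cur = campaign_metrics(events, roster, current_id)
    return {d: round(cur[d]["clicked_rate"] - prev[d]["clicked_rate"], 4) for d in cur}


def failures_per_user(events):
    """Number of distinct campaigns in which each user clicked or submitted credentials."""
    failed_campaigns = defaultdict(set)
    for cid, user, _dept, action in events:
        if action in FAIL_ACTIONS:
            failed_campaigns[user].add(cid)
    return {user: len(cids) for user, cids in failed_campaigns.items()}


def escalation_tier(fail_count):
    """Map cumulative failures to the escalation ladder in the workflow."""
    if fail_count <= 0:
        return None
    tiers = {1: "automated training module",
             2: "mandatory extended training",
             3: "manager notification + personalized coaching"}
    return tiers.get(fail_count, "HR involvement per security policy")


def escalation_list(events):
    """user -> escalation action, for every user with at least one failure."""
    return {u: escalation_tier(n) for u, n in failures_per_user(events).items()}


if __name__ == "__main__":
    current = campaign_metrics(SAMPLE_EVENTS, SAMPLE_ROSTER, "2025-Q2")
    for dept, m in current.items():
        print(dept, m)
    print("over target:", departments_over_target(current))
    print("trend:", click_rate_trend(SAMPLE_EVENTS, SAMPLE_ROSTER, "2025-Q1", "2025-Q2"))
    print("escalations:", escalation_list(SAMPLE_EVENTS))
```

Counting failures per distinct campaign (rather than per event) keeps a user who clicked the same simulated email twice on the first rung of the ladder; a real platform export would replace `SAMPLE_EVENTS`, and the roster should come from the HRIS so that people who never opened the email still appear in the denominator.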

### 3. Security Culture Building

1. **Security champions program**:
   - Recruit volunteer security champions from each department
   - Provide advanced training to champions
   - Champions serve as department security liaisons
   - Monthly champion meetings and updates
   - Recognize and reward champion contributions

2. **Continuous awareness campaigns**:
   - Monthly security newsletter with tips, recent incidents, stats
   - Desktop wallpaper rotation with security reminders
   - Physical posters in offices (password hygiene, clean desk, visitor policy)
   - Security tip of the day via Slack/Teams bot
   - Quarterly security awareness month with themed activities

3. **Engagement and gamification**:
   - Security quiz competitions with prizes
   - "Spot the phishing email" challenges
   - Bug bounty-style reporting rewards for real phishing reports
   - Leaderboards for security-positive behaviors
   - Certificates and badges for training completion

### 4. Compliance Training Management

1. **Mandatory training tracking**:
   - Annual security awareness training (complete within 30 days)
   - Role-specific compliance training (HIPAA, GDPR, PCI)
   - Code of conduct and acceptable use policy acknowledgment
   - Harassment and ethics training (HR co-owned)
   - Vendor/third-party training requirements

2. **Completion monitoring**:
   - Real-time completion dashboard by department and individual
   - Automated reminders at 7, 3, and 1 days before deadline
   - Manager escalation for non-compliant team members
   - Integration with HR system for new hire training assignment
   - Certificate generation upon completion
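
The completion-monitoring rules above (30-day new-hire window, reminders at 7, 3 and 1 days, manager escalation for overdue learners, a completion figure for the dashboard) are shown below in working form. This is an added example, not code from this skill or from any LMS or HRIS: the `Assignment` record, the sample assignments and every function name are assumptions for illustration, and a real deployment would populate the records from the HRIS feed.

```python
"""Completion monitoring for mandatory training: new-hire assignment with a
30-day deadline, reminders at 7, 3 and 1 days before the deadline, overdue
escalation to managers, and a completion rate for the dashboard.

Added example, not part of the original skill: the Assignment record, the
sample data and all function names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMINDER_DAYS = (7, 3, 1)          # days before the deadline on which a reminder goes out
NEW_HIRE_WINDOW_DAYS = 30          # new hires must complete within 30 days of hire


@dataclass
class Assignment:
    user: str
    manager: str
    course: str
    due: date
    completed_on: Optional[date] = None   # None while the course is incomplete

    def is_complete(self):
        return self.completed_on is not None


def assign_new_hire(user, manager, hire_date, course="annual-security-awareness"):
    """Create the onboarding assignment an HRIS new-hire feed would trigger."""
    return Assignment(user, manager, course, hire_date + timedelta(days=NEW_HIRE_WINDOW_DAYS))


def reminders_due(assignments, today):
    """(user, days_left) for incomplete assignments exactly 7, 3 or 1 day(s) from their deadline."""
    out = []
    for a in assignments:
        days_left = (a.due - today).days
        if not a.is_complete() and days_left in REMINDER_DAYS:
            out.append((a.user, days_left))
    return out


def overdue_by_manager(assignments, today):
    """manager -> sorted users whose deadline has passed without completion (manager escalation)."""
    escalations = {}
    for a in assignments:
        if not a.is_complete() and a.due < today:
            escalations.setdefault(a.manager, []).append(a.user)
    return {m: sorted(users) for m, users in escalations.items()}


def completion_rate(assignments):
    """Fraction of assignments completed; late completions still count as complete."""
    if not assignments:
        return 0.0
    return sum(a.is_complete() for a in assignments) / len(assignments)


# Constructed sample data for a run on 15 April 2025.
TODAY = date(2025, 4, 15)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "mgr-fin", "annual-security-awareness", date(2025, 4, 22)),                   # 7 days left
    Assignment("bob", "mgr-fin", "annual-security-awareness", date(2025, 4, 18)),                     # 3 days left
    Assignment("carol", "mgr-hr", "annual-security-awareness", date(2025, 4, 16), date(2025, 4, 10)), # done early
    Assignment("dave", "mgr-ops", "annual-security-awareness", date(2025, 4, 10)),                    # overdue
    Assignment("erin", "mgr-ops", "annual-security-awareness", date(2025, 4, 1)),                     # overdue
    Assignment("frank", "mgr-eng", "annual-security-awareness", date(2025, 5, 1), date(2025, 4, 12)), # done
]


if __name__ == "__main__":
    print("reminders:", reminders_due(SAMPLE_ASSIGNMENTS, TODAY))
    print("escalate:", overdue_by_manager(SAMPLE_ASSIGNMENTS, TODAY))
    print("completion: {:.0%}".format(completion_rate(SAMPLE_ASSIGNMENTS)))
    print("new hire due:", assign_new_hire("grace", "mgr-eng", date(2025, 4, 1)).due)
```

Run once a day from a scheduler; because `reminders_due` matches the exact day count, a learner receives each reminder only once, and the overdue list is what the manager-escalation step consumes. Keeping the deadline on the assignment record (rather than recomputing it from the hire date) also gives auditors the documented evidence the regulatory-heavy case below calls for.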

3. **Training effectiveness measurement**:
   - Pre/post training knowledge assessment
   - Behavior change metrics (phishing click rate, password compliance)
   - Security incident rate correlation with training completion
   - Training satisfaction surveys
   - ROI analysis: training cost vs incident reduction

### 5. Incident-Based Learning

1. **Real incident case studies**:
   - Develop case studies from actual organizational incidents (anonymized)
   - Share lessons learned within 2 weeks of incident resolution
   - Update training content based on emerging threats
   - Conduct "tabletop" exercises for security team and leadership

2. **Threat intelligence integration**:
   - Share relevant threat intelligence with employees monthly
   - Alert on active campaigns targeting organization/industry
   - Update phishing simulation templates to match current threats
   - Provide specific guidance on active threats

## Templates & Frameworks

### Phishing Simulation Campaign Template

```
PHISHING CAMPAIGN — Q2 2025
=============================

Campaign Name: "HR Benefits Update"
Target Audience: All employees
Difficulty Level: Medium
Send Date: May 15, 2025

Email Template:
  From: hr-notifications@company-benefits-portal.com (spoofed)
  Subject: Action Required: Update Your Benefits Information by Friday
  Body: "Dear Employee, Please click here to review and update your
         benefits information. This link expires in 48 hours.
         — HR Benefits Team"

Expected Metrics:
  Target open rate: 60-80%
  Acceptable click rate: <25%
  Target report rate: >15%

Educational Landing Page:
  "This was a simulated phishing email. In a real attack, clicking this
   link would have sent your credentials to an attacker. Always verify
   the sender's email address and look for urgent language and
   shortened URLs."

Follow-Up:
  Clicked → Mandatory 5-minute training module
  Reported → Recognition message + points toward rewards program
  Ignored → No action (expected behavior)
```

### Security Training Curriculum

```
ANNUAL SECURITY TRAINING CURRICULUM
====================================

MODULE 1: Foundation (All Employees) — 45 min
  □ Phishing and social engineering identification
  □ Password and MFA best practices
  □ Data classification and handling
  □ Physical security and clean desk policy
  □ Reporting security incidents

MODULE 2: Advanced Threats (All Employees) — 30 min
  □ Business email compromise (BEC) awareness
  □ Mobile device security
  □ Remote work security
  □ Cloud storage safety
  □ Third-party and vendor risks

MODULE 3: Developer Security (Engineering) — 60 min
  □ Secure coding practices
  □ OWASP Top 10 awareness
  □ Secrets management
  □ Dependency vulnerability awareness
  □ Code review security checklist

MODULE 4: Admin Security (IT/Ops) — 45 min
  □ Privileged access management
  □ Patch management urgency
  □ Logging and monitoring importance
  □ Change management compliance
  □ Incident response procedures

MODULE 5: Executive Security (Leadership) — 30 min
  □ Executive-targeted threats (whaling, CEO fraud)
  □ Personal device and social media risks
  □ Board meeting security
  □ Travel security
  □ Decision-making during security incidents
```

## Integration Points

- Learning Management Systems (Saba, Cornerstone, Docebo): Training delivery and tracking
- Phishing simulation platforms (KnowBe4, Cofense, Proofpoint Security Awareness): Campaign management
- HRIS (Workday, BambooHR): Employee roster, role data, training assignment
- SIEM: Security event correlation with training completion data
- Identity platforms (Okta, Azure AD): MFA enrollment tracking
- Communication platforms (Slack, Teams): Micro-learning delivery, security tips
- Survey tools: Training effectiveness measurement

## Edge Cases

- **Global/remote workforce**: Multi-language training content; timezone-friendly campaign scheduling; virtual-only engagement activities
- **High-turnover organizations**: Automated training assignment on hire; self-paced modules; just-in-time training before system access
- **Resistant culture**: Leadership sponsorship; positive reinforcement over punitive approach; make training engaging and relevant
- **Regulatory-heavy industries**: Additional compliance modules; stricter completion deadlines; documented evidence for auditors
- **Post-incident surge**: Rapid deployment of targeted training; leadership communication; temporary increased simulation frequency

## Output

### Security Awareness Dashboard

```
SECURITY AWARENESS — April 2025
================================

TRAINING COMPLIANCE:
  Annual training complete: 91% (1,137/1,247 employees)
  Overdue: 42 employees (escalated to managers)
  New hire training (30-day): 96% compliance

PHISHING SIMULATION RESULTS (Q2 Campaign 1):
  Emails sent: 1,247
  Open rate: 72% (industry avg: 70%)
  Click rate: 18% (↓ from 24% last campaign ✓)
  Credential submitted: 4% (↓ from 8% ✓)
  Reported: 22% (↑ from 15% ✓)

DEPARTMENT BREAKDOWN:
  Engineering: 12% click rate ✓
  Sales: 21% click rate ⚠ (target: <20%)
  Finance: 15% click rate ✓
  HR: 28% click rate 🔴 (requires targeted training)

SECURITY CULTURE METRICS:
  Real phishing reports this month: 47 (↑ from 32 ✓)
  Security champions active: 23/24 departments
  Training satisfaction: 4.3/5.0
  Security incident rate: ↓ 22% YoY
```

## Trigger Phrases

"security training", "phishing simulation", "security awareness", "phishing campaign", "security culture", "compliance training", "security champions", "employee training", "security quiz", "awareness campaign", "training compliance", "social engineering training", "security education", "security newsletter", "security champions program"
