Security Awareness Training

How to successfully train employees, managers and IT professionals on security awareness.

90% of errors sit in front of the screen

Most security vulnerabilities are caused by people. Not at all with malicious intent, but mostly due to a lack of knowledge. That is why security awareness training is a fundamental component of a successful cyber security strategy.

But not all security awareness training is the same.There are very different target groups with different needs, messages and training measures. In total, a complete cyber security qualification matrix is formed.

Here we present the most important security awareness trainings in this qualification matrix.

See our overview article: Cyber security: What's important for your IT security
Security Awareness Training Overview

Target groups for security awareness training

Typical content
  • Detect and fend off phishing & ransomware
  • Detect and fend off social engineering
  • Understanding viruses & Trojans
  • Secure handling of passwords
  • Secure handling of mobile devices
  • Approved and forbidden cloud services
  • Dealing with sensitive information (information classification)
  • Dealing with visitors
  • Secure workplace (clean desk, clear screen, etc.)
  • Working securely in the home office
  • Incident reporting procedures
Effects on everyday work

For users, the immediate impact on everyday work is not dramatic. Locking the computer, reporting suspicious emails via the reporting button or throwing documents into a data container instead of the trash... all these are only a few seconds of additional effort.

That's why security awareness training for users can often be tool-supported via e-learning or phishing simulations.

Security awareness trainings for users are usually designed over several years and therefore integrated into a security awareness campaign.

Security awareness training for users and managers

Typical content

Managers are also users. Therefore, they basically receive all content for users. 

However, executives are also information owners, decision makers and role models. Therefore, they need additional messages in a security awareness training:

  • How does cyber security work in the company? Including an overview of the ISMS rules and regulations.
  • What is the role and responsibility of an information owner (risk assessment, information classification, control obligations)?
  • What influence does the role model function have on the behavior of users and thus on the security of the company? 

Security awareness training for users and managers

Effects on everyday work

The pure user topics are, as with all users, just moderately annoying, even for executives. These are usually trained accordingly on a tool basis.

However, it is much more difficult to convey to a manager his or her responsibility as an information owner. A risk analysis of the own area, regular controls of permissions... such topics cannot be done in passing. And since managers usually cannot complain about a lack of workload, such additional tasks are emotionally quite unpopular.

A simple "You're in charge" understandably often leads to a "Yes, yes, keep talking" reaction. Security is associated in a correspondingly negative way, which leads in turn to a very negative impact on the role model function.  

Leaders need to experience personal involvement and insight in order to understand their role and responsibility. Therefore, we are convinced that security awareness trainings for executives only work face-to-face (in presence or virtually).

Typical content
  • The fundamental importance of hardening and patching for effective protection.
  • Understanding the "Defense in Depth" approach, with security zones and role-based access.
  • Secure handling of privileged accounts.
  • Sense and benefit of Vulnerability Management.
  • The importance of central logging for the detection of attacks.
  • The importance of error messages for the detection of attacks.
  • Which system anomalies indicate an attack.
  • How to behave in incident response.

Security Awareness Training for Administrators

Effects on everyday work

"What? One or even several accounts for each system, depending on the use case? And each account has its own password? And patching within days? Are you guys nuts? Do you even know how I work?"

IT administrators have a massive impact on a company's cyber security with their behaviour. Due to their privileged accounts even more than users. However, they are usually not even aware of the correlation between successful cyber attacks and their own behaviour. In addition, this target group is increasingly exposed to "dangerous security half-knowledge" from IT forums and communities, which cements this behaviour and makes it much more difficult to initiate change.

Changing this behaviour, however, has a very large impact on everyday work. It becomes more complicated. Security awareness training for IT administrators must therefore first create understanding and insight for this change in behaviour, otherwise the appeals will not be heard. Cyber Security LAB E-Learnings create exactly this basis.

Typical content
  • The objectives and principles of cyber security
  • The phases of the Secure Development Lifecycle
  • The benefits of threat modeling in the design phase
  • Common mistakes in implementation

    • Input validation
    • Authorization
    • Authentication
    • Handling secrets in development
    • Logging
  • The benefit of code reviews and penetration tests in the validation phase
  • The importance of secure configuration and clarification of responsibilities
  • Measures for the secure de-commissioning of software
Effects on everyday work

Secure Development and Secure Coding means a significant change for software developers. Developers prefer to write code and security hinders them in doing so. Starting with design topics such as risk assessment and threat modeling is not exactly "sexy" in their eyes and slows down the development process. The same applies to code analysis and fixing pentest findings.

On the other hand, developers can create serious vulnerabilities through bugs in their software that can be exploited for global attacks (Solarwinds, Kaseya, Log4shell, the list is long).

Secure Development changes the daily work for developers as massively as Secure Administration does for administrators. There are things coming up that you haven't exactly been waiting for. Security awareness training for software developers must therefore first create understanding and insight for a change in behaviour, otherwise the appeals will go unheard and the vulnerabilities will remain. Cyber Security LAB E-Learnings create exactly this basis.

Security Awareness Trainings for developer

Security Awareness Training for Users and Managers

Icon for security awareness
Intranet Security Portal
A good intranet is a daily security awareness training. No user will ever go to an e-learning for a quick look-up. You need a cyber security wiki for everyday use. It contains everything users need to know about security. Without technical terms, but with security videos, instructions, guidelines and contact persons.
Icon for phishing-simulations
Phishing tests
Phishing tests should always include a learning component, which is why they are also part of security awareness training. However, phishing tests alone do not create security awareness, even if some tool providers like to sell it that way. For us, they are an important component in a variety of training measures.
More about phishing tests
Icon for online course (E-Learning)
E-Learning
Virtually "El Classico" among security awareness trainings, because with an e-learning you can train users worldwide and track their success. No other training measure has this cost/benefit ratio. E-learning is available in many variants, from "learning nuggets" to courses lasting several hours.
Cyber Security E-Learning
Icon for impulse lectures
Live hacking events
There is no better security awareness training than live hacking. Examples and background stories create personal involvement and remain. Since presence is sometimes considerably more expensive than webinars, you should "stuff the house" (company meetings, security days, etc.) or address an exclusive audience (board meetings, leadership meetings, etc.).
More about live hacking events
Icon for classroom trainings and webinars
Webinars
They have come with Corona to stay. Webinars have the same power as face-to-face trainings, but are much more cost effective and by now are fully accepted. From a 20 min CxO briefing to a 45 min thematic webinar (phishing, ransomware, social engineering, etc.) to a virtual keynote of your Security Day. A "must have" of security awareness trainings.
More about webinars
Icon for data protection
Special trainings
Selected target groups are particularly exposed and require a special security awareness training, for example, personal assistants and accounting for the topic of CEO fraud or HR for the topic of file attachments from unknown senders. Since live hacking examples and background stories make the difference here as well, webinars are usually better than just an e-learning.

Security Awareness Training for IT-Administrators

Icon for online course (E-Learning)
User e-learning
IT administrators are also users and have to follow the policies. Admins can also be excellently phished, you just need another worm as bait. So there are many good reasons why admins should also complete the security awareness training for all employees.
Cyber Security E-Learning
Icon for a cyber security lab
Cyber LAB for IT-Admins
You first have to "open up" admins to accept your security messages, i.e. generate understanding and readiness. In the Cyber LAB, they take on the perspective of a hacker and dissect an entire corporate network. Afterwards, they understand the danger and ask for a remediation.
Cyber LABs for administrators
Icon for security awareness
How-To Trainings
When admins are ready to become more security-conscious in their behavior, you can provide very specific content, such as "how we harden servers" or "what does our Privileged Identity Management look like and how are the tools used". This are usually trainings offered by your internal teams.

Security Awareness Training for developers

Icon for online course (E-Learning)
User e-learning
Developers are also users in the company. They write e-mails, create documents, have access to systems and must therefore comply with the policies. That's why it's practically standard for developers to complete the basic security awareness training for all employees.
Cyber Security E-Learning
Icon for a cyber security lab
Cyber LAB for developers
You first have to "open up" developers to accept your security messages, i.e. generate understanding and readiness. In the Cyber LAB, they take on the perspective of an attacker and hack an application by every trick in the book. Afterwards, they will desire to take a secure coding course.
More about LABs for developer
Icon for security awareness
Secure Coding Training
After the commitment to Secure Development has been raised, you can teach the concrete contents: Threat Modeling using the STRIDE Model or Secure Coding with PHP, with .NET, with Java, etc. Such courses can be offered by your internal specialists or online with dedicated LABs.

More know-how articles on security awareness