10 factors for implementing successful and effective security awareness training

November 14, 2019 by Kurt Ellzey

"… And that is why for the next five to six hours we will be providing a comprehensive plan of how to show that you are at risk for phishing. If you'll all turn to page eight hundred and twenty-four of your guidebooks, we will begin silent reading …" 

Sound familiar?

Employee engagement is an absolutely critical element when setting up security training at an organization, but it's also one of the easiest to lose. People need to understand why the training they're receiving is important, why they need to bother doing it and why they should care about any of this. If you don't have your users on board, everything else is pointless. On the flip side, it may be nearly impossible to even get that far without having assistance from higher-ups, so you need to have management firmly on your side as well. 

With that in mind, we're going to briefly cover 10 critical factors to keep in mind when implementing your own security training. We’ll divide them up into two categories: for the employee and for the managers.

Critical factors for the employee

1. How does this affect me?

Trying to break through the primary protections of any organization usually isn't the easiest way to compromise a physical location or network, but if a user lets an attacker in, all bets are off. It's vital for users to understand that THEY are the soft target, and they need to understand their responsibilities on a day-to-day basis. Whether this means "Don't pick up a random USB drive in the parking lot" or "Don't let somebody in behind you through a secure doorway" or "Don't let the random pizza guy roam around the building by themselves," it's necessary for everyone in the company to know they play a critical role in security.

2. Why should I care? 

Depending on your organization and the person asking the question, this can be a loaded question. Every user needs to care, yet if you're dealing with users who are not tech-savvy and potentially in positions where they can be actively targeted, they may require additional customized explanations.

3. What's in it for me? 

This question is one of the harder ones on the list, because you're asking users to change from methods that they may have been using for a considerable amount of time to ones that, from their perspective, may do nothing useful but make their tasks longer and harder. 

If you do have the backing of management, you may have a bit of a stick to use in lieu of any carrots, but be careful in this situation. It will be important to have the full enthusiasm and understanding of your staff in implementing these big security changes in order to prevent major problems down the line. Employees who never get a satisfactory answer to the question above could drag their heels on the implementation process, and that holds everybody back.

4. Why is this so complicated?

If a user is not familiar with security at all, jumping into a high-security environment may be a fundamental change in the way they do things. In situations like this, you'll want to work with your preferred vendors before deployment for solutions that are either automated or have minimal actual impact on users. Granted, these options may end up costing more, but that will be a priority for management to decide, and the benefits in time saved and higher rates of successful implementation of strategy should nicely offset the higher price tag.

5. Oh! I heard about this on the news! 

If a breach or a new attack in the wild has made the news, it's a double-edged sword. Somebody out there is having a really bad day (hopefully not your organization), but on the flip side, if a user is aware of the dangers ahead of time and what can happen in worst-case scenarios, half of the work is already finished. They're already invested and have a very good reason to follow recommendations. 

These events are brief windows of time where you can show users a real-world example of why these policies have been put in place, and they close fast. Be sure to use them wisely. 

Critical factors for the managers

6. Get the support of C-level executives

Security is expensive. Good security is even more expensive. But having no security at all is the most expensive of all. 

Whenever you're introducing new security measures at an organizational level, it's going to need money. Depending on the project, a LOT of money. That's why it's best to have support from as many C-level executives as possible ahead of time so that funding can be secured and any additional concerns ironed out long before deployment begins.

7. Get assistance from other departments

Without the support of other department heads, any attempt to perform training may be doomed to failure. They have schedules and requirements to meet, and if something is going to take up users' time up front and make things slower in the long run, they're going to push back hard. With their help and understanding, however, this can be completely turned around, making it considerably easier to obtain the time and resources required.

8. Be able to incentivize staff

We talked about getting support for the stick earlier but didn't really mention the carrot. With upper management's support, there may be ways to help incentivize staff to take the training seriously by making it worthwhile for them. 

It may not be as obvious as extra money in their pocket, but extra time off, loosening of other rules and regulations, or potentially just retiring requirements that aren't needed anymore with the new measures can completely change the perspective a user has on training. 

9. Listen to employee feedback

Once you have users' attention, you need to keep it. This means listening to the problems they are running into with policies and training, as well as to their ideas and suggestions. For every one person that brings something up, you can bet there are a lot more behind the scenes running into an issue without saying anything. The users can bring this information to their department heads, who can then forward it on to security if it is a legitimate concern.

10. Have a deliverable

Most important of all, however, is being able to show proof that the changes being put in place are making an impact. Having data to show where you were before versus where you are after implementation is required to prove that the organization has not wasted time and money. Furthermore, if you are ever going to need to do something like this again (spoiler: you will), having this documentation will make things much easier in the next negotiation phase.

There is a lot of work to do in preparing for and implementing security training, but even more so in making sure that it has a lasting effect. By getting everyone on board well ahead of time, doing your homework and listening to the people that it impacts on a daily basis, the process will be far more effective for everybody involved, from the C-suite on down. 

Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.