
Security Awareness

Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.


What topics should security awareness training cover?

1. Classroom-based training program

In case there’s even a smidgen of doubt, this is the sort of awareness training where people step away from the day job while an instructor leads them through various security topics.

The main benefit is that people can get immediate feedback. Plus they can chat with the trainer, which means they can pick an expert’s brains. So they could discover more useful information than in, say, a video seminar. 

However, some argue that a classroom approach conflicts with something called Adult Learning Theory, which suggests that classroom learning suits children far more than it does adults.

What’s more, classroom-based training can be pricey, and it takes people away from their main roles for a large chunk of the day. Both these hurdles mean the sessions are often long and infrequent.

Neither of which bodes well for information retention.


2. Visual aids

Visual aids aim to influence cybersecurity behavior through (gasp) visuals. We’re talking anything from posters to handouts to videos, all of which can cover a range of topics, from password security to phishing scams.

Visual aids are easy to process. Unlike written messages, visuals are simple to understand. That means they communicate complex information quickly, without overwhelming people. 

What’s more, they’re pretty cheap to get in place, especially compared to classroom-based training. You’re potentially just looking at covering the costs of a graphic designer (if you need one), printer ink, and some paper. And, in return, people are reminded to stick with good cybersecurity practices. 

However, they do have some downsides. Visual aids can be easily ignored if they’re not engaging or interactive. Plus, over time, we stop “seeing” things that we’re used to. And unlike classroom-based training, there is no feedback loop between the sender and receiver. 

Last but not least, we know that follow-up testing can boost recall rates. So, visual aids may result in a lower rate of the important advice sticking in people’s minds.


3. Through phishing simulations

The popular way to test people’s response to cyber threats—attacking them! Okay, it’s just a simulation. You can send a phishing email, SMS, and even a “misplaced” USB stick.

Evidence tells us that simulated attacks are a super-powerful way of cementing messages in people’s minds, thus changing long-term behavior.

Sounds like a no-brainer, right? Wrong. 

Some argue that simulated attacks are unproductive—even immoral. You’re choosing to put people through the wringer, which can raise a few eyebrows. Plus, it’s an emotionally charged experience, and that can impact people’s mental wellbeing.

We’re behavioral science nuts. So, we know that phishing sims can do more harm than good—if they’re done wrong. But that’s not a good reason to dispense with them. It is, however, a reason to make sure you get them right.


4. Computer-based training

Online training can take many forms, from text to audio, video and quizzes. It’s also dynamic—when a new threat emerges, you can add a new module.

Some providers offer compliance-based training that’s no more than a tick-box exercise. Training should influence long-term security behaviors and reduce the risk of a breach.

It’s also important to look for training offered by security specialists, not training specialists. That’s not to say all security specialists are created equal, and they’ll need to demonstrate how their offering can go about influencing security behaviors, and how it can nurture a culture of security.


Couldn’t be me


Identity theft

  • Preventing identity theft is key to good cybersecurity training. Your program needs to help people spot warning signs and clean up their passwords.


Passphrases and multi-factor authentication

  • Encourage people to embrace passphrases and use 2FA for added security.


Public Wi-Fi

  • This is where people can learn all about the risks of unsecured public Wi-Fi–and how to use a VPN for protection.


Social engineering

  • From phishing to SMShing, people need to feel confident about how to identify and avoid scams. A simulated phishing attack can (when done well) transform how people respond to threats.


Browsing securely

  • Support people in how to browse securely, and how to avoid tracking or form auto-filling. Break it down with step-by-step guides on browser configuration.


Device security

  • Help people to make their devices into Fort Knox. Teach them how to configure antivirus software, firewalls, and set up auto-updates.



Malware

  • Give people time to learn about different types of malware and how to identify the signs of infection.


Breach recovery

  • Advocate for regular back-ups, and lay out how to recover from a data breach and minimize damage.


GDPR and data privacy

  • It’s not uncommon for people’s roles to involve being a “data handler” under the General Data Protection Regulation. That means they have specific responsibilities—but what are they, and what do they need to do to keep data security tight? Your training should cover it all.