19. Security Awareness Training Example

An example of security awareness training can be shown using an organization’s strategy to improve fire safety in the workplace.

• Education may help workers in a secure server room understand the interaction of:
  • fire and smoke detectors
  • suppression systems
  • alarms
  • electrical power, lighting, and ventilation systems
• Training provides task-specific learning about proper actions to take in:
  • an alarm
  • a suppression system going off without an alarm
  • a ventilation system failure
  • other contingencies
• This training builds on the learning gained through educational activities.
• Awareness activities include:
  • appropriate signage
  • floor or doorway markings
  • other indicators to help workers detect an anomaly, respond to an alarm, and take appropriate action
• Awareness acts as a constantly available reminder of what to do when alarms go off.

Anti-Phishing Campaign

This approach can also be applied to an anti-phishing campaign.

• Education may help selected groups of users understand:
  • how social engineering attacks are conducted
  • how to create and test their own strategies to improve defensive techniques
• Training helps users:
  • recognize potential phishing or similar attempts
  • practice correct responses to such events
  • identify phishing emails using simulated phishing emails sent to users on a network
• Awareness raises users’ understanding of threats such as:
  • phishing
  • vishing
  • SMS phishing (smishing)
  • other social engineering tactics
• Awareness techniques can alert selected users to new or novel approaches used in such attacks.