Are you looking for insight into the best method of establishing a security training environment within your organization? This is a recurring need across all organizations and one which we aim to guide you through as we work through this series, titled “Annual Security Training – Design, Develop, and Deliver”. If you’re wondering why you should focus resources on developing security training programs or missed the first part of the series, go ahead and follow the above link.
There you will learn why security training is important and how to present those “whys” to senior leadership for support. In this installment of the series, we will address the first step in operating a successful training program: design.
Ask anyone who works in a teaching capacity and they will tell you that crafting a curriculum that best conveys the material is the most important part of planning.
Think back to your time pursuing your degree and you will likely remember professors spending the entire first day of class walking through the syllabus and explaining the semester’s overall theme and learning objectives, all to ensure you get the most out of the class and learn the material in a meaningful way. Those tasked with informing others know that the content of the presented material varies greatly with the target audience, and that learning objectives and content must be aligned.
When designing your security awareness program, it is important to understand the needs specific to your industry. In other words, you must identify the learning objectives in order to develop a complete syllabus. Depending on your industry there will likely be specific items that need to be addressed in greater detail, while others can be left out altogether. For example, an organization that handles the personal data of EU citizens must address the privacy requirements of GDPR, and one operating in the medical industry must address HIPAA information controls.
Accordingly, if your organization does not operate in those industries, it makes more sense to focus on the high-risk areas to which every organization is susceptible. Beyond industry-specific topics, there are many areas in which all industries are vulnerable and that should be addressed across all organizations.
These areas include but are not limited to:
- Acceptable Use of Company Infrastructure – Address company policies regarding personal use of company resources such as social media and personal email.
- Phishing – Provide resources addressing the methods of identifying and preventing phishing attempts.
- Incident Reporting – Instruct employees on the organization’s procedures around how to report security incidents along with all necessary information.
- Email Requirements – Referencing the company’s data retention policy and industry-specific regulations, instruct employees on the retention and transmission of sensitive information.
- Safe Internet Behavior – Instruct employees on proper cyber hygiene, such as avoiding malicious links, using encrypted connections, etc.
- Password Requirements – Reference the company’s policy on the use of SSO, password complexity, and password reuse.
- Physical Security – Identify the security perimeter and methods for mitigating the risks of shoulder surfing, tailgating, etc.
When designing the curriculum for the organization, you should also consider each group of employees’ level of responsibility and degree of access to sensitive information. This allows you to better tailor training and ensure high-risk users receive reinforced training where needed. This may look like additional privacy or sensitive-material training for employees who routinely interact with private healthcare or financial data.
Questions about policies or compliance and where to start? Contact us here! We’d love to chat with you and see how risk3sixty can meet your organization’s needs.