This is a very common question. It’s easy to feel like you’re operating in a vacuum when managing your team’s Security Awareness Training program. We outline the steps to make your objectives and duties clear, so you can provide your team with a complete Training program. 

As an IT Admin, CISO or HR manager seeking to add this critical layer of security, you’d like peace of mind in knowing that your program is adequate for your team. The good news is that this peace of mind is attainable!

Here, we lay out guidance for ensuring your program is active, accurate and complete.

Note: Depending on the vendor you choose, your time spent on achieving these goals can vary widely. Platforms range from highly manual to fully automated. This may help you determine what type of platform suits your team best.

Which Training courses are necessary for my program?

The most prominent and widely used guidance for Cyber Security Awareness Training comes from NIST (National Institute of Standards and Technology). NIST created the Cybersecurity Framework (CSF) to provide cybersecurity guidance for a broad range of industries and across the spectrum of security layers.

The NIST CSF establishes the Framework’s 5 Core Functions. These five functions are Identify, Protect, Detect, Respond and Recover. (You can learn more about them here)

As you may have guessed, Security Awareness Training falls under the Protect function. According to NIST, each organization needs to ensure its “personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities…”

Many Security Awareness Training vendors offer guides on choosing your organization’s curriculum. This is often very helpful and can include specific compliance courses (ex: PHI for healthcare or PCI for credit card acceptance). Otherwise, you’ll be studying the guidance from each one of your stakeholders and regulators. That’s not pleasant but may be necessary, depending on the vendor you choose.

Bottom Line

NIST established the baseline for Training requirements. Most vendors will assist you in picking your team’s specific courses.

How many courses do my users need?

This is all dependent on the length of each course you provide your users and on any specific compliance needs of your organization. You want to ensure that you don’t overwhelm your team with too many courses. Frequency matters.

A good benchmark is approximately one course every 1-2 months. Anything less than quarterly is simply too far apart in time to ensure ongoing Training is met. You’ll want to ensure your vendor either provides the option of 6-12 courses per year or simply automates that process on your behalf.

Bottom Line

To ensure ongoing Training, your users should expect one course every 1-2 months.

How long should Training courses be?

This is a critical question. You want your users educated, not annoyed and exhausted. It can be a difficult balance to strike, depending on the vendor you choose.

As you’re well aware, our attention spans are often shockingly short. This means the courses need to be both engaging and relatively concise. 

10 minutes is a good benchmark. Generally speaking, you’ve lost your user’s attention at 10 minutes. Also, they’re likely to delay taking the course if they know it’s 10 minutes or longer.

For best results, you’ll want to target courses that take between 3 and 7 minutes.

Bottom Line

Training courses need to be engaging and take less than 10 minutes each.

When should Training reminders be sent?

Reminding your team to take Training courses is one of the most tedious and unloved parts of the job of managing your organization’s Security Awareness Training program. No one likes being the nag around the office, and you want to ensure that the Training sticks. So it’s important that your users receive Training reminders at appropriate times.

Research indicates mornings early in the week are typically good times for finding users alert and ready to engage in new learning. Also, it’s helpful to identify a specific time for users to expect their Training reminders to arrive. This makes it more likely that they’ll jump right in and complete courses promptly.

Bottom Line

Ensure your team receives Training reminders in the morning, preferably early in the week.

How often should I be Phishing my team?

You want your team prepared to avoid attacks, but you also don’t want to overwhelm them with too many Phishing simulations.

Many regulatory guidance documents and vendor questionnaires call for “regular” or “periodic” Phishing testing. This suggests it’s certainly more than once or twice a year, but it still doesn’t answer the question clearly.

One industry leader, KnowBe4, calls out a specific frequency of Phishing that’s required to qualify for their product guarantee.* The company provides a reimbursement in the form of $1000 in Bitcoin after a Ransomware attack (details as of this writing). To qualify for this Ransomware guarantee, an organization must send at least 1 simulated Phish per employee per month.

At one Phish per month per employee, you will strike a balance of providing useful practice while not over-burdening your users with simulated Phishing attacks.

Bottom Line

Phish every member of your team at least once a month.

* Details from company website, as of June 10, 2020:

What types of Phishing templates are right for my team?

Your organization faces all forms of Social Engineering and Phishing attacks. Hackers and con artists are often a smart and crafty bunch. These cyber criminals are also very practical in their approach. They’re running a business, after all. Yes, that’s exactly how many of them see it! This means they will test various attack styles until one works. This is absolutely true for Phishing. Once hackers find a Phish that works, they will blast that template millions of times over in search of victims.

In protecting your organization, you want to be aware of those most successful Phishing templates in use at all times. These are the Phishes you can expect to see in your network.

There are several ways to keep abreast of the latest Phishing templates in the wild. You can monitor white hat forums, subscribe to vendor email lists or simply utilize a fully automated Phishing platform.

Bottom Line

Your users should receive examples from the most active and successful hacker campaigns in the wild.

When should I send Simulated Phishing attacks?

In many parts of life, timing is everything. This rings true for your organization’s Simulating Phishing program. If everyone gets the same Phish at the same time, it just takes one Bob or Jill shouting it out, and all your effort in crafting the perfect Phish test goes out the window. Your team’s stats look great - no one else falls for the Phishing test! But this simply provides a false sense of security.

Your organization’s Phishing needs to be randomized in timing and content. This means no one receives the same template at the same time. These variations are critical to ensure you avoid a false sense of security with your Phishing tests.

People talk, and you want to use this to your advantage in enhancing learning. If employees all know what to look for, then the test is useless. This is obvious, but it certainly can add work to your plate, depending on the vendor you choose. When users receive different Phishes at different times, the only option is to become more vigilant.

It’s important to recognize that randomizing the timing means your Phishing emails should be delivered throughout the work week and even over the weekend. Every user’s vulnerability can change at different points during a week or after big events. Consider HR Admin after an exhausting week. He could easily fall for a Phish on Friday afternoon while exhausted, even if he wouldn’t dream of clicking that same link on Tuesday morning. Your salesperson may be much more vulnerable to a Phish after losing a big client at that point than any other. None of your users wants to be the one to click on a real Phishing email and open your organization to an attack. But every one of us is vulnerable, especially when varying timing includes a range of emotional and mental states.

Bottom Line

Your Phishing tests need to be randomized throughout the month for all users.

What should I do about consistent Phishing clickers?

This follows right along with the amount of simulated Phishing attacks you provide for your team. Shortly after you start your simulated Phishing program, you should expect to see some of your team fall for these tests.

What you do next is critical for the learning experience. Studies show that immediate training after an employee fails a Phishing test is “mostly ineffective because information isn’t recalled and practiced enough.” (see: D. D. Caputo, S. L. Pfleeger, J. D. Freeman and M. E. Johnson, "Going Spear Phishing: Exploring Embedded Training and Awareness," in IEEE Security & Privacy, vol. 12, no. 1, pp. 28-38, Jan.-Feb. 2014, doi: 10.1109/MSP.2013.106.)

This fact may seem confusing, but consider the mindset of your employee who just clicked on a bad link. It’s a startling place to be, and that’s rarely an effective time to learn new skills. Remember, it’s not that your users don’t want to learn. In fact, they overwhelmingly do! Timing and delivery can be the difference maker in ensuring lessons stick.

In lieu of immediate training, a very useful option is providing specific education once the dust settles. This includes re-targeting those repeat clickers with additional Phishing in the following days or weeks and providing focused guidance on safer security behaviors to avoid the real-world version of that simulated attack. Just like any other skill, more practice is necessary to improve!

Bottom Line

Your most vulnerable people need additional Phishing and should be re-targeted upon failing a test.

What metrics are important for reporting on my Security Awareness Training program?

It’s important to start with identifying the viewers of your reports. You’re typically going to be sharing these reports with Executives and Regulators or Customers. These groups are all interested in your organization’s security, but their specific information needs may differ.

Executives are primarily focused on the efficacy of the program and want to be able to identify your most vulnerable users. Essentially, they want to be sure the organization is getting safer! To satisfy this, you’ll want to show them your team’s progress in Training and results for Phishing tests. Your reports should make available the aggregate and individual results across the organization. As your team completes more Training, your users should gain more knowledge. This helps them avoid more Phishing attacks, real and simulated.

Regulators and Customers need to know that your organization is making efforts to keep operations and data secure. Rather than focusing on each individual, these stakeholders want assurance that the team is engaged in your Security Awareness Training program. This is most efficiently achieved by sharing your Security Awareness Training Policy and showing that every employee is actively enrolled in the program. Be sure to ask your Training vendor if they provide this Policy for you.

Bottom Line

You need to show your organization’s progress in Training and results from Phishing, highlighting any laggards. You should also maintain a Security Awareness Training Policy and ensure all users are active in your program.


Your Security Awareness Training program will quickly become a critical piece of your organization’s security effort. From satisfying regulatory requirements to reducing Ransomware risks, a complete program provides tremendous value to the organization. 

It’s important to consider the time you can allocate to ensuring your program remains active and accurate. This can help you determine whether you want an automated or more manual platform. It’s critical that you avoid exhausting your IT team with additional hours of work. This leads to a weak or dormant Security Awareness Training program for your team. We want to help you avoid this!