Security Awareness Training SOP

Standard Operating Procedure for security awareness and training programs

Service Pillar: Protect
Service Category: Security Awareness
Target Duration: Varies (one-time or ongoing)
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Develop and deliver security awareness training programs that reduce human-factor risks through education, simulated phishing, and ongoing reinforcement.

Target Personas

| Persona | Primary Pain Point | Value Case |
| --- | --- | --- |
| Healthcare Admin | HIPAA training requirements, staff compliance | Audit-ready documentation |
| Service Business Owner | Staff training gaps, compliance anxiety | Reduced incident rate |
| Solo IT Director | Can't monitor everyone, needs backup | Expert program management |

Business Justification

| Metric | Value | Source |
| --- | --- | --- |
| Phishing involved in breaches | 36% of breaches | Verizon DBIR 2024 |
| Social engineering attacks | 98% of attacks involve social engineering | Proofpoint Human Factor Report |
| Phishing click reduction after training | 75-90% | KnowBe4 Benchmarking Report |
| Average phishing click rate (untrained) | 25-35% | KnowBe4 2024 |
| Average phishing click rate (trained) | 2-5% | KnowBe4 2024 |
| Human error causing breaches | 74% | Verizon DBIR 2024 |

Pricing Reference

| Package | Scope | Price Range | Duration |
| --- | --- | --- | --- |
| Foundation | Initial training, annual refresh, baseline phishing | $5,000-$10,000 | One-time |
| Standard | Foundation + quarterly phishing, reporting | $10,000-$18,000/year | Annual |
| Premium | Standard + monthly phishing, custom content, metrics | $18,000-$30,000/year | Annual |
| Add-On: Executive Training | Board/leadership specific training | $2,500-$5,000 | Per session |

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • Employee count confirmed
  • Current training status assessed
  • Compliance requirements identified
  • Leadership sponsor identified
  • Email access for phishing campaigns confirmed
  • Platform integration requirements understood

Required Information Gathering

| Category | Information Needed |
| --- | --- |
| Organizational | Employee count, departments, locations |
| Current State | Prior training, phishing click rates, incidents |
| Compliance | HIPAA, PCI, SOC 2, insurance requirements |
| Technical | Email platform, SSO availability, LMS access |
| Culture | Previous security messaging, incident history |

Program Components

Training Curriculum

Core Modules (All Employees)

| Module | Duration | Topics | Frequency |
| --- | --- | --- | --- |
| Security Fundamentals | 30 min | Threat landscape, SBK responsibilities, reporting | Annual |
| Phishing Recognition | 20 min | Email threats, link analysis, reporting | Annual + reinforcement |
| Password Security | 15 min | Strong passwords, MFA, password managers | Annual |
| Data Protection | 20 min | Classification, handling, disposal | Annual |
| Physical Security | 15 min | Clean desk, visitor management, tailgating | Annual |
| Remote Work Security | 20 min | Home network, public WiFi, device security | Annual |
| Incident Reporting | 15 min | What to report, how to report, no-blame culture | Annual |

Role-Specific Modules

| Role | Modules | Topics |
| --- | --- | --- |
| IT/Technical | Secure development, system administration | Secure coding, privileged access |
| HR/Recruiting | PII handling, employee data | Privacy, data retention |
| Finance | BEC awareness, wire fraud | Payment verification, fraud detection |
| Customer Service | Social engineering, customer data | Call verification, data handling |
| Executives | Whale phishing, decision-making | High-value targeting, strategic risks |

Compliance-Specific Training

| Compliance | Required Topics | Documentation |
| --- | --- | --- |
| HIPAA | PHI handling, Privacy Rule, Security Rule | Training logs, acknowledgments |
| PCI DSS | Cardholder data, POS security | Annual certification |
| SOC 2 | Security policies, access management | Completion records |
| Cyber Insurance | Policy requirements, incident reporting | Carrier-specific |

Implementation Process

Phase 1: Program Design (Week 1-2)

Objective: Customize program for client environment

| Activity | Deliverable | Duration |
| --- | --- | --- |
| Requirements gathering | Program spec | 2 days |
| Baseline assessment | Current state report | 1 day |
| Curriculum customization | Tailored content plan | 2 days |
| Platform configuration | Configured training system | 2 days |
| Phishing template design | Custom phishing campaigns | 1 day |

Phase 2: Baseline Measurement (Week 2-3)

Objective: Establish current security awareness levels

| Assessment | Method | Metric |
| --- | --- | --- |
| Knowledge baseline | Pre-training quiz | Score percentage |
| Phishing susceptibility | Baseline simulation | Click rate, report rate |
| Incident history | Review prior incidents | Human-factor incidents |

Phase 3: Training Deployment (Week 3-4)

Objective: Roll out training program

| Activity | Timeline | Approach |
| --- | --- | --- |
| Leadership communication | Day 1 | Executive announcement |
| Training launch | Days 2-14 | Phased department rollout |
| Completion tracking | Ongoing | Weekly progress reports |
| Non-completion follow-up | Day 10+ | Manager escalation |

Phase 4: Ongoing Reinforcement (Ongoing)

Objective: Maintain and improve security awareness

| Activity | Frequency | Purpose |
| --- | --- | --- |
| Phishing simulations | Monthly/Quarterly | Behavior testing |
| Microlearning | Weekly/Bi-weekly | Knowledge reinforcement |
| Security newsletters | Monthly | Awareness updates |
| Incident-based training | As needed | Address specific events |
| Annual refresh | Annual | Curriculum update |

Phishing Simulation Program

Campaign Design

| Campaign Type | Purpose | Frequency | Difficulty |
| --- | --- | --- | --- |
| Baseline | Initial measurement | Once | Medium |
| Educational | Low-risk learning | First 2-3 campaigns | Easy-Medium |
| Progressive | Skill building | Ongoing | Escalating |
| Advanced | Expert detection | Periodic | Difficult |

Phishing Template Categories

| Category | Examples | Risk Level |
| --- | --- | --- |
| Generic | Shipping notification, invoice | Low |
| Corporate | IT support, HR announcement | Medium |
| Impersonation | Executive request, vendor | High |
| Current Events | News-related, seasonal | Variable |
| Targeted | Role-specific, personalized | High |

Phishing Metrics

| Metric | Definition | Target |
| --- | --- | --- |
| Click Rate | Users who clicked link | <5% (trained) |
| Report Rate | Users who reported email | >60% |
| Data Entry Rate | Users who entered credentials | <2% |
| Time to Click | Average time before clicking | Trend to increase |
| Repeat Offenders | Same users clicking multiple times | <10% of clickers |
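The metrics above are usually pulled from the simulation platform's report, but it helps to see how they are derived from raw per-recipient results, especially the cross-campaign "repeat offender" share, which no single campaign report shows. The following is an added example written for this page, not SBK's tooling or any platform's API; the `SimEvent` record layout, the campaign names and the per-user results are constructed for illustration, and the thresholds in `TARGETS` are the ones from the table above.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class SimEvent:
    """One simulated phishing message delivered to one user (constructed layout)."""
    campaign: str
    user: str
    sent_min: int                      # minutes after campaign start at delivery
    clicked_min: Optional[int] = None  # minute of link click, None if never clicked
    entered_creds: bool = False        # submitted data on the landing page
    reported: bool = False             # used the report-phishing button

# Constructed sample results for two campaigns; not real client data.
EVENTS = [
    SimEvent("2025-Q1-baseline", "alice", 0, clicked_min=4, entered_creds=True),
    SimEvent("2025-Q1-baseline", "bob", 0, clicked_min=15),
    SimEvent("2025-Q1-baseline", "carol", 0, reported=True),
    SimEvent("2025-Q1-baseline", "dave", 0, clicked_min=42, reported=True),
    SimEvent("2025-Q1-baseline", "erin", 0),
    SimEvent("2025-Q2-educational", "alice", 0, clicked_min=9),
    SimEvent("2025-Q2-educational", "bob", 0, reported=True),
    SimEvent("2025-Q2-educational", "carol", 0, reported=True),
    SimEvent("2025-Q2-educational", "dave", 0, reported=True),
    SimEvent("2025-Q2-educational", "erin", 0, reported=True),
]

# Targets from the Phishing Metrics table (percentages).
TARGETS = {
    "click_rate": ("<", 5.0),
    "report_rate": (">", 60.0),
    "data_entry_rate": ("<", 2.0),
    "repeat_offender_share": ("<", 10.0),
}

def campaign_metrics(events, campaign):
    """Per-campaign rates as percentages of delivered messages."""
    rows = [e for e in events if e.campaign == campaign]
    delivered = len(rows)
    if delivered == 0:
        raise ValueError(f"no delivered messages for campaign {campaign!r}")
    clicks = [e for e in rows if e.clicked_min is not None]
    click_times = [e.clicked_min - e.sent_min for e in clicks]
    return {
        "delivered": delivered,
        "click_rate": round(100 * len(clicks) / delivered, 1),
        "report_rate": round(100 * sum(e.reported for e in rows) / delivered, 1),
        "data_entry_rate": round(100 * sum(e.entered_creds for e in rows) / delivered, 1),
        # None when nobody clicked; the target is for this to trend upward.
        "avg_time_to_click_min": round(mean(click_times), 1) if click_times else None,
    }

def repeat_offender_share(events):
    """Percentage of all clickers who clicked in more than one campaign."""
    campaigns_clicked = {}
    for e in events:
        if e.clicked_min is not None:
            campaigns_clicked.setdefault(e.user, set()).add(e.campaign)
    if not campaigns_clicked:
        return 0.0
    repeaters = sum(1 for c in campaigns_clicked.values() if len(c) > 1)
    return round(100 * repeaters / len(campaigns_clicked), 1)

def check_targets(metrics):
    """Map each metric that has a target to True (met) or False (not met)."""
    results = {}
    for name, (op, threshold) in TARGETS.items():
        if name in metrics:
            value = metrics[name]
            results[name] = value < threshold if op == "<" else value > threshold
    return results

def program_summary(events):
    """Per-campaign metrics plus the cross-campaign repeat-offender share."""
    campaigns = sorted({e.campaign for e in events})
    summary = {c: campaign_metrics(events, c) for c in campaigns}
    summary["repeat_offender_share"] = repeat_offender_share(events)
    return summary

if __name__ == "__main__":
    for name, m in program_summary(EVENTS).items():
        print(name, m)
    latest = campaign_metrics(EVENTS, "2025-Q2-educational")
    latest["repeat_offender_share"] = repeat_offender_share(EVENTS)
    print("targets met:", check_targets(latest))
```

The repeat-offender share is computed over distinct users who clicked in any campaign, so a user who clicked twice in one campaign is not a repeater; that matches the table's "same users clicking multiple times" read across campaigns. A user who clicked and then reported (dave in the baseline) counts toward both the click rate and the report rate, which is how most platforms score it and why the two rates can sum above 100%.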

Failed Phishing Response

| Action | When | Purpose |
| --- | --- | --- |
| Immediate education | Post-click | Teachable moment |
| Manager notification | Repeat offense | Accountability |
| Additional training | Pattern identified | Skill building |
| Coaching session | High-risk clicks | Intervention |

Deliverables

Initial Deliverables

| Deliverable | Content |
| --- | --- |
| Training Plan | Curriculum, schedule, metrics |
| Baseline Report | Current awareness levels |
| Platform Configuration | Configured training system |
| Communication Kit | Announcement templates, leadership talking points |

Ongoing Deliverables

| Deliverable | Frequency | Content |
| --- | --- | --- |
| Training Completion Report | Monthly | Completion rates by department |
| Phishing Campaign Report | Per campaign | Click rates, trends, insights |
| Quarterly Summary | Quarterly | Metrics, trends, recommendations |
| Annual Review | Annual | Year-over-year improvement, ROI |

Compliance Documentation

| Document | Purpose | Format |
| --- | --- | --- |
| Training Completion Records | Audit evidence | Exportable logs |
| Acknowledgment Records | Policy acceptance | Signed/electronic |
| Phishing Test Results | Compliance evidence | Report format |
| Remedial Training Records | Due diligence | Individual records |

Quality Assurance

Program Effectiveness Metrics

| Metric | Baseline | 6-Month Target | 12-Month Target |
| --- | --- | --- | --- |
| Phishing click rate | 25-35% | 10% | <5% |
| Report rate | <20% | 40% | >60% |
| Training completion | N/A | 95% | 100% |
| Knowledge assessment | N/A | 75% | 85% |
| Incidents (human factor) | Baseline | 50% reduction | 75% reduction |

Continuous Improvement

| Activity | Frequency | Purpose |
| --- | --- | --- |
| Campaign analysis | Per campaign | Identify weak spots |
| Content updates | Quarterly | Current threats |
| Curriculum review | Annual | Comprehensive update |
| Industry benchmarking | Annual | Competitive comparison |

Post-Delivery

Ongoing Support

| Activity | Frequency | Included |
| --- | --- | --- |
| Campaign management | Monthly/Quarterly | Platform administration |
| Report generation | Monthly | Metrics reporting |
| Content updates | Quarterly | New modules, updated content |
| Strategy review | Quarterly | Program optimization |

Annual Renewal

| Activity | Timing | Purpose |
| --- | --- | --- |
| Annual curriculum refresh | Q4 | Update training content |
| Metrics review | Q4 | Year-over-year analysis |
| Program recommendations | Q4 | Enhancement proposals |
| Contract renewal | Q4 | Service continuation |

| Service | Connection | SOP Reference |
| --- | --- | --- |
| HIPAA Gap Assessment | Training evidence required | hipaa-gap-sop.md |
| SOC 2 Gap Assessment | CC1/CC2 requirements | soc2-gap-sop.md |
| vCISO | Ongoing security oversight | vcto-vciso-engagement-sop.md |
| Incident Response | Incident reporting training | incident-response-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
| --- | --- | --- |
| Continuous reinforcement | 75% retention vs 10% single session | Learning retention studies |
| Simulated phishing effective | 50-70% click rate reduction | KnowBe4 Research |
| Positive culture approach | Higher reporting, better outcomes | SANS Security Awareness Report |
| Role-based training | Higher relevance, better retention | Industry best practice |

SBK Success Metrics

| Metric | Target | Measurement |
| --- | --- | --- |
| Click rate improvement | 80% reduction | Baseline vs 12-month |
| Report rate improvement | 3x increase | Baseline vs 12-month |
| Training completion | 95%+ | LMS reporting |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |

Regulatory References


Last Updated: February 2026
Version: 1.0