Managing Cybersecurity Risks through User Training, Awareness & Accountability

Instructor: Daniel Arnold

Daniel has a bachelor's in Computer Science, is a CISSP and CEA. He is a cyber competition coach and speaks on Info Security at conferences.

In this lesson, we will be exploring the role of the user awareness and training program as a component in the practice of managing cybersecurity risks. We will distinguish security awareness, training, and education and relate the importance of accountability to the awareness and training program.

The Weakest Link: The User

A truism within the cybersecurity industry is that the organization's users are always the weakest link in the defensive chain. Regardless of how good the technology is, how closely security best practices are followed, or how many layers a defense in depth strategy has, one bad decision by a user can nullify all of that technology and process. This makes the training and awareness program a crucial component of the cybersecurity program.

Awareness, Training, and Education

In developing a program to make our users cyber-savvy we need to correctly define the types of educational exercises that we'll need to implement. Though often used interchangeably, awareness, training, and education actually have distinct qualities in a cybersecurity context.


Awareness is what we usually think of when we think of user training. This typically entails either an in-person or online session that all of an organization's employees must complete. There is usually a session during the employee's onboarding and then a session that employees must complete at least annually. The content should provide an overview of the organization's information security policies, guidance on how to identify and avoid phishing attacks, and how to correctly engage the security or incident management team if a breach or other event is suspected. Ideally, the examples in this session will draw from actual attack attempts experienced by users. Some organizations take the phishing attacks that users identify and use them both for the annual sessions and for alerts to users when certain attack types are spiking.


Training, as distinguished from awareness, is intended to be specific to the user's job function. As an example, the training required for someone in the accounting department could be different from that for a user in the research department. An accounting staff member would need to be alert to attempts to pull account numbers or to initiate fraudulent transfers. The research staff, in contrast, would need to be alert to attempts by corporate espionage actors, or even state-level threat actors, to pull sensitive information.


In a cybersecurity context, education is distinguished as the activities that develop professional skills leading to a certification or some other form of credential. This could be an IT security team member earning a Security+ or CISSP certification, or a medical professional becoming HIPAA certified.


A necessary component of the training and awareness program is accountability. If the program doesn't have any form of follow-up and potential consequences or rewards, it is unlikely to be effective and will likely be relegated to yet another clock-watching session to be ignored. To make sure the efforts are taken seriously, there are a couple of things that the information security team - with the support of other teams - can do to increase the program's effectiveness.

Testing exercises

Few things increase attention to a presentation as much as knowing there will be a test. This works especially well with online sessions that have check-up exercises along the way as well as a competency test at the end, with the expectation that the session will need to be repeated should the user not pass.

Internal phishing exercises

Probably nothing increases vigilance toward phishing emails like knowing that some of the phishing emails are coming from the security team to test the user base. While this is a capability that can be developed and managed internally, it is often procured from external vendors. One approach that many organizations have found effective is to send two kinds of emails. The first takes emails that have been seen in the wild and mimics them. The second crafts specific emails that might be interesting to the user but are not pertinent to the user's job function: bogus job offers, a feigned inquiry from a competitor, or access to information the user's job should not grant (e.g., executive salaries). The responses to these phishing emails then need to be monitored and tracked for accountability purposes. This is where support from other teams will make or break the effectiveness of the program. The legal and/or human resources teams should be engaged for support and guidance in implementing a progressive set of steps to encourage, and if necessary discipline, an employee who habitually clicks phishing emails.
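As an added example (not part of the lesson), a small Python tracker for the accountability step described above: it aggregates constructed simulated-phishing results per user, maps repeat failures onto an assumed progressive ladder of steps, and compares click and report rates for the two kinds of lures. The record format, field names, and ladder steps are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of simulated-phishing results (not real data).
# Each record: (campaign, source, user, action). source is "wild" (mimics an
# email seen in the wild) or "crafted" (a lure unrelated to the job, such as a
# bogus job offer). action is "ignored", "reported", "clicked" or "submitted".
SAMPLE_RESULTS = [
    ("Q1", "wild", "alice", "reported"),
    ("Q1", "wild", "bob", "clicked"),
    ("Q1", "wild", "carol", "ignored"),
    ("Q2", "crafted", "alice", "reported"),
    ("Q2", "crafted", "bob", "submitted"),
    ("Q2", "crafted", "carol", "clicked"),
    ("Q3", "wild", "alice", "ignored"),
    ("Q3", "wild", "bob", "clicked"),
    ("Q3", "wild", "carol", "reported"),
]

FAIL_ACTIONS = {"clicked", "submitted"}

# Progressive steps, assumed for this example; a real ladder is set with HR/legal.
LADDER = ["none", "automated reminder", "manager notified", "targeted retraining", "HR review"]


def failures_per_user(results):
    """Number of campaigns in which each user clicked or submitted credentials."""
    counts = defaultdict(int)
    for _, _, user, action in results:
        counts[user] += 1 if action in FAIL_ACTIONS else 0
    return dict(counts)


def escalation_step(failures):
    """Map a failure count onto the progressive ladder (capped at the last rung)."""
    return LADDER[min(failures, len(LADDER) - 1)]


def campaign_rates(results):
    """Per campaign: (source, click_rate, report_rate) to compare wild vs crafted lures."""
    by_campaign = defaultdict(list)
    for campaign, source, _, action in results:
        by_campaign[(campaign, source)].append(action)
    rates = {}
    for (campaign, source), actions in by_campaign.items():
        n = len(actions)
        failed = sum(a in FAIL_ACTIONS for a in actions)
        reported = sum(a == "reported" for a in actions)
        rates[campaign] = (source, round(failed / n, 2), round(reported / n, 2))
    return rates
```

A rising report rate alongside a falling click rate over successive campaigns is the signal that the awareness effort is working, not the click rate alone.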
