Build a Security Awareness and Training Program

Your weakest link is between the keyboard and the chair.


This content requires an active subscription.

Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.

Speak With A Representative Sign In
or Call: 1-888-670-8889 (US) or 1-844-618-3192 (CAN)

Your Challenge

  • Security threats and exploits continue to be on the rise in the form of advanced persistent threats (APTs) and other unique attack types.
  • APTs and attackers are looking to go after the weakest link within your organization – the people.
  • Whether it is a lack of knowledge or a disregard for security, your end users are either the intentional or unintentional cause of security threats for your organization.

Our Advice

Critical Insight

  • Even with extremely robust security controls, your end users will continue to be one of the weakest links.
  • To change the behaviors of your employees, make them invested in organizational security through positive reinforcement.

Impact and Result

  • Focus on increasing employees’ knowledge within the training but actively going beyond to change their behavior by making them all security aware.
  • Go beyond the standard classroom style learning that is expected of training – use new teaching methods and positive reinforcement to ensure that your end users become more security aware.
  • Use Info-Tech’s blueprint and methodology to craft a program that will engage your audiences and employees, while ensuring to review important security-related topics.


  • Adriyel Greeve, IT Director, Waiward Steel Fabricators Ltd.
  • Karen Rousseau, Sr IT Portfolio Analyst, Charles River
  • Karla Thomas, Director IT, Global Support, Audit and Security, Tower International, Inc.
  • Kevin Vadnais, Security Manager, University of Lethbridge
  • Michel Fosse, Consulting Services Manager, IBM Canada (LGS)
  • Pierre St-Jean, Management Consultant, Triac Consulting
  • Robert Hawk, Information Security Expert, xMatters, Inc.
  • Rob Marano, Co-Founder, The Hackerati, Inc.
  • Steven Woodward, CEO, Cloud Perspectives

Get the Complete Storyboard

See how all the steps you need to take come together, with tools and advice to help with each task on your list.

Download Now

Get to Action

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a security awareness and training program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

  1. Determine the appropriateness

    Make the case for a security awareness and training program while reviewing the appropriateness for the organization.

  2. Identify the content

    Identify which topics need to be communicated to staff by reviewing security policies.

  3. Determine how to execute the plan

    Translate security policies and topics into engaging and effective training.

  4. Implement the program

    Deliver developed content to audiences and measure success.

Guided Implementation icon Guided Implementation

This guided implementation is a ten call advisory process.

    Guided Implementation #1 - Determine the appropriateness

  • Call #1: Determine your program appropriateness

  • Call #2: Measure the business satisfaction with security

  • Guided Implementation #2 - Identify the content

  • Call #1: Identify any missing security policies and topics

  • Call #2: Understand the Threat Intelligence market space and prioritize your content

  • Guided Implementation #3 - Determine how to execute the plan

  • Call #1: Create a project charter

  • Call #2: Review your program governance and target state

  • Call #3: Evaluate communication method options

  • Guided Implementation #4 - Implement the program

  • Call #1: Create an implementation timeline

  • Call #2: Run a pilot program

  • Call #3: Develop a review and update process

Onsite Workshop

Module 1: Determine Your Security Awareness and Training Program Appropriateness

The Purpose

  • Identify your organization’s rationale for building an awareness and training program and articulate this in terms of appropriateness.
  • Build project support through documented benefits and objectives.
  • Determine what the business thinks of security.

Key Benefits Achieved

  • Identified contributing factors towards developing a security awareness and training program.
  • Gained program support.
  • Understanding of what the business thinks of security.

Activities: Outputs:
1.1 Assess your program appropriateness.
  • Defined program rationale and appropriateness
1.2 Document your need for a program.
1.3 Define your benefits and objectives for a program.
1.4 Gain an executive champion.
  • Executive Champion
1.5 Measure the business satisfaction with security.
  • Determined current business satisfaction with security

Module 2: Identify Your Content for Your Program

The Purpose

  • Evaluate your existing security policy suite as a basis for your awareness and training program.
  • Identify any missing security policies needed to provide a foundation and credibility to your program.
  • Identify any unique security topics that need to be addressed. 

Key Benefits Achieved

  • Developed a complete security policy suite to support your program.
  • Prioritized security topics to be trained on. 

Activities: Outputs:
2.1 Identify existing security topics and policies.
  • Identified and prioritized security policies and topics to be covered in the program
2.2 Identify missing security policies.
2.3 Identify unique security topics.
2.4 Prioritize your security topics.

Module 3: Determine How to Execute Your Plan

The Purpose

  • Develop program governing structures to ensure efficient program creation and maintenance.
  • Identify what your target state for security awareness and training is.
  • Identify and customize multiple communication methods for your program. 

Key Benefits Achieved

  • Effective program governance.
  • Defined program purpose.
  • Identified current and target state of end-user security awareness levels.
  • Customized communication methods that are unique to your organization’s needs. 

Activities: Outputs:
3.1 Develop program governance.
  • Project Charter
3.2 Perform a current state assessment of your end users.
3.3 Determine your target state.
  • Identified target state
3.4 Develop your communication methods.
  • Customized communication methods

Module 4: Implement Your Program

The Purpose

  • Implement the program in a controlled agile methodology.

Key Benefits Achieved

  • Effective rollout of security awareness program.
  • Identify potential issues early on. 

Activities: Outputs:
4.1 Create an implementation timeline.
  • Implementation timeline
4.2 Run a pilot program.
  • Pilot program
4.3 Develop a review and update process.
  • Completed planning

Workshop Icon Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Book Now
GET HELP Contact Us
VL Methodology