2.6.1. Awareness Program Design and Delivery
💡 First Principle: Security awareness is a behavior change program, not an information delivery program. The goal is not for employees to be able to recite the phishing policy — it is for employees to actually pause and verify before clicking a suspicious link. Measuring awareness effectiveness means measuring behavior, not course completion.
Awareness vs. Training vs. Education:
| Level | Audience | Goal | Methods | Example |
|---|---|---|---|---|
| Awareness | All employees | Recognize threats, know when to ask for help | Posters, email campaigns, simulations, short videos | Phishing awareness month |
| Training | Role-specific groups | Develop specific security skills | Hands-on courses, workshops, simulations | Developer secure coding training |
| Education | Security professionals | Deep professional expertise | University programs, certifications (CISSP), research | CISSP study program |
Effective delivery methods — matched to objectives:
| Method | Best For | Effectiveness Signal |
|---|---|---|
| Phishing simulations | Phishing awareness, credential protection | Click rate trends downward over time |
| Gamification | General awareness, broad engagement | Completion rates, quiz scores, competitive participation |
| Security champions | Embedding security in business units | Number of security issues raised proactively by business |
| Just-in-time training | Post-failure learning | Failure rate change before/after for that individual |
| Tabletop exercises | Incident response, BCP awareness | Confidence and decision quality in exercises |
| Brown bag sessions | Deep-dive topics for interested employees | Attendance, Q&A quality, follow-up questions |
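The "effectiveness signal" column above is what a behaviour-measurement program actually computes. As an added example (not part of these notes), the Python below derives click rate and report rate per campaign, median minutes to report, and repeat clickers who are candidates for just-in-time training; the event records and user names are constructed for illustration.

```python
"""Behaviour metrics for phishing simulations (added example, constructed data)."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SimEvent:
    campaign: str                # simulation campaign id, e.g. "Q1"
    user: str                    # recipient (hypothetical names below)
    clicked: bool                # followed the lure link
    reported: bool               # used the report-phish button
    report_min: Optional[float]  # minutes from send to report, None if not reported

# Constructed events (hypothetical users): click rate halves Q1->Q2, but alice clicks in both.
EVENTS = [
    SimEvent("Q1", "alice", True, False, None),
    SimEvent("Q1", "bob", True, False, None),
    SimEvent("Q1", "carol", False, True, 5.0),
    SimEvent("Q1", "dave", False, False, None),
    SimEvent("Q2", "alice", True, False, None),
    SimEvent("Q2", "bob", False, True, 12.0),
    SimEvent("Q2", "carol", False, True, 3.0),
    SimEvent("Q2", "dave", False, False, None),
]

def campaign_metrics(events):
    """Per campaign: click rate, report rate and median minutes to report."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    result = {}
    for name, evs in sorted(by_campaign.items()):
        n = len(evs)
        times = [e.report_min for e in evs if e.reported and e.report_min is not None]
        result[name] = {
            "recipients": n,
            "click_rate": sum(e.clicked for e in evs) / n,
            "report_rate": sum(e.reported for e in evs) / n,
            "median_report_min": statistics.median(times) if times else None,
        }
    return result

def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns (just-in-time training)."""
    clicks = defaultdict(int)
    for e in events:
        if e.clicked:
            clicks[e.user] += 1
    return sorted(u for u, c in clicks.items() if c >= min_clicks)
```

A falling click rate with a flat report rate and a stable set of repeat clickers is the pattern the reflection question at the end of this section is getting at.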
Social engineering awareness — the primary human-layer attack vector. The exam tests recognition of specific techniques:
| Technique | Description | Awareness Defense |
|---|---|---|
| Phishing | Mass email impersonating trusted entity | Verify sender; hover over links; report suspicious email |
| Spear phishing | Targeted phishing with personal details | Extra caution for personalized requests; verify out-of-band |
| Vishing | Voice phishing (phone calls) | Never provide credentials via phone; call back on known number |
| Smishing | SMS phishing | Don't click links in texts; verify via app/official website |
| Pretexting | Creating a fabricated scenario to extract information | Verify identity and need-to-know before disclosing anything |
| Tailgating / Piggybacking | Physically following authorized person through secure door | Challenge anyone without visible badge; never hold doors |
| Baiting | Leaving infected USB drives where targets will find them | Never connect unknown physical media |
Emerging topics to include in content reviews:
- Artificial intelligence attacks (deepfake audio/video, AI-generated phishing at scale)
- Cryptocurrency scams and social engineering
- Blockchain and digital asset security
- Quantum computing threats (awareness, not technical detail)
- MFA fatigue attacks (push notification bombing)
⚠️ Exam Trap: Periodic content reviews are mandatory, not optional — the exam emphasizes this. A security awareness program using content about threats from three years ago actively undermines security by teaching employees to recognize obsolete attack patterns while being blind to current ones.
Reflection Question: Your organization's phishing simulation click rate has dropped from 24% to 8% over two years. The CISO calls this a success. What other metrics would you want to see before concluding the awareness program is effective, and why is click rate alone an insufficient measure?