Chapter 120 · Security Advisory

Security Awareness

Phishing campaigns as measurement and training tools; recognizing phishing indicators; anomalous behavior recognition (risky, unexpected, and unintentional); automated reporting and monitoring metrics; and the development and execution of formal security awareness programs.

AWARE-2024-001
Phishing Campaigns and Phishing Recognition
Severity: Critical

Overview

Phishing remains one of the most effective attack vectors because it targets human behavior rather than technical vulnerabilities. Security awareness programs use internal phishing campaigns to measure organizational susceptibility and provide immediate, targeted training. The goal is not to punish users who click — it is to create a measurable baseline and reduce click rates over time through education and feedback.

Internal Phishing Campaigns

Organizations run their own phishing campaigns to answer a critical question: how many employees would click a link in a malicious email? The process:

  1. Security team (or contracted third-party service) designs a simulated phishing email
  2. Email is sent to the employee population
  3. An automated system tracks opens, clicks, and interactions with the phishing link
  4. Users who click receive immediate automated feedback explaining the mistake
  5. Clickers are directed to remedial training (online or in-person)
  6. Results are reported to the security team in a central console

Phishing campaigns can be built internally or provided by third-party vendors who offer automated platforms with reporting dashboards. Results are expressed as phishing click rates — the percentage of users who clicked the simulated link.

A secondary benefit of internal phishing campaigns: they test whether the email filtering system is working. Phishing emails that bypass the filter and reach inboxes indicate a gap in email security controls.

Recognizing Phishing Indicators

Users must be trained to identify common phishing indicators before clicking any link or opening any attachment:

  • Spelling and grammatical errors — legitimate corporate communications are carefully proofread; errors are a red flag
  • Domain name inconsistencies — the link may display a familiar company name but the actual URL goes to a different domain (e.g., support-microsoft.com instead of microsoft.com)
  • Email address inconsistencies — the sender's email does not match the claimed organization (e.g., unitednation@gmail.com)
  • Unusual attachments — unexpected file attachments, especially executable files, ZIP archives, or Office documents with macros
  • Requests for personal information or credentials — legitimate organizations never request passwords by email
  • Urgency or threat language — "Your account will be closed in 24 hours" is a social engineering pressure tactic

Response rules users must follow:

  • Never click a link inside an unexpected email — navigate directly to the site instead
  • Never open an attachment from an unexpected email
  • Report suspicious emails to the IT security team using the established reporting process

Key Terms

  • Phishing campaign — internal test sending simulated phishing emails to measure user susceptibility
  • Phishing click rate — percentage of users who clicked a simulated phishing link; primary campaign metric
  • Remedial training — targeted education provided immediately to users who fail phishing simulation tests
AWARE-2024-002
Anomalous Behavior Recognition and Automated Monitoring
Severity: High

Overview

Security awareness extends beyond phishing recognition. A well-trained workforce is capable of identifying anomalous behavior — actions that deviate from expected patterns and may indicate malware, insider threats, compromised accounts, or accidental misuse. Effective programs combine user training with automated monitoring systems that track security metrics continuously and alert the security team without manual effort.

Anomalous Behavior: Three Categories

CategoryDefinitionExamples
Risky behaviorActions that create security risk, often associated with malware or insider threatsModifying the hosts file; replacing core OS files; uploading sensitive data to unauthorized external locations
Unexpected behaviorActions that deviate from normal patterns, often indicating compromised accounts or unauthorized accessLogin from an unusual country or geographic location; sudden large increase in data transfers from a device; access at unusual hours
Unintentional behaviorAccidental errors that create security risks without malicious intentTyping the wrong domain name (typosquatting risk); misplacing a USB drive containing sensitive data; accidentally misconfiguring security settings
All three categories of anomalous behavior require awareness training. Unintentional mistakes can cause just as much damage as deliberate attacks — a misplaced USB drive or misconfigured permission can expose sensitive data regardless of intent.

Automated Reporting and Monitoring

Manual monitoring of user security behavior is not scalable. Security awareness programs rely on automated systems to track metrics, generate alerts, and produce reports:

  • Phishing click rates — tracked automatically from phishing simulation platforms
  • Password manager adoption — percentage of users using approved password managers
  • Multifactor authentication (MFA) use — adoption rates across the user population
  • Password sharing incidents — detected through behavioral analytics and user reporting
  • Suspicious login alerts — automated detection of logins from new devices, locations, or at unusual times

Monitoring approach:

  • Initial occurrence — first-time mistakes become learning opportunities; user receives training and feedback
  • Recurring incidents — users who repeatedly trigger alerts may need extended training, additional controls, or IT intervention; long-term monitoring identifies high-frequency problem areas

Automated systems generate daily reports for the security awareness team, enabling continuous tracking of whether training efforts are producing measurable improvements in user behavior.

Key Terms

  • Anomalous behavior recognition — identifying actions that deviate from expected patterns; three types: risky, unexpected, unintentional
  • Risky behavior — actions that create security risk (hosts file modification, unauthorized uploads)
  • Unexpected behavior — deviations from normal patterns (foreign logins, data transfer spikes)
  • Unintentional behavior — accidental mistakes (wrong domain, misplaced USB, misconfigured settings)
  • MFA adoption rate — key security awareness metric: percentage of users enrolled in multifactor authentication
AWARE-2024-003
Security Awareness Program Development and Execution
Severity: Medium

Overview

A security awareness program is not a single training session — it is a structured, continuous program with defined roles, content, metrics, and stakeholder accountability. Successful programs require a dedicated security awareness team, integration of compliance mandates, defined success metrics, and ongoing deployment of training across multiple channels.

Program Development

Step 1: Create a Security Awareness Team
A dedicated team owns training development, monitoring, and policy creation. Roles typically include training designers, compliance specialists, and program managers who track metrics.

Step 2: Establish minimum awareness levels
Every employee must meet a baseline security awareness standard. Delivery mechanisms include:

  • Emails and internal communications
  • Posters and physical notices in office spaces
  • Online training modules
  • Structured courses and classroom sessions

Step 3: Tailor depth by job function
Training should be customized based on role. Finance employees need deeper training on wire fraud and executive impersonation. IT staff need training on social engineering targeting technical personnel. All roles receive baseline training; high-risk roles receive additional targeted content.

Step 4: Integrate compliance mandates
Organizations subject to PCI DSS, HIPAA, GDPR, or other regulations must ensure training meets those specific requirements. Compliance-driven training content must be documented and tracked.

Step 5: Define metrics
Success must be measurable. Define key performance indicators (KPIs) including phishing click rates, training completion rates, MFA adoption, and incident rates before deploying the program.

Program Execution

Execution translates the development plan into action:

  • Create training materials — develop content appropriate for each delivery format (online, classroom, poster, email)
  • Document success measurements — define in advance how improvement will be demonstrated
  • Identify stakeholders — management, compliance, legal, and business unit leaders who need ongoing performance data
  • Deploy training materials — through classroom sessions, automated email campaigns, online platforms, and physical materials
  • Track participation and performance — automated reporting systems monitor completion rates, phishing test results, and metric trends over time
Stakeholders receive ongoing metrics that tie training efforts back to actual security improvements. This demonstrates program value and supports continued investment. If click rates fall by 60% over six months, that measurable reduction is the justification for the program's budget.

Key Terms

  • Security awareness team — dedicated group responsible for training development, monitoring, and policy creation
  • Minimum awareness level — baseline security knowledge required of all employees regardless of role
  • Job-function training — role-specific training tailored to the security risks relevant to each position
  • Compliance mandate — regulatory requirement driving specific training content (PCI DSS, HIPAA, GDPR)
  • Security awareness metrics — quantitative measures of program effectiveness: click rates, completion rates, MFA adoption
  • Stakeholders — management and business leaders who receive ongoing program performance data