Chapter 121 · Security Advisory

User Training

Pre-access security training requirements; role-based and third-party training; situational awareness for digital and physical threats; insider threat mitigation; password and credential management; removable media risks; social engineering awareness; operational security (OPSEC) mindset; and remote and hybrid work security considerations.

TRAIN-2024-001
Pre-Access Training, User Guidance, and Situational Awareness
Severity: High

Overview

User training is most effective when completed before users are granted access to organizational systems. This ensures that every user who connects to the network already understands their security responsibilities. Training must be role-specific — different jobs carry different security obligations — and must apply to third parties as well as employees. Supporting documentation, particularly security policies and employee handbooks, reinforces training and provides an ongoing reference.

Pre-Access Training Requirements

The fundamental rule: train users before granting them access to systems or data. Key requirements:

  • Timing — training must be completed and documented before the first network connection
  • Role-specific content — accounting staff have different security requirements than shipping and receiving staff; training must reflect those differences
  • Third-party coverage — contractors, partners, and suppliers who connect to organizational systems must receive appropriate security training; external access does not exempt users from security expectations
  • Documentation and records — training completion must be documented; if a security incident later occurs, proof that training was provided (or was not) has significant legal and operational consequences

User Guidance: Policies and Handbooks

Training alone is insufficient without supporting documentation. Security policies must be:

  • Comprehensive — covering all relevant security requirements
  • Accessible online — available on the corporate intranet so users can reference them at any time
  • Referenced in employee handbooks — new employees encounter policies as part of onboarding
  • Kept current — outdated policies create confusion and compliance gaps

Policies are not just compliance documents — they are the daily behavioral framework for every user decision. Users should know where policies are and be encouraged to consult them when uncertain.

Situational Awareness: Digital and Physical Threats

Situational awareness means users are constantly alert to potential threats in their environment, not just during dedicated security tasks. Threats come from both digital and physical directions:

Threat TypeExamples
Digital threatsPhishing email links; malicious attachments; suspicious URLs in emails or messages; SMS-based phishing (smishing); unexpected password reset requests
Physical threatsUnknown USB drive in a FedEx envelope; USB drives found in parking lots; unlocked building doors held open by strangers; shoulder surfing; tailgating past badge readers
Critical physical threat example: An attacker places a USB drive in an official-looking envelope and leaves it on an employee's desk or in a common area. The drive is labeled with an enticing name. If the employee plugs it in, malware installs immediately. Users must be trained: unknown USB devices are never plugged in, regardless of apparent source or labeling.

Users must understand that threats are not always obvious and may be designed to look entirely legitimate. Security skepticism is not paranoia — it is the correct response to unexpected situations.

Key Terms

  • Pre-access training — security training completed before users are granted system or network access
  • Role-based training — training content tailored to the specific security responsibilities of each job function
  • Situational awareness — continuous alertness to both digital and physical security threats in the user's environment
  • Third-party training — security education required for contractors, partners, and suppliers with system access
TRAIN-2024-002
Insider Threats, Passwords, Removable Media, and Social Engineering
Severity: Critical

Overview

User training must address four categories of threat where human behavior is the primary attack surface: insider threats (malicious or careless employees with legitimate access), password management (credential security practices), removable media risks (physical vectors for malware), and social engineering (manipulation-based attacks targeting human decision-making). Each requires both awareness training and supporting organizational controls.

Insider Threat

Insider threats are among the most difficult security risks to detect and prevent. Because insiders already have legitimate access, their actions may not trigger the same alerts as external attacks. Training and controls together address this risk:

  • Multiple approvals for critical processes — no single individual can complete sensitive transactions alone; requires a second authorized party
  • Active file and system monitoring — automated alerts when sensitive files are accessed, copied, or transferred; any unexpected change triggers immediate notification
  • Access restriction — users can access only what their role requires (principle of least privilege); limiting access limits damage
  • Making unauthorized changes very difficult — technical controls should make it hard to bypass established processes, even for users with elevated privileges

Training reinforces that accountability and monitoring are real — users understand their actions are logged and reviewed.

Password Management

Weak or reused passwords remain one of the most exploited vulnerabilities. User training covers both the requirements and the reasons behind them:

  • Length requirements — longer passwords are exponentially harder to brute-force
  • Complexity requirements — mixing uppercase, lowercase, numbers, and special characters increases entropy
  • Technology enforcement — in Windows environments, Group Policy enforces minimum length and complexity requirements automatically; policy controls replace reliance on user memory
  • No password sharing — shared passwords prevent attribution; each user must have unique credentials
  • Password manager adoption — approved password managers allow users to maintain unique, complex passwords for every system without memorization

Removable Media and Cable Risks

Physical media introduces malware vectors that bypass network defenses entirely:

  • Unknown USB drives — can contain malware that executes automatically on connection (autorun attacks) or appears as a legitimate file drive while quietly deploying payloads; users must never plug in unfamiliar USB drives regardless of where they were found
  • Unknown cables — malicious cables (such as the O.MG Cable) appear to be ordinary USB cables but contain embedded systems that can transmit keystrokes or connect to malicious infrastructure; users who are away from the office should never use a cable they find or are given to charge mobile devices
Physical media attacks (BadUSB, HID injection) succeed because the device presents itself as a trusted peripheral rather than a threat. The operating system has no way to distinguish a malicious USB device from a legitimate one at the hardware level. User awareness is the only effective defense.

Social Engineering Awareness

Social engineering exploits human psychology rather than technical vulnerabilities. Attackers are highly skilled at constructing convincing pretexts. Training must be:

  • Extensive — social engineering techniques are sophisticated and constantly evolving
  • Ongoing — periodic refreshers ensure users remain alert even when attacks are not frequent
  • Practical — examples of real social engineering scenarios help users recognize manipulation when it occurs

Users must understand that attackers often appear trustworthy, authoritative, or urgent. Common techniques include pretexting (fabricating a scenario), impersonation (posing as IT, management, or vendors), and urgency creation ("I need this password right now or the system will go down"). Users who understand these techniques can pause, verify, and report rather than comply.

Key principle: users are the organization's front-line defense against social engineering. Technical controls cannot stop a user who willingly provides credentials to a convincing impersonator.

Key Terms

  • Insider threat — security risk posed by users with legitimate access who act maliciously or carelessly
  • Group Policy — Windows technology for enforcing password and security configuration requirements across all users
  • BadUSB / HID injection — attacks using malicious USB devices that impersonate trusted peripherals
  • Social engineering — manipulation-based attacks targeting human decision-making rather than technical vulnerabilities
  • Pretexting — creating a fabricated scenario to manipulate a target into taking an unsafe action
TRAIN-2024-003
Operational Security Mindset and Remote/Hybrid Work
Severity: Medium

Overview

Two final dimensions of user training round out a comprehensive program: operational security (OPSEC), which teaches users to view data and behavior through an attacker's eyes, and remote/hybrid work security, which addresses the expanded attack surface created when users work outside the traditional office environment.

Operational Security (OPSEC)

Operational security training teaches users to think like attackers. The core question is: If I were an attacker targeting this organization, what information would be most valuable to me, and where would I find it?

OPSEC training covers:

  • Identifying sensitive data — users must know what types of information are valuable to attackers: customer data, financial records, authentication credentials, intellectual property, system architecture details
  • Handling sensitive data privately — sensitive information should not be discussed in public spaces, shared unnecessarily, or stored in insecure locations
  • Minimizing exposure — users should share only the minimum information necessary for a task; oversharing creates attack opportunities even when individual pieces seem harmless
  • Data classification awareness — users must understand the organization's data classification system and handle data according to its assigned sensitivity level

OPSEC is especially important for users who interact with the public, speak at conferences, or post on social media about their work. Information that seems innocuous in isolation (job title + technology stack + office location) can be combined by attackers to build a highly targeted attack profile.

Remote and Hybrid Work Security

Remote and hybrid work arrangements significantly expand the organizational attack surface. Users working outside the office face threats that traditional perimeter security cannot address:

  • No family or friend access to work systems — work devices must not be used by family members or friends; shared use introduces malware risk and breaks audit trail integrity
  • Additional endpoint security — devices outside the corporate network need enhanced protection: endpoint detection and response (EDR), full disk encryption, and device management (MDM/EMM)
  • VPN security policies — users must connect through approved VPN for all access to corporate resources; split-tunnel policies define which traffic goes through the VPN; always-on VPN for high-security environments
  • Secure home network awareness — users should understand home router security basics and not rely on default router credentials
The most important remote work rule: no access by family and friends. The corporate laptop is not a family computer. Logging in as a family member bypasses user-specific security policies and could allow malware or data leakage through an unmonitored account.

User Training Summary: All Coverage Areas

Training AreaCore Message
Pre-access trainingTrain before granting access; role-specific; includes third parties; document completion
Policy documentationPolicies online and in handbooks; users know where to find and reference them
Situational awarenessAlways alert to digital and physical threats; security skepticism is correct behavior
Insider threatMultiple approvals, active monitoring, least privilege, make unauthorized changes difficult
Password managementLength + complexity + no sharing + password managers; Group Policy enforces standards
Removable mediaNever plug in unknown USB drives or use unknown cables; hardware-level trust cannot be verified
Social engineeringExtensive ongoing training; users are the last line of defense; verify then comply
OPSECThink like an attacker; identify and protect sensitive data; minimize unnecessary exposure
Remote/hybrid workNo family access; additional endpoint security; VPN for all corporate access

Key Terms

  • OPSEC (Operational Security) — practice of viewing data and behavior from an attacker's perspective to minimize information exposure
  • Data classification — system for categorizing data by sensitivity level to drive appropriate handling requirements
  • VPN (Virtual Private Network) — encrypted tunnel protecting corporate traffic for remote users
  • MDM/EMM — Mobile Device Management / Enterprise Mobility Management; enforces security policies on remote and mobile devices
  • Split tunneling — VPN configuration where only corporate-bound traffic goes through the VPN; remainder goes direct to internet