This document outlines a 5-step framework for masterminding an effective security awareness program: 1. Analyze - Define strategic goals and objectives aligned with information security and business strategy. 2. Plan - Define objectives, key performance indicators, and metrics to ensure the program delivers results. 3. Deploy - Launch an effective security awareness campaign using online training, microlearning, role-based modules, and an integrated behavioral change approach. 4. Measure - Evaluate the success of the security awareness campaign by reporting results to management. 5. Increase Effectiveness - Learn lessons to improve future campaigns by comparing objectives to results and addressing key issues.

1. © Terranova Worldwide Corporation 2019. All rights reserved.
5 Steps To Masterminding An
Effective Security Awareness Program
The Human Fix to Human Risk™
Lise Lapointe – Author and CEO
Anastasia Tsimiklis - CMO

2. © Terranova Worldwide Corporation 2019. All rights reserved.
Security Awareness 5-Step Framework

3. © Terranova Worldwide Corporation 2019. All rights reserved.
Step 1 – Analyze: An Important Step!

4. © Terranova Worldwide Corporation 2019. All rights reserved.
Define Strategic Goals
Why are you deploying a security awareness program?
What are you trying to achieve?
• Strategic goals must clearly identify what you aim to achieve with your
Be Aware program
• Goals must be identified so a plan can be laid out with all the steps
required to get there
• Goals must be aligned with the Information Security program and
even the business strategy of the organization
• Clearly defined goals will help decision makers approve and support
your program

5. © Terranova Worldwide Corporation 2019. All rights reserved.
Your security awareness goals can be in
any or all of these three categories:
• Risks and Behaviors
• to reduce risk and foster behavioral
changes
• Security Culture
• to instill or reinforce a culture of
security
• Compliance Obligations
• to ensure compliance with your
organization’s security obligations
Setting Strategic Goals Will Help Ensure Your Awareness Program Delivers Results

6. © Terranova Worldwide Corporation 2019. All rights reserved.
Step 2 – Plan: Define Your Objectives

7. © Terranova Worldwide Corporation 2019. All rights reserved.
Objectives, KPIs & Metrics Program/ Campaign Results
Participation Rates
Metrics and KPIs DataMetrics and KPIsMetrics and KPIs
Participation RatesParticipation Rates
DataData
Program/ Campaign ResultsProgram/ Campaign Results

8. © Terranova Worldwide Corporation 2019. All rights reserved.
Objective – Train Users to Defend Themselves Against Phishing
Users are aware of cyber
security risks and controls
Percentage of participants
who have completed
training
Increase in attendance
Compliance Behavior Culture
KPI
All employees have
received training on the
Phishing attack method
Reduction in the number
of incidents that result
from an email attack
Increase in number of
employees report phishing
activity to the Service Desk
Metric Training participation rates
Recorded malware
infections or other
incidents as a result of
phishing
Reported phishing attacks
(e.g. simulations)
Effectiveness
Indicator
Increase in the number of
users that participate to
online training
Reduction in the number
of users that opened
attachments in real or
simulated phishing
attempts
Increase in the number of
users who reported real or
simulated phishing
attempts

9. © Terranova Worldwide Corporation 2019. All rights reserved.
Establishing a Cyber Security
Ambassador Program

10. © Terranova Worldwide Corporation 2019. All rights reserved.
Awareness Challenges Opportunity with Ambassador Program
Cyber Security Ambassadors Help Promote and Reinforce Importance of
Security Awareness
Elevate Visibility
of Security
Awareness
Ability To Share
Key and Common
Messages
Increase in
Interest and
Participation
Key Contact and
Local
Representation
Lack of Security
Resources
Difficult To Extend
Common Message
Promote
Awareness
Activities in All
Locations
Time Constraints
To Achieve
Security Culture

11. © Terranova Worldwide Corporation 2019. All rights reserved.
Ambassador Applications and Nominations: Identify expectations, responsibilities and benefits
Review and Select Applicants: Good representation across departments and geography
Training and Mentorship Program: Training, workshops and materials
Ceremony and Acknowledgment: Main point of contact / communication point for security awareness
Manage and Track Success of Ambassador Program: Frequent touch points and metrics to gauge
success
5 Key Steps To Set Up A Successful Cyber Security Ambassador Program

12. © Terranova Worldwide Corporation 2019. All rights reserved.
Step 3 – Deploy: Launch An Effective Security Awareness Campaign

13. © Terranova Worldwide Corporation 2019. All rights reserved.
Types of Online Training
• Information Security Awareness
Modules
• Microlearnings and Nanolearnings
• Role-based Awareness Modules
• Privacy, Compliance and
Governance Courses

14. © Terranova Worldwide Corporation 2019. All rights reserved.
Integrated Approach to Change User Behavior
MicrolearningRole-Based Course
Ie: manager
End User Topics
Newsletters
Newsletters
End User Topics
Nanolearning
Communication Plan Deployment
KnowledgeRetention

15. © Terranova Worldwide Corporation 2019. All rights reserved.
Automated Results-based Learning Path Promotes The Right Security Behaviors
FOUNDATIONAL TRAINING
E-Learning Modules
MICROLEARNING - Introducing RISK #1
i.e. Business Email Compromise
JOINER #2JOINER #1 JOINER #3
PHISHING #1
PASSED
PHISHING #1
PASSED
PHISHING #1
FAILED
Move to Champion Group Move to Champion Group Move to First Time Clicker Group
MICROLEARNING - Introducing RISK #2
i.e. Spear Phishing
Remain in Champion Group Move to First Time Clicker Group Move to Repeat Clicker Group
Just in Time Training
Just in Time TrainingJust in Time Training
PHISHING #2
PASSED
PHISHING #2
FAILED
PHISHING #2
FAILED
Use Case:
New Joiners
MANAGER
ESCALATION
BASELINE: Quiz and Phishing Simulation

16. © Terranova Worldwide Corporation 2019. All rights reserved.
Step 4 – Measure: Evaluate The Success Of Your Security Awareness Campaign

17. © Terranova Worldwide Corporation 2019. All rights reserved.
Report Results
Effective reporting is required to
provide management valuable
information on the program to
assist with decision making and
future investment and direction.

18. © Terranova Worldwide Corporation 2019. All rights reserved.
Step 5 – Measure: Increase Effectiveness

19. © Terranova Worldwide Corporation 2019. All rights reserved.
Lessons Learned
Sharing what has been learned from what worked and
what didn't work should be included in the post-
campaign process.
We recommend you:
Compare objectives with results after a campaign or on a
yearly basis.
• Pick the top three items to address (don't try to resolve
all the issues at the same time).
• After a major activity, we will schedule some time with
key players.

20. © Terranova Worldwide Corporation 2019. All rights reserved.
Please join us at Booth #416
to get your book signed and
for more discussions on:
5 Steps to Masterminding An
Effective Security Awareness
Program
Proud To Be A Recognised Leader in the Gartner Magic Quadrant for Security Awareness CBT
Magic Quadrant for Security Awareness Computer-Based Training, November 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise
technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be
construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

21. © Terranova Worldwide Corporation 2019. All rights reserved.