Roadmap
Security Awareness & Training Manager
The professional who designs, operates, and continuously improves the organization's security awareness and training program. Reduces human risk through phishing simulations, security education campaigns, role-based training, behavior change measurement, and building a culture where employees are the organization's first line of defense rather than its weakest link.
Optimistic: 2–3 years · Realistic: 3–5 years
Stage 00
Security Fundamentals
Security awareness managers must understand the threats they are training employees to recognize. Technical security literacy is the foundation.
Phishing and Email Threats
- Phishing — mass email luring users to fake websites or into downloading malware
- Spearphishing — targeted phishing with personalized content based on OSINT
- Business Email Compromise (BEC) — impersonating executives or vendors for financial fraud
- Whaling — spearphishing targeting C-suite executives
- Vishing — voice phishing; phone calls impersonating IT, vendors, IRS, FBI
- Smishing — SMS phishing; clicking links in text messages
- QR code phishing (quishing) — QR codes redirecting to malicious sites
- AI-generated phishing — near-flawless grammar; personalized using scraped data; deepfake voice and video
- Deepfake video and voice — impersonating executives in video calls or voice messages
Social Engineering Beyond Phishing
- Pretexting — fabricating a scenario to extract information
- Baiting — leaving infected USB drives; offering free downloads containing malware
- Quid pro quo — offering something in exchange for information
- Tailgating / piggybacking — following authorized personnel through physical security doors
- Shoulder surfing — viewing screens in public places
Other Threats
- Ransomware mechanics — encryption, cryptocurrency demands, double extortion (exfiltration + encryption)
- Credential-based attacks — password reuse exploitation; credential stuffing; password spray
- Insider threats — malicious insiders; negligent employees; third parties with access
Security Controls Employees Encounter
- MFA — why it matters; how to use it; MFA fatigue attacks (repeated push notifications)
- Password managers — why reusing passwords is dangerous; how password managers work
- VPN — what it does; when to use it; not a complete protection
- Secure WiFi — risks of public WiFi; certificate warnings to take seriously
- Email security — spam filters don't catch everything; warning banners for external email
- Endpoint security — EDR; why employees shouldn't disable security software
- Data classification — what different sensitivity levels mean for handling requirements
- Physical security — clean desk policy; screen locks; shredding documents; access badges
Regulatory Requirements for Training
- PCI-DSS — Requirement 12.6: security awareness education and training program
- HIPAA — §164.308(a)(5): security awareness and training for workforce
- CMMC — Level 1 and above: awareness training requirements
- NIST SP 800-50 — Building an Information Technology Security Awareness and Training Program
- NIST SP 800-16 — Information Technology Security Training Requirements
- SOC 2 — CC9.9: security awareness training (common criteria)
- ISO 27001 — A.6.3: information security awareness, education, and training
- NERC CIP-004 — training requirements for bulk electric system personnel
Certification
- CompTIA Security+ — establishes the technical security foundation that underpins training content credibility
Resources
- SANS Security Awareness Resources (some free)
- KnowBe4 Resource Center (free)
- Verizon DBIR (free annual report)
- "The Art of Intrusion" and "The Art of Deception" by Kevin Mitnick (books)
- CISA resources (free)
Stage 01
Adult Learning and Instructional Design
Security awareness is a training program. Understanding how adults learn and retain information is what separates effective programs from compliance checkbox exercises.
Adult Learning Principles (Andragogy)
- Malcolm Knowles' adult learning theory — adults are self-directed, bring experience, are relevance-oriented, problem-centered, and intrinsically motivated
- Implications for security training — relevance over compliance, realistic scenarios, connect to real incidents, self-paced learning
Behavior Change Models
- Fogg Behavior Model — Behavior = Motivation + Ability + Prompt; increase motivation, reduce friction, effective prompt timing
- COM-B Model (Capability, Opportunity, Motivation → Behavior)
- Habit formation — cue → routine → reward; making secure behaviors automatic
- Fear appeals — Protection Motivation Theory; fear works only when paired with clear efficacy; without efficacy creates helplessness
Memory and Retention Science
- Spacing effect — distributed practice over time produces better retention than massed practice; monthly microlearning beats annual marathon
- Testing effect — retrieval practice (quizzes) enhances long-term memory more than re-reading
- Interleaving — mixing different topics produces better transfer learning
- Elaborative interrogation — explaining why something is true deepens understanding
- Dual coding — combining visual and verbal information improves retention
- Cognitive load theory — working memory is limited; microlearning (3–5 min) over 45-min annual training
Instructional Design Models
- ADDIE — Analysis, Design, Development, Implementation, Evaluation
- SAM (Successive Approximation Model) — iterative; rapid prototyping; getting feedback early
- Bloom's Taxonomy — Remember → Understand → Apply → Analyze → Evaluate → Create
- Writing SMART learning objectives — Specific, Measurable, Achievable, Relevant, Time-bound
Kirkpatrick Evaluation Model
- Level 1: Reaction — did participants find the training satisfying and relevant? (survey)
- Level 2: Learning — did participants gain knowledge or skills? (quiz, assessment)
- Level 3: Behavior — are participants applying what they learned? (simulation results, manager observation)
- Level 4: Results — did training improve business outcomes? (reduced Phish-prone Percentage (PPP), fewer incidents)
- Limitation of Level 1 alone — "I liked the training" does not mean behavior changed
Content Development
- Microlearning modules — 3–5 minutes; single learning objective; mobile-friendly
- Video production basics — screen recording (Camtasia, Loom); webcam recording; quality minimums
- Interactive elements — branching scenarios; quizzes; drag-and-drop; engagement vs passive
- Infographics and visual communication — conveying security concepts visually; sharing-friendly
- Gamification — points, badges, leaderboards; used carefully; competitive elements can backfire
- Storytelling in security — narrative format; "here's what happened to someone like you"
- Accessibility — captions for video; alt text; color contrast; ADA/WCAG compliance
Certifications
- ATD CPTD or APTD — instructional design credentials that complement security knowledge
- SSAP (Security Awareness and Training Professional) — awareness-specific
Resources
- "Design for How People Learn" by Julie Dirksen (book, essential)
- "Security Awareness: Applying the Art of Persuasion to Cybersecurity" by Perry Carpenter (book)
- ATD (Association for Talent Development) resources (some free)
Stage 02
Phishing Simulation Program Design
Phishing simulations are the single most effective component of security awareness programs, and the easiest to execute badly.
Phishing Simulation Purpose and Research
- Purpose — measuring susceptibility baseline; identifying highest-risk individuals; building recognition skills through low-stakes practice
- Not for punishment, humiliation, or discipline
- ETH Zurich / NDSS 2025 research — simulations built on bonus incentives, personal tragedy, or severe consequences cause backlash and trust damage; a non-punitive approach maintains trust
- Industry click-rate benchmarks — initial PPP of 25–35%; after 12 months of a program it drops to under 5% (KnowBe4)
- Reporting rates — increasingly tracked as a positive behavior indicator; the goal is to produce reporters, not merely non-clickers
Establishing the Baseline
- Run baseline simulation before any training — establishes starting point for measuring improvement
- Use a representative sample or all-employee simulation
- Consistent template difficulty for baseline comparison over time
- Document baseline by department, role, tenure — high-risk group identification
Template Selection and Difficulty Tiering
- Easy — generic, obvious phishing with clear warning signs (typos, suspicious sender, urgent action)
- Medium — branded templates mimicking real services (Microsoft, DocuSign, FedEx)
- Hard — targeted templates using internal-looking content (IT policy update, HR document signature)
- Very Hard — spear-phishing style with department-specific context
- Progression — start at medium; increase difficulty as click rates fall
- Role-appropriate templates — Finance (invoice fraud), HR (resume submissions), IT (password expiry), Executives (M&A documents), All employees (package delivery)
- AI-generated phishing training — deepfake voice and video simulation for executive and finance teams
- QR code simulation — increasingly relevant as quishing rises
Simulation Schedule
- Frequency — minimum quarterly; best practice monthly or bi-monthly
- Unpredictability — send at different times; no patterns employees can learn to avoid
- No advance warning of specific dates
- Avoid sensitive periods — layoffs, major company crises, natural disasters
- Avoid exploiting genuine tragedies — NDSS 2025 documented backfire effects
Point-of-Failure Training
- When an employee clicks: immediate, brief, non-punitive training
- Just-in-time training is more effective than after-the-fact training — caught in the moment
- Remedial training for repeated clickers — additional targeted modules; support not punishment
- Positive reinforcement for reporters — acknowledging and thanking employees who report suspicious emails
Reporting and Analysis
- Click rate — percentage who clicked the link
- Credential submission rate — percentage who entered credentials on the phishing page
- Report rate — percentage who reported the simulation to security team
- Repeat offender rate — employees clicking multiple simulations
- Trend analysis — improvement over time by department; persistent high-risk groups
- Demographic analysis — new employees more susceptible? certain departments? roles?
- Correlation with incidents — high-click departments experiencing more real incidents?
- Executive reporting — progress toward goals; heat maps; ROI calculation
Stage 03
Security Awareness Platforms
The platform is the operational backbone of the program. Deep platform proficiency is what makes programs scalable.
KnowBe4 — Market Leader
- KnowBe4 platform — Phishing (template library 20,000+, campaigns, Smart Groups), Training (content library, custom upload, learning paths), Reporting (dashboards, 60+ reports), Smart Groups (automated user segmentation)
- Key features — automated baseline + auto training assignment, Smart Groups conditional logic, vishing templates (add-on), USB drop testing (add-on), AI-powered simulations, SCORM upload, AD/Azure AD sync, API integration
- Phish-prone Percentage (PPP) — KnowBe4's primary metric; percentage of organization susceptible
- Reporting for compliance — HIPAA, PCI-DSS, GDPR, NIST training documentation
Other Platforms
- Proofpoint Security Awareness Training — Strong integration with Proofpoint email security; Very Attacked People (VAP) reporting; targeted attack protection + awareness
- Cofense (formerly PhishMe) — simulation-focused; Cofense Reporter one-click button; threat intelligence integration; triage platform
- Terranova Security / Microsoft Security Awareness — M365 Defender Attack Simulator; native to Microsoft environment; Terranova content library
Platform Selection
- KnowBe4 (largest content, breadth, SMB), Proofpoint (email security + awareness integration, enterprise), Cofense (high-volume phishing simulation + rapid reporting), Microsoft Attack Simulator (free with Defender P2; basic)
LMS Integration
- Many organizations run security training through existing LMS — Cornerstone, Workday Learning, SAP SuccessFactors
- SCORM compliance — standard packaging format allowing modules to run in any LMS
- xAPI (Tin Can API) — more detailed learning data tracking; increasingly replacing SCORM
- Benefits — SSO; unified reporting; HR integration
- Drawbacks — LMS may lack phishing simulation; a two-platform approach is then needed
Stage 04
Program Design and Strategy
A mature security awareness program is more than phishing simulations and compliance training. It is a behavior change program with a defined strategy.
Audience Segmentation
- All employees — baseline security awareness; phishing; password hygiene; data handling; physical security
- Finance and accounting — BEC; wire transfer fraud; invoice scams; CFO fraud
- HR — resume-based phishing; employee data handling; PII in HR systems
- IT and developers — privileged access; phishing with technical lures; secure coding (developers)
- Executives and board — whaling; spear phishing; vishing; CEO fraud
- Customer service — social engineering attempts by callers; verification procedures
- New employees — heightened susceptibility in first 30–90 days; onboarding training priority
- Remote workers — home network security; public WiFi risks; secure home environments
- Third-party contractors — often in scope for regulatory requirements; lighter-weight training
Training Content Calendar
- Annual compliance training — full security awareness course meeting regulatory requirements
- Monthly microlearning — topical 3–5 minute modules; timed to threat intelligence and seasonal threats
- Quarterly phishing simulations — minimum; monthly preferred
- Cybersecurity Awareness Month (October) — annual campaign; coordinated activities; leadership visibility
- Just-in-time training — triggered by major incident, new attack technique, compliance finding
- Onboarding — security training in first week; before system access granted if possible
- Role-specific modules — launched after all-employee baseline; targeted by job function
Curriculum Design
- Phishing recognition — email, SMS, voice, QR codes; warning signs; reporting procedure
- Password security and MFA — strong passwords; password manager adoption; MFA enrollment
- Social engineering defense — verification procedures; skepticism toward unsolicited contact
- Data handling and classification — what is sensitive; how to handle and share
- Physical security — clean desk; screen locks; tailgating prevention; visitor management
- Safe internet and device usage — public WiFi; personal device use; downloading software
- Remote work security — home network; secure connections; family member access
- Incident reporting — when and how to report; no-blame reporting culture
- AI and deepfake awareness — recognizing AI-generated content; verification for unusual requests
- Ransomware awareness — recognizing delivery; what to do if infected; reporting
Culture Building — Beyond Compliance
- Tone from leadership — CISO and executive champions signal that security matters
- Security champions program — embedding enthusiastic security advocates in each business unit
- Blameless incident reporting — making it safe to report security mistakes; learning not punishment
- Security communications — regular non-training comms (security tips, threat alerts, win stories)
- Gamification — security quizzes; team competitions (avoid if competitive culture turns negative)
- Recognition — acknowledging employees who report real phishing; celebrating security wins
- Measurement — Security Culture Survey (KnowBe4) measures attitudes and behaviors
Program Maturity Assessment
- L1 — annual compliance training only
- L2 — regular simulations + annual training + basic reporting
- L3 — monthly microlearning + role-based training + trend reporting
- L4 — behavior change measured + culture program + just-in-time training
- L5 — threat-intel-integrated + risk-based + quantified risk reduction
Stage 05
Metrics, Reporting, and Program Effectiveness
Input Metrics (what we do)
- Training modules launched per quarter
- Simulations executed per quarter
- Content refresh rate — how often training content is updated
- Coverage — percentage of employees reached by training
Output Metrics (what happens)
- Training completion rate — by department; by program; overall
- Phish-prone Percentage (PPP) trend — over time; segmented by department/role
- Simulation click rate — per campaign; trend over time
- Simulation credential submission rate — more severe action than clicking
- Reporting rate — percentage of simulations reported; percentage of real suspicious emails reported
- Repeat click rate — employees clicking multiple simulations
Outcome Metrics (what changes)
- Reduction in PPP from baseline — primary effectiveness measure
- Improvement in report rates — building a reporting culture
- Security Culture Score — KnowBe4 Security Culture Survey or equivalent
- Reduction in email-related security incidents — correlation with training
- Reduction in credential compromise incidents — fewer phishing-delivered credential thefts
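As an added example (not part of the original roadmap), the Stage 02 Reporting and Analysis metrics and the Stage 05 output/outcome metrics computed over a constructed per-recipient campaign export: click, credential-submission and report rates per campaign, a department heat map, repeat clickers, and PPP reduction against the baseline. The record layout, campaign names and sample data are assumptions; real platforms export richer records, but the arithmetic is the same.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Result:
    campaign: str
    user: str
    department: str
    clicked: bool    # followed the simulated link
    submitted: bool  # entered credentials on the landing page (implies clicked)
    reported: bool   # used the report button or forwarded the mail to security

def _r(campaign, user, dept, flags=""):
    # flags: c = clicked, s = submitted credentials, r = reported (may co-occur with c)
    return Result(campaign, user, dept, "c" in flags, "s" in flags, "r" in flags)

# Constructed sample data (hypothetical, not from any real program): a baseline
# campaign and a follow-up campaign nine months later, same ten recipients.
RESULTS = [
    _r("baseline", "u1", "finance", "cs"), _r("baseline", "u2", "finance", "c"),
    _r("baseline", "u3", "finance", "r"),  _r("baseline", "u4", "hr", "cs"),
    _r("baseline", "u5", "hr"),            _r("baseline", "u6", "it", "r"),
    _r("baseline", "u7", "it"),            _r("baseline", "u8", "sales", "c"),
    _r("baseline", "u9", "sales"),         _r("baseline", "u10", "sales"),
    _r("2025-q3", "u1", "finance", "c"),   _r("2025-q3", "u2", "finance", "r"),
    _r("2025-q3", "u3", "finance", "r"),   _r("2025-q3", "u4", "hr", "r"),
    _r("2025-q3", "u5", "hr"),             _r("2025-q3", "u6", "it", "r"),
    _r("2025-q3", "u7", "it", "r"),        _r("2025-q3", "u8", "sales", "cs"),
    _r("2025-q3", "u9", "sales"),          _r("2025-q3", "u10", "sales", "r"),
]

def _pct(part, whole):
    return round(100.0 * part / whole, 1)

def campaign_metrics(results, campaign):
    """Click rate, credential-submission rate and report rate for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}")
    if any(r.submitted and not r.clicked for r in rows):
        raise ValueError("credential submission without a click: bad platform export")
    n = len(rows)
    return {"recipients": n,
            "click_rate": _pct(sum(r.clicked for r in rows), n),
            "credential_rate": _pct(sum(r.submitted for r in rows), n),
            "report_rate": _pct(sum(r.reported for r in rows), n)}

def department_heat_map(results, campaign):
    """Click rate per department, highest-risk department first."""
    by_dept = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            by_dept[r.department].append(r.clicked)
    rates = {d: _pct(sum(v), len(v)) for d, v in by_dept.items()}
    return dict(sorted(rates.items(), key=lambda kv: (-kv[1], kv[0])))

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns (candidates for remedial support)."""
    clicks = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, c in clicks.items() if c >= min_clicks)

def ppp_trend(results, baseline, latest):
    """Change in click rate (the program's PPP proxy) against the baseline campaign."""
    base = campaign_metrics(results, baseline)["click_rate"]
    now = campaign_metrics(results, latest)["click_rate"]
    return {"baseline": base, "latest": now, "points_reduced": round(base - now, 1),
            "relative_reduction_pct": _pct(base - now, base) if base else 0.0}
```

Note that the relative reduction (50% here) and the absolute reduction (20 points) tell different stories to a board; report both, with the recipient count, so a small campaign is not read as a large trend.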
Business Impact Metrics
- Cost avoidance — estimating financial risk reduced by awareness program
- Incident cost comparison — pre/post training period incident costs
- Benchmark comparison — industry PPP vs organization
- Regulatory compliance status — training completion rates meeting audit requirements
Executive Reporting
- Board reporting — PPP trend over 12 months with goal line
- Department heat map — highest-risk areas
- Training completion rates for regulatory compliance
- Summary — are we better or worse than last quarter?
- Business case — program cost vs risk reduction value
- Dashboard design — visual; trend-focused; not raw data dumps
- Regulatory evidence packaging — exporting completion records for audits
Continuous Improvement
- Quarterly program review — metrics analysis; content freshness; platform optimization
- Annual program review — full curriculum review; goal setting; budget justification
- Threat landscape monitoring — adjusting content to current attack techniques
- Industry benchmarking — comparing PPP and completion rates to sector peers
- Employee feedback — incorporating learner feedback on content quality and relevance
- A/B testing training approaches — different content formats; different delivery schedules
Stage 06
Communication and Stakeholder Management
Security awareness managers are communicators. The ability to create messages that resonate, build relationships with business units, and report persuasively to leadership determines program success.
Security Communication Principles
- Plain language — avoid security jargon with general employees; "suspicious email" beats "potential spearphishing attempt"
- Relevance — "how this affects you and your family" beats "how this affects the company"
- Action-oriented — every communication should end with a specific action the reader can take
- Timeliness — security alerts sent promptly when relevant; stale threat news isn't acted on
- Tone — helpful and supportive, not accusatory or condescending
- Multi-channel — email, intranet, Slack/Teams, digital signage, posters, team meetings
Communication Templates
- Phishing alert — "increased [type] phishing targeting our industry; here's what it looks like and what to do"
- Security tip of the week/month — single actionable tip; non-technical language
- Incident near-miss notification — "an employee caught and reported an attempted BEC attack last week"
- Policy change notification — "we have updated our [policy]; here's what changed"
- Cybersecurity Awareness Month campaign — October; themed content; leadership messages; competitions
Building Relationships Across the Organization
- HR partnership — onboarding, completion tracking, privacy of simulation results
- Legal partnership — what can be shared about incidents; NDA implications for vendor training
- Communications/Marketing — consistent tone and brand; getting messages amplified
- IT partnership — technical configuration of awareness platform; integration with email gateway
- Business unit liaisons — security champions; advocates within departments; feedback on content
- Vendor management — managing SAT platform vendors; content licensing; contract negotiation
Managing Resistance to Security Training
- "This is a waste of time" → Show PPP data and breach cost context; make relevant to role
- "My team is too busy" → Offer microlearning format; schedule during lower-intensity periods
- "This is too basic" → Offer advanced content tracks; role-specific specialized training
- "Phishing simulations feel like entrapment" → Explain purpose; non-punitive framing; cite NDSS research
- Executive buy-in — individual meeting with CISO support; regulatory obligation; competitor breach news
- Compliance lever — regulatory requirements often the most effective alignment tool
Stage 07
Hands-On Practice & Portfolio
Building Experience
- Administer a security awareness program — operating platform, running simulations, reporting
- Develop original training content — writing scripts; recording microlearning modules; building scenarios
- Present program metrics to leadership — key communication skill; practice with real data
- Security champion program participation — running or being one
- Complete platform admin training — KnowBe4, Proofpoint, or Cofense
What to Document on LabList
- Program design documents — strategy; content calendar; simulation plan
- Metrics dashboards and reports — sample executive report showing PPP trend and completion
- Content samples — scripts, module outlines, communication templates
- Campaign case studies — "Cybersecurity Awareness Month 2025: what we did, what we measured"
- Cert progression — Security+ followed by SSAP or CPTD, documented with context
FAQ
Common questions
How long does it take to become a Security Awareness Manager?
2–3 years optimistic at 20–25 hours/week, 3–5 years realistic. The role is more accessible than most security positions because it emphasizes communication, program management, and adult learning alongside technical security knowledge. Entry paths include security analyst with communication skills, training/L&D professional with security knowledge, or compliance analyst taking on awareness responsibilities. Senior roles require demonstrated behavior change measurement, not just program execution.
Which certifications matter for SAW roles?
Security+ for technical foundation. SSAP (Security Awareness and Training Professional) is purpose-built and growing. CISA for organizations with audit functions. ATD CPTD or APTD for instructional design depth. KnowBe4 Security Awareness Specialist for KnowBe4 shops. No single dominant credential exists yet — the field is consolidating.
Do I need a degree?
Most SAW managers hold a bachelor's, often in communications, education, business, or security. Career-changers from training, learning & development, communications, or compliance backgrounds transition routinely. What you do need: communication clarity for non-technical audiences, instructional design instincts, and platform fluency (KnowBe4 or Proofpoint). The job is 60% communication and program management, 40% security knowledge.
What separates a hired SAW Manager?
Quantified program impact evidence. 'I reduced our Phish-prone Percentage from 28% to 11% over 18 months' demonstrates ownership; 'I ran phishing simulations and training campaigns' describes task execution. Other differentiators: writing portfolio (security tips, campaign copy, module scripts, executive reports), behavior change framing over compliance framing, and demonstrated stakeholder relationship management. Human error is involved in 60–74% of all security breaches (Verizon DBIR 2025).