The Ultimate Guide To Security Awareness Training

                      Old-school awareness training never really hacked it. Learn about why you need
                      new-school security awareness training.

                      What Is Security Awareness Training?

                      Security awareness training is a form of education that seeks to equip members of an organization with the information they need to protect themselves and their organization's assets from loss or harm. For the purposes of any security awareness training discussion, members of an organization include employees, temps, contractors, and anybody else who performs authorized functions online for an organization.

Organizations that must comply with industry regulations or frameworks such as PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act of 1996), the Sarbanes-Oxley reporting requirements, NIST or ISO usually deliver security awareness training to all employees once or perhaps twice a year.

And even though it may not be required of Small and Medium Enterprises for compliance reasons, they can also benefit from training their employees to avoid cyberheists through phishing attacks, account takeovers, or other well-known means that cybercriminals use to misappropriate company funds.

                      Why Security Awareness Training?

To be aware, you need to be able to confront (face things as they are). KnowBe4 helps employees confront the fact that bad guys are trying to trick them. Once they confront that, they become aware and able to detect these scam emails, and they can take appropriate action like deleting the email or not clicking a link.

                      Cybercrime is moving at light speed. A few years ago, cybercriminals used to specialize in identity theft, but now they take over your organization’s network, hack into your bank accounts, and steal tens or hundreds of thousands of dollars. Organizations of every size and type are at risk. Are you the next cyber-heist victim? You really need a strong human firewall as your last line of defense.


                      2019 Gartner Magic Quadrant Report for Security Awareness CBT

Gartner has positioned KnowBe4 as the highest and furthest overall Leader in the security awareness computer-based training (CBT) market, based on our ability to execute and completeness of vision. We believe this placement in the Leaders' Quadrant validates our mission: enabling employees within client organizations to make smarter security decisions, using world-class training and simulated phishing to improve their security posture and mitigate risk. Read the Security Awareness CBT report to find out what we believe sets KnowBe4 apart.

                      Download Your Complimentary Copy of the Report 

                      How To Run A Successful Program In Your Organization

                      Critical Components of a Security Awareness Program

                      • Content - Content is king! As humans we all prefer different types and styles of content. Don’t approach content in your program as one size fits all. Match different content types to different roles in your organization.
                      • Executive Support & Planning - Materials that will help you continue to prove the value of the program to your executive team, and also to show auditors/regulators that you are doing the right thing.
• Campaign Support Materials - A successful program shouldn't be 'one and done'; treat it as a marketing endeavor. Once-a-year, 'check the box' training will not work toward changing user behavior. Continuously presenting the information in different ways, when it coincides with the context of their life, is what will influence their decisions and make it EASIER for users to make smarter choices.
                      • Testing - People need to be put in a situation where they will have to make a decision that will determine if the organization gets breached or not. Phishing simulations prompt users to either click a link, report the phish, or do nothing. You want to give them an opportunity to report phishing attempts and help the organization increase resilience. If they do fall for the phish, you want the ability to do training then and there to create a learning moment. Doing nothing isn't ideal as it leaves the potential threat out there and there's an opportunity for others in the organization to click.
                      • Metrics & Reporting - You need to be able to show you are closing security gaps. Reporting is also useful for optimizing campaigns based on past results. You want to be able to see what is working well and what can be improved upon.
• Surveys/Assessments - These types of tools can help you understand the attitudes of your organization and how well your program is resonating with your people so you can adapt. Think of it as a pulse check of subtle nuances that are different from metrics/reporting, such as opinions, frame of mind, etc.

                      Here's a sobering truth: Your awareness program and content are the visible ‘face’ of your department to the rest of the organization. Especially if you are in a larger organization, a good portion of your coworkers don't know you, they only know what your department produces. For that reason, it HAS to be as good or better than anything else the organization is doing. Otherwise, security is seen as 'other', unimportant, an afterthought.

                      Program Development 

Learning doesn't just happen at one point in time; we need to think about the entire context of user experience. Consider this 70:20:10 model for learning and development:


                      • 10% Formal - Structured learning, LMS courses, training days, etc. This is about the maximum amount of time you can allot per user for formal training. You need to be thinking about ways to address the other 90% of someone's experience in the organization.
                      • 20% Informal - This would include asking others, collaborating, webinars, watching videos, reading, etc. Think about how to build an informal community for users to know where to go to get the information they need when they are actually seeking it out.
• 70% Experiential - On-the-job, social, in the workflow, corporate and departmental culture. From a security aspect, if we are ignoring that 70% social/cultural component, we're putting ourselves at a disadvantage. Think about ways to address that entire 100%. Vendor support systems can help.

                      The Five Moments of Need

                      1. For the first time
                      2. Wanting to learn more
                      3. Trying to apply knowledge and/or remember
                      4. When something goes wrong
                      5. When something changes

                      Think About Learner Profiles/Segments Where Possible

                      The types of information and cultures of different departments vary. You need powerful ways to split your user population into groups. This allows you to measure them and train them in ways that best resonate with their individual needs and learning styles.

"3 truths about human nature. We're lazy, social, and creatures of habit. Design products for this reality." - BJ Fogg, Behavioral Researcher

                      The Four Stages of Competence

                      1. Lack of Awareness - Unconscious Incompetence or "I don't know that I don't know something." They are blissfully unaware and their behavior will reflect that.
                      2. Awareness - Conscious Incompetence or "I know that I don't know something." They now realize they don't have all the knowledge and tools they need. We can hope that will move them to the next stage.
                      3. Step-by-step - Conscious Competence or "I know something, but I have to think about it as I do it." They either need to access stored information or really intentionally weigh all the options then come to the right conclusion.
                      4. Skilled Stage - Unconscious Competence or "I know something so well that I don't have to think about it." This is where most of us are with pattern-based behaviors like driving, brushing our teeth, etc. At some point these things were difficult, and we can actually build up to this stage.


                      The problem is that traditional programs fail by leaving users to linger in stages 1 and 2. Design your program to push them all the way through to stage 4. Getting users to stage 4 with constant training and simulation is ideal and cultivates the kind of behavior that can protect you from a breach.

                      Plan like a Marketer. Test like an Attacker.

Run a multi-channel campaign: different types of content at different times, targeting different audiences through different channels, so that there is a constant flow of information that works within the context those different people are in. You need to be constantly building reflexes and muscle memory for your people, which is where the testing component comes in. No matter which tool you use, even if you are using a homegrown program, you need to send a social engineering test, like a phishing test, to users at least every 30 days. By doing both training and testing, you are running a hearts-and-minds campaign like a marketer would. Over a period of time, through different channels and mediums, you can start to build influence in the mind. Supplementing that with frequent simulated phishing builds the muscle memory on top of that, so users naturally react in the right way. That's the key to building resilience.



                      On-Demand Webinar: Critical Considerations When Choosing Your Security Awareness Training Vendor

                      In this webinar Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer and former Gartner Analyst, steps you through key measures to help you make an informed security awareness decision for your organization.

                      Watch Now

                      Variety of Content

                      More than just formal training

When you think of security awareness training content, the first thing that comes to mind is probably traditional courses in an LMS. It's so much more than that! Other examples include videos, games, blogs, webinars, posters, messaging on swag, self-produced content, newsletters, email content, etc. Anything you can deliver that conveys your message and elicits some kind of thinking, engagement or reaction is considered content.

Make your content interesting and relevant to your users

This is important when it comes to training because if content isn't appealing to the audience it's in front of, it doesn't feel relevant to them and won't stick with them. Relevance is key. The human mind learns through storytelling, and security awareness training is no different. A story contains contextual information that a boring, written policy simply cannot. People learn in many different ways and naturally gravitate toward different types of content, so it makes sense that if you use a one-dimensional approach in training, you are going to lose a huge part of your audience. You want to come to the learner with content suited for them rather than try to make them learn in one certain way.

                      And don’t just add more content for the sake of having more content. A diverse portfolio of different types of content will get the message to resonate. Repetition is key for knowledge to stick, and you need to have variety to go along with a repetitive message. Showing the same exact course over and over isn’t going to make much of a difference. If you're not sure where to begin, you're not alone. Many vendors can provide recommendations and best practices. Start there and adjust over time according to what works for your environment.


                      Inside Man - Security Awareness Video Series

                      The Inside Man is KnowBe4’s first custom network-quality video series that delivers an entertaining movie-like experience for your users and makes learning how to make smarter security decisions fun and engaging. From social engineering and passwords, to social media and travel, The Inside Man reveals how easy it can be for an outsider to penetrate your organization’s security controls and network.

Want to access all 12 episodes and check out all our great security awareness training content?

It's easy! You can now get access to our ModStore Preview Portal to see the world's largest library of security awareness content, including 900+ interactive modules, videos, games, posters, and newsletters. You can easily browse, or search by title, category, language or content topic. See how entertaining security awareness training can be!

                      Get Access Now! >>

                      The 8th Layer in Security, Building The Human Firewall

To realize a more fully developed security stack, you need to empower the 8th Layer of security, the human layer. Reporting phishing and other suspected security incidents should be encouraged. By receiving positive reinforcement for engaging in incident reporting, employees are more likely to engage in future reporting; that proactive reporting and positive reinforcement creates a virtuous cycle resulting in faster response times.

The Open Systems Interconnection (OSI) model is one of the core concepts when managing a network. The OSI model refers to a computer network framework that comprises seven layers and acts as a roadmap of what is happening within a network.


1. Physical Layer. The hardware layer of the OSI model, which includes network elements such as cables and Ethernet.
2. Data Link Layer. Handles node-to-node data transfers. A node can be defined as a computer or some other device such as a printer.
3. Network Layer. This layer deals with most of the routing within a network.
                      4. Transport Layer. The layer responsible for transferring data between end systems and hosts. It dictates what gets sent where, and how much of it gets sent. In the event that something goes wrong, the Transport Layer also has the responsibility of end-to-end error recovery.
                      5. Session Layer. The layer responsible for establishing, maintaining and ending connections between different applications. This layer controls the terms on which applications interact with each other. 
                      6. Presentation Layer. Designed to prepare and translate data from the network format to the application format or vice versa. 
                      7. Application Layer. This is the layer that users actually interact with, like using Google Chrome or Skype for example.

With the bad guys knowing your untrained users are the weakest link into your network, it is more important than ever to add the 8th layer of security awareness. Today's email filters have an average 10-15 percent failure rate, and about 30 percent of data breaches are caused by repeat offenders from within the organization. You need a strong human firewall as your last line of defense.

                      Avoid Potential Pitfalls in Phishing Your Users

                      Five Principles to build positive anti-phishing behavior management programs


                      Shifting organizational behavior requires a recognition that simply exposing employees to security-related information will never be enough. Instead, it is imperative to train secure reflexes through intentional and methodical simulated testing so that employees are continually exposed to the situations in which you hope they will exhibit secure behavior.

                      Some security and organizational leaders might be hesitant to phish their users, fearing that end-users or managers could react negatively to the experience. In fact, some organizations may even have horror stories of phishing simulations that have backfired, resulting in more harm than good. Yet, security leaders, auditors, and adult-learning experts agree that the best way to train secure reflexes is through simulation (not information).

                      It is possible to work through concerns related to simulated phishing and, in fact, make the experience positive for end-users and management alike. Use the following five principles to build a positive anti-phishing behavior management program:

1. Frame the program with a positive tone: the way that employees react to simulated phishing events is directly related to the way that you message the program. If employees feel that your main goal is to trick them and make them fail, then they will view you as an adversary. It is much better to position your program as something that you are doing for the good of the organization and the employees within it. In short, your message is that you are running these campaigns for the same reasons that you conduct events like fire drills: for people's ultimate safety and preservation.
                      2. Be intentional about your ‘post click’ landing pages: The time immediately following a phishing test failure is your most critical messaging moment. Employees will naturally feel the most vulnerable and sensitive when they’ve fallen for a simulated attack. If you are directing them to a landing page that lets them know they’ve failed, it is important that you account for their heightened emotional state. Use the learning moment – but be extra careful not to heap shame on the employee. Instead, be friendly and to the point. Additionally, your messaging for any follow-up training should not be framed in shame or condemnation; it should remind them of the program, why tests like these are important, and how we all struggle to retrain human nature.
3. Empower them with new behaviors: Give your employees the power to build new behavioral patterns by offering them replacement behaviors. Humans struggle with simply removing a behavioral pattern. It can actually be easier to replace one behavior with another. For phishing simulation tests, we consider it best practice to have your employees report the simulated phish by clicking on our free Phish Alert Button (PAB). This not only gives them a replacement behavior, but can also give them positive reinforcement by displaying a congratulatory message for reporting the simulated phish. For organizations that have not deployed the PAB, train them to think, "when in doubt, throw it out," so that their replacement behavior is simply deleting emails that are worrisome.
                      4. Measure and train at their individual competency – and train for improvement: In all organizations, there are different levels of employee sophistication in detecting simulated phish. You will have some employees who almost never fall victim to phishing tests, and some who fall victim much more often. Because your employees have different levels of maturity in detecting phish, it can be extremely useful to train employee groups at their current level of competence, so they can improve. For the same reason that we don’t expect grade school students to do college-level math, we shouldn’t expect employees to immediately become expert phish detectors. Consider a tiered system of phishing training for your users to train them according to their current level of competence and allowing them to grow over time.
5. Phish frequently: A pattern of frequent simulated phishing tests lets employees know that simulated phishing is a part of your security culture, and that this is standard practice because frequent training provides the best chance at developing proper reflexive behaviors. Organizations that only conduct yearly or quarterly simulated phishing are actually only performing baselining measurements, not training secure reflexes. Monthly, or better yet bi-weekly, simulated phishing training will let employees know that they should always be on the lookout for the next phish to land in their inbox, and that they can always show improvement because the next test is not far away.

Creating your anti-phishing behavior management program according to these five principles will ensure that your program is seen as something that builds up employees rather than tearing them down. These principles are aimed at recognizing that humans can become an effective last line of defense for your organization when given proper training, motivation, and support.

                      Avoid these top 10 security awareness training program fails


                      We want you and your employees to enjoy the benefits of a great security awareness training program without experiencing the pain and setbacks associated with missteps. Set your organization up for success by avoiding these common security awareness program fails:
                      1. Avoid singling out users that click on a phishing link and making a public example of them. Do not punish employees that make mistakes early on.
                      2. Avoid sending phishing campaigns only every 90 days. Quarterly phishing tests really just take a baseline, whereas phishing users at least once a month is an effective method to groove in making smart security decisions.
                      3. Avoid sending the same phishing template instead of randomizing the templates to each user, and running campaigns on predictable times like every Monday afternoon.
                      4. Avoid starting out with 5-star phishing templates that are too difficult to identify.
                      5. Avoid sending only phishing attacks and overlooking stepping users through interactive training.
                      6. Avoid forgetting to emphasize that this program will also help your users to keep their family safe online.
7. Avoid forcing the program down your users' throats, and bypassing getting C-level air cover for the program. You want as much buy-in from the get-go as possible.
                      8. Avoid neglecting to inform key stakeholders, department managers and tech support before you send the initial baseline test.
                      9. Avoid not reporting the positive results to the stakeholders with graphics that show improvement over time.
                      10. Avoid not having a good procedure / process that allows users to report phishing emails that they found in their inbox, and not having a Social Engineering Incident Response program.

                      Follow these guidelines to ensure the success of your program. Need help getting started? KnowBe4's Automated Security Awareness Program takes away all the guesswork. Answer 15-25 questions about your goals and organization and get your customized program in just 10 minutes!

                      * This list is also available as an infographic


                      How many of your users would click on a phishing link?

Find out what percentage of your users are Phish-prone with your free Phishing Security Test. Why? If you don't do it yourself, the bad guys will. Plus, see how you stack up against your peers with phishing Industry Benchmarks. Start phishing your users now. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

                      Go Phishing Now!
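The Phish-prone percentage above, the "Metrics & Reporting" component, and principle 4 (train at each user's level of competence) all rest on the same arithmetic over simulated-phishing results. The following script is an added example and is not KnowBe4's code; the campaign data, the tier names ("foundational", "developing", "skilled") and the thresholds are constructed assumptions for illustration. It computes Phish-prone and report rates overall, per campaign and per department, and assigns each user a training tier from their recent history:

```python
from collections import defaultdict
from typing import Callable, NamedTuple


class Result(NamedTuple):
    campaign: str     # campaign identifier, e.g. "2023-01" (constructed)
    user: str
    department: str
    outcome: str      # "clicked", "reported" or "ignored"


# Constructed sample data: one row per simulated phish delivered to a user.
# "reported" is the replacement behaviour we want; "ignored" leaves the
# threat in the inbox, so it is neither a failure nor a success.
RESULTS = [
    Result("2023-01", "alice", "finance", "clicked"),
    Result("2023-01", "bob",   "finance", "ignored"),
    Result("2023-01", "carol", "eng",     "reported"),
    Result("2023-01", "dave",  "eng",     "clicked"),
    Result("2023-02", "alice", "finance", "clicked"),
    Result("2023-02", "bob",   "finance", "reported"),
    Result("2023-02", "carol", "eng",     "reported"),
    Result("2023-02", "dave",  "eng",     "ignored"),
    Result("2023-03", "alice", "finance", "reported"),
    Result("2023-03", "bob",   "finance", "reported"),
    Result("2023-03", "carol", "eng",     "reported"),
    Result("2023-03", "dave",  "eng",     "clicked"),
]


def phish_prone(rows, key: Callable[[Result], str] = lambda r: "all"):
    """Phish-prone percentage (clicked / delivered) and report rate
    (reported / delivered), grouped by key(row). Returns a dict
    {group: (phish_prone_pct, report_rate_pct, delivered)}."""
    counts = defaultdict(lambda: [0, 0, 0])  # delivered, clicked, reported
    for row in rows:
        c = counts[key(row)]
        c[0] += 1
        if row.outcome == "clicked":
            c[1] += 1
        elif row.outcome == "reported":
            c[2] += 1
    return {g: (round(100 * c[1] / c[0], 1), round(100 * c[2] / c[0], 1), c[0])
            for g, c in counts.items()}


def trend(rows):
    """Phish-prone percentage per campaign in chronological order: the
    'improvement over time' series stakeholders want to see."""
    by_campaign = phish_prone(rows, key=lambda r: r.campaign)
    return [(c, by_campaign[c][0]) for c in sorted(by_campaign)]


def competence_tier(rows, user: str, window: int = 3) -> str:
    """Assign a training tier from the user's last `window` campaigns.
    Thresholds are assumptions: no clicks and at least one report is
    'skilled'; at most one click is 'developing'; otherwise 'foundational'."""
    history = sorted((r.campaign, r.outcome) for r in rows if r.user == user)
    recent = [outcome for _, outcome in history[-window:]]
    clicks = recent.count("clicked")
    reports = recent.count("reported")
    if clicks == 0 and reports >= 1:
        return "skilled"
    if clicks <= 1:
        return "developing"
    return "foundational"


def report_lines(rows):
    """Narrative lines for an executive update: the 'what' with its 'so what'."""
    overall = phish_prone(rows)["all"]
    series = trend(rows)
    lines = [f"Overall Phish-prone: {overall[0]}% of {overall[2]} simulated phishes; "
             f"report rate {overall[1]}%."]
    first, last = series[0][1], series[-1][1]
    direction = "fell" if last < first else "rose" if last > first else "held"
    lines.append(f"Phish-prone {direction} from {first}% ({series[0][0]}) "
                 f"to {last}% ({series[-1][0]}).")
    for dept, (pp, rr, n) in sorted(phish_prone(rows, key=lambda r: r.department).items()):
        lines.append(f"{dept}: Phish-prone {pp}%, report rate {rr}% (n={n}).")
    return lines


if __name__ == "__main__":
    for line in report_lines(RESULTS):
        print(line)
    for u in sorted({r.user for r in RESULTS}):
        print(f"{u}: {competence_tier(RESULTS, u)} tier")
```

Report rate is tracked alongside Phish-prone percentage because a falling click rate with a flat report rate usually means users are ignoring tests rather than reporting them; the tier function looks only at a recent window so that a user who has improved is not held in the foundational tier by old results.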

                      When To Go Pro

                      The difference between knowing you can do it on your own, and getting to the point of feeling stretched and needing to bring someone in

                      Ask yourself, do you have the capacity and capability and talent within the organization to be able to put out a product that will actually drive quality training and the behavior change you’re looking for? Even organizations that have dedicated internal training teams can struggle with this.

                      Usually, taking that next step in looking for an outside vendor means you are looking for help with frequency, providing the right kind of content, and the ability to couple that with the correct activities that should be happening like simulated phishing. It can be appealing to do it on your own because you have complete control. However, everything is manual and it’s really hard to be good at (let alone have time for) creating a really robust security awareness program with a good variety of content.

                      Something to look at as you’re evaluating the market is that potential vendors have content available in a variety of flavors, lengths, languages, role-specific, etc. to fit the needs of different users across your organization. Having ways to repeat the same messaging without using the exact same training is important. Maybe you have a handful of topics you need to reinforce throughout the year. Without having a library of different types of content, the messaging falls flat over the course of a year. A good example of the most effective way to accomplish that would be: have a definitive piece of content that you deliver annually, that is what you use to check the box on compliance requirements. Then you have supplemental content that reinforces the annual training. As you’re looking at vendors, evaluate if they would only be fulfilling the annual training and in that case, necessitate a secondary or tertiary vendor to build up that content library you will need.

                      5 Ways Vendors Can Help To Improve Your Program:

                      • Continuous production of quality materials - updating content monthly is undoable for most organizations
                      • Being able to put out content that aligns your key topics with current news
                      • Expertise on topic, production, writing, filming, animation, plus technical aspects around things like phishing and social engineering
                      • Also - be honest with yourself about ROI. Think about the time you are spending on your program. Most of the time you will find that a program through a vendor is actually a fraction of the cost
                      • Vendors can provide a level of engagement, service and consistency that would be hard to do on your own


Investing in a program and not having any insight into its value is a huge problem. Easy access to reporting data is an absolute necessity. It's easy to get lost in a ton of metrics, but it is best to focus on a few areas that show changes in behavior and can consistently be validated through easily accessible tools.

Three key areas to make sure you are covering include: an understanding of what is most valuable to measure, having the tools that allow you to easily grab the data you need when you need it, and having a narrative that goes along with the reporting. Most of the time, executives are just seeing high-level numbers with no context. A meaningful story is much more effective at illustrating the behavioral change of an organization.

                      How to Gain and Maintain Executive Support for Your Security Awareness Program

                      How to work through "push back" when seeking to implement security awareness and training programs


                      With so many regulations and audit standards requiring organizations to provide critical security-related information and training programs for their employees, it can be shocking that security leaders often encounter high-level "push back" when seeking to implement security awareness and training programs.

                      To overcome this situation, propose your program in a way that addresses executive concerns, links to corporate objectives, and tells a story. This is accomplished in three steps:

                      1. Seek first to understand

                        Habit five of Stephen Covey's "Seven Habits of Highly Effective People" states, "Seek first to understand, then to be understood." Dr. Covey writes,

                        "If you're like most people, you probably seek first to be understood; you want to get your point across. And in doing so, you may ignore the other person completely, pretend that you're listening, selectively hear only certain parts of the conversation or attentively focus on only the words being said, but miss the meaning entirely. So why does this happen? Because most people listen with the intent to reply, not to understand. You listen to yourself as you prepare in your mind what you are going to say, the questions you are going to ask, etc. You filter everything you hear through your life experiences, your frame of reference. You check what you hear against your autobiography and see how it measures up. And consequently, you decide prematurely what the other person means before he/she finishes communicating."

                        It is vital to recognize that most business leaders (and end users) simply will not care about security in the same way that a security professional does. People don't care about security for the sake of security alone. What they care about is the result that a sound security strategy can provide and the impacts/risks associated with the lack of a sound security strategy. Use this understanding to inform the methods that you use to engage the organization and business leaders.

                      2. Take Genuine Interest and See the Motivation Behind Any Concerns
                        So, what motivates a business leader? The answer is: business risks and business outcomes. Therefore, it is helpful to position your security awareness and training program in this context. To do this, consider highlighting the following:
                          • Issues associated with behavior-related risks. It's important to speak to the traditional factors related to the possibility of data breach and negative PR. But don't stop there — behavior-related risk is broader and gets into areas related to system stability, continuity of operations, employee morale and productivity, proper handling of intellectual property, and more.
                          • Regulatory and audit requirements. Here is where you get to highlight the slew of regulations and audit requirements that mandate awareness and training programs.
                          • Industry best practice and competitor benchmarking. Decision makers are very interested in understanding where their organization stands relative to peer organizations. A few data points that decision makers may find interesting include: what are the standard topics that organizations like us train on? What is the average phish-prone percentage for organizations like ours, and how do we compare? What are the greatest behavior-related risks for organizations like us? How much do other organizations spend on security awareness and training programs?
                          • A sense of respect for everyone's time. Time is your employee's most valuable resource. It's important that your security awareness and training program respect this fact by not exposing employees to information that is irrelevant or unnecessary. Where possible, provide data points to demonstrate that your awareness and training efforts will have a positive payback for the organization.
                          • Evidence that you have an informed plan. Give your executive team confidence in your program by eliminating as much uncertainty as possible. Often, security leaders embark on awareness and training programs that are amorphous and without a clear sense of direction. Eliminate uncertainty and smooth out potential future conflicts by sharing a well-formed plan that removes the guesswork.

                      3. Connect Your Security Awareness Program to Organizational Outcomes
                        Where possible, you need to speak the language of "the business" and report in a way that shows relevance to organizational outcomes. Notice that this is directly related to the other points mentioned in this article. In order to report in a relevant way, you first need to understand your organization's targets and the agreed-upon risks.

                        When reporting your security awareness successes, continue to remind the executive team why the program is important, and how the activities and metrics connect with the motivations outlined in points 1 and 2, above. In the end, many of the metrics can be the same as you would normally report (for example, course completion rates, phishing test outcomes, and so on), but the difference here is that you are able to put these numbers into context. This context is used to tell the story of how your security awareness and training program is strengthening the overall security culture of the organization, thereby reducing risk, potentially increasing productivity, and having a positive impact on the organization's ability to execute.

                      "Culture eats strategy for breakfast." - Peter Drucker, Management Consultant, Educator and Author

                      Maintaining Executive Support for Your Program

                      Communication Strategy is Key

                      Any time you are presenting data, don’t leave the interpretation up to chance. The ‘what’ is the data. With every ‘what’ comes a ‘so what?’ (what does that data actually mean?) and a ‘now what?’ (what do we do in light of that information?). Any time you have a what, you need to answer the so what and the now what; otherwise you’re leaving one or both of those up for interpretation, and that’s a chance you cannot afford to take. Your communication strategy throughout the whole process is key. You want to tell a memorable story, the moral being that you need security awareness training. Use statistics, charts and graphs to support that story.

                      Capturing Executive Attention

                      What’s in it for them - Answer the "so what" question. Answer specifically, for each member of the executive team, what will matter most to them about the output of a security awareness training program. This can be framed positively (increased resiliency that leads to a more stable environment, higher employee productivity) or negatively (pain that can be avoided when this is done right: data doesn’t get exposed, users don’t get compromised, etc.).

                      Outline clear connections - Show the connection between the action of training and the things that are important to that executive. This could be a specific system, a business outcome, a specific project, or a regulation they are accountable for.

                      Measurement and stories - Talk about what is going to be measured and how it will be presented, and use that to get to the moral of the story (this is what goes wrong without a security awareness program, here is what can go right, etc.).

                      Be on the Lookout for Ways To:

                      • Align your program to the organization’s strategy, mission, and initiatives. This can get heads around the table nodding.
                      • Tie your program to compliance requirements. For most major security best practices, audit requirements and regulatory requirements, security awareness training IS a requirement.
                      • Use current events and stories about organizations that are similar to yours in terms of industry, size, or other demographic characteristics. Note: Be careful not to do this in a way that will be perceived as alarmist or as fear mongering. The closer to home it feels, the more real it becomes in their minds.
                      • Map your program to established industry best practices (such as the NIST Cybersecurity Framework, the National Association of Corporate Directors guidance on cybersecurity, and so on).

                      Use SMARTER Goals

                      Show that you are being very intentional about starting your program and you will be more likely to get the support, budget and resources you need to get it started. Use a SMARTER goal-setting framework: goals should be Specific, Measurable, Actionable, Risky, Time-keyed, Exciting and Relevant.

                      Goals like "The goal is to reduce our phish-prone percentage" or "To be able to engage employees so they are more aware of the risks and threats around them" are not specific or measurable and are certainly not exciting. An example of a SMARTER goal would be: We are going to reduce our phish-prone percentage from an initial baseline of 30% down to 15% within the next 45 days. You will know for sure whether you’ve hit the goal or not once that 45 days is up. With this framework in mind, it is much easier to build out your training plan and reporting schedule around these types of goals.

                      Brainstorming Worksheet for Gaining Support

                      We recommend filling out a sheet like the one below for each executive you need to get buy-in from. This isn’t to share with anyone; it’s a tool to help you prepare before you start meeting with your executive team. Find ways to amplify their value proposition and address or minimize their concerns early on. Try to have one-on-one conversations before you officially ask for support so there are no major surprises when that time comes.

                      Support Worksheet

                      It's a Marathon, not a Sprint

                      It's very important that you present this as an ongoing program from the very beginning - not a one-and-done. Think about the difference between an event and an ongoing effort… and the difference between a sprint and a marathon. Time and consistency make a BIG impact in changing behavior for the better.


                      Watch the full webinar: How To Gain and Maintain Executive Support for Security Awareness Training

                      In this webinar, Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, helps you detangle the complicated web of politics around securing executive support for security awareness training.


                      The 2019 Phishing By Industry Benchmarking Report

                      The 2019 Phishing By Industry Benchmarking Report compiles results from the second annual study by KnowBe4 and reveals at-risk users across 19 industries that are susceptible to phishing or social engineering attacks. Taking it a step further, the research reveals radical drops in careless clicking after 90 days and 12 months of simulated phishing testing and security awareness training.


                      Awareness Posters

                      Awareness posters are great to display in the office as a reminder for the whole organization to keep security top of mind. Posters should be changed frequently enough so the message doesn't get stale. These high-res JPGs are suitable for printing.


                      On-Demand Webinars


                      In the Hot Seat: Three Experts Tackle 10 Critical Security Awareness Issues

                      Three experts. 10 hot topics. Sixty minutes. What happens when you lock highly opinionated security awareness experts in a room with a microphone and a list of top security issues facing your organization? This is your chance to find out!



                      Empowering Your Human Firewall: The Art and Science of Secure Behavior

                      You know that "security awareness" is key to a comprehensive security strategy. But just because someone is aware doesn't mean they care. So how can you design programs that work with, rather than against, human nature? Here's the great news. Creating a security awareness strategy that not only educates but reinforces good behaviors can be achieved and we'll show you how.


                      What Keeps IT Pros Like You Up at Night

                      Microsoft MVP, Nick Cavalancia, and KnowBe4's Security Awareness Advocate, Erich Kron, are here to help you sort out what should keep you up and what other IT pros like you really have a handle on as they discuss the results of KnowBe4’s 2019 What Keeps You Up At Night Report.



                      The Real World: New-School Security Awareness Training... From the Trenches

                      This is the true story of an IT Manager who was tired of his users clicking on everything and wanted to teach them a lesson… in a good way. Find out what happens when you stop being polite and start getting real. The Real World: New-School Security Awareness Training!



                      Counter the Careless Click: Tools to Help You Train Your Users

                      View this 30-minute webinar “Counter the Careless Click: Tools to Help You Train Your Users” where Erich Kron CISSP, Security Awareness Advocate of KnowBe4, will provide a practical session with tips and free tools you can implement now to help you create your “human firewall”.



                      Making Awareness Stick: Secrets to a Successful Security Awareness Training Program

                      With 91% of data breaches being the result of human error, security leaders, auditors, and regulators are increasingly focused on creating an effective security awareness and training program that focuses on the human side of security. Join our guest speaker, Nick Hayes from Forrester Research, and KnowBe4's own Perry Carpenter for results-focused strategies and insight for building a world-class security awareness training program.


                      Case Studies


                      Nonprofit Case Study

                      The Alliance for Strong Families and Communities aimed to train their staff and enrich their security posture. See how KnowBe4's integrated security awareness training and simulated phishing platform helped them to reduce their Phish-Prone Percentage from 36% to 2.2% within 12 months.

                      “By employing that automated, immediate remediation training, we know that it’s only a matter of time before our PPP is back down to 2%. It’s our job to make sure our people are cognizant and skeptical of threats so they can stay secure, and KnowBe4 is helping us do just that,”

                        - G.M., Systems Administrator and Supervisor



                      Education Case Study

                      After an Illinois school district fell victim to a DDoS attack, security and phishing became a higher priority. They needed a better way to protect sensitive data and ensure adherence to The Family Educational Rights and Privacy Act. See how they were able to reinforce cautious vetting of emails amongst staff members with phishing and training campaigns.

                      “My staff is excellent at teaching, but aren’t as experienced with technology, and they don’t have time in their busy days to gain a better understanding of technology and information security. The KnowBe4 Security Awareness Training model was a way to get their attention and their interest. ‘You just got had with a phishing email’ stands out and would grab anyone’s attention!”

                       - D.R., CETL, Director of Technology



                      Software Provider Case Study

                      TXT e-solutions was well aware of the problems that organizations face with social engineering attacks, which is why they believe that educating employees about the dangers is so important. Given the ISO 27001 compliance requirement, their desire to strengthen the company's security culture and their need to satisfy GDPR compliance requirements, they found KnowBe4 to be the best fit to meet their needs.

                      “In order to fight an ongoing threat of phishing, we have adopted the KnowBe4 security awareness platform to educate our users about phishing and anti-phishing techniques, use security protection and report suspicious activities. By doing so, we have reduced exposure to fraud and identity theft. The most effective fix to phishing is training and KnowBe4 is the right tool for it. Phishing and training campaigns have proven to be effective; we have fewer users clicking on phishing emails since the beginning. You can easily change the difficulty levels of the email campaigns for your more experienced users. KnowBe4 helps us to raise awareness of social engineering attacks. Great company; good pricing; solid training. Highly recommended.”

                       - A.U., Group IT Network Engineer


                      Free Tools


                      ModStore Training Preview

                      The world's largest library of security awareness training content is now just a click away!

                      In your fight against phishing and ransomware you can now deploy the best-in-class phishing platform combined with the world's largest library of security awareness training content, including 900+ interactive modules, videos, games, posters and newsletters. Get access to the full library now!



                      Automated Security Awareness Program

                      Get Your Free Automated Security Awareness Program (ASAP)!

                      Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization. ASAP allows you to build a customized Security Awareness Program for your organization that will help you to implement all the steps needed to create a fully mature training program in just a few minutes.


                      KnowBe4 Security Awareness Training

                      Old-school awareness training never really hacked it. Herding your users in the break-room, keeping them awake with coffee and donuts and subjecting them to death-by-PowerPoint gave traditional awareness training a bad rap.

                      KnowBe4 is your platform for new-school security awareness training. We help you keep your users on their toes with security top of mind. With this new-school integrated platform you can train and phish your users, see their Phish-prone Percentage and their Risk Score improve over time, and get measurable results.

                      Whether you're a small business, enterprise, or are looking to partner with KnowBe4, we will suggest best practices for your size/type of organization!



                      What Makes KnowBe4 Unique?

                      • Flexible and adaptive: Greater context-awareness and real-time intervention
                      • Focus on time savings: Micro-learning, behavioral baselining, test-outs, fine-grained roles/rules
                      • Smarter: Broader use of AI and machine learning
                      • Pluggable: More integrations with 'traditional' security tools
                      • Sneakier: Better automated social engineering use cases
                      • Sensitive: Learner sensitive and aware
                      • More flavorful: more variety of content, styles, tones, formats, etc.
                      • Assistive: Will naturally encourage greater program maturity

                      We have the largest content library in the world. We are the largest security awareness training provider in the world. With over 30,000 customers (and counting), nearly 1,000 employees, and offices in 9 countries, KnowBe4 is the world's most popular and most proven security awareness vendor.

                      Testimonials and Reviews


                      Keep Users Vigilant About Cybersecurity

                      Melody was referred to KnowBe4 and immediately began phishing campaigns for her staff, telling only one other partner. Based on initial results, they identified the need for staff training and got buy-in from the rest of their partners. She trains staff to be vigilant about phishing and ransomware attacks and KnowBe4 makes her job easier because of the available resources on the platform.


                      Why You Need To Invest In Your Human Firewall

                      Jesse got his CISO involved with KnowBe4 from the beginning and had top-down buy-in. When they started phishing their users they had a 23% click rate. Based on reported results from training and phishing campaigns, they are getting more buy-in from across the organization. He recommends KnowBe4 and thinks not enough organizations invest in the human element of cybersecurity.


                      How KnowBe4 Helps IT Sleep Better at Night

                      Nelson is the IT Director for a nonprofit that was hit with a ransomware attack a few years ago. While the attack was caught immediately and they were able to restore their files, they realized they needed help. He phishes users weekly and went from a 33% Phish-prone rate to less than 1%. Since starting KnowBe4, he sleeps better at night and users are constantly aware of cyberattacks.

                      What People Are Saying About KnowBe4


                      Request A Demo

                      Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

                      Get a product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform. In this live one-on-one demo we will show you how easy it is to train and phish your users.



                      Get A Quote

                      Today, your employees are frequently exposed to advanced phishing and ransomware attacks. You need New-school Security Awareness Training.

                      KnowBe4 is the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. 

                      Your users are your last line of defense. Find out how affordable creating a "Human Firewall" is. Get a quote for your organization now and be pleasantly surprised.


                      Security Awareness Training In The News

                      FBI Internet Crime Report Released: The Evolving Threat and Importance of Reporting

                      The FBI's Internet Crime Complaint Center released its 2019 Internet Crime Report, and by no surprise the bad guys and new scams show no signs of stopping anytime soon. Last year the highest dollar losses and complaints were reported since the center was ...

                      Seasonal Scams: Valentine's Day Edition

                      Romance scams and confidence scams cause both emotional and financial pain. According to the latest figures from the FBI's Internet Crime Complaint Center (IC3) for 2019, confidence/romance scams cost victims an astounding $475,014,032.

                      DOJ Charges Hackers from the Chinese People's Liberation Army with 2016 Equifax Data Breach

                      Four hackers have been charged with hacking the U.S. credit reporting agency where data on U.S. citizens and proprietary Equifax secrets were stolen.
