MGT433: Managing Human Risk: Mature Security Awareness Programs

SANS Security Awareness Professional (SSAP)
  • In Person (2 days)
  • Online
12 CPEs

Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their workforce. As a result, people, not technology, have become the primary attack vector for cyber attackers. The most effective way to manage your organization's human risk is to establish a mature security awareness program that goes beyond compliance, changes people's behaviors, and ultimately creates a secure culture. This two-day intensive course, which includes five interactive labs, will teach you the key concepts and skills needed to do just that, whether you are establishing a new program or maturing an existing one.

What You Will Learn

People are the primary attack vector. Manage your human risk.

Learn the key lessons and the roadmap to build a mature awareness program that your workforce will love and that has an impact you can measure. Apply models such as the BJ Fogg Behavior Model, AIDA Marketing funnel, and Golden Circle, and learn about the Elephant vs. the Rider.

The course content is based on lessons learned from hundreds of security awareness programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom plan to implement as soon as you return to your organization.

"This is an absolutely fantastic course. Lance is a great presenter and held my interest through the entire course. The material is so valuable, I can't wait to go back and map out my plans on how I'm going to use it." - Lesley Swann, Baker Donelson


  • Align your security awareness program with your organization's strategic security priorities.
  • Effectively identify, prioritize, and manage your organization's top human risks.
  • More closely integrate your security awareness efforts with your security team's overall risk management efforts.
  • Make the most of your investment by sustaining your security awareness program long term, going beyond changing behavior to changing culture.


  • Understand the Security Awareness Maturity Model and how to leverage it as the roadmap for your awareness program
  • Implement key models for learning theory, behavioral change, and cultural analysis
  • Explain the difference between awareness, education, and training
  • Identify the maturity level of your existing awareness program and the steps to take it to the next level
  • Ensure compliance with key standards and regulations
  • Define human risk and explain the three different variables that constitute it
  • Explain risk assessment processes
  • Leverage the latest in Cyber Threat Intelligence and describe the most common tactics, techniques, and procedures used in today's human-based attacks
  • Identify, measure, and prioritize your human risks and define the behaviors that manage those risks
  • Measure the impact of your awareness program, track reduction in human risk, and communicate the program's value to leadership


A big part of the course is not only learning but applying what you learn, working in groups with your peers. Not only does this give you a far better understanding and application of the course content, it also enables you to interact with and learn from others. This two-day course has five labs. Each lab takes approximately 20-30 minutes to complete as a team, followed by another 20-30 minutes of group discussion, for a total lab time of three to four hours.

  • Lab 1: Read, analyze, and identify the top human risks based on the Verizon Data Breach Investigations Report.
  • Lab 2: Review, identify and prioritize the top human risks in your organization.
  • Lab 3: Identify and document the top behaviors (learning objectives) that manage those risks.
  • Lab 4: Leverage the AIDA marketing model to engage and communicate to your workforce about a new tool roll-out.
  • Lab 5: Create a strategic engagement plan on how you will effectively communicate to and engage your workforce to manage a specific human risk.

What MGT433 Students Are Saying About the Labs

"Just what I needed." - Philippe Vaquer, Bureau Veritas

"Incredibly useful and supportive to the learning." - William Edwards, HM Land Registry

"The labs presented an effective way to grasp the material and present to others for good feedback." - Michael U., US Government

"I enjoyed learning from other attendees during the breakout session. It's really good to hear about how other organizations implement their programs. Sharing best practices has been really insightful." - Angela Childs


  • Section 1: Learn the fundamentals of security awareness programs followed by identifying and prioritizing the key human risks you will be managing.
  • Section 2: Learn how to engage, train and motivate your workforce to change and exhibit secure behaviors and measure the impact of that change.

NOTE: This class is designed as a beginner to intermediate level course. Highly experienced security awareness professionals or senior security leaders should consider the more advanced five-day MGT521: Leading Cybersecurity Change: Building a Security-Based Culture.



This course provides you with the opportunity to join the SANS Security Awareness Community Forum, a private, invitation-only community of over 1,500 awareness officers who share resources and lessons learned. In addition, you will receive the following with the course:

  • Printed + Electronic course books that include slides with detailed notes for each slide
  • Printed + Electronic lab book
  • Digital Download Package containing digital copies of all the labs, supplemental materials, reports, templates and examples
  • MP3 audio files of the complete course lecture
  • One 90-day license to the entire SSA library of content


MGT521: Leading Cybersecurity Change: Building a Security-Based Culture: This course takes MGT433 to the next level by teaching you how to leverage the principles of organizational change in order to develop, maintain, and measure a security-driven culture.

MGT512: Security Leadership Essentials for Managers: This course provides an overview of how to manage different security technologies, controls, and frameworks, and how they work together. It's an excellent way to better understand how awareness of human risk and knowing how to manage it partners with other elements of security.

MGT514: Security Strategic Planning, Policy, and Leadership: This is SANS' most advanced course for senior security leaders, CSOs, and CISOs. It's an excellent way to better understand how awareness of human risk and knowing how to manage it support your organization at a strategic level.

Syllabus (12 CPEs)

  • Section 1: Overview

    The first course section begins with the fundamentals by specifically answering two questions: What is awareness and how do we define it? What is human risk and how can awareness programs enable us to effectively manage it? We then cover the most critical foundations for a successful program, which include leadership support, a program charter, and an advisory board. We'll cover the science of behavior change and the two pillars of a strategy that supports that change. We then do a deep dive into identifying and prioritizing your organization's top human risks and the behaviors to manage those risks.

    • Identifying the top, most common human risks
    • Identifying the top three human risks to your own organization
    • Defining the key behaviors to manage a specific human risk
    • The five stages of the Security Awareness Maturity Model
    • The learning continuum: awareness, training, and education
    • The definition of human risk and the three variables that define it
    • Why humans are so vulnerable and the latest methods cyber attackers use to exploit these vulnerabilities
    • Steps to gain and maintain leadership support for your program
    • How to develop and leverage an effective Advisory Board
    • The B.J. Fogg Behavior Model and how it applies to your overall strategy of changing workforce behavior
    • Developing a strategic plan that prioritizes your organization's human risk and the behaviors to manage those risks, and that enables changing those behaviors.
    • A walk-through on how to conduct a human risk assessment and how to prioritize your organization's top human risks, including leveraging the latest in Cyber Threat Intelligence (CTI). NOTE: This section includes two interactive labs. In the first lab you will analyze a security report and identify the most common risks to your industry. In the second lab, you will identify the top three human risks to your organization.
    • An analysis of how to identify and prioritize the key behaviors that manage your organization's top human risks, including an overview of learning objectives.
  • Section 2: Overview

    The second course section begins with how to change behaviors at an organizational level, with a focus on building a customized engagement strategy unique to your organization's structure and culture. We then go into the different outreach and training categories and modalities before transitioning into a look at how to sustain change over the long term and impact culture. Finally, we'll explore how to measure the impact of your program and communicate that impact to leadership. We finish the section with a focus on how to put this all together and effectively implement your program.

    • Create a communications plan for a tool roll-out
    • Develop a customized engagement strategy to manage a specific human risk
    • Introduction of the Golden Circle and the importance of "why"
    • How you can effectively create an engagement strategy leveraging the AIDA marketing model
    • Elements of cultural analysis
    • Top tips for effective translation and localization
    • The effective use of imagery, with a focus on diverse or international environments
    • The two different training categories, primary and reinforcement, and the roles of each
    • How to effectively develop and provide instructor-led training (ILT)
    • How to effectively develop and provide virtual live training (VLT)
    • How to effectively develop and deploy computer-based training (CBT)
    • Different reinforcement methods, including newsletters, fact sheets, posters, internal social media, hosted speaker events, hacking demos, scavenger hunts, virtual lunch-and-learns, and numerous other training activities.
    • Sustaining an effective culture impact over the long term
    • How to design, deploy, and leverage metrics to measure the impact of your awareness program
    • Walk-through of the final planning and execution steps, including documenting a comprehensive project plan

SANS Security Awareness Professional

Organizations seek proven leaders who have the expertise and skills to effectively manage and measure human risk. The SANS Security Awareness Professional (SSAP) provides not only this expertise, but also signifies, documents and certifies that the holder has met the requirements to elevate the overall security behavior of the workforce.

The first step to achieving your SSAP is taking the two-day SANS MGT433 course on building mature awareness programs. In this course, you’ll learn how to:

  • Gain and maintain leadership advocacy for your security awareness program. Identify and document target groups and deploy relevant training.
  • Effectively engage and communicate across the organization, addressing culture, role and generational challenges, nationalities and languages.
  • Sustain your security awareness program, including implementing advanced programs, such as ambassador programs.
  • Understand and use the five stages of the Security Awareness Maturity Model as a benchmark for your awareness program success.
  • Measure the impact of your awareness program, track reduction in human risk and communicate the program's value to leadership.
  • Apply key models for learning theory, behavioral change and cultural analysis.


This is a non-technical course designed for both new security awareness professionals and experienced ones who are looking to expand and grow their awareness skills and expertise. While an understanding of cybersecurity risk and/or a technical background can help, it is in no way required.

Author Statement

"Having been actively involved in information security for more than 20 years, I have seen one constant factor: people are the number one attack vector for cyber attackers because we fail to properly invest in people and secure them. Once trained, your workforce will become your greatest asset, not only to prevent incidents but also to quickly identify and report them, resulting in a far more resilient organization. I am extremely excited about MGT433, as it provides organizations with the skills, resources, and community they need to build a mature security awareness program that effectively manages and measures human risk."

- Lance Spitzner

"Lance is a great speaker. Love the charisma, the energy, and the banter." - Chris Cioffi, Western Power Distribution


"The 'Who' and 'What' of training and awareness is just what I needed to take back home." - David N., US Federal Department

"Soup to nuts, this course covers the entire designing, building, deploying and measuring of an effective security awareness program." - Chris Sorensen, GE Capital

"This course has content every employee can use, whether from a large company or small. It has a sound starting point everyone can use." - Donna Hickman, GE Capital Retail Bank

Register for MGT433

  • In Person: Training events and topical summits feature presentations and courses in classrooms around the world.
  • Live Online: Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.
  • OnDemand: Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.