Managing Human Risk: Mature Security Awareness Programs

What You Will Learn

Course Overview

Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their workforce. As a result, people, not technology, have become the primary attack vector for cyber attackers. The most effective way to manage your organization's human risk is to establish a mature security awareness program that goes beyond compliance, changes people's behaviors, and ultimately creates a secure culture. This two-day intensive course will teach you the key concepts and skills needed to do just that, whether you are establishing a new program or maturing an existing one. The course content is based on lessons learned from hundreds of security awareness programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom plan to implement as soon as you return to your organization.

This Course Will Prepare You to:

Understand the Security Awareness Maturity Model and how to leverage it as the roadmap for your awareness program
Gain and maintain leadership support for your program, including aligning the program with your organization's strategic priorities
Implement key models for learning theory, behavioral change, and cultural analysis
Explain the difference between awareness, education, and training
Identify the maturity level of your existing awareness program and the steps to take it to the next level
Ensure compliance with key standards and regulations
Define human risk and explain the three different variables that constitute it
Explain risk assessment processes
Leverage the latest in Cyber Threat Intelligence and describe the most common tactics, techniques, and procedures used in today's human-based attacks
Identify, measure, and prioritize your human risks and define the behaviors that manage those risks
Define and build a role-based training program to manage your organization's human risks
Effectively engage, train, and communicate with your workforce, including by addressing the challenges of different cultures, generations, and nationalities
Sustain your security awareness program over the long term, going beyond changing behavior to changing culture
Measure the impact of your awareness program, track reduction in human risk, and communicate the program's value to leadership

NOTICE TO STUDENTS

This class is designed as a beginner to intermediate level course. Highly experienced security awareness professionals or senior security leaders should consider the more advanced five-day MGT521: Leading Cybersecurity Change: Building a Security-Based Culture

WHAT YOU WILL RECEIVE

This course provides you with the opportunity to join the SANS Security Awareness Community Forum, a private, invitation-only community of over 1,500 awareness officers who share resources and lessons learned. In addition, you will receive the following with the course:

Printed + Electronic course books that include slides with detailed notes for each slide
Printed + Electronic lab book
Digital download package containing digital copies of all the labs, supplemental materials, reports, and examples
MP3 audio files of the complete course lecture
One 90-day license to the entire SSA library of content. Read the FAQ here

ADDITIONAL RESOURCES

For those of you who are looking to get involved in this field, or are already involved but looking to grow, consider reading this blog on how to develop your career path.

2021 Security Awareness Report (TM): Managing Human Risk

WHAT TO TAKE NEXT

MGT521: Leading Cybersecurity Change: Building a Security-Based Culture. This course takes MGT433 to the next level by teaching you how to leverage the principles of organizational change in order to develop, maintain, and meausre a security-driven culture.

MGT512: Security Leadership for Managers. This course provides an overview of how to manage different security technologies, controls, and frameworks, and how they work together. It's an excellent way to better understand how awareness of human risk and knowing how to manage it partners with other elements of security.

MGT514: Security Strategic Planning, Policy, and Leadership. This is SANS' most advanced course for senior security leaders, CSOs. and CISOs. It's an excellent way to better understand how awareness of human risk and knowing how to manage it support your organization at a strategic level.

Syllabus (12 CPEs)

Download PDF

Overview
The first course section begins with the fundamentals by specifically answering two questions: What is awareness and how do we define it? What is human risk and how can awareness programs enable us to effectively manage it? We then cover the most critical foundations for a successful program, which include leadership support, a program charter, and an advisory board. We'll cover the science of behavior change and the two pillars of a strategy that supports that change. We then do a deep dive into identifying and prioritizing your organization's top human risks and the behaviors to manage those risks.
Topics
- The five stages of the Security Awareness Maturity Model
- The learning continuum: awareness, training, and education
- The definition of human risk and the three variables that define it
- Why humans are so vulnerable and the latest methods cyber attackers use to exploit these vulnerabilities
- Steps to gain and maintain leadership support for your program
- How to develop and leverage an effective Advisory Board
- The B.J. Fogg Behavior Model and how it applies to your overall strategy of changing workforce behavior
- Developing a strategic plan that prioritizes your organization's human risk and the behaviors to manage those risks, and that enables changing those behaviors.
- A walk-through on how to conduct a human risk assessment and how to prioritize your organization's top human risks, including leveraging the latest in Cyber Threat Intelligence (CTI): NOTE: This section includes two interactive labs. In the first lab you will analyze a CTI report and identify the most common risks to your industry. In the second lab, you will identify the top three human risks to your organization.
- An analysis of how to identify and prioritize the key behaviors that manage your organization's top human risks, including an overview of learning objectives. NOTE: This section includes an interactive lab on defining the key behaviors to manage a specific human risk.
Overview
The second course section begins with how to change behaviors at an organizational level, with a focus on building a customized engagement strategy unique to your organization's structure and culture. We then go into the different outreach and training categories and modalities before transitioning into a look at how to sustain change over the long term and impact culture. Finally, we'll explore how to measure the impact of your program and communicate that impact to leadership. We finish the section with a focus on how to put this all together and effectively implement your program.
Topics
- Introduction of the Golden Circle and the importance of "why"
- How you can effectively create an engagement strategy leveraging the AIDA marketing model
- Elements of cultural analysis
- Top tips for effective translation and localization
- The effective use of imagery, with a focus on diverse or international environments
- The two different training categories, primary and reinforcement, and the roles of each
- How to effectively develop and provide instructor-led training (ILT)
- How to effectively develop and provide virtual live training (VLT)
- How to effectively develop and deploy computer-based training (CBT)
- Different reinforcement methods, including newsletters, fact sheets, posters, internal social media, hosted speaker events, hacking demos, scavenger hunts, virtual lunch-and-learns, and numerous other training activities. NOTE: This section includes an interactive lab challenging you to conduct a cultural analysis of your organization and develop a customized engagement strategy.
- Sustaining an effective culture impact over the long term
- How to design, deploy, and leverage metrics to measure the impact of your awareness program
- Walk-through of the final planning and execution steps, including documenting a comprehensive project plan

SANS Security Awareness Professional

The SSAP credential signifies, documents, and certifies that the holder possesses the expertise and skills to effectively manage and measure human risk. These professionals are responsible for elevating the overall security behavior of the workforce through the use of effective ongoing learning programs.

Areas Covered:

Five stages of the Security Awareness Maturity Model
Impact measurement and communication of awareness program performance
Key models for learning theory, behavioral change, and cultural analysis

Prerequisites

This is a non-technical course designed for both new security awareness professionals and experienced ones who looking to expand and grow their awareness skills and expertise. While an understanding of cybersecurity risk and / or a technical background can help, it is in no way required.

Author Statement

"Having been actively involved in information security for more than 20 years, I have seen one constant factor: people are the number one attack vector for cyber attackers because we fail to properly invest in people and secure them. Once trained, your workforce will become your greatest asset, not only to prevent incidents but also to quickly identify and report them, resulting in a far more resilient organization. I am extremely excited about MGT433, as it provides organizations with the skills, resources, and community they need to build a mature security awareness program that effectively manages and measures human risk."

- Lance Spitzner

"Lance is a great speaker. Love the charisma, the energy, and the banter." - Chris Cioffi, Western Power Distribution

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend MGT433?

Security awareness / communication officers
Chief Security Officers, Risk Officers and security management officials
Security auditors, and governance, legal, privacy or compliance officers
Training, human resources and communications staff
Representatives from organizations regulated by industries such as HIPAA, GDPR, FISMA, FERPA, PCI-DSS, ISO/IEC 27001 SOX, NERC, or any other compliance-driven standard
Anyone involved in planning, deploying or maintaining a security education, training or communications program

See prerequisites

Reviews

This course has content every employee can use. Whether from a large company or small. It has sound starting point everyone can use.

Donna Hickman

GE Capital Retail Bank

The 'Who' and 'What' of training and awareness is just what I needed to take back home.

David N.

US Federal Department

Soup to nuts, this course covers the entire designing, building, deploying and measuring of an effective security awareness program.

Chris Sorensen

GE Capital

Timezone

Africa/Abidjan

Africa/Accra

Africa/Addis Ababa

Africa/Algiers

Africa/Asmara

Africa/Asmera

Africa/Bamako

Africa/Bangui

Africa/Banjul

Africa/Bissau

Africa/Blantyre

Africa/Brazzaville

Africa/Bujumbura

Africa/Cairo

Africa/Casablanca

Africa/Ceuta

Africa/Conakry

Africa/Dakar

Africa/Dar es Salaam

Africa/Djibouti

Africa/Douala

Africa/El Aaiun

Africa/Freetown

Africa/Gaborone

Africa/Harare

Africa/Johannesburg

Africa/Juba

Africa/Kampala

Africa/Khartoum

Africa/Kigali

Africa/Kinshasa

Africa/Lagos

Africa/Libreville

Africa/Lome

Africa/Luanda

Africa/Lubumbashi

Africa/Lusaka

Africa/Malabo

Africa/Maputo

Africa/Maseru

Africa/Mbabane

Africa/Mogadishu

Africa/Monrovia

Africa/Nairobi

Africa/Ndjamena

Africa/Niamey

Africa/Nouakchott

Africa/Ouagadougou

Africa/Porto-Novo

Africa/Sao Tome

Africa/Timbuktu

Africa/Tripoli

Africa/Tunis

Africa/Windhoek

America/Adak

America/Anchorage

America/Anguilla

America/Antigua

America/Araguaina

America/Argentina/Buenos Aires

America/Argentina/Catamarca

America/Argentina/ComodRivadavia

America/Argentina/Cordoba

America/Argentina/Jujuy

America/Argentina/La Rioja

America/Argentina/Mendoza

America/Argentina/Rio Gallegos

America/Argentina/Salta

America/Argentina/San Juan

America/Argentina/San Luis

America/Argentina/Tucuman

America/Argentina/Ushuaia

America/Aruba

America/Asuncion

America/Atikokan

America/Atka

America/Bahia

America/Bahia Banderas

America/Barbados

America/Belem

America/Belize

America/Blanc-Sablon

America/Boa Vista

America/Bogota

America/Boise

America/Buenos Aires

America/Cambridge Bay

America/Campo Grande

America/Cancun

America/Caracas

America/Catamarca

America/Cayenne

America/Cayman

America/Chicago

America/Chihuahua

America/Coral Harbour

America/Cordoba

America/Costa Rica

America/Creston

America/Cuiaba

America/Curacao

America/Danmarkshavn

America/Dawson

America/Dawson Creek

America/Denver

America/Detroit

America/Dominica

America/Edmonton

America/Eirunepe

America/El Salvador

America/Ensenada

America/Fort Nelson

America/Fort Wayne

America/Fortaleza

America/Glace Bay

America/Godthab

America/Goose Bay

America/Grand Turk

America/Grenada

America/Guadeloupe

America/Guatemala

America/Guayaquil

America/Guyana

America/Halifax

America/Havana

America/Hermosillo

America/Indiana/Indianapolis

America/Indiana/Knox

America/Indiana/Marengo

America/Indiana/Petersburg

America/Indiana/Tell City

America/Indiana/Vevay

America/Indiana/Vincennes

America/Indiana/Winamac

America/Indianapolis

America/Inuvik

America/Iqaluit

America/Jamaica

America/Jujuy

America/Juneau

America/Kentucky/Louisville

America/Kentucky/Monticello

America/Knox IN

America/Kralendijk

America/La Paz

America/Lima

America/Los Angeles

America/Louisville

America/Lower Princes

America/Maceio

America/Managua

America/Manaus

America/Marigot

America/Martinique

America/Matamoros

America/Mazatlan

America/Mendoza

America/Menominee

America/Merida

America/Metlakatla

America/Mexico City

America/Miquelon

America/Moncton

America/Monterrey

America/Montevideo

America/Montreal

America/Montserrat

America/Nassau

America/New York

America/Nipigon

America/Nome

America/Noronha

America/North Dakota/Beulah

America/North Dakota/Center

America/North Dakota/New Salem

America/Nuuk

America/Ojinaga

America/Panama

America/Pangnirtung

America/Paramaribo

America/Phoenix

America/Port-au-Prince

America/Port of Spain

America/Porto Acre

America/Porto Velho

America/Puerto Rico

America/Punta Arenas

America/Rainy River

America/Rankin Inlet

America/Recife

America/Regina

America/Resolute

America/Rio Branco

America/Rosario

America/Santa Isabel

America/Santarem

America/Santiago

America/Santo Domingo

America/Sao Paulo

America/Scoresbysund

America/Shiprock

America/Sitka

America/St Barthelemy

America/St Johns

America/St Kitts

America/St Lucia

America/St Thomas

America/St Vincent

America/Swift Current

America/Tegucigalpa

America/Thule

America/Thunder Bay

America/Tijuana

America/Toronto

America/Tortola

America/Vancouver

America/Virgin

America/Whitehorse

America/Winnipeg

America/Yakutat

America/Yellowknife

Antarctica/Casey

Antarctica/Davis

Antarctica/DumontDUrville

Antarctica/Macquarie

Antarctica/Mawson

Antarctica/McMurdo

Antarctica/Palmer

Antarctica/Rothera

Antarctica/South Pole

Antarctica/Syowa

Antarctica/Troll

Antarctica/Vostok

Arctic/Longyearbyen

Asia/Aden

Asia/Almaty

Asia/Amman

Asia/Anadyr

Asia/Aqtau

Asia/Aqtobe

Asia/Ashgabat

Asia/Ashkhabad

Asia/Atyrau

Asia/Baghdad

Asia/Bahrain

Asia/Baku

Asia/Bangkok

Asia/Barnaul

Asia/Beirut

Asia/Bishkek

Asia/Brunei

Asia/Calcutta

Asia/Chita

Asia/Choibalsan

Asia/Chongqing

Asia/Chungking

Asia/Colombo

Asia/Dacca

Asia/Damascus

Asia/Dhaka

Asia/Dili

Asia/Dubai

Asia/Dushanbe

Asia/Famagusta

Asia/Gaza

Asia/Harbin

Asia/Hebron

Asia/Ho Chi Minh

Asia/Hong Kong

Asia/Hovd

Asia/Irkutsk

Asia/Istanbul

Asia/Jakarta

Asia/Jayapura

Asia/Jerusalem

Asia/Kabul

Asia/Kamchatka

Asia/Karachi

Asia/Kashgar

Asia/Kathmandu

Asia/Katmandu

Asia/Khandyga

Asia/Kolkata

Asia/Krasnoyarsk

Asia/Kuala Lumpur

Asia/Kuching

Asia/Kuwait

Asia/Macao

Asia/Macau

Asia/Magadan

Asia/Makassar

Asia/Manila

Asia/Muscat

Asia/Nicosia

Asia/Novokuznetsk

Asia/Novosibirsk

Asia/Omsk

Asia/Oral

Asia/Phnom Penh

Asia/Pontianak

Asia/Pyongyang

Asia/Qatar

Asia/Qostanay

Asia/Qyzylorda

Asia/Rangoon

Asia/Riyadh

Asia/Saigon

Asia/Sakhalin

Asia/Samarkand

Asia/Seoul

Asia/Shanghai

Asia/Singapore

Asia/Srednekolymsk

Asia/Taipei

Asia/Tashkent

Asia/Tbilisi

Asia/Tehran

Asia/Tel Aviv

Asia/Thimbu

Asia/Thimphu

Asia/Tokyo

Asia/Tomsk

Asia/Ujung Pandang

Asia/Ulaanbaatar

Asia/Ulan Bator

Asia/Urumqi

Asia/Ust-Nera

Asia/Vientiane

Asia/Vladivostok

Asia/Yakutsk

Asia/Yangon

Asia/Yekaterinburg

Asia/Yerevan

Atlantic/Azores

Atlantic/Bermuda

Atlantic/Canary

Atlantic/Cape Verde

Atlantic/Faeroe

Atlantic/Faroe

Atlantic/Jan Mayen

Atlantic/Madeira

Atlantic/Reykjavik

Atlantic/South Georgia

Atlantic/St Helena

Atlantic/Stanley

Australia/ACT

Australia/Adelaide

Australia/Brisbane

Australia/Broken Hill

Australia/Canberra

Australia/Currie

Australia/Darwin

Australia/Eucla

Australia/Hobart

Australia/LHI

Australia/Lindeman

Australia/Lord Howe

Australia/Melbourne

Australia/NSW

Australia/North

Australia/Perth

Australia/Queensland

Australia/South

Australia/Sydney

Australia/Tasmania

Australia/Victoria

Australia/West

Australia/Yancowinna

Brazil/Acre

Brazil/DeNoronha

Brazil/East

Brazil/West

CET

CST6CDT

Canada/Atlantic

Canada/Central

Canada/Eastern

Canada/Mountain

Canada/Newfoundland

Canada/Pacific

Canada/Saskatchewan

Canada/Yukon

Chile/Continental

Chile/EasterIsland

Cuba

EET

EST

EST5EDT

Egypt

Eire

Etc/GMT

Etc/GMT+0

Etc/GMT+1

Etc/GMT+10

Etc/GMT+11

Etc/GMT+12

Etc/GMT+2

Etc/GMT+3

Etc/GMT+4

Etc/GMT+5

Etc/GMT+6

Etc/GMT+7

Etc/GMT+8

Etc/GMT+9

Etc/GMT-0

Etc/GMT-1

Etc/GMT-10

Etc/GMT-11

Etc/GMT-12

Etc/GMT-13

Etc/GMT-14

Etc/GMT-2

Etc/GMT-3

Etc/GMT-4

Etc/GMT-5

Etc/GMT-6

Etc/GMT-7

Etc/GMT-8

Etc/GMT-9

Etc/GMT0

Etc/Greenwich

Etc/UCT

Etc/UTC

Etc/Universal

Etc/Zulu

Europe/Amsterdam

Europe/Andorra

Europe/Astrakhan

Europe/Athens

Europe/Belfast

Europe/Belgrade

Europe/Berlin

Europe/Bratislava

Europe/Brussels

Europe/Bucharest

Europe/Budapest

Europe/Busingen

Europe/Chisinau

Europe/Copenhagen

Europe/Dublin

Europe/Gibraltar

Europe/Guernsey

Europe/Helsinki

Europe/Isle of Man

Europe/Istanbul

Europe/Jersey

Europe/Kaliningrad

Europe/Kiev

Europe/Kirov

Europe/Lisbon

Europe/Ljubljana

Europe/London

Europe/Luxembourg

Europe/Madrid

Europe/Malta

Europe/Mariehamn

Europe/Minsk

Europe/Monaco

Europe/Moscow

Europe/Nicosia

Europe/Oslo

Europe/Paris

Europe/Podgorica

Europe/Prague

Europe/Riga

Europe/Rome

Europe/Samara

Europe/San Marino

Europe/Sarajevo

Europe/Saratov

Europe/Simferopol

Europe/Skopje

Europe/Sofia

Europe/Stockholm

Europe/Tallinn

Europe/Tirane

Europe/Tiraspol

Europe/Ulyanovsk

Europe/Uzhgorod

Europe/Vaduz

Europe/Vatican

Europe/Vienna

Europe/Vilnius

Europe/Volgograd

Europe/Warsaw

Europe/Zagreb

Europe/Zaporozhye

Europe/Zurich

GB-Eire

GMT

GMT+0

GMT-0

GMT0

Greenwich

HST

Hongkong

Iceland

Indian/Antananarivo

Indian/Chagos

Indian/Christmas

Indian/Cocos

Indian/Comoro

Indian/Kerguelen

Indian/Mahe

Indian/Maldives

Indian/Mauritius

Indian/Mayotte

Indian/Reunion

Iran

Israel

Jamaica

Japan

Kwajalein

Libya

MET

MST

MST7MDT

Mexico/BajaNorte

Mexico/BajaSur

Mexico/General

NZ-CHAT

Navajo

PRC

PST8PDT

Pacific/Apia

Pacific/Auckland

Pacific/Bougainville

Pacific/Chatham

Pacific/Chuuk

Pacific/Easter

Pacific/Efate

Pacific/Enderbury

Pacific/Fakaofo

Pacific/Fiji

Pacific/Funafuti

Pacific/Galapagos

Pacific/Gambier

Pacific/Guadalcanal

Pacific/Guam

Pacific/Honolulu

Pacific/Johnston

Pacific/Kiritimati

Pacific/Kosrae

Pacific/Kwajalein

Pacific/Majuro

Pacific/Marquesas

Pacific/Midway

Pacific/Nauru

Pacific/Niue

Pacific/Norfolk

Pacific/Noumea

Pacific/Pago Pago

Pacific/Palau

Pacific/Pitcairn

Pacific/Pohnpei

Pacific/Ponape

Pacific/Port Moresby

Pacific/Rarotonga

Pacific/Saipan

Pacific/Samoa

Pacific/Tahiti

Pacific/Tarawa

Pacific/Tongatapu

Pacific/Truk

Pacific/Wake

Pacific/Wallis

Pacific/Yap

Poland

Portugal

ROC

ROK

Singapore

Turkey

UCT

US/Alaska

US/Aleutian

US/Arizona

US/Central

US/East-Indiana

US/Eastern

US/Hawaii

US/Indiana-Starke

US/Michigan

US/Mountain

US/Pacific

US/Samoa

UTC

Universal

W-SU

WET

Zulu

Filters:

Register for MGT433

In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more

OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Learn more

MGT433: Managing Human Risk: Mature Security Awareness Programs

SANS Security Awareness Professional (SSAP)

Course Authors:

Lance Spitzner

What You Will Learn

Syllabus (12 CPEs)

Overview

Topics

Overview

Topics

SANS Security Awareness Professional

Prerequisites

Author Statement

Ways to Learn

Who Should Attend MGT433?

Reviews

Filters:

Register for MGT433

Loading...

MGT433: Managing Human Risk: Mature Security Awareness Programs

SANS Security Awareness Professional (SSAP)

Course Authors:

Lance Spitzner

What You Will Learn

Syllabus (12 CPEs)

Overview

Topics

Overview

Topics

SANS Security Awareness Professional

Prerequisites

Author Statement

Ways to Learn

Who Should Attend MGT433?

Related Programs

Reviews

Filters:

Register for MGT433

Loading...