
Course Overview
Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their workforce. As a result, people, not technology, have become the primary attack vector for cyber attackers. The most effective way to manage your organization's human risk is to establish a mature security awareness program that goes beyond compliance, changes people's behaviors, and ultimately creates a secure culture. This two-day intensive course will teach you the key concepts and skills needed to do just that, whether you are establishing a new program or maturing an existing one. The course content is based on lessons learned from hundreds of security awareness programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom plan to implement as soon as you return to your organization.
This Course Will Prepare You to:
- Understand the Security Awareness Maturity Model and how to leverage it as the roadmap for your awareness program
- Gain and maintain leadership support for your program, including aligning the program with your organization's strategic priorities
- Implement key models for learning theory, behavioral change, and cultural analysis
- Explain the difference between awareness, education, and training
- Identify the maturity level of your existing awareness program and the steps to take it to the next level
- Ensure compliance with key standards and regulations
- Define human risk and explain the three different variables that constitute it
- Explain risk assessment processes
- Leverage the latest in Cyber Threat Intelligence and describe the most common tactics, techniques, and procedures used in today's human-based attacks
- Identify, measure, and prioritize your human risks and define the behaviors that manage those risks
- Define and build a role-based training program to manage your organization's human risks
- Effectively engage, train, and communicate with your workforce, including by addressing the challenges of different cultures, generations, and nationalities
- Sustain your security awareness program over the long term, going beyond changing behavior to changing culture
- Measure the impact of your awareness program, track reduction in human risk, and communicate the program's value to leadership

What You Will Receive
This course provides you with the opportunity to join the SANS Security Awareness Community Forum, a private, invitation-only community of over 1,500 awareness officers who share resources and lessons learned. In addition, you will receive the following with the course:
- Printed + Electronic course books that include slides with detailed notes for each slide
- Printed + Electronic lab book
- Digital download package containing digital copies of all the labs, supplemental materials, reports, and examples
- MP3 audio files of the complete course lecture
- One 90-day license to the entire SSA library of content.
Additional Resources
For those of you who are looking to get involved in this field, or are already involved but looking to grow, consider reading this blog on how to develop your career path.
What to Take Next
MGT512: Security Leadership for Managers. This course provides an overview of how to manage different security technologies, controls, and frameworks, and how they work together. It's an excellent way to better understand how awareness of human risk and knowing how to manage it partners with other elements of security.
MGT514: Security Strategic Planning, Policy, and Leadership. This is SANS' most advanced course for senior security leaders, CSOs, and CISOs. It's an excellent way to better understand how awareness of human risk and knowing how to manage it support your organization at a strategic level.
MGT521: Leading Cybersecurity Change: Building a Security-Based Culture. This course will enable you to go beyond just changing behavior and learn how to truly impact your organization's culture.
"Having been actively involved in information security for more than 20 years, I have seen one constant factor: people are the number one attack vector for cyber attackers because we fail to properly invest in people and secure them. Once trained, your workforce will become your greatest asset, not only to prevent incidents but also to quickly identify and report them, resulting in a far more resilient organization. I am extremely excited about MGT433, as it provides organizations with the skills, resources, and community they need to build a mature security awareness program that effectively manages and measures human risk."
- Lance Spitzner
"Lance is a great speaker. Love the charisma, the energy, and the banter." - Chris Cioffi, Western Power Distribution