Top Cybersecurity Training Protects Your Assets - Learn From the BEST and Apply New Knowledge Immediately!

2-Day Firehose Training | May 26 - Live Online

Virtual, US Eastern | Tue, May 26 - Fri, May 29, 2020

MGT433: SANS Security Awareness: How to Build, Maintain, and Measure a Mature Awareness Program

Wed, May 27 - Thu, May 28, 2020

Associated Certification: SANS Security Awareness Professional (SSAP)

 Watch a free preview of this course

Course Syllabus  ·  12 CPEs  ·  Laptop Not Needed
Instructor: Lance Spitzner

Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their workforce. As a result, people, not technology, have become the most common target for cyber attackers. The most effective way to secure the human element is to establish a mature security awareness program that goes beyond just compliance, changes peoples' behaviors and ultimately creates a secure culture. This intense two-day course will teach you the key concepts and skills needed to do just that, and is designed for those establishing a new program or wanting to improve an existing one. Course content is based on lessons learned from hundreds of security awareness programs from around the world. In addition, you will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom security awareness plan that you can implement as soon as you return to your organization.

You Will Learn:

  • The Security Awareness Maturity Model and how to leverage it as the roadmap for your awareness program
  • How to gain and maintain leadership support for your program
  • Key models for learning theory, behavioral change and cultural analysis
  • How to identify different target groups and deploy role based training.
  • How to effectively engage and communicate to your workforce, to include addressing the challenges of different roles, generations and nationalities
  • How to sustain your security awareness program long term, including advanced programs such as gamification and ambassador programs
  • How to measure the impact of your awareness program, track reduction in human risk, and communicate the program's value to leadership

Course Syllabus

Lance Spitzner
Wed May 27th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

CPE/CMU Credits: 6

  • The five stages of the Security Awareness Maturity Model
  • The three variables of risk and their role in awareness
  • Why humans are so vulnerable and the latest methods cyber attackers use to exploit these vulnerabilities
  • The learning continuum: awareness, training, and education
  • Steps to gaining and maintaining leadership support
  • How to develop and leverage an effective Advisory Board
  • B.J. Fogg Behavior Model and how it applies to your overall strategy of changing workforce behavior
  • Developing a strategic plan based on three key questions: Who, What, and How
  • Who: Identifying the different targets of your awareness program. Whose behaviors do you want to change? NOTE: This section includes an interactive group lab where you identify and analyze key target groups in your organization
  • What: Identifying and prioritizing the top human risks to your organization and the behaviors that will most effectively manage those risks. NOTE: This section includes two interactive labs, one conducting a qualitative risk analysis for your organization and a second lab on behavioral management by defining key learning objectives

Lance Spitzner
Thu May 28th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

CPE/CMU Credits: 6

  • How: How will you communicate your program and train your workforce. This includes defining why cybersecurity is important to your organization, different training modalities and the most successful strategies to engage people.
  • The effective use of imagery, to include imagery within diverse or international environments
  • Top tips for effective translation / localization
  • The two different communication methods: primary and reinforcement, and the advantages / disadvantages of each
  • How to effectively develop and provide instructor-led training (ILT)
  • How to effectively develop and deploy online / computer based training (CBT)
  • Different reinforcement methods, including newsletters, fact sheets, posters, internal social media, hosted speaker events, hacking demos, escape rooms, lunch-n-learns and numerous other training activities. NOTE: This section includes an interactive lab combining a cultural analysis, communication methods, and different training modalities
  • Long term sustainment for effective culture impact, to include gamification and ambassador programs
  • Design, deploy, and leverage metrics to measure the impact of your awareness program, including how to effectively establish a global phishing program and measure culture. Note: This section includes an interactive lab in identifying and defining the top security awareness metrics specific to your program.
  • Walking through the final planning and execution steps, to include documenting a comprehensive project plan

Additional Information

  • Security awareness / communication officers
  • Chief Security Officers, Risk Officers and security management officials
  • Security auditors, and governance, legal, privacy or compliance officers
  • Training, human resources and communications staff
  • Representatives from organizations regulated by industries such as HIPAA, GDPR, FISMA, FERPA, PCI-DSS, ISO/IEC 27001 SOX, NERC, or any other compliance-driven standard
  • Anyone involved in planning, deploying or maintaining a security education, training or communications program
  • Opportunity to join the SANS Security Awareness Community Forum, a private, invite-only community of over 1,000 awareness officers who share resources and lessons learned
  • Electronic Courseware that include printed slides and detailed notes for each slide
  • Electronic lab book
  • Digital Download Package containing digital copies of all the labs, supplemental materials, reports, and examples
  • MP3 audio files of the complete course lecture
  • Identify the maturity level of your existing awareness program and the steps to take it to the next level
  • Explain the difference between awareness, education, and training
  • Explain the three different variables of risk and how they apply to managing human risk and security awareness training
  • Explain why people are vulnerable and how cyber attackers are actively exploiting these vulnerabilities
  • Gain and maintain long-term leadership support for your program
  • Identify the different targets of your awareness program and build a role-based training program
  • Characterize the culture of your organization and determine the most effective communication methods and training modalities for that culture
  • Identify, measure, and prioritize your human risks
  • Design and implement key metrics to measure the impact of each stage of your awareness program, to include measuring compliance, behaviors, and culture

"The 'Who' and 'What' of training and awareness is just what I needed to take back home." - David Nix, Department of Energy

"Soup to nuts, this class covers the entire designing, building, deploying and measuring of an effective security awareness program." - Chris Sorensen - GE Capital

"MGT433 gives great view on how to build a full security program." - Eman Al Awadhi, TRA

For those of you who are looking to get involved in this field, or are already involved but looking to grow, consider reading this blog on how to develop your career path.

Author Statement

Having been actively involved in information security for more than 20 years, I have seen one constant factor: people are the number one target for cyber attackers because we fail to properly invest in and secure them. Once trained, your workforce will become your greatest asset, not only in preventing incidents but being able to quickly identify and report them, developing a far more resilient organization. I am extremely excited about MGT433, as we provide organizations with the skills, resources and community they need to build a high-impact security awareness program that will not only change behaviors, but also measure that change.

- Lance Spitzner