
Network Security 2012

Las Vegas, NV | Sun, Sep 16 - Mon, Sep 24, 2012

MGT433: Securing The Human: Building and Deploying an Effective Security Awareness Program

Sun, September 23 - Mon, September 24, 2012

I'm running a global program as a team of one. The networking is invaluable.

Janet Roberts, American Express Co.

The course covered how to create a comprehensive program and gave me many more ideas and inspiration (really!) to hit the ground running. Learned from hearing fellow students' feedback. Also felt good about what I've done thus far!

Yvonne Bashor, Oregon Legislature

Organizations have invested in information security for years now. Unfortunately, almost all of this effort has been focused on technology, with little, if any, effort on the human factor. As a result, the human is now the weakest link. From RSA and Epsilon to Oak Ridge National Labs and Google, the simplest way for cyber attackers to bypass security is to target your employees. One of the most effective ways to secure the human is an active awareness and education program that goes beyond compliance and changes behaviors. In this challenging course you will learn the key concepts and skills to plan, implement, and maintain an effective security awareness program that makes your organization both more secure and compliant. In addition, you will develop metrics to measure the impact of your program and demonstrate its value. Finally, through a series of labs and exercises, you will develop your own project and execution plan, so you can immediately implement your customized awareness program upon returning to your organization.

Course Syllabus

Lance Spitzner
Sun Sep 23rd, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


  • Defining the elements of risk and their role in awareness
  • Why humans are so vulnerable and how cyber attackers exploit these vulnerabilities
  • Defining awareness, training, and education
  • Getting both management support and a budget
  • Determining strategic issues including: building a steering committee, documenting an awareness policy, developing overall goals, and identifying limitations
  • How to structure a large, enterprise solution that scales for multiple business units
  • How to build a modular program that can adapt to your organization's changing needs
  • Who - Identifying the different targets of your awareness program
  • What - Identifying and prioritizing the topics that will have both the greatest impact for your organization and ensure you are compliant
  • Creating and documenting lesson objectives for each of your topics

Lance Spitzner
Mon Sep 24th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


  • How - Identify the most effective communication methods for your organization's culture
  • The two different communication methods: Primary and Reinforcement
  • The advantages, disadvantages, and what works for the two different primary methods: instructor-led and computer-based training
  • The options for deploying computer-based training, and their advantages and disadvantages, including use of a Learning Management System (LMS)
  • Different reinforcement methods, including newsletters, posters, and screensavers
  • Leveraging imagery for your awareness program
  • How to present, including ten key steps to success and ten mistakes to avoid
  • Developing an execution plan and execution checklist
  • Designing and using metrics to track both the compliance and the impact of your program, including awareness assessments
  • Updating and improving your program

Additional Information

"The Who and What of training and awareness is just what I needed to take back home." - David Nix - Department of Energy

"Soup to nuts, this class covers the entire designing, building, deploying and measuring an effective security awareness program." - Chris Sorensen - GE Capital

  • Security awareness training officers
  • Chief Security Officers (CSO's) and security management
  • Security auditors, governance, and compliance officers
  • Training, human resources and communications staff
  • Organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Family Educational Rights and Privacy Act (FERPA), Payment Card Industry Data Security Standard (PCI-DSS), ISO/IEC 27001, Sarbanes-Oxley Act (SOX), or any other compliance-driven standards
  • Anyone responsible for planning, deploying, or maintaining an awareness program

Author Statement

After being actively involved in information security for over fifteen years, I have seen one constant factor: employees are the weakest link. What amazes me is that so many people agree on this point, but so few organizations do anything about it. I'm determined to change that. I am extremely excited about Securing the Human, as we provide organizations the skills they need to build an effective awareness program and secure their employees. By securing the human, organizations will not only be fully compliant but be far more secure than they could ever be with technology alone. - Lance Spitzner