SP-014 Awareness and Training Pattern

Every security control ultimately depends on people. Firewalls can be misconfigured, access policies can be overridden, encryption can be bypassed -- and in almost every case, a human decision is in the chain. The Awareness and Training pattern addresses the most persistent and exploitable vulnerability in any security architecture: human behaviour.

This is not a pattern about annual compliance checkboxes. Organisations that treat awareness as a yearly e-learning module followed by a quiz are measuring completion rates, not security outcomes. Effective awareness and training programs are continuous, role-targeted, behaviour-changing, and measurable. They create a security culture where reporting a suspicious email is instinctive, where developers think about input validation before they write code, and where executives understand that security investment is risk management, not cost overhead.

The pattern operates across three tiers. First, baseline awareness for all personnel: organisation-wide security culture, acceptable use, data handling, physical security, and social engineering recognition. Second, role-based training for positions with elevated security responsibilities: system administrators, developers, incident responders, data handlers, and privileged access holders. Third, specialist certification and continuous development for security professionals, auditors, and compliance officers.

Third-party personnel -- contractors, consultants, outsourced service providers -- require equivalent coverage. An organisation's security posture is only as strong as the least-aware person with access to its systems. Supply chain breaches increasingly originate from compromised third-party credentials obtained through social engineering attacks that proper awareness training would have prevented.

The pattern also addresses the measurement problem. Traditional metrics (completion rates, quiz scores) measure participation, not effectiveness. Modern programs use phishing simulation click rates over time, time-to-report for suspicious activity, incident volumes by category, and pre/post assessment scores to demonstrate genuine behavioural change. These metrics feed back into program design, creating an adaptive loop where training content evolves in response to observed weaknesses.
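To make that measurement loop concrete, the following is an added Python example (it is not code from the OSA pattern or its diagram). It computes the behavioural metrics the paragraph names -- click rate and report rate per simulation campaign, median time-to-report, users who clicked without reporting, and repeat clickers across campaigns -- from constructed phishing-simulation records. The record structure, campaign identifiers, user names and timestamps are assumptions made for illustration.

```python
"""Awareness-program effectiveness metrics over constructed phishing-simulation data.

Added example, not part of the OSA SP-014 pattern page. The SimEvent layout,
campaign names, users and timestamps are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class SimEvent:
    campaign: str                  # simulation campaign identifier (constructed)
    user: str                      # recipient (constructed)
    sent: datetime                 # when the simulated phish was delivered
    clicked: Optional[datetime]    # None if the user never clicked the lure
    reported: Optional[datetime]   # None if the user never reported the message


# Constructed sample data: two campaigns three months apart, same four users.
EVENTS = [
    SimEvent("2026-Q1", "alice", datetime(2026, 1, 10, 9, 0), datetime(2026, 1, 10, 9, 5), None),
    SimEvent("2026-Q1", "bob",   datetime(2026, 1, 10, 9, 0), None, datetime(2026, 1, 10, 10, 0)),
    SimEvent("2026-Q1", "carol", datetime(2026, 1, 10, 9, 0), datetime(2026, 1, 10, 9, 30), datetime(2026, 1, 10, 9, 35)),
    SimEvent("2026-Q1", "dave",  datetime(2026, 1, 10, 9, 0), None, None),
    SimEvent("2026-Q2", "alice", datetime(2026, 4, 14, 9, 0), None, datetime(2026, 4, 14, 9, 20)),
    SimEvent("2026-Q2", "bob",   datetime(2026, 4, 14, 9, 0), None, datetime(2026, 4, 14, 9, 10)),
    SimEvent("2026-Q2", "carol", datetime(2026, 4, 14, 9, 0), datetime(2026, 4, 14, 11, 0), None),
    SimEvent("2026-Q2", "dave",  datetime(2026, 4, 14, 9, 0), None, datetime(2026, 4, 14, 13, 0)),
]


def campaign_metrics(events, campaign):
    """Behavioural metrics for one campaign: what people did, not whether they attended."""
    rows = [e for e in events if e.campaign == campaign]
    n = len(rows)
    clicked = sum(1 for e in rows if e.clicked is not None)
    reported = [e for e in rows if e.reported is not None]
    minutes_to_report = [(e.reported - e.sent).total_seconds() / 60 for e in reported]
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "report_rate": len(reported) / n,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        # Clicked and stayed silent: the priority group for follow-up micro-training.
        "clicked_unreported": sorted(e.user for e in rows if e.clicked and e.reported is None),
    }


def trend(events):
    """Metrics for every campaign in chronological (sorted) order, to show change over time."""
    return {c: campaign_metrics(events, c) for c in sorted({e.campaign for e in events})}


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    hits = {}
    for e in events:
        if e.clicked is not None:
            hits.setdefault(e.user, set()).add(e.campaign)
    return sorted(u for u, cs in hits.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    for campaign, m in trend(EVENTS).items():
        print(campaign, m)
    print("repeat clickers:", repeat_clickers(EVENTS))
```

On the constructed data the click rate falls from 50% to 25% between campaigns while the report rate rises from 50% to 75%, which is the shape of result a program should be looking for; the repeat-clicker and clicked-unreported lists are what feed targeting for the next round of role-specific content.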
Release: 26.02
Authors: Aurelius, Vitruvius
Updated: 2026-02-06
[Pattern diagram. Actors: IT Security Manager, Remote Worker, Office Worker, 3rd Party. Controls shown: AT-01 Security Awareness And Training Policy, AT-02 Security Awareness, AT-03 Security Training, AT-04 Security Training Records, PL-04 Rules Of Behavior, PS-01 Personnel Security Policy And Procedures, PS-02 Position Categorization, PS-06 Access Agreements, PS-07 Third-Party Personnel Security, PS-08 Personnel Sanctions, RA-03 Risk Assessment. Delivery channels: intranet channel and information library, targeted email, computer-based training, reporting, physical media (leaflet, placard, poster etc.), policies and standards, emerging threats and risks. Annotations: awareness program content, delivery channels and media are determined by organisation policies, working environments and culture, and modified according to emerging threats; reporting on training and on access to the intranet channel and information library allows content and schedule to be fine-tuned; awareness and training are modified by job role, and employment or 3rd-party contracts include security obligations, with induction training including security elements. OSA is licensed under Creative Commons Share-alike; see http://www.opensecurityarchitecture.org/about/license-terms.]


Key Control Areas

  • Security Awareness Program (AT-02, AT-01): The awareness program is the foundation. It must reach all personnel including employees, contractors, temporary staff, and third parties with system access. Content should cover: recognising social engineering and phishing attempts, data classification and handling obligations, acceptable use of systems and services, physical security (tailgating, clean desk, secure printing), incident reporting procedures, and the consequences of policy violations. Delivery should be continuous and multi-channel -- not a single annual session. Techniques include simulated phishing campaigns, short-form video, posters in common areas, security newsletters, gamified learning, and real-world case studies drawn from actual incidents (anonymised) within the organisation or industry. The program must be documented with clear ownership, typically shared between the CISO function and internal communications.
  • Role-Based Security Training (AT-03, PS-02, AT-04): Generic awareness is necessary but insufficient. Personnel in security-sensitive roles require targeted training calibrated to their specific risks and responsibilities. Position categorisation (PS-02) identifies which roles require enhanced training: system administrators need training on secure configuration and privilege management; developers need secure coding, OWASP Top 10, and secure SDLC practices; data handlers need classification procedures and breach notification obligations; executives and board members need governance-level risk understanding and decision-making frameworks; incident responders need exercise-based training on detection, containment, and evidence preservation. Training records (AT-04) must demonstrate that the right people received the right training at the right time -- this is a core audit evidence requirement across ISO 27001, SOC 2, PCI DSS, and most regulatory frameworks.
  • Personnel Security Lifecycle (PS-03, PS-04, PS-05, PS-06): Security awareness is not a point-in-time event -- it follows the personnel lifecycle. Pre-employment screening (PS-03) establishes the baseline: background checks proportionate to role sensitivity, verification of qualifications and references, and criminal record checks where legally permitted and role-appropriate. Access agreements (PS-06) ensure personnel formally acknowledge their security obligations before receiving system access. When personnel transfer between roles (PS-05), training must be updated to reflect new responsibilities and access levels -- a developer moving into a DevOps role inherits new privileged access that requires corresponding training. At termination (PS-04), off-boarding procedures must include return of assets, access revocation, and reminders of continuing obligations such as NDAs and data handling commitments.
  • Third-Party Personnel Security (PS-07, PS-08, SA-09 from related patterns): Third parties with access to organisational systems or data represent a significant and growing attack surface. Awareness requirements should be contractually mandated and verified. This includes: requiring third-party personnel to complete organisation-specific security awareness training before receiving access; including security training obligations in vendor contracts and SLAs; conducting periodic assessments of third-party security awareness posture; and ensuring sanctions (PS-08) can be applied for third-party security violations through contractual mechanisms. The organisation should maintain a register of third-party personnel with system access and their training completion status.
  • Incident Response and Reporting Culture (IR-02, PL-04): A well-trained workforce is the best early warning system. Staff who recognise and promptly report suspicious activity dramatically reduce attacker dwell time. Incident response training (IR-02) should be practical and exercise-based: tabletop exercises for management, hands-on simulations for technical staff, and clear, simple reporting procedures for all personnel. Rules of behaviour (PL-04) should explicitly define what constitutes a reportable event and emphasise that reporting is always the right action -- even false positives. A blame-free reporting culture is essential; organisations that punish staff for falling victim to sophisticated social engineering attacks drive incidents underground rather than eliminating them.
  • Contingency and Business Continuity Awareness (CP-03): Personnel must understand their roles during disruptive events. Contingency training ensures staff know the business continuity plan, their responsibilities during an incident, communication procedures when primary channels are unavailable, and recovery priorities. This is especially important for personnel who do not work in IT or security but whose cooperation is essential during a crisis. Regular exercises validate that training has been effective and identify gaps.
  • Risk-Informed Program Design (RA-03): The awareness and training program should be driven by risk assessment, not by generic templates. Identify the organisation's actual threat landscape: what social engineering techniques are being used against your industry? What are the most common causes of security incidents in your organisation? Where are the knowledge gaps? Use threat intelligence, incident data, and phishing simulation results to continuously refine training content and targeting. A financial services firm facing business email compromise should weight training differently from a healthcare organisation facing ransomware delivered via phishing.
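The Role-Based Security Training and Third-Party Personnel Security areas above both reduce to the same evidence question: can the organisation show, on any given date, that every person with access holds current training for their role? The following added Python example (not code from the OSA pattern) answers it over constructed data: a position categorisation table (PS-02) mapping roles to required courses, training records (AT-04) with a validity period, a person who has transferred into a role with new requirements (PS-05), and a third-party register (PS-07) checked for baseline completion before access. The course codes, validity periods, people, dates and the report date are all assumptions made for illustration.

```python
"""Role-based training gap report over constructed personnel and training records.

Added example, not code from the OSA SP-014 pattern page. Course codes,
validity periods, roles, people, completion dates and the report date are
constructed for illustration.
"""
from datetime import date, timedelta

BASELINE = "SEC-AWARE"          # organisation-wide awareness module (constructed code)
REPORT_DATE = date(2026, 2, 6)  # constructed "as of" date for the report

# Position categorisation (PS-02): role -> courses required beyond the baseline.
REQUIRED_BY_ROLE = {
    "developer":   {"SECURE-CODING"},
    "sysadmin":    {"PRIV-ACCESS", "SECURE-CONFIG"},
    "devops":      {"SECURE-CODING", "PRIV-ACCESS"},
    "finance":     {"BEC-VERIFY"},
    "third-party": set(),
}

# How long a completion record stays current, in days (constructed policy).
VALIDITY_DAYS = {
    "SEC-AWARE": 365, "SECURE-CODING": 730, "PRIV-ACCESS": 365,
    "SECURE-CONFIG": 730, "BEC-VERIFY": 365,
}

# Personnel register, including third parties (PS-07). All entries constructed.
PEOPLE = [
    {"id": "alice",    "role": "developer",   "access": True,  "third_party": False},
    # bob transferred from developer to devops (PS-05): existing records stay valid,
    # but the new role adds PRIV-ACCESS as a requirement.
    {"id": "bob",      "role": "devops",      "access": True,  "third_party": False},
    {"id": "carol",    "role": "finance",     "access": True,  "third_party": False},
    {"id": "vendor-1", "role": "third-party", "access": True,  "third_party": True},
    {"id": "vendor-2", "role": "third-party", "access": False, "third_party": True},
]

# Training records (AT-04): (person, course, completion date). All constructed.
RECORDS = [
    ("alice",    "SEC-AWARE",     date(2025, 9, 1)),
    ("alice",    "SECURE-CODING", date(2024, 11, 1)),
    ("bob",      "SEC-AWARE",     date(2025, 12, 1)),
    ("bob",      "SECURE-CODING", date(2025, 3, 1)),
    ("carol",    "SEC-AWARE",     date(2024, 10, 1)),   # expired by REPORT_DATE
    ("vendor-2", "SEC-AWARE",     date(2026, 1, 5)),
]


def current_completions(records, as_of):
    """Set of (person, course) pairs whose completion is still within its validity window."""
    return {
        (person, course)
        for person, course, done in records
        if done + timedelta(days=VALIDITY_DAYS[course]) > as_of
    }


def gap_report(people, records, as_of):
    """Map each person with a gap to the sorted list of required courses they lack."""
    done = current_completions(records, as_of)
    gaps = {}
    for p in people:
        required = {BASELINE} | REQUIRED_BY_ROLE[p["role"]]
        missing = sorted(c for c in required if (p["id"], c) not in done)
        if missing:
            gaps[p["id"]] = missing
    return gaps


def third_party_access_violations(people, records, as_of):
    """PS-07 check: third-party personnel holding access without current baseline awareness."""
    done = current_completions(records, as_of)
    return sorted(
        p["id"] for p in people
        if p["third_party"] and p["access"] and (p["id"], BASELINE) not in done
    )


if __name__ == "__main__":
    print("gaps as of", REPORT_DATE, gap_report(PEOPLE, RECORDS, REPORT_DATE))
    print("third parties with access but no baseline:",
          third_party_access_violations(PEOPLE, RECORDS, REPORT_DATE))
```

Run against the constructed data, the report flags the transferred DevOps engineer for the privileged-access course his new role requires, the finance user whose baseline has lapsed and who never took the BEC module, and the third party who was granted access before completing the baseline; the second vendor is clean because they completed the baseline before any access was granted. The same two functions are what an auditor asks for under AT-04 and PS-07: not a completion percentage, but the named gaps on a named date.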

When to Use

All organisations that employ people or engage third parties with system access should implement this pattern. It is universally applicable and is a mandatory requirement under virtually every compliance framework (ISO 27001 A.6.3, NIST CSF GV.AT, PCI DSS 12.6, SOC 2 CC1.4, CIS Control 14). Specific triggers for enhanced investment: high phishing click rates in simulation; repeat security incidents caused by human error; regulatory findings citing training deficiencies; significant organisational growth or transformation; adoption of new technologies (cloud, AI, remote work) that change the risk profile; or industry-specific regulations mandating awareness programs (financial services, healthcare, critical infrastructure).

When NOT to Use

There are no legitimate contra-indications for this pattern. Any organisation with personnel and information systems requires security awareness. The scope and depth should be proportionate to the organisation's risk profile, but a zero-investment approach is never appropriate. Even very small organisations benefit from basic security hygiene awareness.

Typical Challenges

  • Engagement fatigue is the primary challenge: staff who view security awareness as a bureaucratic checkbox will not change behaviour regardless of content quality. Combat this through variety in delivery, relevance to role, real-world examples, and visible executive participation.
  • Measuring genuine effectiveness rather than completion rates requires investment in simulation tools and analytics.
  • Budget constraints often reduce awareness programs to the minimum required for compliance, which is insufficient for actual risk reduction.
  • Reaching third-party personnel who may not use the organisation's systems for training delivery.
  • Keeping content current as threats evolve -- phishing techniques, social engineering tactics, and technology risks change faster than annual training cycles.
  • Multilingual and multi-cultural workforces require localised content.
  • Remote and hybrid workforces are harder to reach with physical security messaging and more susceptible to certain attack vectors.
  • Shadow IT and personal device usage create awareness gaps that organisational training cannot fully address.
  • Balancing security messaging with productivity -- excessive warnings create alert fatigue and are counterproductive.

Threat Resistance

  • Social engineering and phishing -- the most common initial attack vector in breach data year after year, with trained staff providing the primary defence layer.
  • Business email compromise targeting finance and executive personnel.
  • Insider threats, both malicious and negligent -- awareness of monitoring, policy, and consequences deters deliberate misuse while training reduces accidental incidents.
  • Credential compromise through weak passwords, password reuse, and credential sharing -- awareness drives adoption of password managers and MFA.
  • Data handling errors including misclassification, misdirected communications, and improper disposal.
  • Physical security breaches including tailgating, unsecured workstations, and improper document disposal.
  • Shadow IT and unauthorised service usage where employees bypass approved channels.
  • Regulatory non-compliance where training requirements are unmet.
  • Supply chain and third-party personnel exploitation.
  • Delayed incident reporting that increases attacker dwell time and breach impact.

Assumptions

  • The organisation has a defined information security policy framework that awareness and training can reference.
  • Management commitment exists to fund and support the program -- awareness without executive sponsorship is performative.
  • Personnel have allocated time for training activities during working hours.
  • The organisation has mechanisms to track training completion and measure effectiveness.
  • For third-party coverage, contractual authority exists to mandate training compliance.
  • Content delivery infrastructure (LMS, email, intranet) is available.
  • The threat landscape is dynamic and the program must adapt -- training content from two years ago is already partially obsolete.

Developing Areas

  • AI-generated phishing is rendering traditional awareness training increasingly inadequate. Large language models produce grammatically flawless, contextually personalised phishing emails that lack the spelling errors and awkward phrasing that users were trained to detect. AI-generated voice clones (vishing) and real-time video deepfakes in video calls are emerging attack vectors that existing training programmes do not address. The training industry is scrambling to develop exercises that teach users to verify requests through out-of-band channels rather than relying on content-based detection of social engineering attempts.
  • Measuring security culture as distinct from training compliance is an evolving discipline with no consensus methodology. Traditional metrics (completion rates, phishing simulation click rates) measure behaviour in test conditions, not genuine cultural embedding. Emerging approaches use sentiment analysis of internal communications, voluntary security reporting rates, time-to-report for genuine incidents, and anonymous culture surveys with psychometric frameworks adapted from safety culture research. However, correlating these culture metrics with actual security outcomes (breach rates, incident severity) requires longitudinal data that most organisations have not yet accumulated.
  • Personalised adaptive training platforms that adjust content difficulty, topic selection, and delivery frequency based on individual user behaviour are emerging but adoption is limited. These platforms use machine learning to identify which users are most susceptible to specific attack types and deliver targeted micro-training at the moment of highest receptivity. Early evidence suggests 30-40% better retention compared to one-size-fits-all annual training, but the data requirements for personalisation raise privacy concerns that European organisations in particular must navigate carefully under GDPR worker monitoring provisions.
  • Deepfake awareness for voice and video communications is becoming an urgent training need as the technology required to clone voices from short audio samples becomes freely available. Reported incidents of AI-generated voice calls impersonating executives to authorise wire transfers have increased dramatically, with individual losses exceeding $25 million in documented cases. Training programmes must now cover verification procedures for verbal instructions, particularly for financial transactions and privileged access requests, but the training content and simulation tools for deepfake awareness are still in early development.
Controls Referenced (AT: 5, CP: 1, IR: 1, PL: 1, PS: 8, RA: 1)
AT-01 Security Awareness And Training Policy And Procedures
AT-02 Security Awareness
AT-03 Security Training
AT-04 Security Training Records
AT-05 Contacts With Security Groups And Associations
CP-03 Contingency Training
IR-02 Incident Response Training
PL-04 Rules Of Behavior
PS-01 Personnel Security Policy And Procedures
PS-02 Position Categorization
PS-03 Personnel Screening
PS-04 Personnel Termination
PS-05 Personnel Transfer
PS-06 Access Agreements
PS-07 Third-Party Personnel Security
PS-08 Personnel Sanctions
RA-03 Risk Assessment