Four steps to a fully automated security awareness program

Post hero image

Table of contents

Within the security awareness industry, the level of automation in delivering training is becoming increasingly important. Security teams are frequently overworked. CIOs are always looking for more talent and resources to join their team. Security professionals are high in demand, short in supply, and costly. This is why it´s important to apply automation in many areas of your security program to conserve resources.When developing security awareness training, there are several components that can be automated. This article will paint you a picture of what full automation in phishing training could look like for your organization in each of the four phases of training, from start to finish.

1. Planning and Content Creation


Planning requires significant time and resource investment. If training is going to be delivered in multiple languages, the security team will need to hire professional translators or procure the help from multilingual team members.One or more team members will need to research the latest trends in attacks on a monthly basis and create new templates to ensure content stays relevant and fresh. Those templates will also have to be translated into each language. The frequency of attacks will have to be determined several months in advance to plan which employees will be in charge of sending out the simulated phishing emails.


The language of content can be set up and modified easily by the employee or administrators at any time. Content is handled by the vendor, updated regularly, and translated across all languages. Time and cost savings can be significant when there are no internal team members working for hours on the planning and content creation phase.Vendors often have intelligence from a high volume of reported threats that they can utilize to develop up to date and relevant training content. In some solutions, onboarding support is provided reducing the manual work required for communication efforts as well.

2. Training Development and Personalization


The same initial tests are sent out to all employees. Within a few weeks, each employee is grouped into a particular category based on whether they passed, failed, or did not interact in the initial training simulations. The categories can vary significantly across organizations, but one example could be that failed participants receive 3 extra simulations during a particular time frame (next 6 months) and continued failure would result in extra training (videos, classroom lectures, etc.).The training frequency is limited as each simulation requires time investment from the security team. Even when employees are offered different training paths, the quantity and level of individualization will be limited as security teams don´t have unlimited resources to develop a unique training path for every employee. The main areas of personalization may be the language of the content and department-specific content, and likely little attention is focused on adapting training to each employee´s individual skill level.


With full automation, training can be randomly sent out to employees. Based on the knowledge and skill level determined after the initial simulations, a personalized learning path can be created on an individual level with the help of machine learning.The frequency of training can be increased to upwards of 36-48 simulations sent per year to each employee. Each of those can also be adapted to the particular learning path of the employee. This keeps employees on their toes with frequent training that can help with the behavior change many CISOs desire. Security teams do not utilize any resources for this part of training execution in full automation.

3. Threat Identification, Classification, and Escalation


When developing security training internally, manually developed phishing simulations will often end up in the same email inbox or the same dashboard as real threats, depending on the company´s threat reporting process. When employees accidentally click on malicious content, the process for notifying the security team often requires significant communication back and forth with the employee to understand what was clicked, what information was downloaded, etc. Employees have to call a number or email someone when they make a mistake, and as Kaspersky mentions, employees don´t want to do that as it is a cumbersome process. This wastes valuable time that security team members could use to detect and block the attacker from pushing further into their company´s infrastructure.


Threat identification is handled with a report button and employees click this button for two reasons:

  1. If they have discovered a possible phish email and want to report it for analysis
  1. If they have made a mistake and they realized they have interacted with a possible phish email

In the reporting process, simulated attacks are not escalated to the security team. All training is done directly through the employee´s email client which improves the employee experience without hindering the security team´s operations. Anything suspicious can be escalated automatically to security teams based on the organization´s requirements after the report button is clicked by the employee.If employees do interact with a phishing email by downloading content, clicking links, entering a password, etc. they can select those options in the reporting section. This eliminates the need for a security team member to find out the details over the phone or by email of what happened since the information is visible in their threat dashboard.

4. Tracking and Evaluating Employee Progress


Employee evaluation in manually operated phishing training usually involves a scorecard of how employees performed on the latest attacks. Reports are usually looked at from an organizational level to assess the level of vulnerability, as those report designs and layouts may have to be manually created by security team members.


With an automated solution, evaluating employee progress is simple and easy to do. Administrators can check at any time how a particular employee, department, or geographic location is doing in the training. Progress can be tracked over various periods of time with a simple click in the admin dashboard. Report design is developed by the vendor based on key criteria identified by the organization, and the administrators can input more details to customize the report generated for them.

Comparing manual and automated security awareness training

manual and automated phishing training comparison
Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this