What are some good questions to ask a service provider about Security Awareness Training that they have to offer?

Posted on 2014-07-30
Medium Priority
Last Modified: 2014-08-15
We are looking at a provider called "Knowbe4". I want to come up with some questions about their services to dig deeper into what they can provide as far as security awareness. Before I have a meeting/call with them, I want to know what questions I should be asking them to make sure I get what I need out of their services? Please list a few high level questions. Thank you.
Question by: freebeee01
LVL 21

Expert Comment

ID: 40229857
I would like to know how the training provider would push for changing the status quo. What means would they have as their primary channel for awareness training? I mean videos or PowerPoint slides are good, but how can we make it better? Making the training fun and interactive would help drive the points home.

Awareness programs and security trainings are 2 separate things. How would they be able to influence the behavior change in your users? All of your users, don't skip on the per-diems or contract emps. Awareness should not be just a "check the box" exercise.
LVL 21

Expert Comment

ID: 40229861
Also, how would they provide measurement? How would the awareness be measured?

Accepted Solution

Sean Jackson earned 1500 total points
ID: 40230092
I would want to see some metrics from past engagements they've done.  Those could be redacted to protect the innocent, of course.

I would ask if they distribute materials among the staff, or is it all in a dark conference room with a PowerPoint presentation. Do they do it in smaller groups, one on one, etc?

I would ask how often they update their training materials.  Are they aware of the latest threats and vulnerabilities?  

Do their trainers hold any security certifications?

Do the OWNERS have any security certifications?  This would be a very good indicator on if the company is truly focused on security awareness or just making some money.

Author Comment

ID: 40230202
Those are some good questions. I need a few more. Something along the lines of how should I execute or implement this in my environment, so forth and so on.

Expert Comment

by:Sean Jackson
ID: 40230249
I would anticipate they would address those questions in your initial conversation.

Meaning, they're going to bring it up, not you.

Author Comment

ID: 40231010
This is SAAS (100% cloud based training). I will be the facilitator/trainer for my company responsible for registering users, reminding users to sign up for the training and do the exercise. The service will also provide templates that I can send to my users as an email to test them after they receive the training. I have a few questions for those that have incorporated this in their place of work.

1. What are some ideas to make training fun and interactive?

2. What are some corrective options/actions to deal with my employees who fail the PST (Phishing Security Test) after they have been given the training?

3. What is the best approach to incorporate security awareness for new employees during their orientation when they hop on board? Maybe train HR personnel so they will know how to provide a brief overview to the new employees in the form of a slide show, video, etc? I don't know, what's the best approach? Does anyone have any experience with this?

4. Also thinking about placing posters in certain areas of our building to encourage people to take the training, are there any posters online so that I can print them out?

5. How often should I do the PST with my users, and why?

Anything else creative that I can do, let me know.

Assisted Solution

by:Sean Jackson
Sean Jackson earned 1500 total points
ID: 40232225
I would not make it optional to attend the training, and for that, you need support from above.  Make the training available to them at times that are more convenient if you can't do it all at once.  If it's optional, no one is going to attend.

A good way to get this buy off would be to run a Phishing test (authorized by whomever has authority, of course) before the training, and show the results to management.  Show them just how bad it is, and how the training will directly address that vulnerability.

Training being fun and interactive? Show some examples?  I always like to use the balloon / yelling overwhelming scene from Sneakers to show how hackers can distract the victim and get them to follow instructions.

I have 'gamified' security awareness by creating a quiz system: when users logged into the corporate admin area, they'd get one question, they had the option to postpone the question (if they were putting out some kind of fire), and if they got it right, they got a clip from Monty Python or something. If they got it wrong, they got the troll being flung into the pit from The Holy Grail. On the backend, we were able to see who was answering what questions wrong, what questions always had wrong answers (need more training), who was getting lots of questions wrong (need more individual training), and who was always getting things right. Those in the last group got recognized and occasionally gift carded or lunch bought.

I would test Phishing every six months or so, assuming an external party hasn't tested it already for you (and you knew about it).

I know of no posters to help you.

If someone fails the testing, don't make them feel stupid, bad, or like they should be in trouble. Security isn't supposed to do any of those things. Help them learn how to be more careful, more cautious about what they see in email. It's not only going to help the company, it will help them personally to think a little more carefully about their interactions. That means it can help them at home too.

I'm gladdened to see you're taking on this endeavor.  It can be tough.  Good job.
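The backend analysis described in the answer above (which questions are always missed, who misses many questions, who always gets them right) and the before/after phishing-test comparison it recommends showing to management can both be produced from a simple results log. The following is an added example, not code from Experts Exchange, the answerer, or KnowBe4; the users, question ids, campaign names and the 50% thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class QuizAnswer:
    """One answer to one login-time quiz question."""
    user: str
    question: str
    correct: bool


@dataclass(frozen=True)
class PhishResult:
    """Outcome for one recipient in one simulated-phishing campaign."""
    campaign: str
    user: str
    clicked: bool


# Constructed sample data: hypothetical users, question ids and campaigns.
QUIZ_LOG = [
    QuizAnswer("alice", "q1", True),  QuizAnswer("alice", "q2", True),  QuizAnswer("alice", "q3", True),
    QuizAnswer("bob",   "q1", False), QuizAnswer("bob",   "q2", False), QuizAnswer("bob",   "q3", True),
    QuizAnswer("carol", "q1", True),  QuizAnswer("carol", "q2", False), QuizAnswer("carol", "q3", True),
    QuizAnswer("dave",  "q1", False), QuizAnswer("dave",  "q2", False), QuizAnswer("dave",  "q3", False),
]

PHISH_LOG = [
    PhishResult("baseline", "alice", False), PhishResult("baseline", "bob", True),
    PhishResult("baseline", "carol", True),  PhishResult("baseline", "dave", True),
    PhishResult("post-training", "alice", False), PhishResult("post-training", "bob", False),
    PhishResult("post-training", "carol", False), PhishResult("post-training", "dave", True),
]


def _rates(records, key, flag):
    """Fraction of records per key(record) for which flag(record) is true."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for r in records:
        k = key(r)
        totals[k] += 1
        if flag(r):
            hits[k] += 1
    return {k: hits[k] / totals[k] for k in totals}


def question_failure_rates(answers):
    """Wrong-answer rate per question: high values mean the topic needs more training."""
    return _rates(answers, key=lambda a: a.question, flag=lambda a: not a.correct)


def user_failure_rates(answers):
    """Wrong-answer rate per user: high values mean individual follow-up."""
    return _rates(answers, key=lambda a: a.user, flag=lambda a: not a.correct)


def triage(answers, question_gap=0.5, user_gap=0.5):
    """Split quiz results into the three follow-up groups (thresholds are assumptions)."""
    q_rates = question_failure_rates(answers)
    u_rates = user_failure_rates(answers)
    return {
        "questions_needing_more_training": sorted(q for q, r in q_rates.items() if r >= question_gap),
        "users_needing_individual_training": sorted(u for u, r in u_rates.items() if r >= user_gap),
        "users_to_recognize": sorted(u for u, r in u_rates.items() if r == 0.0),
    }


def click_rates(results):
    """Click rate per phishing campaign, e.g. baseline versus post-training."""
    return _rates(results, key=lambda r: r.campaign, flag=lambda r: r.clicked)


if __name__ == "__main__":
    for group, members in triage(QUIZ_LOG).items():
        print(f"{group}: {', '.join(members) or '-'}")
    for campaign, rate in click_rates(PHISH_LOG).items():
        print(f"{campaign}: {rate:.0%} clicked")
```

Feeding the real quiz or phishing-test export into `QUIZ_LOG` and `PHISH_LOG` gives the per-question, per-user and per-campaign figures in one pass; the thresholds are deliberately parameters so the "needs more training" cut-off can be tuned rather than hard-coded.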
