Need some advice on implementing Security Awareness Training within my company

Posted on 2014-08-15
Last Modified: 2016-05-12
I am having difficulties having my employees sign up and complete the mandatory online training (Knowbe4). What action(s) should I take for those that have not signed up and completed the courses before the deadline, which is fast approaching? Please list some corrective action items I can use to get them to complete the courses.
Question by:freebeee01
    LVL 5

    Accepted Solution

    Start with buy-in from upper management, then work with HR and make it clear that there are consequences for not attending.  And make sure there are consequences.  Security awareness is never something people want to take time for.  They won't do it on their own.
    LVL 60

    Expert Comment

    Punitive action will not bode any benefits or greater awareness. Now is the carrot to pull them for the learning, and if possible allocate a time to have all go to a terminal and run the elearning through (of course their supervisor (or senior) gives the "ok") - don't let it be a chance for them to "skip" important work or meetings.

    - Another means is at login to "force" the run-through or a reminder splashboard, and even better, they can only use the notebook if they complete the elearning series.

    - Plan early and schedule; best if they can do it within a period, save where they stop, and come back to finish when time is convenient.

    - Make them aware of how long it takes to complete the elearning series, and that the certificate of completion is to be submitted to their superior and eventually sent to the coordinator for compilation to update management on the org security health scorecard - this may get some on the move, since management is to be informed subsequently of the results too.

    - Top down tends to be more viable than technical means or even multiple reminders ... make this a company policy and have regular taking such as competency profile (include in their "CV"). I will try to avoid the "shame" scheme to flag those "missing in action" or negligent.
    LVL 10

    Assisted Solution

    by:Scott Thomson
    First, the guys are correct. Start with upper management and let them know how important this is. Any kind of chart or statistic that scares the living hell out of them should be a good way to get their approval. Especially when you mention that not having users complete security policy training might end up biting them as the manager/CEO/boss man.

    Then you need to make it very simple. A very quick, harsh "punishment" for not completing the security course. Any users who have not completed the course and accepted the IT agreement will have their access disabled because they are deemed a security risk until this training is completed.

    As Neo said in The Matrix - "the problem is choice". If the user has a choice they will wait and wait and wait. Make them and management believe there are only 2 choices:
    1. the sensible choice of security training
    2. Disabled account and no access etc.

    This will force the management of that particular team to do your job for you and chase up their team so they are not sitting there useless when the date passes.


    As to how to implement that system
    - Set all AD accounts (minus service accounts) to expire on a certain date.
    - For each printed certificate that you get you remove that expiry.
    - This way only the people who haven't completed it have expiry dates.
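
The expiry scheme from the post above, sketched in PowerShell as an added example (not part of the original post or written by its author). It assumes the ActiveDirectory module, a CSV of users whose certificates have been received, and a dedicated service-account OU; the path, column name, OU and deadline are placeholders. It defaults to a dry run and leaves any expiry date it did not set in place.

```powershell
# Added example, not from the original post. All values below are assumptions.
Import-Module ActiveDirectory

$Deadline     = Get-Date '2030-01-31 18:00'               # placeholder training deadline
$CompletedCsv = 'C:\Temp\training-completed.csv'           # hypothetical export, column SamAccountName
$ServiceOU    = 'OU=Service Accounts,DC=example,DC=com'    # hypothetical OU for service accounts
$DryRun       = $true                                      # set to $false to apply changes

# Build a lookup of users whose certificate has been received.
$completed = @{}
Import-Csv -Path $CompletedCsv | ForEach-Object {
    $completed[$_.SamAccountName.Trim().ToLower()] = $true
}

# Enabled user accounts outside the service-account OU.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate |
    Where-Object { $_.DistinguishedName -notlike "*,$ServiceOU" }

foreach ($u in $users) {
    $expiry   = $u.AccountExpirationDate
    # "Ours" means the expiry matches the training deadline set by this script.
    $isOurs   = $expiry -and [math]::Abs(($expiry - $Deadline).TotalMinutes) -lt 1
    $finished = $completed.ContainsKey($u.SamAccountName.ToLower())

    if ($finished -and $isOurs) {
        # Certificate received: remove only the expiry this script set.
        Clear-ADAccountExpiration -Identity $u -WhatIf:$DryRun
    }
    elseif (-not $finished -and -not $expiry) {
        # Not yet completed and no expiry of its own: expire at the deadline.
        Set-ADAccountExpiration -Identity $u -DateTime $Deadline -WhatIf:$DryRun
    }
    elseif (-not $finished -and -not $isOurs) {
        # Pre-existing expiry (e.g. a contractor end date): leave it, but report it.
        Write-Warning "$($u.SamAccountName): existing expiry $expiry left unchanged"
    }
}
```
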
    LVL 60

    Expert Comment

    Sometimes we just need some mandate to get this going for Employees as well - take a sample of the responsibility of individual spelled out and sign off in agreement to fulfil ...

    Author Comment


    I like your comment, which makes perfect sense. Two more weeks left before the deadline and I still have a number of people who have not yet completed the training. I think at this point, I need to send an email to the management team to have their subordinates complete and acknowledge the security policy, and also an email targeting those that have not completed their training that their account will be locked if they do not complete it before the deadline.

    That said, can someone please help me come up with an email template for:

    1) Email to management team to encourage their subordinates to complete and acknowledge the security policy.
    2) Email indicating their account will be locked if they do not complete training before the deadline, because they are deemed a security risk.

    The challenge is dealing with the executives, who think they are too good for this and that it's a waste of time. I'm sure I will have the buy-in from my VP of IT to lock out users, but I'm sure the executives will have a fit about that.
    LVL 60

    Expert Comment

    It will be best drafted by someone in your organisation's corp comms, but you can share the "meat". It probably should cover some background on the numerous reminders (period) and the responsibility for all, from bottom to top level, to comply. The tone will probably have to be more "harsh" and direct to the point (no long email).

    You must ensure through the broadcast and message that each staff has due diligence to make sure attendance to the training and acknowledged in compliance to the completion of the training. This is in all mean adhered in accordance with the Organisation mandate and standard....

    Employees are responsible for exercising good judgment regarding the reasonableness of fulfilling the training. There is accommodation to make conveniences such that Individual in each departments can be attended to the etraining etc. In the absence of any reasonable failure in attendance and completion, each should be guided by departmental policies on declaring early to the superior and make due care to complete in approved later date. Any further uncertainty, each should consult their supervisor or manager promptly.

    Any employee found to have not been able to fulfil this requirement and policy, will be subject to disciplinary action, up to and including termination of employment.

    Author Comment


    I think that is too harsh. Let's keep it short and to the point. Is there anyone who can help me generate two email templates as I specified above?
    LVL 60

    Assisted Solution

    Sure I believe it is easier to tone down than tone up ... I am sure you can find some template from the following writeup.

    The Employee Wins.
    One of the most difficult things to implement in a company is change. Change comes hardest at the employee level. There is always some new program or other being foisted on them to improve their production, their motivation, and their corporate life as a whole. A successful security awareness program is neither a frontal assault upon them, nor is it a manipulative device to garner change. Instead, an effort to raise awareness of security issues around them is introduced. Awareness of behaviors that invite loss of personal privacy through social engineering, awareness of not only what is policy and how to respond to deviations or violations of it, awareness of the role each employee plays in the defense of company information.

    This is a Win for Management.
    This is a win for management because a new awareness becomes a culture change instead of a short-lived dying program. This can be accomplished by maximizing the reach of the program with a consistent message. The key is the consistency of the message. Security is everyone’s job.

    If we are to survive, we must survive on the Internet. To survive on the Internet, we must be aware of how to safeguard company assets. We must have a Security Awareness program and a security policy. Why not benefit everyone by leveraging one from the other?

    Sec U R IT y - Tag! You're it!
    Have a slogan

    More tips
