Koyer Training Services
Phone: (+44) 113 216 3188 | Email: info@koyertraining.com

Human Factors in Security: Building a Security-Aware Culture

Category: Cybersecurity and Digital Risk | Published: October 25, 2025

Introduction

The human element remains the most critical, yet often weakest, link in the security chain. This course moves beyond simplistic, mandatory annual training to focus on the psychology, communication, and management techniques required to fundamentally change user behavior and build a true security-aware culture. Participants will learn how to design, implement, and measure the effectiveness of engaging, continuous security awareness and training (SAT) programs. The goal is to transform employees from passive liabilities into active, proactive defenders, thereby significantly reducing the risk from social engineering and internal errors.

Objectives

This program is designed to equip security managers, awareness specialists, and HR professionals with the psychological and strategic tools to build, manage, and measure a high-impact security culture and awareness program.

Target Audience

  • Security Awareness and Training (SAT) Specialists.
  • CISO and Security Directors.
  • HR and Internal Communications Teams.
  • Compliance and GRC Professionals.
  • Internal Auditors.
  • SOC/Incident Response Team Members.
  • Department Heads and Team Leads.

Methodology

  • Group activities designing a 12-month security awareness communications calendar.
  • Hands-on exercise creating a non-punitive response policy for a failed phishing test.
  • Case studies on major breaches where human error was the root cause.
  • Discussions on the ethical use of gamification and internal security measurements.
  • Role-playing a presentation to a CEO to gain buy-in for a culture change program.

Personal Impact

  • Ability to design and lead a sustainable, high-impact security culture program.
  • Expertise in the psychology of behavior change and adult learning principles.
  • Mastery of conducting risk-based phishing simulations and measuring success.
  • Skills to effectively engage and train diverse, specialized audiences (e.g., developers).
  • Credibility in communicating human risk metrics to executive leadership.
  • Enhanced personal communication and influencing skills.

Organizational Impact

  • Significant reduction in incidents caused by human error (e.g., phishing, misconfiguration).
  • Improved employee compliance with security policies and procedures.
  • Development of a proactive "security champion" network across the organisation.
  • Faster incident reporting and better internal vigilance against social engineering.
  • Demonstrable due diligence to auditors on the human risk front.
  • Transformation of employees from liabilities to active defenders.

Course Outline

Unit 1: Foundations of Security Culture

Section 1.1: Defining Security Culture
  • The difference between Security Awareness, Training, and Culture.
  • Psychology of security behavior change and decision-making.
  • Understanding cognitive biases and how they affect security decisions.
  • The critical role of leadership and management in setting culture tone.
Section 1.2: Phishing and Social Engineering
  • Deep dive into common social engineering tactics and techniques.
  • Understanding the psychology of persuasion and influence in attacks.
  • Building and running a continuous, risk-based phishing simulation program.
  • Analyzing and communicating phishing simulation results effectively.

Unit 2: Designing the Awareness Program

Section 2.1: Needs Assessment and Content Strategy
  • Conducting a security culture assessment and identifying high-risk groups.
  • Tailoring content for specific roles (Executives, Developers, Finance, etc.).
  • Strategies for continuous, just-in-time, and micro-learning content delivery.
  • Creating a communications plan and brand for the security program.
Section 2.2: Gamification and Engagement
  • Applying gamification principles to motivate and sustain engagement.
  • Designing recognition and reward programs for security advocates/champions.
  • Using storytelling and real-world examples to make security memorable.
  • Leveraging internal communication channels (e.g., Slack, newsletters, town halls).

Unit 3: Security Champions and Developers

Section 3.1: The Security Champion Program
  • Defining the structure, roles, and responsibilities of Security Champions.
  • Strategies for recruiting and empowering cross-functional champions.
  • Developing specialized training and resources for the champions network.
  • Measuring the impact and ROI of the Security Champions program.
Section 3.2: Training for Developers
  • Moving beyond generic training to secure coding and AppSec education.
  • Integrating hands-on, contextualized training into the DevSecOps pipeline.
  • Managing and measuring the compliance of development teams.
  • Cultivating a "security-first" mindset within product development.

Unit 4: Measuring and Reporting Culture

Section 4.1: Metrics and KPIs
  • Developing quantitative and qualitative metrics for measuring culture change.
  • Using behavioral data (phishing click rates, clean desk policy adherence) as metrics.
  • Designing an annual or semi-annual security culture survey.
  • Translating culture metrics into business risk terms for executive reporting.
Section 4.2: Reporting to Executives and the Board
  • Developing a compelling narrative that links culture to breach reduction.
  • Presenting SAT program results and budget justification.
  • Communicating incidents as opportunities for cultural learning.
  • The role of internal audit in assessing security awareness and culture.

Unit 5: Advanced Topics and Future Trends

Section 5.1: Insider Risk Management
  • Identifying behavioral indicators of malicious and negligent insider threats.
  • Developing a non-punitive, supportive policy for reporting mistakes.
  • The importance of off-boarding security awareness and controls.
  • Integration of Human Risk Management (HRM) tools and processes.
Section 5.2: Future of Awareness
  • Leveraging AI/ML to personalize awareness content and delivery.
  • Awareness for remote workers, contractors, and third parties.
  • Embedding security awareness into new technologies (IoT, cloud, etc.).
  • The evolving role of the CISO as the Chief Culture Officer.

Upcoming Sessions

  • Abu Dhabi: December 15, 2025 - December 19, 2025
  • Abuja: January 05, 2026 - January 09, 2026
  • Amsterdam: January 26, 2026 - January 30, 2026

© 2025 Koyer Training Services