Social Engineering Awareness Programs: Part 5



The opinions expressed in this post do not necessarily reflect those of Joe’s employers: past, present, or future. While I am a security professional, I am not your security professional. The data included in this post is sound by current industry parameters, your mileage may vary.


Now that the program has been implemented and we have planned for the good and the bad, we come to the ugly, so to speak: maintaining the program so that the culture stays in place while new issues are addressed and the knowledge and application of the training concepts are reinforced in a practical environment. While I called this ugly earlier, it is actually easy as long as it is actively maintained.

The Maintenance

In this phase, we continue to educate the people and test them. The main training should be provided annually or semi-annually. On a monthly basis, I recommend using a Security Thought of the Month (STOM) program to convey concepts (which can be used inside and outside of both information security and social engineering) to people (users) in small tidbits. In a four-week cycle, the program can run as follows:

  1. Send a short email (3-5 paragraphs) to all users explaining the absolute core concepts of the topic. This should be very elementary and only lay the foundation for the remaining weeks.
  2. Send a couple of paragraphs to build on the initial email. Start to explain the applicability of the topic and its concepts.
  3. Send a couple more paragraphs with slightly more advanced concepts than week 2. This should begin to discuss attacks and defenses.
  4. Send a conclusion paragraph that tells the users what the organization expects and what actions are required. Convey their role in the process and empower them to make the right decision. Leave the door open for questions.

Next comes the dreaded and unpopular part of maintenance: testing. In this part of maintenance, you will send phishing emails. They can be either developed in house or delivered via a service like PhishMe. They should not go to the whole organization at once, but rather to 3 or 4 groups. This prevents people from alerting others to the test, and since it will be known that testing may occur, it keeps the users on their toes with heightened awareness.

I recommend sending a minimum of 1, and ideally 2 or 3, emails to each user annually. If a user falls victim, conduct remedial training and include them in the next cycle. In the remedial training, explain that this was a test and reiterate the proper steps and procedures. Reinforcement is better than punishment, unless malicious intent was involved. As with any process, review this annually and refresh the training and concepts to include the most current threats and trends so users are up to date with what they may see.
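As an added illustration of the testing cadence described above (not code from the original post), the following Python tracker splits a constructed, hypothetical roster into 3 or 4 groups, adds anyone who fell victim in an earlier cycle to the next cycle, and reports who is still below the annual minimum. The group size, roster and user names are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed roster of hypothetical users; not from the original post.
ROSTER = ["ana", "ben", "chen", "dana", "eli", "fay", "gus", "hana"]

@dataclass
class UserRecord:
    tests_sent: int = 0           # simulated phishes received this year
    victim_count: int = 0         # how many times the user acted on one
    retest_pending: bool = False  # fell victim; must be in the next cycle

def assign_groups(users, n_groups=4):
    """Round-robin the roster into 3 or 4 groups so only a slice of the
    organization is tested at a time and word cannot spread to everyone."""
    groups = [[] for _ in range(n_groups)]
    for i, user in enumerate(sorted(users)):
        groups[i % n_groups].append(user)
    return groups

class PhishTestTracker:
    def __init__(self, users):
        self.records = {u: UserRecord() for u in users}

    def cycle_targets(self, group):
        """A cycle's recipients: the scheduled group plus anyone who fell
        victim earlier and is owed remedial training and a retest."""
        pending = {u for u, r in self.records.items() if r.retest_pending}
        return sorted(set(group) | pending)

    def record_cycle(self, targets, victims):
        """Record one cycle's results; victims are queued for remedial
        training and for inclusion in the next cycle, as the post advises."""
        for user in targets:
            rec = self.records[user]
            rec.tests_sent += 1
            rec.retest_pending = False  # this cycle satisfies a pending retest
        for user in victims:
            rec = self.records[user]
            rec.victim_count += 1
            rec.retest_pending = True

    def remedial_queue(self):
        """Users owed remedial training before the next cycle."""
        return sorted(u for u, r in self.records.items() if r.retest_pending)

    def below_minimum(self, minimum=1):
        """Users not yet at the annual minimum (1; ideally 2 or 3)."""
        return sorted(u for u, r in self.records.items() if r.tests_sent < minimum)
```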


In conclusion, a social engineering awareness program can be a low-cost tool to help save your organization from disaster. From a realistic perspective, this program should cover all aspects of the life cycle and include planning for obstacles. The methods provided in this blog series will help to enhance the security of your organization. The framework can be applied to other aspects of information security as well. I hope that you will be able to apply this in your organization and see the same success that I have.

Social Engineering Awareness Programs: Part 1
Social Engineering Awareness Programs: Part 2
Social Engineering Awareness Programs: Part 3
Social Engineering Awareness Programs: Part 4


About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security. Joe is in pursuit of his PhD in Information Technology (with focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He also is a part-time (Adjunct) Faculty at Georgia Gwinnett College. Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone in addition to tinkering with and testing scripts in R and Python.