Social Engineering Awareness Programs: Part 5



The opinions expressed in this post do not necessarily reflect those of Joe’s employers: past, present, or future. While I am a security professional, I am not your security professional. The data included in this post is sound by current industry parameters; your mileage may vary.


Now that the program has been implemented and we have planned for the good and the bad, it is time for the ugly, so to speak: maintaining the program. This is where we keep the culture in place while addressing new issues and reinforcing the knowledge and application of the training concepts in a practical environment. While I called this the ugly part, it is actually easy as long as it is actively maintained.

Maintenance

In this phase, we continue to educate the people and test them. The main training should be provided annually or semi-annually. On a monthly basis, I recommend a Security Thought of the Month (STOM) program that conveys concepts (usable both inside and outside of information security and social engineering) to the users in small tidbits. In a 4-week cycle, the program can run as follows:

  1. Week 1: Send a short email (3-5 paragraphs) to all users explaining the absolute core concepts of the topic. This should be very elementary and only lay the foundation for the remaining weeks.
  2. Week 2: Send a couple of paragraphs that build on the initial email. Start to explain the applicability of the topic and its concepts.
  3. Week 3: Send a couple more paragraphs with slightly more advanced concepts than week 2. This should begin to discuss attacks and defenses.
  4. Week 4: Send a concluding paragraph that tells the users what the organization expects of them and which actions are required. Convey their role in the process and empower them to make the right decision. Leave the door open for questions.

Next comes the dreaded and unpopular part of maintenance: testing. In this part of maintenance, you will send simulated phishing emails. They can either be developed in-house or delivered via a service such as PhishMe. They should not go to the whole organization at once, but rather to 3 or 4 groups on a staggered schedule. This reduces the chance that the first recipients warn the others before their email arrives, and since it will be known that testing may occur, it keeps the users on their toes with heightened awareness.

I recommend sending a minimum of 1, and ideally 2 or 3, test emails to each user annually. If a user falls victim, conduct remedial training and include them in the next cycle. In the remedial training, explain that this was a test and reiterate the proper steps and procedures. Reinforcement is better than punishment, unless malicious intent was involved. As with any process, review this annually and refresh the training and concepts to include the most current threats and trends so users are up to date with what they may see.
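The testing procedure above has a few moving parts that are easy to get wrong by hand: splitting each cycle into staggered waves, guaranteeing that anyone who fell for the last test is re-tested in the next cycle, and checking at year end that every user saw at least the minimum number of tests. The script below is an added example that implements that bookkeeping; it is not code from this post, from PhishMe, or from any other vendor. The user names, the 3-wave split, the 50% sampling fraction and the result log are constructed sample data, and the function names are my own.

```python
"""Staggered phishing-test scheduling and remediation tracking.

Added illustration of the testing phase described in the post; not code from
the post or from any vendor. All names and data below are constructed.
"""
import random
from collections import Counter

# Actions that count as "fell victim" to the simulated phish.
FAIL_ACTIONS = {"clicked", "submitted"}


def select_cycle(users, failed_last, fraction=0.5, seed=0):
    """Pick the users for one test cycle.

    Everyone who failed the previous test is mandatory (remedial training
    plus a re-test); the remainder is a random sample, so nobody is tested
    every single cycle but everyone is tested over the year.
    """
    rng = random.Random(seed)              # fixed seed: deterministic demo
    mandatory = sorted(set(failed_last) & set(users))
    others = sorted(set(users) - set(mandatory))
    target = max(len(mandatory), round(len(users) * fraction))
    rng.shuffle(others)
    return mandatory + others[: target - len(mandatory)]


def make_waves(selected, n_waves=3, seed=0):
    """Shuffle the cycle's users into n_waves staggered groups, so a warning
    passed around by one wave cannot reach everyone before their email lands."""
    rng = random.Random(seed)
    pool = list(selected)
    rng.shuffle(pool)
    return [pool[i::n_waves] for i in range(n_waves)]


def evaluate(results):
    """Summarise a result log of (user, action) tuples.

    Returns (failed_users, reported_users, action_counts). A user who clicked
    and later reported still counts as failed: the click already happened.
    """
    failed, reported, counts = set(), set(), Counter()
    for user, action in results:
        counts[action] += 1
        if action in FAIL_ACTIONS:
            failed.add(user)
        elif action == "reported":
            reported.add(user)
    return sorted(failed), sorted(reported - failed), counts


def under_minimum(tests_per_user, minimum=1):
    """Users tested fewer than `minimum` times this year (the post's floor is
    one test per user per year, ideally two or three)."""
    return sorted(u for u, n in tests_per_user.items() if n < minimum)


if __name__ == "__main__":
    users = [f"user{i:02d}" for i in range(1, 13)]          # constructed
    # Constructed log from the previous cycle, one row per user action.
    previous_results = [
        ("user03", "clicked"), ("user07", "submitted"), ("user07", "reported"),
        ("user01", "reported"), ("user05", "ignored"),
    ]
    failed, reported, counts = evaluate(previous_results)
    print("remedial training + re-test:", failed)
    print("reported without clicking:", reported, dict(counts))
    chosen = select_cycle(users, failed, fraction=0.5)
    for n, wave in enumerate(make_waves(chosen, n_waves=3), 1):
        print(f"wave {n}: {wave}")
    yearly = Counter({u: 0 for u in users})
    yearly.update(chosen)                                    # one cycle so far
    print("still below the annual minimum:", under_minimum(yearly, minimum=1))
```

Run it as a script to see one cycle planned from the constructed log. The failed users always land in the next cycle, and the separate `under_minimum` pass is what catches the people the random sampling keeps missing, which is the check a yearly review of the program needs.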


In conclusion, a social engineering awareness program can be a low-cost tool that helps save your organization from disaster. Realistically, this program should cover all aspects of the life cycle and include planning for obstacles. The methods provided in this blog series will help enhance the security of your organization, and the framework can be applied to other aspects of information security as well. I hope that you will be able to apply this in your organization and see the same success that I have.

Social Engineering Awareness Programs: Part 1
Social Engineering Awareness Programs: Part 2
Social Engineering Awareness Programs: Part 3
Social Engineering Awareness Programs: Part 4


About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.