User Awareness & Training Playbook
Technology controls stop known threats. Your people stop the unknown ones — but only if they know what to look for. This playbook builds a sustainable security culture through structured training, phishing simulations, and a clear framework for what to do when something looks wrong.
Purpose & Objectives
The goal of this playbook is to build a genuine security culture — not a compliance checkbox. Staff who understand why security matters, what good looks like, and how to report concerns are exponentially more valuable than any firewall.
Build Awareness
Ensure every staff member can identify the most common threats — phishing, social engineering, and malicious links — and knows the right response.
Create a Reporting Culture
Staff should feel safe reporting suspicious activity without fear of blame. Early reporting stops incidents before they escalate.
Meet Compliance Obligations
ACSC Essential Eight ML2+, the Privacy Act, and cyber insurance policies increasingly require documented security training programs.
Reduce Incident Rate
Measure phishing click rates, incident reports, and near-miss reports over time. The goal is continuous improvement, not perfection.
Target Audience & Role Differentiation
Security training is not one-size-fits-all. Content should be adapted based on the risk profile and responsibilities of each role group.
General Users
All employees, contractors, and third-party partners with access to business systems. Core topics: phishing recognition, password hygiene, incident reporting, physical security, and data handling basics.
IT Staff & System Administrators
Additional training on secure configuration, privileged account management, patch management, incident response procedures, and ACSC Essential Eight technical controls.
Directors & Business Owners
Spear-phishing and BEC targeting, board-level responsibility for security governance, cyber insurance obligations, privacy breach notification requirements, and risk-based decision making.
Core Training Topics
Phishing & Social Engineering
The leading cause of breaches. Staff must learn to recognise suspicious sender addresses, urgency tactics, unexpected attachments and links, impersonation of known brands or colleagues, and requests for credentials or payments via email.
Password Security & MFA
Covers the password policy, the importance of unique passwords, how to use a password manager, and how to respond to unexpected MFA prompts. Reference the full Password Security Playbook for complete guidance.
Data Privacy & Handling
What constitutes sensitive data in your context (client financial data, health records, personal information, legal documents), how to handle it appropriately, and what constitutes a notifiable data breach under the Australian Privacy Act.
Physical Security
Clean desk policy, screen lock habits, tailgating prevention, visitor management, secure disposal of physical documents, and the risks of using personal devices for work without IT oversight.
Safe Use of Cloud & SaaS Applications
What can and cannot be stored in personal cloud storage, how to share files securely in SharePoint/OneDrive, Teams data governance, and the risks of connecting unapproved apps to M365 via OAuth.
Recognising & Reporting Incidents
How to identify a potential incident, who to contact, what information to preserve, and what not to do. The emphasis is on removing the fear of reporting — near-misses should be celebrated, not penalised.
Training Delivery Methods
Effective security awareness requires a mix of formats. No single method reaches every learning style or builds lasting habits on its own.
Phishing Simulations
Simulated phishing campaigns using platforms like KnowBe4 send realistic-looking phishing emails to staff. Those who click receive immediate, non-punitive micro-training. Track click rates over time to measure improvement.
E-Learning Modules
Self-paced online courses with knowledge checks. Scalable, trackable, and flexible. Best for covering policy content, compliance requirements, and foundational topics at onboarding.
Live Workshops & Webinars
Instructor-led sessions work best for complex topics (BEC scenarios, incident response) and for executive audiences. Interactive Q&A sessions surface real concerns staff wouldn't raise in a module.
Quick Reference Materials
One-page guides, cheat sheets, and posters for common scenarios — how to report a phishing email, what to do if you think you've been compromised, password creation guidance. Place them visibly in the workplace.
Security Briefings & Newsletters
Brief monthly updates (email or Teams message) highlighting recent threat trends, any incidents in your industry, and reminders of key policies. Keep them short and specific — not generic IT updates.
Onboarding Security Induction
Every new hire should complete security training before or on day one — before they have access to business systems. Cover the key policies, how to report issues, and who their IT contact is.
Training Schedule
Measuring Effectiveness
Training that isn't measured isn't managed. These are the metrics that matter for a security awareness program.
Phishing Click Rate
Percentage of simulated phishing emails that result in a click. Target below 5% after 6 months. Track by department to identify high-risk groups.
Phishing Report Rate
Percentage of simulated phishing emails that are correctly reported. High report rates indicate strong awareness. This matters more than click rate.
Training Completion Rate
Percentage of staff who complete mandatory training modules on time. Non-completions should be flagged to managers within 7 days of the deadline.
Incident & Near-Miss Reports
Number of security incidents or near-misses reported by staff. Increasing reports often means improving culture — not more incidents. Celebrate reporting.
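As an added example (not part of the playbook), the following Python script computes these four metrics from constructed phishing-simulation and training-completion records: click and report rates broken down by department, departments at or above the 5% click-rate target, on-time completion rate, and non-completions that are 7 or more days past deadline grouped by manager for escalation. All names, departments, dates and results are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real results): one row per staff member per simulation.
SIMULATION_RESULTS = [
    {"user": "alice", "dept": "Finance", "clicked": False, "reported": True},
    {"user": "bob", "dept": "Finance", "clicked": True, "reported": False},
    {"user": "carol", "dept": "Finance", "clicked": False, "reported": False},
    {"user": "dave", "dept": "Ops", "clicked": False, "reported": True},
    {"user": "erin", "dept": "Ops", "clicked": False, "reported": True},
    {"user": "frank", "dept": "Ops", "clicked": False, "reported": False},
]
# Constructed training records: completed is None when the module is not yet done.
TRAINING_RECORDS = [
    {"user": "alice", "manager": "fin-mgr", "deadline": date(2024, 3, 1), "completed": date(2024, 2, 20)},
    {"user": "bob", "manager": "fin-mgr", "deadline": date(2024, 3, 1), "completed": None},
    {"user": "dave", "manager": "ops-mgr", "deadline": date(2024, 3, 10), "completed": None},
]
AS_OF = date(2024, 3, 12)  # constructed reporting date for the overdue check
CLICK_RATE_TARGET = 5.0    # playbook target: below 5% after 6 months
ESCALATION_DAYS = 7        # playbook rule: flag non-completions to managers after 7 days


def rates_by_department(results):
    """Return {dept: (click_rate_pct, report_rate_pct)}; per-department tracking exposes high-risk groups."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r["dept"]]
        t["sent"] += 1
        t["clicked"] += int(r["clicked"])
        t["reported"] += int(r["reported"])
    return {d: (100.0 * t["clicked"] / t["sent"], 100.0 * t["reported"] / t["sent"])
            for d, t in totals.items()}


def departments_above_target(results, target=CLICK_RATE_TARGET):
    """Departments whose click rate is at or above the target and need extra attention."""
    return sorted(d for d, (click, _) in rates_by_department(results).items() if click >= target)


def completion_rate(records):
    """Percentage of mandatory modules completed on or before their deadline."""
    on_time = sum(1 for r in records if r["completed"] is not None and r["completed"] <= r["deadline"])
    return 100.0 * on_time / len(records)


def overdue_escalations(records, today=AS_OF, grace_days=ESCALATION_DAYS):
    """Non-completions at least grace_days past deadline, grouped by manager for escalation."""
    out = defaultdict(list)
    for r in records:
        if r["completed"] is None and (today - r["deadline"]).days >= grace_days:
            out[r["manager"]].append(r["user"])
    return dict(out)
```

Feeding a platform export (KnowBe4 or Attack Simulator CSV) into the same record shape gives the same breakdown on real campaigns.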
Building an Incident Reporting Culture
The biggest obstacle to early incident detection is fear. Staff who think they'll be blamed for clicking a phishing link will stay silent — and a contained incident becomes a full breach.
Make Reporting Easy
Staff should be able to report suspicious emails with one click. Microsoft Defender's Report Message button in Outlook is the standard for M365 environments.
Celebrate Near-Misses
When someone reports a phishing email they nearly clicked — that's a win. Acknowledge it publicly (with permission). It signals that reporting is valued, not punished.
No-Blame Policy for Reported Incidents
If a staff member reports an incident they caused, the response must be supportive, not punitive. The goal is containment and learning. Blame drives incidents underground.
Share Learnings (Without Embarrassment)
After any incident, share the key lessons with the team in a de-identified way. "Someone in the business received a convincing phishing email last month — here's what it looked like" is more effective than a generic warning.
Roles & Responsibilities
All Staff
- Complete mandatory training within required timeframes
- Report suspicious emails and activity immediately
- Follow password and MFA policy
- Raise security concerns without fear
IT Staff & System Administrators
- Design, schedule, and run training programs
- Manage phishing simulation platform and report results
- Respond to reported incidents promptly
- Review and update training content annually
Directors & Business Owners
- Champion security culture visibly — participate in training
- Ensure staff have time allocated for training
- Enforce policy for persistent non-compliance
- Approve budget for security awareness tools
Recommended Tools & Platforms
KnowBe4
Industry-leading security awareness platform with thousands of phishing templates, automated training campaigns, and reporting dashboards. Ideal for businesses wanting a dedicated awareness program without heavy IT overhead.
Microsoft Defender for Office 365
Native M365 tooling including Attack Simulator (phishing simulations) and the Report Message button. Good for basic simulation and awareness within the Microsoft stack without additional licensing.
Proofpoint Security Awareness
Enterprise-grade platform with strong content libraries and threat intelligence integration. Better suited to larger organisations with dedicated security teams.
Learning Management System (LMS)
A central platform for tracking module completion and compliance. Options range from Microsoft Viva Learning (M365 native) to dedicated platforms like TalentLMS or Docebo depending on scale.
Want to Build a Training Program for Your Team?
Melbits can design and run a security awareness program for your Melbourne business — phishing simulations, training modules, and ongoing reporting. Book a consultation to discuss your needs.