CHAPTER 6: Creating a Corporate SAT Policy
Chapter 6 will detail how to create a corporate security awareness training (SAT) policy and finish with an example document. If you don't have to create corporate SAT policies, you might consider skipping this chapter. However, it contains concepts and ideas to consider even if you don't need a formal policy. Most people involved in SAT programs will benefit from reading this chapter.
Much of this information was previously included in a KnowBe4 whitepaper written by the author: www.knowbe4.com/typ-wp-example-sat-policy-guide.
Getting Started with Your SAT Policy
Fighting any cybersecurity threat means crafting a detailed, layered, defense-in-depth set of mitigations, including policies, technical defenses, and training. So far, despite more than three decades of the best technical defenses, social engineering and phishing attacks continue to reach end users. End users must therefore be taught how to recognize social engineering and phishing threats and how to handle and appropriately report them. Accordingly, security awareness training (SAT) is among the highest-value mitigations any organization can perform to significantly reduce cybersecurity risk.
All security mitigations should have policies directing their application and use. All SAT programs should begin with or be driven by an SAT policy document. The beginning of this chapter covers the various components that should be covered by any SAT policy. The chapter finishes with a ...