Security Awareness Training
Course Summaries

CORE Security Awareness Training

Intro to Security Awareness

The introductory lesson for Security Mentor’s security awareness training shows why each person is critical to security, and how the actions of one person, even if unintentional or unknowing, can put their organization at risk.

Office Security

The office security lesson focuses on both internal and external threats to information security in personal office spaces. Through lesson interactions, trainees learn to identify and remove office security risks. Afterwards, trainees assess their own office security through a series of questions.

Computer Security

The computer security lesson teaches how layers of security are important to protect computing devices. Topics covered include: firewalls, anti-malware, software auto-updating, data backups, and safe software installation.

Password Security

In the password security lesson, trainees interactively learn what makes a strong password and then are given techniques for creating strong, memorable passwords. The second half of the lesson focuses on securely storing and managing passwords.

Email Security

The email security lesson first describes general threats by email including malicious links, attachments with malware, and spam. This is followed by tips on how to deduce the safety of email messages. Lesson interactions teach trainees how to look for clues of a malicious email, and receive feedback based on their choices.

Web Security

The web security lesson first teaches about the cyber risks that employees face when on the Web. Trainees next learn about safe web searching techniques, general browser security and configuration settings, SSL, and protecting against web attacks.


The phishing lesson delves into what phishing is and why people fall for phishing scams and cyber attacks. Spear phishing is given special attention in the lesson. Employees learn how to identify a phishing email by looking for clues, including how to identify a phishing link. Trainees then complete interactions designed to reinforce the cyber security skills that they learned in the lesson.

Mobile Security

The mobile security lesson discusses the pervasiveness of mobile devices and the cyber risks associated with them, particularly for data breaches. Best practices are given for protecting common mobile devices like smartphones, laptops, and mobile storage, as well as for using technologies like Bluetooth, WiFi networking, and how to securely dispose of a mobile device.

Information Protection

The information protection lesson discusses what the risks are when sensitive information is exposed. The lesson introduces three different types of sensitive information: Personally Identifiable Information (PII), Protected Health Information (PHI), and business confidential information. Examples are given for each. Through exercises, employees learn to identify documents that contain sensitive information, and are given feedback on their choices. The remainder of the lesson focuses on how to protect and manage sensitive information.

Social Networking

Social networking impacts everyone, whether through direct participation or through associations. The social networking lesson teaches why security is so important in social networking. Topics addressed include choosing online relationships, personal information to keep private online, and business information to protect. Phishing and malware on social networks are also discussed.

Public WiFi

Public WiFi is everywhere and so easy to use, but what are the risks and how can they be avoided? The Public WiFi lesson first teaches about what malicious hotspots are and then introduces trainees to SSL and VPN. Next, the lesson covers topics including how to avoid malicious hotspots, a summary of the best practices for using public WiFi, and the danger of connecting Ad Hoc to other computers.

Incident Reporting

In the incident reporting lesson, employees learn how to recognize a variety of security incidents through interactive exercises. The lesson covers the information that should be included when reporting a cybersecurity incident. Finally, the lesson also discusses why people sometimes don’t report security incidents and the importance or reporting security incidents quickly.

ADVANCED Security Awareness Training

Social Engineering

The Social Engineering lesson first explains what social engineering is, followed by a discussion of why social engineers target employees. Trainees then learn about different social engineering tactics. Finally, through a series of role-playing interactions, employees learn to identify and thwart social engineering attacks done by vishing, phishing, and social networking, as well as USB drop attacks and in-person social engineering attacks.

Data Loss Prevention (DLP)

The lesson starts with a definition of Data Loss Prevention (DLP), followed by a discussion of the different DLP tools that organizations may use. Next, the causes of data leaks are explored. Trainees next examine the services and technologies they use and how data can be put at risk of being exposed. The second half of the lesson focuses on seven common areas where end users lose data, and how data loss can be prevented.

Safe Disposal

The Safe Disposal lesson begins by introducing why people dumpster dive, followed by the locations where improperly disposed data is often found. Real cases of improper paper disposal are presented. Employees next evaluate a series of documents, decide whether the information is sensitive, and how the documents should be disposed. The lesson concludes with a series of interactions designed to teach about the proper disposal of devices and the management of voice data.

Internet of Things (IoT)

The Internet of Things (IoT) security awareness lesson first defines what the Internet of Things is. Examples of IoT devices are discussed, as well as how they are used in people’s personal lives, in the workplace, and in industry and the public sector. Next the lesson explains how IoT works, followed by an examination of the main security, privacy, and personal safety concerns related to IoT. Finally, the lesson concludes with advice on how to use IoT securely.

Cloud Security

The Cloud Security lesson begins by explaining what cloud computing is and how it differs from local computing. Next trainees learn about how the cloud is used by businesses and by home users. Common causes of cybersecurity incidents in the cloud are then explored, as well as the possible outcomes of those cybersecurity incidents. The lesson emphasizes how employees’ actions are critical to preventing the cyber security mistakes that result in cyber security incidents. Finally, the lesson addresses what each person needs to do to avoid the dangers to the information security of data that is used and/or stored in the cloud.


The Privacy lesson starts by defining data privacy, explaining why it is important to protect private data, and the different types of private data that need to be protected. Next the lesson addresses the repercussions if private data is exposed. Examples of privacy laws from several different regions worldwide are discussed next. The remainder of the lesson focuses on employee responsibilities when collecting, storing, sharing, transmitting and disposing of private data.

Working Remotely

The Working Remotely security awareness lesson begins by providing examples of remote working locations followed by an explanation of the security risks. The lesson focus is on how employees can be more cyber secure when working remotely, covering topics including: data security, data encryption, computer hygiene, access control, network security, physical security, and remote work in public places.

Travel Security

The Travel Security lesson first presents the risks when people travel, then engages the trainee to self-assess their own travel risk profile. Next trainees learn how to protect themselves when traveling including travel preparation, traveling in a vehicle, traveling around town, air travel, hotels, connecting to remote networks, and using social media while traveling.

Insider Threat

The Insider Threat training lesson first teaches employees about the different types of unintentional insider threats and then how employees themselves can avoid becoming an unintentional insider threat. Next, the lesson discusses the cyber security threats arising from malicious insiders. Then, the lesson explores the motivations behind why people become malicious insiders, and discusses how to recognize behavioral signs that can reveal malicious insider activity. The lesson concludes by discussing what employees can do if they suspect someone is an insider threat.


The Ransomware lesson begins by discussing what ransomware is and the threat that ransomware poses to businesses and individuals. Trainees next learn how you can get ransomware, the consequences of ransomware, and how to protect against ransomware. Then the lesson transitions to discussing what the signs of ransomware are and what you can do if you get ransomware. The lesson concludes with a fun, sticky game that reinforces the main learning points in the lesson.

ROLE-BASED & COMPLIANCE Security Awareness Training

System Administration

The System Administration lesson is the first security awareness training lesson in Security Mentor’s ROLE-BASED curriculum. It covers cybersecurity topics about which System Administrators need to be informed. The lesson begins by explaining why cyber security is so important for system administrators, and defines some of the basic tenets of security including the AIC triad, compliance, defense in depth, and resilience. Next the lesson addresses how system administrators can secure against hackers, malware, malicious insiders, and other types of cybersecurity incidents. Topic areas covered include access control, threats & vulnerabilities, data protection, security tools, and incident response.


The HIPAA lesson is part of our ROLE-BASED and COMPLIANCE security awareness training curriculum. At a high level, the HIPAA lesson presents topics that users subject to HIPAA (Health Insurance Portability and Accountability Act) compliance need to be informed. The lesson begins by explaining what the HIPAA Privacy Rule and HITECH Act are, who must comply with HIPAA regulations, what Protected Health Information (PHI) is, and the 18 HIPAA Identifiers of PHI. Next, the lesson addresses when PHI has to be protected, permitted uses and disclosures of PHI, and PHI safeguards that are required by HIPAA. The lesson concludes by discussing the release of PHI and the HIPAA requirement to report potential breaches.