WOLF//SEC
← Domain 5
OBJECTIVE 5.6 Given a scenario (PBQ-likely)

Implement security awareness practices

This is a PBQ objective. Expect to design awareness programs, evaluate phishing scenarios, and select appropriate training responses for described situations.

Phishing Campaigns

Internal Phishing Simulations

Controlled phishing emails sent to your own employees to test awareness.

Campaign elements:

  • Pretexting: Crafting a believable scenario (package delivery, password reset, CEO request)
  • Indicators to test for: Typosquatted domains, urgency language, suspicious sender, mismatched URLs, unusual requests
  • Metrics: Click rate, credential submission rate, reporting rate
  • Follow-up: Immediate training notification for users who click. Not punitive — educational.

Recognizing Phishing

Users should be trained to check:

  • Sender address: Does it match the organization? Look for subtle misspellings.
  • Links: Hover before clicking. Does the URL match the claimed destination?
  • Urgency and pressure: “Your account will be locked in 30 minutes” is a manipulation tactic
  • Unexpected attachments: Especially executables, macro-enabled documents, or compressed files
  • Requests for credentials: Legitimate organizations don’t ask for passwords via email

Reporting Mechanisms

  • Dedicated phishing report button in email client (integrates with security tools)
  • Clear escalation path — users must know who to contact and that reporting is encouraged
  • Recognition for reporting — reward the behavior you want to see

Anomalous Behavior Recognition

Training users to recognize and report behavior that deviates from normal:

User Behavior

  • Colleague accessing systems they don’t normally use
  • After-hours access from unusual locations
  • Large data transfers or downloads
  • Requests to bypass security controls
  • Changes in behavior pattern (disgruntled indicators)

System Behavior

  • Unexpected pop-ups, slowdowns, or crashes
  • Applications launching without user action
  • New/unknown programs installed
  • Disabled security software
  • Unusual network activity (lights flashing on hardware, unexpected connections)

Risky Behavior

  • Sharing passwords or credentials
  • Using personal devices for work without authorization
  • Connecting to unsecured WiFi for work
  • Tailgating (allowing unauthorized people through secured doors)
  • Leaving screens unlocked and unattended

User Guidance and Training

Security Training Program

  • Onboarding: Security fundamentals during new employee orientation. AUP acknowledgment.
  • Annual refresher: Updated content reflecting current threats. Mandatory for all employees.
  • Role-based: Additional training for high-risk roles (finance, IT admins, executives)
  • Event-driven: Training triggered by security incidents, new threats, or policy changes

Social Engineering Awareness

  • How pretexting works — attackers build rapport and trust before making requests
  • Authority bias — people comply with perceived authority figures without questioning
  • Urgency manipulation — artificial deadlines pressure people into skipping verification
  • Quid pro quo — offering something in exchange for information (“free tech support” calls)
  • Physical social engineering — tailgating, dumpster diving, shoulder surfing

Insider Threat Awareness

  • Recognizing behavioral indicators of potential insider threats
  • Reporting channels that are accessible and confidential
  • Understanding that insider threats include unintentional actions (not just malice)
  • Separation of duties and least privilege as organizational safeguards

Operational Security (OPSEC)

  • What information about the organization is safe to share publicly
  • Social media awareness — don’t post about internal systems, building layouts, or security procedures
  • Travel security — public WiFi risks, physical device security, visual eavesdropping
  • Clean desk policy — sensitive documents secured when not in use

Awareness Program Development

Methods

  • Computer-based training (CBT): Online modules with quizzes. Scalable, trackable.
  • Simulated phishing: Practical testing of email awareness. Most impactful training method.
  • Tabletop exercises: Discussion-based scenarios for incident response teams
  • Lunch-and-learns: Informal security awareness sessions
  • Posters, newsletters, intranet: Ambient awareness reinforcement
  • Gamification: Leaderboards, badges, competitions to drive engagement

Metrics and Effectiveness

  • Phishing simulation click rates (should trend downward over time)
  • Training completion rates
  • Incident reporting rates (should trend upward — more awareness = more reporting)
  • Time to report (faster = better awareness)
  • Reduction in security incidents caused by user error

Executive Buy-In

  • Program must have visible executive support
  • Budget allocation tied to risk reduction metrics
  • Regular reporting to leadership on program effectiveness

Offensive Context

Social engineering is the offensive technique that bypasses every technical control. Firewalls, encryption, zero-trust architecture — none of it matters if someone hands over their credentials to a convincing phishing email. Security awareness training is the defensive counter to social engineering, and it works best when it’s informed by actual offensive techniques. A phishing simulation designed by someone who understands how real attackers craft pretexts is more effective than a generic “don’t click suspicious links” CBT module. The attacker’s playbook should inform the defender’s training curriculum.