TL;DR—

The final post in this six-part blog series on must-ask questions when creating net-new awareness training.

  • Whenever possible, Fable Security asks its clients, “Do you have a screenshot or transcript from a real-world cyber attack?”
  • Many incident reports and threat intelligence reports focus too much on backend technical indicators, rather than an employee’s frontend experience of the attack—which makes them difficult to reference for awareness training.
  • Useful awareness training “artifacts” can include:
      • Screenshots
      • Transcripts
      • Application walkthroughs
      • Organization policies
  • See “Five must-ask questions for security training that changes employee behavior” for more questions Fable Security asks our clients before creating short-yet-impactful briefings!

Ignore the “backend” technical bits and focus on your employees’ “frontend” experience

New Fable Security clients occasionally request briefings based on a specific security incident or new threat research.

However, these documents often gloss over what an employee would see or experience during a similar attack on your organization, focusing instead on indicators of compromise (IOCs) that your security teams need for blocking and threat hunting.

For example:

  • This threat intelligence writeup mentions that a threat actor “uses social engineering” to gain initial access, but fails to describe specific techniques or patterns relevant for an employee. (“Social engineering” covers a lot of different ways to trick employees into granting access!)
  • This attack report shows a diagram pointing out that a victim downloads a malicious file to begin the attack on a managed endpoint, but NOT how the attacker tricked the employee into the download or otherwise disguised the malicious file.

Compare those reports to this Bitdefender writeup, which walks through how a victim accidentally installed a malicious application that dropped malware—not security clients—on a victim’s mobile device.

It even has screenshots of what a victim saw when the campaign was live!

So instead of going with the first source you find to mention an attack or technique you’d like to train on, spend a little time tracking down a source that has frontend screenshots or an attack overview that includes what a victim does during the attack.

Because your employee will never bother pasting in hash values to block malicious files on their laptop… but they will see a malvertising Facebook ad trying to push a fake Microsoft 11 license update, or a phishing email that slips past your gateway.

Example details and artifacts useful for security awareness training

Some extremely useful artifacts that will make your security awareness training relevant and contextualized for your end users include:

  • Screenshots of phishing lures, malvertising ads, example SMS phishing texts—any “real life” pictures you can find will tell an incredible story!
  • Transcripts from voice phishing attacks, so employees can read (and maybe hear!) how effective attackers are at generating urgency.
  • Application walkthroughs to help people deploy the controls you’re requesting.
    • For example, if you’re asking employees to set up a password manager, look for a “how to” video from your vendor to help walk people through the setup.
    • Video clips are often more helpful than screenshot series for this type of briefing, but ordered screenshots are better than nothing.
  • Organizational policies! This category can cover both actual documentation and referenced internal resources in your training.
    • If you say “reach out to Security,” make sure you give the link to an intake form or the email address you want employees reaching out to!
    • Whenever you’re tempted to say “see our acceptable use policy” or “only download from the approved software portal”… don’t expect people to look it up or go to the portal if you don’t give them a fast way to access it.

Ultimately, while you can create effective and useful security awareness training without answering this or any other question in our series…

…Answering these five questions—and tracking down the related resources—before you spend a lot of time on communications or briefings will greatly improve your program’s chances of producing true behavior change that better secures your organization.

(And, if you’re interested in learning more about building an effective security awareness program that raises the bar from “just awareness” to “improved security outcomes”… have you seen our “Modern Human Risk Management for Dummies” guide? Feel free to download it—no email- or form-strings attached.)