Purpose
This guideline defines how South Australian (SA) Government agencies can implement and manage a cyber security awareness and training (CSAT) program.
Background
Cyber security is fundamental to the successful operations of the SA Government. Cyber security risks are ever evolving, and education plays a crucial role in protecting the government against emerging cyber threats. By enhancing the CSAT program in agencies, we can empower individuals to recognise potential threats and take appropriate action.
The SA Cyber Security Framework (SACSF) has been developed to standardise and guide the approach for establishing, implementing, maintaining, and continually improving the cyber security posture of SA Government agencies.
Government agencies rely on their staff to assist in managing cyber security risks. This can be achieved by ensuring appropriate CSAT is designed and provided to staff to assist them in understanding their cyber security responsibilities.
Scope
This guideline has been developed to assist SA Government agencies in addressing their CSAT practices and responsibilities. It has been informed by national and international best practice[1], is provided as a guide only and cannot be used for auditing purposes.
Agencies should take a risk-based approach to cyber security responsibilities, training and awareness. This includes performing an agency self-assessment using the maturity model in Appendix One to assist in defining appropriate cyber security responsibilities, and an awareness and training plan.
The SACSF applies to South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this guideline as “Agencies”.
The SACSF policy statements related to this guideline are:
- SACSF Policy Statement 1.2: Organisational Structure and Staff Responsibilities - A structure for managing cyber security must be embedded into the agency's governance framework. Roles and responsibilities for cyber security must be formally assigned by senior leadership, demonstrating commitment to providing suitable resources to manage the agency’s cyber security program. Personnel and contractors must be provided with information and training to support awareness of their collective responsibility to foster a positive security culture.
- SACSF Policy Statement 3.1: Personnel Security Lifecycle – Agencies must assess the suitability of new and existing personnel in alignment with the classification of information to be accessed during employment. Separating personnel must be made aware of their ongoing cyber security obligations.
Guideline detail
To enhance cyber security literacy and support staff to understand their role and responsibilities in relation to cyber security and create a positive cyber security culture, agencies should consider the following guidance:
- Staff should be provided with cyber security training upon induction and at least annually thereafter, ensuring they are aware of their responsibilities regarding the appropriate use of agency information assets.
- An assessment should be undertaken to determine the high-risk roles of the agency.
- Targeted training should be provided to those in high-risk roles (including positions of trust due to their heightened security responsibilities/increased risk profiles) to help staff understand their role in relation to cyber security.
- CSAT should consist of a variety of cyber security educational initiatives to support staff to understand their role in the management of digital information and systems.
- Simulated phishing should be conducted at least quarterly, with campaigns based on emerging threats and agency identified cyber security risks.
- A CSAT program should be designed to manage the approach and engage stakeholders, ensuring it is an agency wide program.
- Regularly report on progress of the program to senior leadership and/or the executive team.
- A CSAT program should take a 2-3 year view, as changing behaviour is a long-term strategy.
- The CSAT program and material should be reviewed at least annually to keep up to date with cyber security trends and emerging threats.
CSAT program considerations
Agencies should have a CSAT program to support the delivery of their cyber security awareness and training. The program should focus on changing workforce behaviour and embedding a strong security culture in the agency. A CSAT program should be tailored to address the risks identified through cyber risk management and the identified human risks.
With the ever-evolving cyber security threats, coupled with the technology and platforms used within agencies, the CSAT program will require at least an annual review to remain effective and relevant. The program should provide a variety of awareness and training mechanisms to keep staff engaged.
Agencies should seek executive buy-in to drive a culture of change from the top, develop a plan to support the program and adopt a scheduled approach to rollout.
A CSAT Plan template has been developed to support agency planning and is available on the Security SA website.
A CSAT program should consider the following:
1. Identify the top human risks
While all staff are required to undertake CSAT, it is important to identify the top human risks and high-risk roles. Agencies should develop specialised awareness and training to manage these risks. To identify the top human risks, agencies should understand their threat environment by:
- Reviewing the agency’s risk register to examine the top cyber security risks
- Reviewing historical data of past incidents/breaches to find patterns and trends
- Engaging with business units, including ICT, human resources, risk and audit and line managers, to discuss insights, behaviours and risks.
- Reviewing cyber threat intelligence, such as advisories and alerts from the SA Government Cyber Security Watch Desk, trends from logs, Security Operations Centre (SOC) alerts, external feeds and advisories.
- Reviewing past security assessments/audits.
Consolidate findings into a prioritised list of human risks, such as phishing, lack of incident reporting knowledge and unsafe data handling. This list will help you to develop cyber security awareness goals, training topics and role-specific learning paths. Awareness and training may vary to suit particular stakeholders or role groups, such as privileged users, executive assistants, finance officers and software developers, depending on the identified risk. It is important to consider that human risks will evolve over time, so it is recommended that you continuously reassess the agency’s top human risks.
2. Define CSAT program goals and objectives
Understanding your agency’s strategic plan, business goals and mission will help establish a link between leadership support and the importance and value of the CSAT program. Develop CSAT program objectives that address the broader business objectives, in areas such as:
- Agency strategy
- Digital transformation
- Security and remote work policies
- Key projects and initiatives
- Brand reputation and trust.
3. Gain leadership support
Gaining leadership support drives organisational culture and helps to enforce participation and accountability in the CSAT program.
Develop a Minute and seek Chief Executive approval that outlines:
- The need for the CSAT program, including the agency’s risks and top human risks
- Proposed program goals and objectives
- Scope of work
- Resources and funding required
- A request for executive support for the program’s success.
Once established, it is important to maintain leadership engagement. Consider providing regular CSAT updates to senior leadership and/or the agency’s cyber security steering committee as part of ongoing reporting. This helps maintain visibility of the program, demonstrates progress and value, and reinforces executive accountability for cyber security awareness across the agency.
4. Develop the formalised CSAT plan
Typically, a CSAT plan includes:
- purpose, objectives, and benefits of cyber security awareness and training
- top human risks
- training scope
- type of activities
- frequency
- roles and responsibilities
- key messaging and communications channels
- metrics and reporting
- CSAT schedule.
The plan should take a 2-3 year view, as changing behaviour is a long-term strategy. It should also include training that addresses the various stages of staff employment, from induction to separation from the agency.
5. Stakeholder engagement
The CSAT plan should identify the roles and responsibilities to ensure that staff understand their role in maintaining the CSAT program and its success. Below is an example of engagement and plan management activities and responsible stakeholders.
- Understand human risk (stakeholders: ICT/human resources/risk and audit/line managers)
- Consult key stakeholders to determine the resources already available to run the CSAT program (stakeholders: Executives/business unit leads/cyber security team/media and communication team/human resources/learning and development team)
- Draft a CSAT plan (stakeholders: ICT/human resources/media and communication team/line managers)
- Endorsement of a CSAT plan (stakeholders: Agency Chief Executive/ICT or cyber executive/Security Steering Committee)
- Implementation, support and ongoing activities (stakeholders: Agency Chief Executive/line managers/cyber security team/media and communications team/human resources/learning and development team)
6. Provide a variety of activities, communication and training
CSAT can be delivered in various ways depending on the topic, learning style and resources available. These include:
- Internally and externally delivered in-person training
- Online training
- Online forums where staff can engage directly with the security team
- Simulated phishing training
- Team meetings
- Intranet
- Email, staff newsletters
- Infographics, videos, and podcasts
- Posters, flyers, fact sheets and hardcopy material
- Screensavers and desktop images
- Interactive methods such as quizzes and gamification.
A program should consider the agency’s most appropriate channels for delivery of awareness and training. Using a multi-channel approach will ensure different learning styles are accommodated and will promote staff engagement with awareness messages.
Consider creating agency-specific key messages, based on your risk environment, that are reinforced and repeated across the cyber security awareness and training plan activities.
7. Set targets and KPIs
To measure the success of a CSAT program it is important to set targets, goals and KPIs so improvements can be measured.
Consideration should be given to establishing a baseline position and measuring again after training and awareness activities have been delivered to measure changes in knowledge and understanding, identify areas for further improvement and understand what aspects of the plan are working.
This baseline could be established by conducting phishing simulations, by using the maturity model provided in the appendix, by considering existing practices and measures, or by providing a questionnaire for agency personnel to complete.
There are a range of benefits that can be used to set targets and KPIs for the CSAT Plan:
- Improved education and awareness
- Improved customer confidence
- Reduced risk profile for the agency
- Decreased incidents and breaches
- Increased reporting of incidents and breaches
- Improved response times for reporting of incidents and breaches
- Increased protection of assets, data and information
- Prevented downtime (should a breach or incident occur, it will be less costly and take less time to repair and return to business-as-usual operations).
8. Set measures and metrics
Metrics should be selected based on the behaviours that underpin the agency’s identified risks. Metrics can include:
- Compliance Metrics: These measure the training and engagement activities including workforce completion rates. These metrics are used primarily for compliance purposes.
- Impact Metrics: These measure changes in the workforce, including assessing staff knowledge, tracking staff behaviours, and measuring attitudes and beliefs about cyber security. These metrics can include reduction in phishing click rates and increased reporting. These metrics are key to tracking impact against risk.
- Strategic Metrics: These metrics track the overall reduction in risk, including reduction in incidents, policy violations and overall costs.
Report metrics regularly to the agency senior leadership and/or agency’s cyber security steering committee.
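As a worked illustration of sections 7 and 8 (not part of the guideline, and not any agency's tooling), the Python below turns constructed training and simulated-phishing records into a compliance metric (completion rate), impact metrics (click rate and report rate, with the baseline-versus-latest change in percentage points) and the participation band from the appendix maturity model. The data set, the record layout and the choice to treat participation below 50% as "Initial" are assumptions made for the example; the guideline only gives participation figures for the Defined, Managed and Optimised levels.

```python
"""Constructed worked example: turning raw CSAT records into the compliance,
impact and baseline-comparison metrics described in the guideline, plus the
participation band from the appendix maturity model. All data is made up."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TrainingRecord:
    staff_id: str
    completed: bool  # completed the annual cyber security training module


@dataclass(frozen=True)
class PhishingCampaign:
    quarter: str
    recipients: int  # staff who received the simulated phishing email
    clicked: int     # staff who clicked the link or opened the attachment
    reported: int    # staff who reported the email to the security team


def _pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; multiply first so n/100 cases stay exact."""
    if denominator <= 0:
        raise ValueError("denominator must be positive")
    return round(100.0 * numerator / denominator, 1)


# Compliance metric: proportion of the workforce that completed training.
def completion_rate(records: Iterable[TrainingRecord]) -> float:
    records = list(records)
    return _pct(sum(1 for r in records if r.completed), len(records))


# Impact metrics: click rate and report rate for one simulated phishing campaign.
def campaign_rates(c: PhishingCampaign) -> Tuple[float, float]:
    return _pct(c.clicked, c.recipients), _pct(c.reported, c.recipients)


# Baseline-versus-latest comparison (section 7): change in percentage points.
def impact_summary(campaigns: List[PhishingCampaign]) -> Dict[str, float]:
    if not campaigns:
        raise ValueError("at least one campaign is needed to establish a baseline")
    ordered = sorted(campaigns, key=lambda c: c.quarter)
    base_click, base_report = campaign_rates(ordered[0])
    last_click, last_report = campaign_rates(ordered[-1])
    return {
        "baseline_click_rate": base_click,
        "latest_click_rate": last_click,
        "click_rate_change": round(last_click - base_click, 1),
        "baseline_report_rate": base_report,
        "latest_report_rate": last_report,
        "report_rate_change": round(last_report - base_report, 1),
    }


# Participation bands quoted in the appendix maturity model (Defined 50-69%,
# Managed 70-89%, Optimised 90-100%). Below 50% is treated here as Initial;
# that is an assumption, since the guideline gives no figure for that level.
PARTICIPATION_BANDS = ((90.0, "Optimised"), (70.0, "Managed"), (50.0, "Defined"))


def participation_maturity(rate_pct: float) -> str:
    for floor, level in PARTICIPATION_BANDS:
        if rate_pct >= floor:
            return level
    return "Initial"


# Constructed sample data for a 100-person agency over one year.
TRAINING = [TrainingRecord(f"S{i:03d}", completed=(i % 10 != 0)) for i in range(1, 101)]
CAMPAIGNS = [
    PhishingCampaign("2024-Q1", 100, 28, 12),  # baseline before the program started
    PhishingCampaign("2024-Q2", 100, 19, 25),
    PhishingCampaign("2024-Q3", 100, 11, 41),
    PhishingCampaign("2024-Q4", 100, 7, 55),
]


def report(records: Iterable[TrainingRecord], campaigns: List[PhishingCampaign]) -> Dict[str, object]:
    """Assemble the figures a regular update to senior leadership would carry."""
    rate = completion_rate(records)
    return {
        "completion_rate": rate,
        "participation_band": participation_maturity(rate),
        **impact_summary(campaigns),
    }


if __name__ == "__main__":
    for key, value in report(TRAINING, CAMPAIGNS).items():
        print(f"{key}: {value}")
```

Running the block prints the completion rate (90.0%, which falls in the Optimised participation band), the baseline and latest click and report rates, and the change in each. Reporting the report rate alongside the click rate matters: a falling click rate with a rising report rate is the behavioural shift the guideline's impact metrics are meant to capture, whereas a falling click rate alone can simply mean the lure was less convincing that quarter.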
Agency self-assessment maturity model
An agency’s cyber security awareness and training (CSAT) maturity is categorised into four levels as described below:
- Initial - the program is informal, unstandardised, and lacks leadership support and strategic alignment.
- Defined - the program has some structure and documentation but lacks consistency and regular updates.
- Managed - the program is standardised, well-documented, and shows moderate alignment with strategic objectives.
- Optimised - the program is fully integrated, aligned with strategic goals, regularly reviewed, and continuously improved.
The following outlines the expectations of the four levels of maturity in different categories.
Maturity level - Initial
At this stage, the agency has minimal or no formal cyber security awareness and training efforts in place. Any existing awareness activities are informal, reactive, and lack structure.
Expectations:
CSAT plan
- No dedicated CSAT plan.
- There is no alignment between the key topics identified and the CSAT plan.
Cyber security awareness
- No to low levels of formal cyber security awareness activities are in place.
- A human risk assessment and/or cyber risk assessment has not been conducted, and the awareness program is not based on agency identified risks.
- No simulated phishing exercises are conducted.
- Ongoing cyber security responsibility reminders are not included in the separation process for staff or contractors.
Cyber security training
- Limited to no training for employees on cyber security topics and any training is conducted on an ad-hoc basis.
- No tailored training provided to employees in positions of trust.
- Cyber security key topics are not included in the induction process for staff or contractors.
- Cyber training is not integrated into daily operations and practices and is seen as a separate activity.
- Little to no documentation exists for cyber security training; there is no standardisation and training varies widely.
- Training materials are poor quality or outdated.
- Training program has little to no alignment with strategic objectives.
- Training program is not reviewed or improved.
Human risk management
- Employees lack understanding of cyber security risks and their roles in mitigating them.
- Security incidents are often due to human error, and responses are ad-hoc.
Metrics and improvements
- No feedback mechanism in place to identify and address issues in the CSAT program.
- Key metrics to measure the success of the training have not been identified.
- Ineffective awareness and training to enhance staff awareness and skills in cyber security, with no noticeable improvements.
- No measurable outcomes to link to the training program.
- There is no measure of cyber awareness retention amongst staff after completion of training.
- Attendance records for cyber security training are not kept.
Agency security culture
- Security practices are inconsistent and vary widely across the agency.
- Leadership is rarely or never involved in promoting and supporting CSAT initiatives.
Maturity level - Defined
The agency has established some cyber security awareness and training activities, but they are still not fully integrated into the organisational culture. Awareness training is conducted, but not systematically.
Expectations:
CSAT plan
- A draft CSAT plan exists.
- Some of the key topics identified are covered in the CSAT plan.
Cyber security awareness
- Awareness activities occur periodically, often in response to specific incidents or compliance requirements.
- Awareness program is loosely based on the outcomes and identified risks from the human risk and/or cyber risk assessment conducted.
- Irregular or ad-hoc phishing simulations are conducted.
- Some aspects of cyber security awareness are included during staff separation (e.g. during exit interviews, staff and contractors are reminded of their ongoing obligations).
Cyber security training
- Basic cyber security training is available to staff, but it is not mandatory or regularly updated.
- Basic cyber security training is scheduled annually as a refresher for all staff and Executives.
- Tailored training exists for some users in positions of trust but doesn’t cover all roles and responsibilities.
- Some aspects of cyber training are included in staff induction.
- Limited integration of cyber training with minimal application into daily operations and practices.
- Some training documentation exists but is incomplete or outdated and is partially standardised with significant variations.
- Training materials only cover a basic level of cyber security knowledge and do not continually get refreshed with emerging risks, trends and threats.
- Training program is partially aligned with agency’s strategic objectives but often seen as a separate initiative.
- 50-69% of employees actively participate in the cyber security training program.
- Training program is rarely reviewed and improved based on feedback and new developments.
Human risk management
- Employees have a basic understanding of cyber security threats and policies but may not consistently apply best practices.
- Security incidents caused by human error are reduced but still occur regularly.
Metrics and improvements
- Ineffective feedback mechanism, with little feedback collected or implemented to identify and address issues in the awareness and training program.
- Some metrics around cyber security awareness and incidents are captured, measured and reported annually.
- Awareness and training to enhance staff awareness and skills in cyber security have shown minor improvements.
- Few measurable outcomes, with mixed results to link to the training program.
- Quizzes are conducted occasionally after training sessions.
- Attendance records are sometimes kept for cyber security training.
Agency security culture
- Some cyber security awareness and training activities are established but are not fully integrated into the organisational culture.
- Leadership occasionally shows interest in promoting and supporting CSAT initiatives.
Maturity level - Managed
CSAT is well-integrated into the agency’s culture. The program is structured, proactive, and regularly updated. Employees are generally knowledgeable and adhere to best practices.
Expectations:
CSAT plan
- A formal CSAT plan is established, with clear objectives and consistent training schedules.
- All the key topics identified are covered in the CSAT plan.
Cyber security awareness
- Awareness activities are well-integrated into the agency’s culture.
- The awareness program is based on a human risk and/or cyber risk assessment.
- Quarterly phishing simulations and interactive exercises are conducted to reinforce learning.
- Cyber security training topics are included in the staff and contractor separation process.
Cyber security training
- Training is mandatory for all employees and is delivered on a regular basis, and on an ad-hoc basis should a specific risk be identified.
- Updated and tailored training is available to most users in positions of trust, including all high-risk user groups.
- Most cyber training topics are included in the staff and contractor induction process.
- Cyber training is partially integrated into daily operations and practices with occasional application.
- Cyber training documentation exists but is infrequently updated and is mostly standardised with minor variations.
- Training materials cover a range of cyber security topics but are not often updated with emerging risks, trends and threats.
- Training program is mostly aligned with agency’s strategic objectives with occasional adjustments needed.
- 70-89% of employees actively participate in the cyber security training program.
- Training program is occasionally reviewed with some improvements based on feedback and new developments.
Human risk management
- Security incidents due to human error are less frequent, and employees are proactive in identifying and reporting threats.
Metrics and improvements
- Moderately effective feedback mechanism, with some feedback addressed in the awareness and training program.
- Metrics around cyber security awareness and incidents are captured and reported on a regular basis.
- Awareness and training to enhance staff awareness and skills in cyber security are moderately effective with some improvements.
- Some measurable outcomes but lacking consistent improvements that can be attributed to the training program.
- Quizzes are conducted after training sessions to test what people have learned.
- Attendance records are kept for all cyber training activities.
Agency security culture
- CSAT is well-integrated into the agency’s culture.
- Leadership is involved but does not regularly promote and support CSAT initiatives.
Maturity level - Optimised
The agency’s CSAT plan is mature and integrated into all aspects of the business. There is a culture of continuous improvement, with a focus on innovation and staying ahead of emerging threats.
Expectations:
CSAT plan
- A mature CSAT plan is in place and integrated into all aspects of the business.
- All the key topics identified are covered in the CSAT plan, and key topics are reviewed on a regular basis.
Cyber security awareness
- Awareness activities are informed by innovative methods and emerging threats.
- The awareness program is based on a human risk and/or cyber risk assessment which is updated annually, and an alignment check to the program occurs regularly.
- Quarterly or more frequent simulated phishing exercises with themes based on emerging threats and agency identified cyber security risks.
- Ongoing responsibility and cyber security topics are included in staff and contractor separation interviews, and email reminders are sent.
Cyber security training
- Training is mandatory for all employees, and the training schedule is developed for the year in advance, and on an ad-hoc basis should specific risks be identified.
- Updated and tailored training provided to all users based on the specific risks each group encounters.
- All cyber security role-based and targeted topics are included in staff and contractor induction.
- Cyber training is fully integrated with regular application to daily work.
- Comprehensive documentation exists for training, is regularly updated, and is fully standardised with consistent content delivery.
- Simulated phishing exercises have a regular automatic schedule with customised, dynamic and regularly updated topics based on threat intelligence and industry trends.
- Training materials are regularly updated with relevant emerging risks, trends and threats.
- Training program is fully aligned and integrated into agency’s strategic planning.
- 90-100% of employees actively participate in the cyber security training program.
- Cyber training is regularly reviewed and continuously improved based on feedback and new developments.
- Gamification and badges are incorporated to improve participation and interest.
Human risk management
- Employees demonstrate strong cyber security practices in their daily activities, with minimal human-error-related incidents.
Metrics and improvements
- Highly effective feedback mechanism, with clear processes for feedback collection and implementation in the awareness and training program.
- Metrics around cyber security awareness and incidents are captured, and revisited. The agency uses advanced analytics to track the effectiveness of the awareness program and make data-driven improvements.
- Highly effective awareness and training to enhance staff awareness and skills in cyber security, with measurable improvements.
- Measurable outcomes with clear and positive outcomes directly linked to the training program.
- Simulated phishing attacks, periodic quizzes, and pre- and post-training assessments are conducted to establish baseline understanding and improvements. Surveys and self-assessments are conducted on a regular basis.
- Attendance records are kept, and personnel who miss cyber security training are followed up for future sessions.
Agency security culture
- CSAT is embedded in the agency’s culture, with continuous learning and improvement.
- There is active engagement from leadership, and cyber security is considered a shared responsibility across all levels of the agency.
- Leadership regularly reviews and promotes the CSAT initiatives.