Forged Consulting Group

Security Awareness Training

Phishing simulations, role-based training, and culture assessments — turning your biggest vulnerability into your first line of defense.

Your firewall doesn't matter if someone clicks the link. Your EDR doesn't help if an employee hands over credentials on a spoofed login page. Your encryption is irrelevant if a finance team member wires $200K to a fraudster impersonating the CEO. People are the most targeted and least trained layer of your security program. Forged builds security awareness programs that change behavior — not just check the compliance box. Realistic phishing simulations, role-based training, and measurable improvement over time.

What's Covered

Scope of Assessment

Phishing Simulations

Realistic phishing campaigns that mimic actual attack techniques — credential harvesting, malicious attachments, CEO impersonation, and vendor fraud. Quarterly campaigns with progressive difficulty.

Role-Based Training Modules

Training tailored to job function — executives get BEC and wire fraud scenarios, finance gets invoice fraud, HR gets W-2 scam training, IT gets social engineering defense. One-size-fits-all training doesn't work.

Security Culture Assessment

Measuring your organization's security culture beyond click rates — reporting behavior, policy awareness, password hygiene, clean desk compliance, and willingness to challenge suspicious requests.

New Hire Security Onboarding

Every new employee gets security awareness training in their first week — not their first quarter. Baseline expectations set before they have access to email, systems, and sensitive data.

Compliance-Aligned Content

Training content mapped to your regulatory requirements — HIPAA workforce training, PCI-DSS security awareness, SOC 2 personnel controls, and CMMC security training documentation.

Metrics & Improvement Tracking

Campaign-over-campaign trending showing click rates, report rates, training completion, and behavioral improvement. Data your leadership and auditors can use to measure program effectiveness.

Our Process

How It Works

01

Baseline Assessment

Before we train anyone, we measure where you are. An unannounced baseline phishing simulation establishes your current susceptibility — how many people click, how many report, and how many do nothing.

  • Unannounced baseline phishing campaign across the entire organization
  • Click rate, credential submission rate, and report rate measured
  • Results segmented by department, role, and location
  • Security culture survey — attitudes, awareness, and behavior assessment
  • Benchmarking against industry averages for your sector and company size

02

Program Design & Content Development

A 12-month training program designed around your baseline results, industry threats, compliance requirements, and organizational culture. Not generic videos — targeted training that addresses your specific gaps.

  • Annual training calendar with monthly touchpoints (not just one annual training)
  • Role-based content assignment — executives, finance, HR, IT, and general staff
  • Phishing simulation schedule — quarterly campaigns with escalating sophistication
  • Compliance-specific modules mapped to your regulatory obligations
  • Delivery format selection — microlearning, interactive modules, live workshops, or hybrid

03

Ongoing Campaigns & Training Delivery

Monthly training modules and quarterly phishing simulations deployed throughout the year. Users who fail simulations receive immediate, constructive coaching — not punishment. The goal is learning, not gotchas.

  • Monthly microlearning modules — 5–10 minutes, mobile-friendly, trackable
  • Quarterly phishing simulations with realistic, current threat scenarios
  • Just-in-time training — users who click receive immediate educational content
  • Targeted reinforcement for repeat offenders — additional coaching, not shame
  • Annual comprehensive training for compliance documentation

04

Measurement & Program Evolution

Quarterly reporting on program effectiveness with data-driven adjustments. What's working gets reinforced. What's not gets redesigned. Your program improves every quarter based on actual behavior change.

  • Quarterly metrics report — click rates, report rates, training completion, trend analysis
  • Year-over-year improvement tracking benchmarked against industry
  • Program adjustments based on emerging threats and your simulation results
  • Annual program review with leadership — ROI, risk reduction, and next year's plan
  • Compliance evidence package compiled for audit season
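The baseline and quarterly measurement steps above describe rates per recipient (click, credential submission, report), segmentation by department, and campaign-over-campaign trending. The following Python script is an added example, not Forged's own tooling, that computes those figures from a constructed event log of two quarterly simulations; the field names, the `Outcome` record and the sample users and departments are all assumptions made for the illustration. It also lists users who clicked in more than one campaign, which is the population the "targeted reinforcement" step refers to.

```python
"""Phishing-simulation metrics over a constructed campaign event log.

Each record is one recipient's outcome in one campaign: whether they opened
the email, clicked the link, submitted credentials on the simulated login
page, or reported the message to security. Rates use emails sent as the
denominator, so "report rate" counts reporters among all recipients.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    campaign: str      # campaign label, e.g. "2024-Q1" (hypothetical)
    user: str
    department: str
    opened: bool
    clicked: bool
    submitted: bool    # entered credentials on the simulated landing page
    reported: bool     # used the report button or forwarded to security


# Constructed sample data for the example; not real campaign results.
SAMPLE = [
    # 2024-Q1: unannounced baseline
    Outcome("2024-Q1", "u1", "Finance", True, True, True, False),
    Outcome("2024-Q1", "u2", "Finance", True, True, False, False),
    Outcome("2024-Q1", "u3", "Finance", True, False, False, True),
    Outcome("2024-Q1", "u4", "Finance", False, False, False, False),
    Outcome("2024-Q1", "u5", "IT", True, False, False, True),
    Outcome("2024-Q1", "u6", "IT", True, True, False, True),   # clicked, then reported
    Outcome("2024-Q1", "u7", "IT", False, False, False, False),
    Outcome("2024-Q1", "u8", "IT", True, False, False, False),
    # 2024-Q2: after one quarter of training
    Outcome("2024-Q2", "u1", "Finance", True, False, False, True),
    Outcome("2024-Q2", "u2", "Finance", True, True, False, False),
    Outcome("2024-Q2", "u3", "Finance", True, False, False, True),
    Outcome("2024-Q2", "u4", "Finance", True, False, False, True),
    Outcome("2024-Q2", "u5", "IT", True, False, False, True),
    Outcome("2024-Q2", "u6", "IT", True, False, False, True),
    Outcome("2024-Q2", "u7", "IT", False, False, False, False),
    Outcome("2024-Q2", "u8", "IT", True, False, False, True),
]


def campaign_metrics(records, campaign):
    """Open/click/submit/report rates (percent of emails sent) for one campaign."""
    rows = [r for r in records if r.campaign == campaign]
    sent = len(rows)
    if sent == 0:
        raise ValueError(f"no records for campaign {campaign!r}")

    def rate(pred):
        return round(100.0 * sum(1 for r in rows if pred(r)) / sent, 1)

    return {
        "sent": sent,
        "open_rate": rate(lambda r: r.opened),
        "click_rate": rate(lambda r: r.clicked),
        "submit_rate": rate(lambda r: r.submitted),
        "report_rate": rate(lambda r: r.reported),
    }


def segmented_metrics(records, campaign, key="department"):
    """Same metrics broken out by a record attribute (department by default)."""
    groups = defaultdict(list)
    for r in records:
        if r.campaign == campaign:
            groups[getattr(r, key)].append(r)
    return {name: campaign_metrics(rows, campaign) for name, rows in sorted(groups.items())}


def trend(records, earlier, later):
    """Percentage-point change in the behavioural rates between two campaigns."""
    a, b = campaign_metrics(records, earlier), campaign_metrics(records, later)
    return {m: round(b[m] - a[m], 1) for m in ("click_rate", "submit_rate", "report_rate")}


def repeat_clickers(records, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    clicks = defaultdict(set)
    for r in records:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for c in ("2024-Q1", "2024-Q2"):
        print(c, campaign_metrics(SAMPLE, c))
        for dept, m in segmented_metrics(SAMPLE, c).items():
            print(f"  {dept}: click {m['click_rate']}%  report {m['report_rate']}%")
    print("Q1 -> Q2 change (points):", trend(SAMPLE, "2024-Q1", "2024-Q2"))
    print("clicked in 2+ campaigns:", repeat_clickers(SAMPLE))
```

On the sample data the baseline shows 37.5% clicking and 37.5% reporting; one quarter later clicks fall to 12.5% and reports rise to 75%, which is the shape of improvement the quarterly report is meant to surface. Reporting both figures matters because, as the FAQ below notes, a low click rate with a low report rate still leaves the security team blind to the messages that got through.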

Deliverables

What You Receive

Baseline Assessment Report

Initial phishing simulation results and culture survey findings — your starting point. Segmented by department with specific vulnerability areas identified and recommendations prioritized.

12-Month Training Calendar

Complete program schedule — monthly training modules, quarterly phishing campaigns, annual comprehensive training, and new hire onboarding timeline. Your roadmap for the year.

Phishing Campaign Reports

Detailed results from each simulation — emails sent, opened, clicked, credentials submitted, and reported. Trend analysis showing improvement (or regression) campaign over campaign.

Training Completion Records

Per-user training completion tracking with dates, scores, and module details. The documentation HR and compliance teams need for audits and regulatory requirements.

Quarterly Metrics Dashboard

Program effectiveness at a glance — susceptibility trends, reporting behavior, training engagement, and comparison to industry benchmarks. Executive-ready format.

Annual Program Review

Comprehensive year-end analysis — where you started, where you are, what drove improvement, what needs attention, and recommendations for the next 12 months.

Who It's For

Is This Right for You?

No Current Training Program

Your employees haven't received security training — or it was a one-time video they've forgotten. We build a program from scratch with baseline measurement and continuous improvement.

Compliance Requirements

HIPAA, PCI-DSS, SOC 2, CMMC, and most cyber insurance policies require documented security awareness training. We provide the program and the evidence your auditor needs.

After a Phishing Incident

Someone clicked and it caused damage. Now leadership wants a real training program. We deploy rapidly — baseline simulation within two weeks, training program live within 30 days.

Cyber Insurance Mandate

Your carrier requires phishing simulations and security awareness training as a condition of coverage. We check every box and provide the attestation letter they need.

Existing Program Not Working

You have training but click rates aren't improving. We assess what's failing — generic content, no consequences, too infrequent, wrong delivery method — and redesign for actual behavior change.

Multi-Location Organizations

Consistent training across offices, remote workers, and field teams. Same program, same standards, same reporting — regardless of where employees sit.

Common Questions

FAQ

How often should we run phishing simulations?

Quarterly is the minimum for meaningful behavior change. Monthly simulations are ideal for organizations with higher risk profiles or elevated phishing susceptibility. The key is consistency and variety — using the same template every time teaches people to spot that specific template, not phishing in general. We rotate techniques, urgency levels, and impersonation types across campaigns.

Should we punish employees who click on phishing simulations?

No — and the research is clear on this. Punitive programs create fear and underreporting, which makes your security worse, not better. When someone clicks, they receive immediate constructive coaching. Repeat offenders get additional targeted training and a conversation with their manager. The goal is a culture where people report suspicious emails because they want to help, not because they're afraid of being caught.

What click rate should we be targeting?

Industry average for the first baseline simulation is typically 15–30% depending on sector. A well-run program should bring that under 5% within 12 months. But click rate alone is misleading — report rate matters more. An organization where 3% click but 60% report is in much better shape than one where 5% click and only 10% report. We measure and optimize both.

Can training actually prevent breaches?

Training alone? No. Training as part of a layered security program? Absolutely. The goal isn't zero clicks — it's making phishing harder to succeed. If your training reduces susceptibility by 50% and your email gateway catches 95% of phishing, the residual risk drops dramatically. The organizations that get breached through phishing are almost always the ones with no training program at all.

How much time does training take per employee?

Monthly microlearning modules are 5–10 minutes each. Annual comprehensive training is 30–45 minutes. Phishing simulations take zero employee time unless they interact with the email. Total annual time investment: approximately 3–4 hours per employee. The alternative — a breach — costs the average mid-market company 3–6 months of disruption and $100K–$500K+ in direct costs.

Case Study
750-Staff Nonprofit Health Organization
Consolidated IT operations and improved quality without business interruption.

Ready to Get Started?

Schedule a free consultation to discuss your project scope.
