• Define Maturity Levels and Reputation Levels to be used in the tools.
• Plan and implement infrastractural adoptions (Spam Filter, Whitelists, WAF, Firewalls).
• Identify special risk groups. They will get dedicated campaigns and content.
• Define target audiences (recipient groups).
• Define starting level of tests and trainings. Do you want to start easy or already sophisticated?
• Define phases of the programme (phase planning). You can’t train everything at once. It makes sense to set priorities and bundle certain topics.
• Decide on brand usage. Attackers use well-known brands, companies, websites, etc. because they know that users are highly likely to click on them. Should your campaigns take this into account? You should also plan campaigns with your own faked or spoofed company name.
• Perform mail- and web filter analysis using LUCY’s MFT function. Discover what file types go through via browser or email client. You need this information order to decide what file types should be used within file based phishing simulations (or to block them).
• Create the testing content roadmap for your organization (‘Attack content framework’, see below).
• Create your training content roadmap (‘Awareness content framework’, see below).
• Plan empowerment of users in identifying and reporting threads. Define the reporting process together with support desk and SOC. Roll-out the Phishing Incident plugin and configure the incident console if needed.
• Create a campaign plan (Campaign & Audience Planning) for the next 12-18 months.
• Weigh the limits of any attack scenarios. Sometimes it may happen that you should run an attack simulation but the scenario you should use for it is a no-go. Are there any limitations in terms of scenarios/themes that cannot be used in attack simulations in your organization?
• Carry out the initial training campaign in the sense of basic training. Before you initialize the awareness programme and its first simulated phishing campaign in your organization, your current employees need to go through an introductory training scheme.
• Setup the reporting and communication chain in the company. When running campaigns, who needs to be informed? Who gets the campaign results? What information is distributed?

And: Don’t die in beauty!

• Sender Domain: An important part of your phishing attempt is choosing the right mail sender domain from which the phishing simulation emails will be sent out. Choose domain names that will normally pass through spam filters. If this is not the case you need to ‘white label’ them. Be aware that there isn’t much sense in using domains that would normally get filtered out via SPF protection because these will never make it to your employees’ inbox. Invitations to awareness trainings can easily be sent from the company’s own domain.
• Test run: Do a test run before firing the campaigns.
• Announce it: Do you have to notify phishing campaigns to (official) bodies?
• Schedule it. How many mails should be sent in which period of time? When should the training be sent? Immediately or after a time interval? Should phishing be sent randomly?
• Run it: Make sure you can and do monitor it in real time in case something goes awry. Don’t just do awareness training and phishing simulations. Also run ‘Bad USB’ or smishing campaigns.
• Alarm it: The employees should use the Phishing Incident Button!
• Report it: After the campaign create the report.
• Communicate it. Publish the results. People are
• Assess it: Don’t only test and train people. Run assessment campaigns using Lucy’s malware simulation toolkit. Perform extended mail- and web filter tests. Assess the network using the ransomware simulator. So you can find out until what extend a malware would be successful in your network.
• Campaign Iteration planning & execution: Often the results of the campaign indicate the need for follow-up training or the need for a follow-up campaign.
• OOO / no delivery campaigns: Create more sophisticated campaigns by enabling response detection in LUCY. Create campaigns that automatically respond to auto-reply and out of office messages (ooo).
• Tutoring the weak: Create special training for the weakest employees. Pay attention to small and short training modules. Respect all employees.
• Special education for the strong: Do not allow your best and most attentive employees to slip away; they are your most important asset and your strongest defense.
• Reward it! Create incentives through rewards, awards and competitions at employee and team level!
• Analytics it! Compare campaign results, identify trends, and carry out benchmarks. Your organization is unique; comparisons with other organizations mostly make little sense.

• Provide seasonal/actual content: Is there a current threat in the market or has a new security policy been published that requires training?
• Target readjustments: Are the objectives still okay?
• Process improvement. After a certain time you certainly can improve campaign preparation, reporting or alarming processes.
• Benchmarking. Once you have a basic data set and results for your organization and it’s units set up a benchmarking framework and use the power of comparison and gamification.
• Cross organizational collaboration. Start to share trainings and templates with other organizations. Perform cross company ‘competitions’. It’s here where you can start benchmarking! And: You can join the global LUCY user-group if you want to.
• External Review and Certification. A review by an external body can certainly make sense and, if desired, have yourself certified by a third body (e.g. through a LUCY company certification).

The testing roadmap and training show what you want to test, train and practice. They serve as the basis for the campaign plan, in which the concrete awareness campaigns, goals and recipient groups are planned. The roadmap documents show the management and other interested group what learning content is to be conveyed in principle, without a time reference or detailed assignment to risk and recipient groups.

Performing a phishing simulation in your own organization is nothing more than a realistic exercise to prepare for an emergency. Many companies conduct regular evacuation exercises of their office buildings. Educational social engineering measures such as fake phishing mails are virtually the same.

The Testing Roadmap helps to plan these IT security ‘fire drills’. Many anti phishing / awareness products available on the market support not only fake phishing, but also educational smishing, vishing, USB hacks and others. Often a selection can be made from hundreds of different templates. State-of-the-Art products also allow the efficient creation of individual attacks or adaptation of the templates, so that individualized phishing mails and landing pages can be created.

This is often referred to as compulsory training or policy driven training. The organization is obliged to enforce existing safety guidelines and safety instructions among its employees. This category includes in particular training for GDPR, PCI-DSS, ISO27001, HIPAA, etc.

Industry-specific training content on IT security and security in general fall into this category. This includes all topics in the field of social engineering with which the employee could be confronted:

• Phishing & malware attacks
• Password security
• Shoulder surfing
• Attacks with data carriers
• Vishing (Voice Phishing)
• Clean desk policy
• Physical security
• Visits and personal interaction (Visitors)
• Social Engineering in general
• Use of public WiFi’s
• Mobile devices
• Safe travel
• Security Incidents (security incidents)
• Cloud and Internet Security
• Malware
• BYOD
• Email security

Depending on the industry, there are additional special modules such as

• Classification of information
• Industrial Security
• Credit card data handling
• Handling of personal data
• Handling of patient data / health data
• Physical data carriers / disposal companies

The answer to this question depends mainly on the size of the company. Of course, the IT security awareness level of the organization also plays a role, as does the number of organizational units, risk groups, stakeholders etc. affected.

Smaller companies with a proactive decision-making culture can implement the basics for an awareness program including the first Baseline Phish and Train campaign in two to three days. Larger institutions, on the other hand, can take weeks or months to implement such a project. It’s not so much the amount of effort involved that matters, but rather the lead time. Welcoming all affected or involved stakeholders, as well as decision-making in a heterogeneous environment, simply take time.

The slides of this article can be downloaded here.

If you just want to configure and run a phishing and/or training campaign: The article ‘Plan your Phishing Simulation Campaign – Successful implementation of an attack simulation: tips and tricks‘ will help you if you want to carry out your specific campaign.

The Security Awareness Wiki of LUCY helps here too. The Onboarding Checklist is the most comprehensive technical guide for cybersecurity awareness programs on the Web.

We have hundreds of customers in over 40 countries. We are pleased to assist you. Please contact us with this form.