Cyber Security Awareness Training for Employees


LUCY offers more than 200 interactive, web-based training modules (videos, tests, quizzes, games and more) on various security topics. These can be given to employees based on the results of attack simulations, or independently of them.

Employees can manage their own learning content in the LUCY LMS while your IT administrator tracks their progress in real time. An integrated authoring tool allows you to quickly create new learning content, and our team can also create custom content for you.

  • Reputation-Based e-Learning

  • End User Training Portal

  • Awareness Education Diploma

  • e-Learning Authoring Toolkit

  • Rich Media Awareness Training

  • Training Library

  • Static Training Support

  • Offline Training Support

  • Microlearning Modules

  • Video Customization

  • Mobile-Responsive Format

  • Video Import/Export

  • SCORM Import/Export

  • Dynamic Training Hints

  • null


    Reputation-Based e-Learning

    Train your employees according to their required skills. Measure employee abilities and enable friendly competition between colleagues (gamification).
    Based on the reputation profiles of each end user, the system can automatically provide them with multiple training sessions. The reputation profiles are based, among other factors, on the user’s behaviour in phishing simulations. This ensures that users who are repeated offenders receive different training content from those who click on an attack simulation for the first time.

  • null


    End user Training Portal

    Learning Management System (LMS) functionality: Gives each employee permanent access to a personalized training homepage that features your own courses specifically tailored for them. On this homepage they can view their performance statistics, resume or repeat training, create course certificates, and compare their results with other departments or groups.

  • null


    Awareness Education Diploma

    Certificates of e-Learning can be created and printed out by the recipient either directly within a training or inside the LMS portal.

  • null


    e-Learning Authoring Toolkit

    The e-Learning Authoring Toolkit (Adapt) allows the creation of individualized learning content. Drag and drop videos or any other rich media format, insert exams from pre-defined menus, create interactive e-learning content from scratch in a short time.

  • null


    Rich Media Awareness Training

    Integrate rich media (video, audio, or other elements that encourage viewers to interact and engage with the content) in your awareness trainings. Use the existing educational videos, adapt them, or add your own rich media.

  • null


    Training Library

    Your employees can access your organization’s training content from an overview page called “training library.” It contains a large selection of LUCY’s regular e-learning templates, which serve as input. The overview page can be sorted by certain topics (video, quiz, test, etc.).

  • null


    Static Training Support

    Training content can also be published on static pages within LUCY or the intranet, giving the user permanent access to training content, independent of possible attack simulations.

  • null


    Offline Training Support

    LUCY is supplied with a series of editable templates (Adobe Photoshop or Illustrator files) for awareness training, such as posters, screensavers, fliers, etc.

  • null


    Microlearning Modules

    We have designed microlearning training modules (e.g., 1-minute videos or awareness 1-pagers) that can be tailored to the branding and policy needs of your organization.

  • null


    Video Customization

    Send us your company logo and we will include it in the training videos. You want another language? No problem. We will set the video to play in the language you prefer. You want a different scene? Simply download the video scripts and mark the desired changes.

  • null


    Mobile-Responsive Format

    Many of LUCY’s built-in modules are available in a mobile-responsive format that gives your users the flexibility to take the training on any type of connected device.

  • null


    Video Import/Export

    You can export LUCY videos to your own system as well as import your own videos into LUCY.

  • null


    SCORM Import/Export

    You can also export LUCY’s proven best practice training content to another LMS (Learning Management Solution) with the widely used SCORM interface.

  • null


    Dynamic Training Hints

    The implemented dynamic hints allow your administrator to set markers within the attack templates that could indicate to your employees, inside the e-learning material, where the phishing attack may have been detected.

Interactive Training & Gamification

LUCY’s interactive tests and web-based trainings can be used to determine the users’ level of knowledge about security. In addition to using traditional training methods, LUCY uses various gamification approaches to have a lasting e-learning experience. Keep in mind that gamification is not about playing games at work! Gamification is the process of engaging people and changing behaviour using game mechanics in a non-game context. Essentially, it takes the fun factor of games and applies it to situations that aren’t much fun—like how to block the next hacker from stealing company data. By creating effective leaderboards you can also motivate your employees to achieve better results.

Industry & Role-Based Training in 30+ Languages

LUCY comes with more than 200 editable awareness templates (posters, screensavers, flyers, games, interactive courses, videos, microlearning training modules, etc.) that cover the most common security topics in different languages. These can be easily adapted in terms of content and design. All training content is loaded directly to your LUCY server and can then be viewed by your employees. Alternatively, you can transfer the training directly from LUCY to your own system.

  • PCI Security
  • WLAN Security
  • Social Engineering
  • Clear Desk Policy
  • Data Privacy
  • Secure Social Networks
  • Secure Browsing
  • Phishing
  • Password Security
  • Physical Security
  • Shoulder Surfing
  • Malware
  • Traveling
  • Visitors
  • Spear Phishing etc.

Custom Module Creation & Authoring Tool

Customize existing learning content with the editors we developed specifically for LUCY. Images, texts, linked documents, content, and even the design can be modified. Do you want to create a completely new course in LUCY? No problem. With our e-Learning Authoring Toolkit you can create interactive learning content via drag and drop.

So, how can we implement a security
awareness program?


Assessing your needs

Evaluation is an essential first step in developing your wider security program, and it applies to security awareness training too. Assess the major risks that you want to tackle. If you’re in a regulated industry, you’ll want to include compliance requirements. Work out precisely what training is needed to meet those requirements.


Assessing your security culture

A strong security culture starts at the top which promotes the belief that security is everyone’s problem and responsibility. When the culture says that security belongs to everybody, the IT department is no longer fighting the battle solo. To launch a program, we start by assessing the needs and only then we begin creating the content.


Assessing your policies

All policies, guidelines, and standards related to the employee (user) must be analyzed. Those policies must be incorporated in the awareness training content at a later stage.


Identifying the involved target groups

The phishing simulation can be combined with services. These services help the company to better assess the risk. Here are a few examples:

  • Board of Directors: The Board of Directors may be invited to sit in on an annual User Awareness Training as a means of educating the Board on information related to the importance of Information Security (as well as the type of training being provided to the end user).
  • Management: The training should assist the management team in the execution of various duties (access authorization, data classification, etc.).
  • Technical staff: Because the technology staff is instrumental in both securing information assets as well as enforcing policy and configuring the system to enforce policy, it is imperative that a training program be developed to make all technical personnel aware of the appropriate policies, procedures, tools, standards, and guidelines that they must follow. Annual training should be supplemented with comprehension testing as well as ongoing training. Best practices include:
    • A “due diligence quiz” which documents that the user not only received the training but also understood key provisions of the policy.
    • A monthly awareness reminder: Once per month, an e-mail message will be sent related to a specific current topic.
    • As-needed awareness information: As new issues, vulnerabilities, or policies arise, we will send via the appropriate method additional reminders and/or vulnerability announcements.
    • Ongoing awareness exercises:  Throughout the year, as well as in advance of annual training, various awareness exercises, like phishing simulations, may be conducted.
  • Customer Awareness Training: We may also work with marketing personnel and web developers to ensure an adequate mix of identity theft prevention education is distributed to customers in the form of flyers, web page elements, and public announcements.


Develop cross-department partnerships

The awareness program is likely to be developed together with the IT department, or perhaps Risk or Compliance, but implementation needs partners in other departments. Partners could help with a couple of key needs: delivery (in the case of live, in-person sessions) and dissemination. The Human Resources department could help create policies that make the training mandatory, as well as track participation. The communication director or another professional communicator could be recruited to deliver the training content. If the compliance department has a newsletter, partnering with them could be used to distribute security awareness content.


Developing content

The content needs to be custom-tailored to each organization’s unique case, as well as the sector the organization operates in. The program needs to focus on the topics that will help users change their behaviors. Some common ones that apply to any sector include Social Engineering, Phishing, and Mobile Security. When developing training content, we make sure that we lay out some clear real-world examples and show the users what an attack looks like.


Find the right tools

Long PowerPoint presentations are a thing of the past—at least when it comes to awareness training. Having employees stuck in their seats for 45 minutes, listening to someone talk the entire time, doesn’t create an engaged audience that will retain the material. The best programs avoid this issue by using a variety of delivery methods—from video to interactive online modules, gamification, and simulated phishing attacks. It’s a good idea to deliver your training via several different methods. E-mail lists are an easy way to send out content. We also provide content on external websites or the intranet.


Scheduling and delivering training

Most companies will start with an annual training program, and training specifically for new hires is the required minimum. A successful awareness program is not a one-time activity, nor is it a once-a-year activity. It needs a regular, ongoing schedule that includes different types of activities delivered at appropriate intervals—some may be monthly, others quarterly or annually. The content should be mixed up and relevant to seasonal threats, where applicable. For example, e-cards can prove to be a tempting click right around Valentine’s Day, so make sure your staff know what suspicious signs to look for.


Testing the effectiveness of the training

When you put in place a new security system, you always want to test it to make sure it’s working properly; you should think about security awareness training in the same way. You may want to include relevant questions as part of your training content. Ending each section with a test is a good way to determine whether your staff have garnered the key information. For example, you might consider sending out a mock phishing e-mail a few weeks after your training to see who falls victim to it.


Tracking and acting accordingly

Testing the impact of your training is important, but you also want to track who completes the training you send out and how much time they spend on it; then measure the impact it has on actual security incidents. If people don’t complete the training or fail the tests, then they need to be sent for further training, and repeated fails should trigger a face-to-face meeting. If your program is truly effective, then you should see a drop in the number of security incidents. If you don’t see a correlation there, then you may need to rework your training materials and tweak your approach. When new threats emerge, you must be ready to work them in and update your training accordingly on a continuous basis. Train your staff properly and equip them with the knowledge they need; only then you will see a significant improvement in your overall cyber security.


Get started!

We are happy to advise you on the most suitable services. Please send us a message via the contact form below or call us at +1 512-917-9180 (USA) or +41 44 557 19 37 (Europe).

in our

in Lucy