Security Awareness Training Plan Template

For a 200-person company, expect $5,000-15,000/year for an LMS and phishing simulation platform (KnowBe4, Proofpoint, Cofense). Custom content development adds $2,000-5,000 if you build role-specific modules internally. The biggest cost is employee time: 4-6 hours per employee per year across all modules.

After two consecutive failures, assign a targeted 15-minute coaching session with the security team. After three consecutive failures, require completion of an additional interactive training module before the next simulation. Document the intervention for compliance purposes. Never use public shaming or disciplinary action.

Yes, for SOC 2 (CC1.4), ISO 27001 (A.7.2.2), HIPAA (164.308(a)(5)), and PCI DSS (12.6). All four frameworks require a documented security awareness program with evidence of employee participation. The specific content and frequency requirements vary, but annual training with phishing simulations satisfies all four.

Start with an off-the-shelf platform (KnowBe4, Proofpoint Security Awareness) for the core curriculum. Supplement with custom content for role-specific modules that reference your company's actual tools, policies, and workflows. Custom content is 3-5x more engaging than generic vendor content.

Short modules (under 15 minutes) delivered monthly have higher completion rates than long annual sessions. Use interactive formats (quizzes, scenario-based decisions) instead of passive videos. Send phishing simulations to personal devices used for work. Recognize and celebrate employees who report simulations correctly.