Cybersecurity Awareness Training Materials
Free, open-source cybersecurity awareness training materials for organizations of all sizes. These training modules, quizzes, and reference guides help employees recognize and respond to cyber threats, meeting compliance requirements for CMMC, HIPAA, PCI DSS, NIST 800-171, and other frameworks.
Maintained by Petronella Technology Group -- a cybersecurity firm based in Raleigh, NC with 23+ years of experience delivering security awareness training programs. For managed training solutions, visit our Security Awareness Training page.
Table of Contents
- Why Security Awareness Training Matters
- Compliance Requirements for Training
- Training Modules
- Module 1: Phishing and Social Engineering
- Module 2: Password Security and Authentication
- Module 3: Safe Internet and Email Practices
- Module 4: Physical Security
- Module 5: Mobile Device Security
- Module 6: Data Handling and Classification
- Module 7: Incident Reporting
- Module 8: Remote Work Security
- Knowledge Assessment Quiz
- Quick Reference Cards
- Training Program Implementation Guide
- Additional Resources
- About
Why Security Awareness Training Matters
Employees are both the greatest vulnerability and the strongest defense in any organization's cybersecurity posture. According to industry research, a significant majority of data breaches involve a human element -- whether through phishing, credential theft, social engineering, or simple mistakes.
Effective security awareness training:
- Reduces phishing susceptibility significantly after consistent training
- Meets regulatory requirements across multiple compliance frameworks
- Creates a security culture where employees actively participate in defense
- Reduces incident costs by enabling faster detection and reporting
- Protects the organization from ransomware, data breaches, and fraud
Compliance Requirements for Training
| Framework | Training Requirement | Frequency |
|---|---|---|
| CMMC Level 2 | Security awareness (3.2.1), role-based training (3.2.2), insider threat (3.2.3) | At least annually |
| NIST 800-171 | Same as CMMC Level 2 (derived from NIST) | At least annually |
| HIPAA | Security awareness and training (164.308(a)(5)) | Ongoing; at hire and periodically |
| PCI DSS v4.0 | Security awareness (12.6) | At hire and annually |
| SOX | IT general controls training | At hire and annually |
| ISO 27001 | Awareness, education, and training (A.6.3) | At hire and ongoing |
| GDPR | Staff training on data protection | Regular intervals |
| Cyber Insurance | Most policies require documented training | Typically annually |
Training Modules
Module 1: Phishing and Social Engineering
Duration: 30 minutes | Audience: All employees
What is Phishing?
Phishing is a type of cyber attack where attackers send fraudulent messages designed to trick you into revealing sensitive information, clicking malicious links, or downloading malware. Phishing remains the number one attack vector used by cybercriminals.
Types of Phishing Attacks
| Type | Description | Example |
|---|---|---|
| Email Phishing | Mass emails impersonating trusted entities | Fake bank email requesting account verification |
| Spear Phishing | Targeted emails to specific individuals | Email appearing to come from your CEO |
| Whaling | Targeting executives and senior leaders | Fake board meeting notification to the CFO |
| Smishing | Phishing via SMS text messages | "Your package delivery failed" text with a link |
| Vishing | Phishing via phone calls | Caller claiming to be IT support needing your password |
| Business Email Compromise | Using a real compromised email account | Actual vendor's email requesting payment to a new account |
| QR Code Phishing (Quishing) | Malicious QR codes | Fake parking meter QR code that steals payment info |
Red Flags to Watch For
- Urgency or threats -- "Your account will be locked in 24 hours"
- Unexpected attachments -- Especially .exe, .zip, .docm files
- Suspicious sender address -- Look closely: support@micros0ft.com vs support@microsoft.com
- Generic greetings -- "Dear Customer" instead of your name
- Grammar and spelling errors -- Though sophisticated attacks may have none
- Mismatched URLs -- Hover over links before clicking; the display text may differ from the actual URL
- Requests for sensitive info -- Passwords, SSN, credit card numbers
- Too good to be true -- "You've won a $500 gift card!"
- Unusual requests from colleagues -- Especially involving money or credentials
- Pressure to bypass normal procedures -- "Don't tell anyone, just process this transfer"
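Two of the red flags above (a look-alike sender domain and link text that differs from the real URL) can also be checked mechanically, which is how many mail gateways and report-phishing buttons triage reported messages. The script below is an added example, not part of the original training materials; the sender address, trusted-domain list and HTML body are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input (not real mail): a sender that imitates a trusted
# domain and an HTML body whose visible link text disagrees with its href.
SAMPLE_SENDER = "support@micros0ft.com"
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.test"}
SAMPLE_HTML = """
<p>Your account will be locked in 24 hours.</p>
<a href="http://login.example-phish.test/verify">https://account.microsoft.com/verify</a>
<a href="https://account.microsoft.com/help">Help center</a>
"""
# Digits commonly swapped for look-alike letters in typo-squatted domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x' text is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html):
    """Return (href, text) pairs where the text is a URL on a different host."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if re.match(r"https?://|www\.", text) and host_of(text) != host_of(href)]


def lookalike_domain(sender, trusted):
    """Return the trusted domain the sender imitates, or None if exact or unrelated."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None  # exact match with a trusted domain is not a look-alike
    normalised = domain.translate(HOMOGLYPHS)
    return next((t for t in trusted if normalised == t.translate(HOMOGLYPHS)), None)


if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_HTML):
        print(f"Mismatched URL: shows {text!r} but points to {href!r}")
    print("Sender imitates:", lookalike_domain(SAMPLE_SENDER, TRUSTED_DOMAINS))
```

The second link ("Help center") is not flagged because its visible text is not itself a URL; the check only catches the case the training text describes, where the displayed address and the real destination disagree.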
What To Do
If you receive a suspicious email:
1. Do NOT click any links or open any attachments
2. Do NOT reply to the email
3. Do NOT forward it to colleagues
4. Report it using your organization's reporting method (report phishing button, forward to IT security)
5. Delete it after reporting

If you clicked a link or entered credentials:
1. Stop -- close the browser immediately
2. Disconnect from the network if instructed by IT
3. Change your password from a different, known-safe device
4. Report it immediately to IT security -- there is no penalty for reporting
5. Note the URL, time, and what information you may have entered
Module 2: Password Security and Authentication
Duration: 20 minutes | Audience: All employees
Password Best Practices
| Do | Don't |
|---|---|
| Use a unique password for every account | Reuse passwords across accounts |
| Make passwords at least 14 characters | Use short passwords (under 12 characters) |
| Use a passphrase (e.g., "correct horse battery staple") | Use dictionary words or common phrases |
| Use a password manager | Write passwords on sticky notes |
| Enable MFA on every account that supports it | Share passwords with colleagues |
| Change passwords immediately if a breach is suspected | Use personal info (birthdays, pet names) |
Multi-Factor Authentication (MFA)
MFA requires two or more of the following to log in:
| Factor | Type | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN |
| Something you have | Possession | Phone, hardware token, smart card |
| Something you are | Biometric | Fingerprint, face recognition |
MFA Best Practices:
- Use authenticator apps (Microsoft Authenticator, Google Authenticator) over SMS when possible
- SMS is better than no MFA, but can be intercepted via SIM swapping
- Hardware security keys (YubiKey, FIDO2) provide the strongest protection
- Never share MFA codes with anyone, even if they claim to be from IT
Password Manager Usage
A password manager securely stores all your passwords behind one strong master password:
- Generate unique, complex passwords for every account
- Auto-fill credentials safely
- Share passwords securely with team members when necessary
- Audit for weak, reused, or compromised passwords
Module 3: Safe Internet and Email Practices
Duration: 20 minutes | Audience: All employees
Safe Browsing
- Look for HTTPS (lock icon) before entering any sensitive information
- Be cautious with downloads -- only download software from official sources
- Keep your browser updated to the latest version
- Do not install unknown browser extensions
- Be skeptical of pop-ups claiming your computer is infected
- Avoid using public Wi-Fi for sensitive work without a VPN
Email Security
- Verify unexpected requests through a different communication channel (call the person directly)
- Be cautious with email attachments, especially from unknown senders
- Use email encryption when sending sensitive data
- Check email forwarding rules periodically -- attackers often set up forwarding
- Report suspicious emails; do not just delete them
Social Media Safety
- Limit personal information shared publicly (job title, employer, location)
- Be cautious of connection requests from unknown individuals
- Do not discuss work projects, clients, or sensitive information on social media
- Attackers use social media to research targets for spear phishing
- Review your privacy settings regularly
Module 4: Physical Security
Duration: 15 minutes | Audience: All employees
Key Physical Security Practices
- Clean Desk Policy: Lock away sensitive documents when leaving your workspace
- Screen Lock: Lock your computer every time you step away (Windows: Win+L, Mac: Ctrl+Cmd+Q)
- Tailgating Prevention: Do not hold doors for unknown individuals; politely ask to see their badge
- Visitor Procedures: All visitors must sign in and be escorted
- Secure Printing: Use secure print features; collect printouts immediately
- Shredding: Cross-cut shred all sensitive documents before disposal
- Device Security: Never leave laptops, phones, or USB drives unattended
- Reporting: Report lost or stolen devices immediately -- within the hour
Module 5: Mobile Device Security
Duration: 15 minutes | Audience: All employees
Securing Your Mobile Devices
- Enable screen lock with PIN, biometric, or strong password
- Enable full-device encryption (enabled by default on modern iOS and Android)
- Keep the operating system and apps updated
- Only install apps from official app stores (App Store, Google Play)
- Enable remote wipe capability
- Use your organization's VPN when accessing work resources
- Do not jailbreak or root your device
- Be cautious with app permissions -- does a flashlight app really need access to your contacts?
- Disable Bluetooth and Wi-Fi when not in use
- Report lost or stolen devices immediately
Module 6: Data Handling and Classification
Duration: 20 minutes | Audience: All employees
Data Classification Levels
| Classification | Description | Handling Requirements |
|---|---|---|
| Public | Information intended for public consumption | No restrictions |
| Internal | General business information not for public release | Standard access controls |
| Confidential | Sensitive business information | Encryption, access controls, need-to-know |
| Restricted/Regulated | CUI, PHI, PII, PCI data | Encryption at rest and in transit, strict access controls, regulatory compliance, audit logging |
Data Handling Best Practices
- Know what you're handling -- Understand the classification of data you work with
- Encrypt sensitive data -- Use approved encryption for CUI, PHI, PII, and PCI data
- Minimize data -- Only collect, store, and transmit the minimum data necessary
- Secure transmission -- Use encrypted channels (TLS, SFTP, encrypted email) for sensitive data
- Proper disposal -- Securely delete digital files; cross-cut shred physical documents
- Access control -- Only share data with those who have a legitimate need
- Label and mark -- Apply appropriate markings (CUI banners, confidential labels)
- Report incidents -- If you discover data in the wrong place or accessed by the wrong person, report it
Module 7: Incident Reporting
Duration: 10 minutes | Audience: All employees
What to Report
Report ANY of the following to your IT security team immediately:
- Suspicious emails or messages (phishing attempts)
- Unusual system behavior (unexpected pop-ups, slow performance, files missing)
- Unauthorized access attempts (unknown login alerts)
- Lost or stolen devices (laptops, phones, USB drives, badges)
- Suspected malware or ransomware
- Physical security concerns (tailgating, unescorted visitors, open secure doors)
- Suspected policy violations
- Social engineering attempts (suspicious phone calls asking for information)
How to Report
- Contact IT Security: [Phone number / email / ticketing system]
- Use the phishing report button in your email client (if available)
- Call your manager if you cannot reach IT security
- For emergencies: Call [emergency contact number]
Important: No Blame Culture
- You will NOT be punished for reporting an incident, even if you caused it
- Speed matters -- the faster you report, the less damage occurs
- When in doubt, report it -- false alarms are better than missed incidents
- IT security is here to help, not to blame
Module 8: Remote Work Security
Duration: 20 minutes | Audience: Remote and hybrid employees
Securing Your Home Office
- Use your organization's VPN for all work activities
- Secure your home Wi-Fi: WPA3 (preferred) or WPA2 with a strong password
- Change your router's default admin credentials
- Keep your router firmware updated
- Position your screen so others cannot see it (shoulder surfing)
- Lock your workstation when stepping away, even at home
- Use a separate work profile or device if possible
- Do not allow family members to use your work device
Public Spaces
- Never access sensitive data on public Wi-Fi without a VPN
- Use a privacy screen filter on your laptop
- Be aware of shoulder surfing in coffee shops, airports, etc.
- Do not leave your device unattended
- Avoid taking phone calls about sensitive topics in public areas
- Do not print sensitive documents at public print stations
Knowledge Assessment Quiz
Use this quiz to assess employee understanding after training. Minimum passing score: 80%.
Quiz Questions
1. You receive an email from your CEO asking you to urgently purchase gift cards and send the codes. What should you do?
   - a) Purchase the gift cards since it's from the CEO
   - b) Reply to the email asking for confirmation
   - c) Contact the CEO through a different channel (phone or in-person) to verify the request
   - d) Forward the email to your colleagues for advice
Answer: c) Always verify unusual requests through an alternative communication channel. Do not reply to the email, as it may be compromised.
2. What is the most secure form of multi-factor authentication?
   - a) SMS text messages
   - b) Email verification codes
   - c) Hardware security key (FIDO2/YubiKey)
   - d) Security questions
Answer: c) Hardware security keys provide the strongest protection against phishing and account takeover.
3. You accidentally clicked a link in a suspicious email. What should you do first?
   - a) Delete the email and hope for the best
   - b) Shut down your computer
   - c) Report it to IT security immediately
   - d) Wait to see if anything happens
Answer: c) Report immediately. Speed is critical. There is no penalty for reporting.
4. Which of the following is the strongest password?
   - a) P@ssw0rd123!
   - b) CorrectHorseBatteryStaple
   - c) John1985
   - d) qwerty12345
Answer: b) Long passphrases are more secure and easier to remember than short complex passwords.
5. You find a USB drive in the parking lot. What should you do?
   - a) Plug it into your computer to find the owner
   - b) Give it to a colleague to check
   - c) Turn it in to IT security without plugging it in
   - d) Throw it away
Answer: c) Never plug in unknown USB devices. They may contain malware. Turn them in to IT security.
6. What should you do before leaving your desk, even for a few minutes?
   - a) Nothing, if you'll be right back
   - b) Close all applications
   - c) Lock your computer screen
   - d) Turn off your monitor
Answer: c) Always lock your screen (Win+L or Ctrl+Cmd+Q on Mac) to prevent unauthorized access.
7. Which of the following is NOT a sign of a phishing email?
   - a) Urgent language demanding immediate action
   - b) An email from a known contact about a scheduled meeting
   - c) A request to verify your account by clicking a link
   - d) An attachment you were not expecting
Answer: b) Expected emails from known contacts about scheduled topics are normal. However, always stay vigilant.
8. A caller identifies themselves as IT support and asks for your password to fix a problem. What should you do?
   - a) Give them your password so they can fix the issue quickly
   - b) Ask for their employee ID and then give the password
   - c) Hang up and contact IT through your organization's official channels
   - d) Give them a temporary password
Answer: c) Legitimate IT support will never ask for your password. Verify through official channels.
9. You need to send a file containing customer Social Security numbers to a colleague. What is the safest method?
   - a) Regular email attachment
   - b) Upload to a personal cloud storage and share the link
   - c) Use your organization's encrypted file sharing system
   - d) Print it and hand deliver it
Answer: c) Use approved, encrypted channels for sensitive data. Never use personal cloud storage for work data.
10. How often should you update your passwords?
   - a) Every 30 days
   - b) Only when a breach is suspected or confirmed
   - c) Every year
   - d) Never, if it's a strong password
Answer: b) Current NIST guidance recommends changing passwords when there is evidence of compromise, rather than on an arbitrary schedule, provided passwords are strong and unique.
Quick Reference Cards
Phishing Quick Reference
STOP - LOOK - REPORT
STOP before clicking any link or opening any attachment
LOOK at the sender address, URL, and content for red flags
REPORT suspicious emails to IT security immediately
Red Flags:
- Urgency or threats
- Unexpected attachments
- Suspicious sender address
- Requests for passwords or personal info
- Grammar/spelling errors
- Mismatched URLs (hover to check)
Password Quick Reference
DO:
- Use 14+ character passphrases
- Use a password manager
- Enable MFA everywhere
- Use unique passwords for every account
DON'T:
- Reuse passwords
- Share passwords
- Write passwords on sticky notes
- Use personal info in passwords
Training Program Implementation Guide
Recommended Training Schedule
| Event | Training Required | Topics |
|---|---|---|
| New hire (Day 1) | Full training (all modules) | All 8 modules + quiz |
| Monthly | Phishing simulation | Simulated phishing emails |
| Quarterly | Micro-training (5-10 min) | Rotating topic focus |
| Annually | Full refresher training | All modules + updated threats |
| After incident | Targeted training | Relevant to incident type |
Documentation Requirements
For compliance purposes, maintain records of:
- Training dates and topics covered
- Attendee lists with signatures or electronic acknowledgment
- Quiz scores and pass/fail status
- Phishing simulation results
- Remedial training for employees who fail assessments
Additional Resources
Official Sources
- CISA Cybersecurity Awareness -- Federal cybersecurity awareness resources
- NIST Phishing Guidance -- NIST guidance on phishing
- StaySafeOnline -- National Cybersecurity Alliance resources
Related Open-Source Resources
- CMMC Compliance Checklist -- Includes training requirements (3.2.x)
- Incident Response Plan Template -- What happens after an employee reports an incident
- HIPAA Security Risk Assessment Template -- Includes training safeguards
Professional Training Services
For organizations seeking a comprehensive, managed security awareness training program, Petronella Technology Group provides:
- Managed security awareness training platforms with automated delivery
- Phishing simulation campaigns with detailed reporting and metrics
- Customized training content for your industry and compliance requirements
- Dark web monitoring to detect compromised employee credentials
- Compliance reporting for CMMC, HIPAA, PCI DSS, and other frameworks
- Executive and board-level cybersecurity briefings
Visit petronellatech.com/solutions/security-awareness-training/ to learn more about our training programs.
Why Free Materials Aren't Enough for Compliance
These training materials are a solid starting point, but regulatory frameworks require more than content -- they require a documented, managed training program with:
- Completion tracking -- You must prove every employee completed training (auditors ask for records)
- Role-based customization -- Executives, IT staff, and general employees need different training (one-size-fits-all doesn't satisfy CMMC AT.2.056 or HIPAA 164.308(a)(5))
- Phishing simulations -- Reading about phishing isn't the same as recognizing it in your inbox
- Regular cadence -- Annual training is the minimum; quarterly reinforcement with current threat intelligence is the standard
- Assessment and remediation -- Employees who fail assessments need additional training, not just a passing grade
95% of cybersecurity breaches involve human error. A documented, managed training program is your highest-ROI security investment.
Need a Managed Training Program?
These materials teach the concepts. A managed program changes behavior.
Petronella Technology Group delivers turnkey security awareness training programs with built-in compliance reporting.
| Service | What You Get |
|---|---|
| Free Training Assessment | Evaluate your current program against compliance requirements |
| Managed Training Platform | Automated delivery, tracking, reporting, and compliance documentation |
| Phishing Simulations | Monthly simulated attacks with real-time coaching for employees who click |
| Custom Content | Training tailored to your industry, threats, and regulatory requirements |
Schedule a Free Training Assessment | Call (919) 422-8500
About
These cybersecurity awareness training materials are maintained by Petronella Technology Group, a cybersecurity and IT compliance firm headquartered in Raleigh, North Carolina. Founded in 2002, Petronella Technology Group has over 23 years of experience helping organizations build security-aware cultures and protect against cyber threats.
Other Security Resources
- CMMC Compliance Checklist
- HIPAA Security Risk Assessment Template
- NIST 800-171 Controls Matrix
- Incident Response Plan Template
These materials are provided for informational and educational purposes. Organizations should adapt them to their specific environment, policies, and compliance requirements.
Licensed under CC-BY-SA-4.0. Contributions welcome -- see CONTRIBUTING.md.