Role-based security awareness training is a customized approach to training that tailors the content and delivery of security awareness programs to the specific roles and responsibilities of individuals within an organization.

For example, your higher-level executives are more likely to be spear-phished, so your role-based training would include specialized spear-phishing training for each C-level. Then, your marketing team handles a lot of passwords, so you also have additional training for the marketing team focused on passwords.

But, the question is: Does role-based training work? And is it feasible for smaller businesses? In our twenty-third live Cyber Security Awareness Forum, I brought together a panel of cyber security experts to answer these questions. Meet the panel:

Michael Redman (MR) –  Michael is the Knowledge & Learning Management (KaLM) Lead Specialist for Shellman and full-time cyber security consultant for over a decade. 

"It’s been a “super-fantastic” experience to see people learning and talking about security threats."

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

Fletus Poston (FP) – A security champion, Fletus is a Senior Manager of Security Operations at CrashPlan®. CrashPlan® provides peace of mind through secure, scalable, straightforward endpoint data backup for any organization.

Tyler Sweaney (TS) – Tyler is a Cybersecurity Specialist Account Manager at Global CTI, a Management Service Provider that’s focused on servicing our customers in California.

Matthew Webber (MW)  – As a multi-time Chief Information Security Officer in a diverse list of organizations, Michael has been in the cyber security space for over 25 years. 

And I’m Scott Wright (SW), CEO of Click Armor, the Gamified Security Awareness Platform and Security Awareness Services Company. Now, let’s learn about online tracking threats and how you can protect yourself as an individual and your business.

Security Bites

Don’t have time to watch the whole panel? Get exactly what you need with these security bites:

Security Bite: I’m an executive

Security Bite: I’m a security awareness manager

Security Bite: I’m an individual

When should you implement role-based security training?

SW: If you’re in an area that is governed by a certain type of compliance training or compliance process, you are probably being required to have role based training in your organization. And if you’re not, then most often functional managers see some common risks within a particular group, like I.T, and need to train them on how to handle things properly.

Or there might be groups of people within an organization that have limitations on how they can be taught. So, if there are people who don’t have access to devices where you would normally take the training, you might have to do live training for these people and it might have to be role based in that sense.

How do you segment the roles for training?

FP: It’s straightforward until it’s not. For a smaller organization, you may have someone who’s a developer for part of the day, their assisting admin for the rest of the day, and then their backend for another part of the day. This gets very tricky when you have compliance based standards to align them with, so you have to align it based on the title that you give them. So what I’ve challenged organizations that I’ve worked with is to make sure that you’re giving a title or a role that you can audit. Then, look at which role has access to what and how they should be training. 

Also before you even begin, go interview your teams or customers. What are your pain points? What is your role? How can I help you to get training?

MW: It always depends on the organization and their needs. I usually have IT separate because they typically have additional requirements depending on the organization. I also take a look at the compliance framework and what level of security of information they are working with, who in the organization will be dealing with it, and how the organization wants it handled. In the end, it’s all about the business needs. 

How do you determine the performance and assessment criteria?

FP: Go back to compliance. They sign off or their manager signs off, then you can audit to see the percentage of people who have completed the training, then you give them a chance to apply it by letting them share their knowledge. Ask them to give you an example of what they’ve learned and how they applied it in real life then have them share a spotlight in a meeting or in a newsletter that you create. Now, you’re giving them attention and recognition, too. 

MW: You can figure out your assessment criteria then create a questionnaire. I’ve done this before electronically, but you could do it in person, too. There are also five minute trainings you can give once a month, then you can have a couple of questions you can ask quickly at the end to see if they are learning something. 

What should the training look like?

MR: With more complicated training like targeting networkers or targeting certain personnel groups like accounting or HR, I’ve always found instructor-led training is the best because it gives them an opportunity to ask their role-based questions to the instructors to get a better answer to something that you can’t really anticipate ahead of time and implement in any type of self-paced training.

MW: I agree. I’ve found that in situations where I’ve had to do training live, especially if you’re dealing with a small group of 20 or less, you sometimes get some really good insights from a cybersecurity perspective. You find some really surprising things that you didn’t think were actually happening. So, I find that there is value in sitting down, having some face time, and getting to know some people.

FP: Sometimes the training isn’t as obvious as you would think. For example, when you have your onboarding activity, you give the sales team certain things because they’re dealing with customer information or you give your IT team certain things because you know they have domain admin. If it’s your marketing team, they get certain tips and tricks factsheets that you can give them. It may not be auditable, there may not be a measure or a metric behind it, but they are receiving role based training because of their onboarding, their learning management system from their managers, from the HR. It doesn’t have to be formal for those under 50 to under 100 employees. 

As your organization gets larger, you can have instructional training, you can have a learning management system that you subscribe to your employees.


After hearing our panel’s thoughts, would your organization consider implementing role-based training? If yes, remember to follow the expert advice to start by defining the business needs, divide training by role titles, and always communicate with your team. To learn more about implementing role-based training watch the full panel here.

Click Armor is the first highly interactive security awareness platform, with engaging foundational courses and 3-minute weekly challenges that employees love. We offer content on everything from security basics, phishing and social engineering to passwords and privacy.

Even if your organization already has a solution, there’s a high likelihood that some employees are still not engaging and are exposing your systems and information to cyberthreats. Click Armor offers a special “remediation” package that complements existing solutions that don’t offer any relevant content for people who need a different method of awareness training.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.