end-user training: A group of professionals engaged in an information security (infosec) training session

Enhance your infosec through end-user training

Your organization’s security is only as strong as its weakest link: your end-users. Therefore, it is imperative to prioritize end-user training at the organization level.
A striking example of the consequences of overlooking employee training emerged in May 2022 when Yahoo’s senior research scientist, Qian Sang, gained unauthorized access to confidential information related to Yahoo’s AdLearn product. Sang managed to pilfer a staggering 570,000 files, including source code, backend architecture details, secret algorithms, and valuable intellectual property. Shockingly, he downloaded this sensitive data to his personal storage devices shortly after receiving a job offer from one of Yahoo’s competitors.

In response to this breach, Yahoo promptly filed three charges against Sang, one of which pertained to intellectual property data theft. They argued that Sang’s actions had not only exposed the company’s trade secrets but also provided rival companies with a substantial advantage in the market. This case serves as a stark reminder of the critical importance of end-user training in safeguarding an organization’s sensitive information.

What is end-user training?

End-user training in cybersecurity refers to the process of educating employees to raise their awareness and provide them with the essential knowledge and skills needed to safeguard both themselves and the company’s data against potential threats or breaches. This education equips individuals with the means to protect sensitive information better and prevent security incidents. Here is a link to our security awareness training quiz. You can partner with us to support your cybersecurity learning program.

What should be included in infosec training?

Effective training programs should cover a wide range of topics to ensure that employees understand the principles of information security and can apply them in their day-to-day activities.

What should be included in infosec training?

Effective training programs should cover a wide range of topics to ensure that employees understand the principles of information security and can apply them in their day-to-day activities. 

Here are some key elements that should be included in information security training:

Introduction to information security(infosec)

  • Define what information security is and why it’s important.
  • Explain the potential consequences of security breaches.

Security policies and procedures

  • Provide an overview of the organization’s security policies and procedures.
  • Explain how employees should handle sensitive information.

Password management

  • Teach employees how to create strong passwords.
  • Emphasize the importance of not sharing passwords.

Phishing awareness

  • Train employees to recognize phishing emails and other social engineering attacks.
  • Explain what to do if they suspect a phishing attempt.

Data classification

  • Educate employees about the importance of classifying data.
  • Describe how different types of data should be handled and protected.

Access control

  • Explain the concept of access control and the principle of least privilege.
  • Teach employees how to secure their accounts and devices.

Malware awareness

  • Discuss common types of malware (viruses, ransomware, etc.).
  • Teach employees how to avoid malware and what to do if their system is infected.

Physical security

  • Address physical security measures such as securing laptops, access badges, and visitor policies.

Incident response

  • Describe the steps to take in the event of a security incident.
  • Explain the importance of reporting incidents promptly.

Mobile device security

  • Teach employees how to secure their mobile devices (phones, tablets) and apps.
  • Discuss the risks associated with mobile devices.

Secure communication

  • Explain how to use encryption for secure communication.
  • Address secure email practices.

Data privacy

  • Educate employees about data privacy regulations (e.g., GDPR, HIPAA).
  • Describe the organization’s data handling practices in compliance with these regulations.

Social media and online safety

  • Provide guidelines for safe use of social media in a professional context.
  • Address the risks of oversharing personal information online.

Security best practices

  • Cover general security best practices, such as keeping software up to date and being cautious with downloads and links.

Security awareness exercises

  • Conduct simulated phishing exercises and other security awareness tests to reinforce training.

Compliance training

  • If applicable, provide training on industry-specific regulations and compliance requirements.

Reporting procedures

  • Clearly explain the process for reporting security concerns or incidents within the organization.

Regular updates

  • Stress the importance of staying informed about evolving security threats and best practices.

Remember that effective information security training should be ongoing, with periodic updates to reflect changing threats and technologies. It should also be tailored to the specific needs and risks of your organization.


How do you train end-users(employees) for information security(infosec).

How do you train your employees for information security?  Education is the first step. However, to create a lasting change in employee behavior, the training must be more than a single annual event. Studies show that frequent, granular training opportunities designed to address specific behaviors and practices are the most effective. Every employee should be included in the training, senior leadership, supervisors, and IT professionals. You can’t change what you don’t know you are doing wrong, or could be doing better.

Changing behavior takes time and effort….consistent effort. Finding ways to keep the cyber security conversation going is the key to success. One way to keep the conversation going is to have regular sessions using a variety of formats like a Lunch & Learn, exercises for team meetings, screen savers, etc. Find ways to help employees recognize dangerous situations and potential attacks so that they can be avoided

The reality is that we will all make mistakes at some point – click on a link we didn’t check, give an “IT professional” our credentials, etc. That means there also needs to be a way for employees to report not only a suspected attack but also when a mistake is made. Even false alarms could be a good indicator…that changes need to be made to your training program.



The security of your organization’s information assets is paramount in today’s digital age. As we’ve seen in recent examples, the weakest link in your security chain can have profound consequences. It’s clear that prioritizing end-user training and staying vigilant against potential threats is not an option but a necessity.

At Kalles Group, we understand the unique security challenges faced by small to midsize businesses, and we are committed to helping you navigate this complex landscape. We believe in proactive approaches to cybersecurity, and we invite you to join us in a discussion on what security topics should matter most to your organization.

Mark your calendars for our upcoming virtual presentation led by Kalles Group Practice Manager – Cyber Programs, Glen Willis, on Wednesday, September 20th, via Zoom. This is an opportunity to delve deeper into the strategies and solutions that can safeguard your business’s future. Let’s work together to accomplish what your unique organization needs in terms of information security. Join us in this important conversation, and let’s strengthen our collective defense against cyber threats. Your organization’s security is our priority, and we look forward to collaborating with you for a more secure digital future.