ISMS Mission 4 — Vulnerability Awareness
Technical controls protect against technical attacks. The vulnerabilities that actually compromise most organisations are human ones — a convincing email, an overshared document, a request that came from someone who sounded like IT. These can't be patched. They can be trained.
The Vulnerability That Sits Between the Firewall and the Chair
Information security investment concentrates on technical controls — firewalls, endpoint protection, intrusion detection, access management. These controls are necessary. They are also insufficient, for a reason that security teams understand and most employees do not: the attack surface that is hardest to defend is human behaviour.
Phishing attacks succeed not because the technology failed but because an employee made a decision — clicked a link, provided credentials, opened an attachment — that the attacker needed them to make. Social engineering works not because people are stupid but because it is designed to exploit the conditions under which people make fast, trusting decisions: time pressure, authority signals, familiar contexts.
The defence is not better firewalls. It is employees who recognise these techniques when they are being used, whose first response to urgency is scepticism rather than action, and who know exactly what to do when they think something has happened. This mission develops that capability.
What the Vulnerability Awareness Mission Covers
Phishing — recognition and response. What phishing attempts look like across the channels employees use — email, SMS (smishing), messaging platforms, and voice calls (vishing). The mission moves beyond the obvious indicators to the less obvious ones: convincing sender names, internal-seeming requests, legitimate-looking login pages.
Social engineering — how manipulation works. Social engineering uses psychological mechanisms — authority, urgency, familiarity, fear of consequences — to bypass rational decision-making. The mission explains how these mechanisms work and why they work, because understanding the technique is what makes employees resistant to it.
Insecure data sharing. Documents sent via personal email, sensitive files shared in collaboration platforms without access controls, screenshots of restricted information sent through messaging apps — the mission covers the specific practices that create these exposures and the habits that prevent them.
Weak access control practices. Accounts that retain access after a role change, devices left unlocked in shared spaces, screens visible in public locations, passwords noted in accessible locations. The mission develops the specific habits that close these gaps.
Reporting — turning awareness into organisational security. Recognising a threat is only valuable if it is reported. The mission covers what constitutes a reportable security incident, how to report it, and why prompt reporting matters.
Format and Delivery
The Vulnerability Awareness mission runs in the same immersive futuristic environment as the full ISMS programme — simulated attack scenarios with visible consequences for each choice.
Deploy standalone — often after a phishing incident — or as Mission 4 of the five-mission ISMS programme. Hosted online or custom SCORM for your LMS.
ISO 27001 and Human Vulnerability Management
ISO 27001 Annex A includes controls specifically addressing human factor vulnerabilities — covering awareness and training (A.6.3), information security event reporting (A.6.8), and controls against social engineering (A.8.23). ISO 27001 Clause 7.3 requires demonstrable awareness among all relevant personnel of the information security policy, their responsibilities, and the implications of non-conformance.
Human vulnerability — the attack surface created by employee decisions rather than technical weaknesses — is the area where training has the most direct impact on security outcomes.
FAQs
What is security vulnerability awareness training?
Security vulnerability awareness training teaches employees to recognise the human-factor vulnerabilities that attackers exploit — phishing emails, social engineering tactics, insecure data sharing practices, and weak access control habits. Unlike technical security training (which is for IT teams), vulnerability awareness training is designed for all employees, because the vulnerabilities it addresses are created by human decisions rather than technical failures. The goal is to develop the recognition and reporting behaviours that reduce the organisation's human attack surface.
What is the difference between phishing simulation and phishing awareness training?
Phishing simulation involves sending fake phishing emails to employees to test whether they click the link or report it — and is primarily a measurement tool. Phishing awareness training teaches employees to recognise phishing attempts and respond correctly, using scenario-based content rather than live tests. Both have a role: simulation measures current behaviour, training changes it. The most effective approaches use both — training to develop the capability, simulation to verify that it has transferred into real behaviour.
What social engineering techniques do employees need to be aware of?
The primary techniques employees encounter are: phishing (fraudulent emails designed to steal credentials or install malware), smishing (the same via SMS), vishing (voice calls impersonating IT support, senior colleagues, or vendors), pretexting (constructing a convincing false scenario to justify a request), and baiting (leaving infected USB drives or offering something of value to induce a security-compromising action). The common thread across all of these is the use of psychological triggers — urgency, authority, fear of consequences — to prevent the target from thinking carefully about the request. Awareness of the trigger is the primary defence.
Why do security awareness programmes fail to reduce phishing incidents?
Most security awareness programmes fail for the same reasons most compliance training fails: they test recall rather than developing behaviour. An employee who can identify a phishing email in a multiple-choice question may still click a convincing one in their inbox, because the knowledge has not transferred into reflex. Effective programmes use repeated scenario-based practice that puts employees in realistic situations rather than asking them to answer questions about situations. The repetition and the stakes of the scenario — even a simulated one — are what build the sceptical reflex that awareness alone does not.
How quickly can the Vulnerability Awareness mission be deployed following a security incident?
The hosted online version can be deployed within a working day of sign-off — employees receive an access link, complete the mission, and completion data is captured automatically. The SCORM version requires upload to your LMS following delivery of the branded package. Contact us to discuss timelines for incident-response deployment.