Report Prepared Especially For:

Razan Essa
February 6, 2021
Welcome

Congratulations on becoming part of the KnowBe4 ASAP family. The following pages reflect your
individual survey responses and contain recommendations for specific training modules, videos and
supporting materials to help you catapult your training plans into a mature and multifaceted information
security awareness program.
A successful information security awareness program is essential to ensure your employees are
empowered with the knowledge they need to protect your organization. While employees are your most
important asset, they are at the same time your weakest link and your last line of defense. One of the best
ways to make sure your employees will not make costly errors regarding information security is to institute
company-wide security awareness training initiatives.
Effective security awareness and training programs are multifaceted. For example, an effective
program will include:
- Deployment of learning modules that cover topics critical to the organization, related to behavior, policy, or compliance expectations
- Simulated phishing and social engineering attacks so that employees are conditioned to look for red flags in any communication they receive
- Additional supportive messaging, information delivery methods, communication channels, and interactive activities so that your organization has the best chance to effectively develop a sustainable security mindset within each employee, job role, division, and region
- Knowledge and skills that are relevant and transferable to an employee's personal life and overall security hygiene
Your ASAP program covers these requirements and also accounts for the uniqueness of your
organization based on your provided answers. The tasks that follow should serve as a guide towards the
implementation of a successful security awareness program. KnowBe4 is determined to help you achieve
your goal of strengthening your human firewall with your customized program.

Task List

TASK DESCRIPTION DUE DATE

1. Engage your stakeholders February 9, 2021


In order to ensure that your company gets the most value out of any program, it is crucial to
have buy-in from your stakeholders. The below link will provide a sample email template you
can use for this purpose within your organization.
We recommend sending this email out to any stakeholders (C-level employees, Director of IT,
etc.) before the company-wide baseline phishing assessment. This will ensure that any
questions your stakeholders have about the program can be addressed. It will also prepare
your stakeholders with the information they need to answer any employee questions that occur
once the baseline assessment is administered.
To view the sample email, see the below article:
-How can I engage my stakeholders in my security awareness training program?
We have also listed below some additional resources which may be helpful for you to establish
a company security policy and gain support for your KnowBe4 security awareness program.
Establish your security policy:
-Customizable security awareness policy template
Gain support:
-Forrester: The total economic impact of KnowBe4

2. Customize your KnowBe4 console February 10, 2021


We recommend customizing your console to display your company logo as well as set your
default time zone, business days, and hours. You will also want to take this time to set up a
group for your high-risk users (for example, "Clickers" or "Phish-prone Users").
Adding your company logo will provide a “familiar face” to your users upon logging into the
security training for the first time, while setting your default time zone, business days, and
hours will help when setting up your phishing campaign, to ensure users only receive phishing
tests when you want them to.
You can add your company logo as well as change your default business days and hours in your
Account Settings. For more details, see the below articles:
-How do I add my company's logo to the console?
-How do I set up my account's time zone, business days, and hours?
You'll also want to set up a group for your high-risk users (for example, "Clickers" or "Phish-prone Users"). This group can be used for targeted phishing campaigns or remedial training campaigns in the future. See the below article:
-How do I create a new group?

3. Whitelist the KnowBe4 mail servers February 12, 2021


Because you will be sending simulated phishing emails and/or training notifications to your
users as part of using our product, you will need to whitelist our servers to allow these emails
through.
Whitelisting steps may vary depending on the setup of your mail server and on whether you have any mail hygiene services in place (spam filter, firewall, link intent analysis). Information about whitelisting can be found on the below link:
-Whitelisting guide
Need assistance or guidance with whitelisting? Contact our Support Team.
After you whitelist, we strongly recommend setting up a test phishing campaign to go to a test

group which includes only yourself and a few other colleagues. Once your test makes it through
to everyone, you’ll know you’ve whitelisted successfully. Be sure to have one or two of your
colleagues “fail” your phishing test to check out the Phishing area’s reporting features as well.

4. Import your users February 15, 2021


You will need to import your users' email addresses in order to set up phishing or training campaigns. You will also want to consider how you would like to group your users (for instance, by department, location, or otherwise) for the purposes of conducting targeted phishing or training campaigns in the future.
Users can be imported a few different ways. Our Quick Import box allows you to type or paste
in user email addresses. Alternatively, you can import a CSV of your active users. If you're using
Active Directory, we strongly recommend installing our Active Directory Integration (ADI) tool to
add users and maintain your user list.
For more information about each of the methods mentioned above, see the below article:
-Adding users and groups
We also have a video that demonstrates how to add users, available on the link below:
-Adding users (Video)
At this time, you'll also want to consider what additional information you'd like to import about
your users so you can utilize our placeholders. Placeholders allow you to customize phishing
templates and landing pages with user and company-specific information. This can be useful to
make phishing tests more difficult and targeted.
User information can be added in three ways. You can include it as part of your CSV import, import it automatically through Active Directory Integration, or manually add it to each user's profile.
To learn what placeholders are available, see the below article:
-How to use placeholders

5. Create and complete a baseline phishing campaign February 19, 2021


This will show your organization’s initial phish-prone percentage. Consider it your starting point.
This number will allow you to see your progress over time and help measure your success using
our integrated training and phishing platform. We strongly recommend conducting this test
without warning your users.
The below article will guide you through setting up this test so you have the best possible
results:
-Recommendations for the most effective baseline phishing test
When you're ready, you can follow the below link to set up your baseline phishing campaign:
-Create your phishing campaign

6. Review the results of your phishing test February 23, 2021


After your phishing tests, you'll want to see who your phish-prone users are. When you have the
knowledge of who is vulnerable to a phishing or social engineering attack, you can take action
to remediate it.
To view individual phishing campaign details, click the title of any phishing campaign beneath
the Campaigns tab under Phishing to view details. See the below article for details about these
results:
-Monitoring and reviewing individual phishing campaigns
You can also check in and obtain reports about your overall phishing results by clicking on the Reports tab under Phishing. Options for comparing and filtering results are described in the below article:

-Phishing results

7. Communicate the Security Awareness Program with your employees February 24, 2021
After the baseline test, your employees who received the simulated phishing email may be confused. Those who clicked the phishing link may worry that they will face repercussions. We recommend that once the duration of your baseline test phishing campaign is complete, you communicate with them that a test was conducted and explain why. As an option, you can even share your company's overall phish-prone percentage.
The message should convey the importance of everyone completing security awareness
training. Letting your users in on the potential threat to the organization or to themselves may
increase their participation level once you enroll them in training. We’ve provided a template in
the below link that you can send to all of your users after the baseline test is complete:
-My baseline test is finished. What do I tell my users now?
You can also provide the below link to your users, which is a short video explaining what their
training experience will look like:
-Getting started with KnowBe4 training

8. Assess your users' security awareness February 25, 2021


Before you enroll your users in Security Awareness training, it's important to establish their
current security awareness to see how it improves over time. Assign your users the Security
Awareness Proficiency Assessment (SAPA) to test their knowledge of seven different knowledge
areas. We recommend you assign the SAPA after your first phishing test but before your first
training campaign. Continue to assign your users the SAPA on a yearly basis to see how your
strengths and weaknesses change.
To learn how to use assessments, see the below article:
-How to Use Assessments
To learn more about the Security Awareness Proficiency Assessment (SAPA), see the below
article:
-What is the Security Awareness Proficiency Assessment (SAPA)?

9. Establish a procedure for users to report suspected phishing emails March 2, 2021
KnowBe4’s Phish Alert Button (PAB) lets your end users report suspicious emails with just one
click. It is an add-in to your mail client or server that can be used to streamline the process of
what your employees should do when they receive a potential phishing email. Your users can
click the PAB if they suspect that they have received a suspicious email, whether the email is a
simulated phishing test or a real phishing attack.
Reported emails which are not simulated tests will be forwarded to your incident response
team or help desk, allowing you to see real-life phishing attacks that are making it to your end
users.
Your users can also receive fully customizable feedback from you. For instance, if they report a
potential phishing email and it turns out to be a simulated phishing test, you can congratulate
them for reporting the email and let them know it was not a real phishing attack.
The PAB is compatible with Outlook, Outlook Web Access, Office 365, GSuite (Chrome
Extension), and the Outlook Mobile App (for iOS and Android). Our Compatibility Matrix can
help you decide if the PAB is compatible with your environment.
For full installation details, see the below link:
-Phish Alert Button Installation Guide
You'll want to inform your users about this new tool and explain why and how it should be
used. See the below link for more information:
-How can I inform my users about the Phish Alert Button?

10. Develop a threat response and management process for reported phishing emails March 5, 2021
Regardless of whether your employees have gone through security awareness training and
simulated phishing tests, processes should be in place for reporting suspicious or malicious
emails. How does your Incident Response team manage these reported emails?
PhishER helps you quickly identify and respond to the most dangerous email threats. Use this Security Orchestration, Automation, and Response (SOAR) platform to manage all of the emails your users report, and to automatically disposition reported emails so you can prioritize and respond quickly to real-life phishing attacks.
When using PhishER as a detective security control, your organization can identify potential
threats and strengthen your security measures and defense-in-depth plan.
Use the link below to see frequently asked PhishER questions:
-PhishER Frequently Asked Questions
See our full PhishER Product Manual here:
-PhishER Product Manual
Contact your Account Representative or Customer Success Manager if you’re interested in
learning more about PhishER, or see here to request a demo.

11. Review and select a fundamental training module March 8, 2021


For your fundamental training module, you'll want to choose a comprehensive course which will
cover multiple aspects of cyber security, including phishing, social engineering, ransomware,
and more.
Preview these suggested courses to see what will work best for your organization. You can also
browse the ModStore to check out what other courses are available.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Library. This is done by clicking on the "Add to Library" button within the
ModStore. Further information about that process is available at the below link:
-How do I add content to my Library?

12. Create a training campaign for your fundamental training module March 8, 2021
The below article will advise you on the settings you should choose when setting up your first Training Campaign. First, review its recommendations, which cover enrolling employees in training:
-Enrolling your employees in security awareness training
If you'd like more guidance, we offer short videos explaining the various features of training
campaigns. You can access those videos below:
-Setting up a training campaign
-Monitoring training campaigns
-See more tutorial videos
When you're ready, create your training campaign by clicking the below link:
-Set up your training campaign
Hint: You may also want to consider adding a security policy to your training modules which
your users will have to read and accept as part of completing training. You can also optionally
provide this link to your users, which is a short video explaining what their training experience
will look like.

13. Review and select a remedial training module for phishing test failures March 9, 2021
Remedial training allows you to target your high-risk users or "clickers" with additional security
training. High-risk users could be those employees that have clicked a link, opened an
attachment, or carried out other potentially dangerous behavior on a phishing test. Below is an
article explaining this further:
-Remedial training
We've suggested remedial training courses for you below. When choosing remedial courses for
your high-risk users, consider shorter-length courses which go into detail about the specific
action you're trying to address with remediation.
Select a course for your phish-prone users below. You can see additional training modules and
interactive games in our ModStore.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Store Purchases. This is done by clicking on the "Add to Account" button within
the ModStore. Further information about that process is available at the below link:
-How do I add content to my Store Purchases?
See below link for additional tips on handling your phish-prone users:
-How to handle your clickers
Platinum and Diamond-level customers can also use our Smart Groups feature to create
dynamic groups of users based on specific criteria, such as clicking a link or opening an
attachment. These groups can be targeted with phishing or training campaigns. Learn more
about Smart Groups on the below link.
-Smart Groups

14. Create a training campaign for phishing test "clickers" March 9, 2021
People who fail a phishing test should be enrolled in a remedial training campaign so they can
learn to "think before they click" on a phishing test in the future. Create a campaign using the
remedial training module you selected in the previous task by following the steps in the below
article:
-How to set up remedial training
Below is a video which will walk you through the steps you'll need to take when setting up a
remedial training campaign:
-Remedial training campaigns (Video)
When you're ready, use the below link to create your remedial training campaign:
-Create your remedial training campaign

15. Create a monthly phishing campaign March 10, 2021


As part of your questionnaire, you elected to phish your users monthly. This will be a great way
to keep your users on guard and ready to analyze emails they receive with greater caution.
Setting up this campaign to start after your initial training campaign will also help your users
practice the skills they learned as part of training.
Our recommendations for setting up your ongoing phishing campaign are below, along with a
video which will go into detail about the various options you have when creating your
campaign:
-How to set up an ongoing phishing campaign
-Setting up a phishing campaign (Video)
After reviewing the resources above, click the below link to set up your campaign:
-Set up your monthly phishing campaign
If you'd like to do remedial training on your phish-prone users, remember to "add clickers" to
your Clickers group!

Note: As a best practice, we recommend phishing your users at least bi-weekly, so you may
want to consider adding an additional monthly test to go to your high-risk employees, such as
Executives, Accounting, or IT/Help Desk.

16. Create, upload, and distribute policies March 11, 2021


You may have one or more policies that your users must agree to when they join your
organization, or on an annual basis for compliance purposes.
You can upload these policies (in a PDF or URL format) to your console beneath the Policies tab
and then deploy them to your users as part of a training campaign. Your users will be required
to acknowledge or agree to these policies and their acceptance will be recorded. If you'd like,
you can include other training content in the training campaign as well.
When you're ready to distribute a policy to your users, use the below link to set up your
campaign:
-Set up your training campaign here
More information about how to manage policies can be found below:
-How to create and manage policies

17. Review and select quarterly training modules March 11, 2021
When selecting quarterly training modules, you'll want to choose those that will refresh a user's
memory and bolster the skills they learned in previous training. You'll also want to consider
introducing fresh content regularly to keep your users interested and engaged.
Preview the courses we've suggested below to see what you'd like to use. You can also browse
the ModStore to check out what other courses we have available.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Library. This is done by clicking on the "Add to Library" button within the
ModStore. Further information about that process is available at the below link:
-How do I add content to my Library?

18. Create training campaigns for your quarterly training modules March 15, 2021
After selecting what modules you'd like to introduce quarterly, you can set up training
campaigns in advance. When you're ready, use the below link to set up your campaign:
-Set up your training campaign here
Hint: You can clone your first quarterly training campaign to quickly create the rest once you
have your settings the way you'd like them. Be sure to select the correct training module and
start date for your additional campaigns after cloning them. See the below article:
-How to clone a training campaign
If you'd like more guidance, we offer short videos explaining the various features of training
campaigns. You can access those videos below:
-Setting up a training campaign
-Monitoring training campaigns
-See more tutorial videos

19. Set up Scam of the Week campaign March 16, 2021


If you'd like to keep your users informed of the newest phishing and social engineering scams,
be sure to set up a weekly Scam of the Week newsletter using your phishing platform. The Scam
of the Week template category will be updated each week with the latest tips for your users to
prevent a cyber attack on your organization.
To view recommended settings for setting up your Scam of the Week newsletter, view the below
article:

-How to set up a Scam of the Week campaign
When ready, use the below link to create your campaign:
-Create your Scam of the Week campaign
You may want to hide this campaign from your overall phishing reports. To learn how, click the
below link:
-How to Hide a Campaign From Reports

20. Determine your security culture March 17, 2021


In order to ensure your security awareness training is as effective as it should be, you should establish a strong security culture. Security culture is defined as the ideas, customs, and social behaviors that impact the security of your organization. The Security Culture Survey breaks down your organization's security culture into seven different dimensions. Use this survey to see which dimensions can be made stronger and how your security culture changes over time. Continue to survey your users once a year to see how your security culture score changes.
To learn how to use assessments, see the article below:
-How to Use Assessments
To learn more about the Security Culture Survey, see the article below:
-What is the Security Culture Survey (SCS)?

21. Review and select the appropriate role-based training modules March 18, 2021
Based on your questionnaire, we've suggested role-based training modules for you to enroll
your users in below.
Select all that apply for your organization. You can view all of our available content in the
ModStore.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Library. This is done by clicking on the "Add to Library" button within the
ModStore. Further information about that process is available at the below link:
-How do I add content to my Library?

22. Create training campaigns for your role-based training modules March 18, 2021
Once you've selected which role-based module(s) you'll need to train users with, you'll want to make sure you've added users to specific groups that you can target for role-based training. Creating groups allows you to target subsets of your users in the console. If you need to do ongoing role-based training for only certain users, it will be worthwhile for you to take the time to create and group users into specific "role-based training" groups now. See the below article:
-How do I create a new group?
Once you've grouped your users into their individual role-based groups, you can set up training
campaigns in advance. When you're ready, use the below link:
-Set up your role-based training campaigns
Hint: You can clone your first role-based training campaign to quickly create the rest once you
have your settings the way you'd like them. Be sure to select the correct training module, role-
based user group, and start date for your additional campaigns after cloning them. See the
below article:
-How to clone a training campaign
If you'd like more guidance, we offer short videos explaining the various features of training
campaigns. You can access those videos below:
-Setting up a training campaign
-Monitoring training campaigns
-See more tutorial videos

23. Set up Security Hints and Tips campaign March 19, 2021
To reinforce basic security hints, tips, and tricks to your users, you can set up a monthly Security
Hints and Tips campaign. Security Hints and Tips contain general security tips that would be
useful for any employee to review. However, we also have specialized Security Hints and Tips
focusing on PCI and HIPAA compliance.
To learn how to set up this campaign, review the below article:
-How to set up a Security Hints and Tips campaign
When you're ready, set up your recurring Security Hints and Tips campaign by clicking the below
link:
-Create your Security Hints and Tips campaign
Hint: We recommend scheduling this campaign to begin after your initial security awareness
training campaign has been completed. You may also want to hide this campaign from your
overall phishing reports. To learn how, click the below link:
-How to hide a campaign from reports

24. Enable users to think twice about clicking on potentially dangerous links March 24, 2021
KnowBe4’s Second Chance security tool enables your users to make smarter cybersecurity
decisions by allowing them to back out of clicking a suspicious link in an email or email
attachment.
Second Chance inspects the links that your users click from their inboxes, and before navigating
to a potentially dangerous website, users are prompted to either “continue” or “abort” their
action. Aborting the action could provide your users with a “second chance” to avoid scenarios
such as malware infections or loss of sensitive data to a malicious website.
Second Chance also lets you decide what URLs are "safe" to visit in your organization; these URLs will not trigger a prompt window to appear.
To learn if Second Chance is compatible with your email environment and for full product
details, see the below link:
-Second Chance Installation and Product Manual
You’ll want to introduce this tool to your users and explain how it should be used. See the below
link:
-How can I inform my users about Second Chance?

25. Check in on the effectiveness of your program March 25, 2021


Although your program can be set up to run virtually automatically after setting up your various
campaigns, you'll want to check in with your results periodically to ensure that your plan is
working for you.
See the below resources we've provided for additional insight:
-Monitoring and reviewing phishing reports
-Monitoring phishing campaigns (Video)
-Training reports
-Monitoring training campaigns (Video)
If your plan isn't helping you reach your security awareness goals, contact your Customer
Success Manager. They are available to make sure you have all of your needs met and to
provide insight on best practices. If you are experiencing any technical issues, our Support team
is one of the best you'll encounter. You can submit a ticket any time you need.
We are here to help you succeed with your security awareness program. We are determined to
partner with you to help you empower your users to make informed security decisions.

26. Relay improvements in user behavior to your organization’s leadership March 26, 2021
As you’re building your security awareness culture, you may notice your users taking a more
active role in helping to keep your organization safe from cyber attacks. They may start to
report potential phishing emails, comment on how much they enjoyed their training
assignment, or communicate with their colleagues about proper security practices. When you
notice these improvements in user behavior, you’ll want to share that information with your
stakeholders or Executive team.
Your combined efforts of simulated phishing and security awareness training, if following
KnowBe4 best practices, should lower your organization’s Phish-prone Percentage and risk
score over time. You can navigate to the Reports tab in your console to find reports which
display these improvements, which you can then share with your stakeholders.
See the below resources for more information:
-Advanced Reporting Guide
-Virtual Risk Officer (VRO) Guide

27. Customize high-difficulty phishing campaign for low Phish-prone users March 29, 2021
It is important to craft high-difficulty phishing campaigns for your low Phish-prone users. Attackers often use highly sophisticated, realistic phishing emails to trick their victims. Consider using phishing templates with a 4-5 star difficulty rating in these campaigns, or craft a custom template to spear-phish these users.
See the below resources we've provided for additional insight:
-Customizing Emails and Landing Pages
-Customization of Phishing Templates and Landing Pages (Video)
Using Smart Groups (for Platinum and Diamond subscriptions), you can automate tiered
phishing campaigns for users based on their past performance with phishing tests.
-Automated Remedial Training and Tiered Phishing with Smart Groups

28. Identify high-risk groups so you can take action March 30, 2021
We recommend identifying the users and groups who are at a higher risk of receiving a phishing
email, so you can enroll them in additional, role-specific training.
Users who may receive more phishing attempts include, but are not limited to, your Executive,
Accounting/Payroll, and IT/Help Desk teams.
You can also review your user and group risk scores to find high-risk users and groups.
See more here:
-Advanced Reporting Guide
-Virtual Risk Officer (VRO) Guide

29. Use targeted training to initiate a training campaign for high-risk groups March 31, 2021
We recommend additional, role-specific training for the users who are at a higher risk of
receiving a phishing email due to the nature of their job role. Users who may receive more
phishing attempts include, but are not limited to, your Executive, Accounting/Payroll, and
IT/Help Desk teams.
You can use the Targeted Training filters when browsing the ModStore to find the content best
fit for training your high-risk employees.
See the below link to learn more:
-Finding Industry-Specific or Role-Based Training

Questionnaire

1. How many of your users are going to be a part of this program?
- 501-1000

2. Which sectors best describe your company?
- Healthcare & Pharmaceuticals

3. How would you rate the maturity of your current program?
- Low maturity

4. What level of maturity would you like to attain over the next 12 - 18 months?
- Average maturity

5. What would you like to have as the primary focus of your program?
- Security awareness delivery

6. What is your organization's tolerance for mandatory interactive training frequency?
- Quarterly

7. What delivery channels do you want to include?
- Interactive training modules

8. What style(s) of training are you interested in?
- Serious

9. What type of content fits your culture best?
- Text-based

10. What primary languages and cultures do you need to support?
- English - American
- English - British

11. What roles does your organization need specific training for?
- General IT Staff
- Administrators
- Typical office employee

12. How often would you like to train your users with simulated phishing emails?
- Monthly

13. Would you like to test your users with other attack vectors besides phishing?
- Artificial Intelligence Driven Agent (AIDA)