Security Awareness Lessons - Quick Reference
A quick reference guide for instructors and administrators using the learning platform.
Available Lessons Overview
| Lesson | Difficulty | Duration | Topics | Interactive |
|---|---|---|---|---|
| Phishing Email Detection | Beginner | 15 min | Email security, social engineering | No |
| SQL Injection Shop Demo | Intermediate | 20 min | Web security, OWASP Top 10 | Yes |
| Browser-in-the-Browser | Advanced | 25 min | Advanced phishing, OAuth | Yes |
Phishing Email Detection Basics
Quick Facts
- Best for: All employees, security awareness foundation
- Prerequisites: None
- Key Takeaway: How to identify and report phishing emails
What Students Learn
- Common phishing indicators (suspicious domains, urgent language)
- Email analysis techniques (hover over links, check headers)
- Organizational reporting procedures
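Two of the indicators listed above, "hover over links" (does the visible URL match the real target?) and "check headers" (do Return-Path and Reply-To belong to the sender's domain?), can be automated. The following Python is an added example for instructors, not code from the lesson or the platform: it runs those checks over a constructed sample message whose sender, relay and link domains are all made up. The `registrable()` helper keeps only the last two labels of a host name, which is a simplification; a production tool would use the public suffix list.

```python
"""Added example (not part of the training platform): automate the
'hover over links' and 'check headers' indicators from the phishing lesson
on a constructed sample email."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every domain below is invented for this example.
SAMPLE_EMAIL = """\
From: IT Support <support@example-corp.com>
Return-Path: <bounce@mail-relay-xyz.example.net>
Reply-To: helpdesk@example-corp-login.example.org
Subject: URGENT: your password expires in 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be locked. <a href="http://example-corp-login.example.org/reset">https://portal.example-corp.com/reset</a></p>
<p>Questions? <a href="https://portal.example-corp.com/help">Help center</a></p>
</body></html>
"""

URGENT_WORDS = re.compile(r"\b(urgent|immediately|within 24 hours|locked|suspended)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'organization' part of a host: its last two labels.
    Simplification for the example; real tooling uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _domain_of(addr):
    return registrable(addr.rsplit("@", 1)[-1]) if addr else ""


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # Header check: routing/reply addresses should belong to the From domain.
    from_dom = _domain_of(parseaddr(msg.get("From", ""))[1])
    for hdr in ("Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if addr and _domain_of(addr) != from_dom:
            findings.append(f"{hdr} domain differs from From domain ({addr})")

    # Urgent language in the subject is one of the lesson's red flags.
    if URGENT_WORDS.search(msg.get("Subject", "")):
        findings.append("urgent language in Subject")

    # Link check: when the visible text is itself a URL, its domain must match the href.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if "://" not in text:
            continue  # plain words as link text: nothing to compare
        shown_dom = registrable(urlparse(text).hostname or "")
        real_dom = registrable(urlparse(href).hostname or "")
        if shown_dom != real_dom:
            findings.append(f"link text shows {text} but points to {href}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Running the block prints four findings for the sample: two header mismatches, the urgent subject, and the link whose visible URL differs from its target. A clean message yields an empty list.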
Question Breakdown
- Q1 (50 pts): Identify phishing red flags (multiple choice)
- Q2 (25 pts): Safe email practices (single choice)
- Q3 (25 pts): Explain reporting procedures (free text)
Teaching Tips
- Use real examples from your organization
- Emphasize cost of successful attacks
- Make reporting easy and encouraged
- Follow up with participants who fail
Follow-Up Activities
- Conduct simulated phishing exercises
- Share recent phishing attempts with team
- Review organizational policies
SQL Injection Attack - Online Shop Demo
Quick Facts
- Best for: Developers, QA engineers, technical staff
- Prerequisites: Basic understanding of databases and web applications
- Key Takeaway: SQL injection is preventable with parameterized queries
What Students Learn
- How SQL injection vulnerabilities work
- Types of SQL injection (OR, UNION, destructive)
- Impact of successful attacks (data theft, deletion)
- Defense mechanisms (parameterized queries, input validation)
Interactive Component: Fake Shop
Students can:
- Search products normally
- Execute SQL injection attacks safely
- See real-time query visualization
- Compare vulnerable vs secure queries
Attack Examples Demonstrated:
- `' OR '1'='1` - View all products
- `' UNION SELECT ...` - Extract user credentials
- `'; DROP TABLE ...` - Destructive attack
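The "vulnerable vs secure queries" comparison the shop demo visualizes can be reproduced in a few lines. The Python below is an added example, not the demo's own shop code: it builds a constructed in-memory SQLite product table, runs the same search once with string concatenation and once with a bound parameter, and shows that the `' OR '1'='1` payload from the list above returns every product through the first path and nothing through the second. Table and product names are invented for the example.

```python
"""Added example (not the lesson's shop code): the same product search written
two ways, run against a constructed in-memory SQLite database."""
import sqlite3


def make_shop_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products (name, price) VALUES
            ('Laptop', 999.0), ('Mouse', 19.5), ('Keyboard', 49.0);
    """)
    return conn


def search_vulnerable(conn, term):
    # The search term is pasted into the SQL text, so quotes in the input
    # change the structure of the query itself.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The query text is fixed; the driver sends the value separately, so the
    # input can only ever be compared as data, never parsed as SQL.
    sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Return (vulnerable result, parameterized result) for one search term."""
    conn = make_shop_db()
    return search_vulnerable(conn, term), search_parameterized(conn, term)


if __name__ == "__main__":
    for term in ("key", "' OR '1'='1"):
        vulnerable, safe = compare(term)
        print(f"{term!r:16} concatenated -> {vulnerable}")
        print(f"{'':16} parameterized -> {safe}")
```

For the normal term `key` both functions return `['Keyboard']`. For the payload, the concatenated query becomes `... WHERE name LIKE '%' OR '1'='1%' ...`, and `LIKE '%'` matches every row; the parameterized query looks for a product literally named like `%' OR '1'='1%` and finds none. This is the point behind "emphasize parameterized queries over filtering": the fix removes the parsing problem instead of trying to enumerate bad characters.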
Question Breakdown
- Q1 (40 pts): Identify SQL injection payloads (multiple choice)
- Q2 (30 pts): Best prevention method (single choice)
- Q3 (30 pts): Explain parameterized queries (free text)
Teaching Tips
- Let students experiment with injections
- Emphasize parameterized queries over filtering
- Show real breach examples (British Airways, etc.)
- Discuss OWASP Top 10 context
- Connect to secure coding standards
Follow-Up Activities
- Code review session for SQL vulnerabilities
- Scan existing applications for SQL injection
- Implement parameterized queries in projects
- Add SQL injection tests to CI/CD pipeline
For Developers
This lesson directly applies to:
- Backend API development
- Database query construction
- Security code reviews
- Penetration testing
Browser-in-the-Browser (BitB) Attack
Quick Facts
- Best for: All staff, especially those using SSO/OAuth
- Prerequisites: Understanding of web browsers and login flows
- Key Takeaway: Physical testing (drag window) detects fake popups
What Students Learn
- How BitB attacks mimic legitimate browser windows
- Why traditional phishing training doesn't catch this
- Detection techniques (drag test, inspect element)
- Why password managers provide protection
Interactive Component: Fake Browser Popups
Students can:
- Launch realistic fake OAuth popups (Google, Microsoft)
- Compare real vs fake browser windows
- Test detection techniques (drag, right-click)
- See educational feedback when testing
Two Scenarios:
- Legitimate OAuth - Shows how real popups behave
- BitB Attack - Demonstrates fake trapped popup
Question Breakdown
- Q1 (40 pts): Detection indicators (multiple choice)
- Q2 (35 pts): Safest approach to popups (single choice)
- Q3 (25 pts): Why password managers help (free text)
Teaching Tips
- Emphasize this is NEW and sophisticated
- Practice the "drag test" multiple times
- Explain OAuth/SSO context for relevance
- Recommend password managers strongly
- Show real-world attack examples (2022+)
Follow-Up Activities
- Test SSO popups in your organization
- Deploy password manager to all staff
- Enable 2FA/MFA on all accounts
- Consider hardware security keys (FIDO2)
- Review OAuth implementation security
For Security Teams
This lesson supports:
- Advanced phishing awareness
- SSO security strategy
- Password manager adoption
- Zero-trust implementation
- Security tool evaluation
Scoring System
Point Distribution Philosophy
- Easy questions: 20-30% of total
- Medium questions: 40-50% of total
- Hard questions: 20-30% of total
Passing Scores
- 70% - Demonstrates basic competency
- 80% - Strong understanding
- 90%+ - Expert level
Partial Credit (Multiple Choice)
- Points awarded per correct selection
- Incorrect selections don't subtract points
- Encourages selecting all correct answers
Free Text Validation
- Keyword-based scoring
- Partial credit if some keywords present
- Minimum length requirements
- Case-insensitive matching
Lesson Recommendations by Role
All Employees
- ✅ Phishing Email Detection (required)
- ⚠️ Browser-in-the-Browser (recommended)
Developers / Technical Staff
- ✅ SQL Injection Shop (required)
- ✅ Phishing Email Detection (required)
- ⚠️ Browser-in-the-Browser (recommended)
Security Team
- ✅ All lessons (required)
- Use as train-the-trainer material
Management / Executives
- ✅ Phishing Email Detection (required)
- ✅ Browser-in-the-Browser (recommended - targets high-value accounts)
Creating Training Events
Recommended Event Structures
New Hire Security Basics
Event: "Security Awareness Onboarding"
Duration: 1 week access
Lessons:
1. Phishing Email Detection (weight: 1.0)
2. Browser-in-the-Browser (weight: 1.0)
Passing: 70% overall
Developer Security Training
Event: "Secure Coding Fundamentals"
Duration: 2 weeks access
Lessons:
1. Phishing Email Detection (weight: 0.5)
2. SQL Injection Shop (weight: 2.0)
3. Browser-in-the-Browser (weight: 0.5)
Passing: 75% overall
Quarterly Security Refresher
Event: "Q1 Security Updates"
Duration: 1 week access
Lessons:
- Rotate lessons each quarter
- Include new lessons as available
Passing: 70% overall
Event Configuration Tips
Lesson Weights:
- Weight = 1.0: Normal importance
- Weight = 2.0: Double importance
- Weight = 0.5: Lower priority/bonus
Lesson Order:
- Beginner → Intermediate → Advanced
- Required lessons first
- Interactive lessons for engagement
Access Duration:
- Minimum: 3 days (allows flexible completion)
- Typical: 1-2 weeks
- Ongoing training: No end date
Point Configuration:
- Use default 100 max points per lesson
- Adjust weights instead of max points
- Keep passing score consistent (70-75%)
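To make the rules in the Scoring System section and the lesson-weight settings above concrete (and to give admins a reference when a "score seems wrong"), here is an added Python model of them. It is not the platform's code: how points split across the correct options of a multiple-choice question, how keyword fraction maps to free-text credit, and how lesson weights combine into the event total are all assumptions made here and marked in the comments. The worked case is the "Secure Coding Fundamentals" event (weights 0.5 / 2.0 / 0.5, 75% to pass) with constructed answers.

```python
"""Added example (not the platform's implementation): an illustrative model of
the scoring rules in this reference. Splitting and combination rules are
assumptions stated in the comments."""


def score_multiple_choice(points, correct, selected):
    """Partial credit: each correct selection earns an equal share of the
    question's points (assumed split); incorrect selections are ignored,
    not subtracted, as the reference states."""
    correct = set(correct)
    hits = len(correct & set(selected))
    return points * hits / len(correct)


def score_free_text(points, keywords, answer, min_length=20):
    """Keyword-based, case-insensitive scoring with partial credit by the
    fraction of keywords present. An answer shorter than min_length scores
    zero (assumed handling of the minimum-length requirement)."""
    text = answer.strip().lower()
    if len(text) < min_length:
        return 0.0
    found = sum(1 for kw in keywords if kw.lower() in text)
    return points * found / len(keywords)


def lesson_percent(question_scores, max_points=100):
    """Lessons use the default 100 max points, so the percentage is a plain ratio."""
    return 100.0 * sum(question_scores) / max_points


def event_result(lesson_percents, weights, passing=70.0):
    """Weighted average of lesson percentages compared against the event's
    passing score (assumed combination rule)."""
    total_weight = sum(weights.values())
    overall = sum(lesson_percents[name] * w for name, w in weights.items()) / total_weight
    return round(overall, 2), overall >= passing


def demo_event():
    """Constructed run of the 'Secure Coding Fundamentals' event structure."""
    # SQL Injection Shop lesson: 40 / 30 / 30 points as in the question breakdown.
    q1 = score_multiple_choice(40, correct=["a", "c"], selected=["a", "c", "d"])  # extra pick not penalized
    q2 = 30.0  # single choice answered correctly
    q3 = score_free_text(30, ["parameter", "placeholder", "separate"],
                         "Parameterized queries bind user input to a placeholder.")
    percents = {
        "phishing": 80.0,  # constructed lesson results for the other two lessons
        "sqli": lesson_percent([q1, q2, q3]),
        "bitb": 60.0,
    }
    weights = {"phishing": 0.5, "sqli": 2.0, "bitb": 0.5}
    return event_result(percents, weights, passing=75.0)


if __name__ == "__main__":
    overall, passed = demo_event()
    print(f"overall {overall}% -> {'pass' if passed else 'fail'}")
```

In the worked case the SQL lesson scores 90% (40 + 30 + 20: the free-text answer hit two of three keywords), and the weighted event total is (80 × 0.5 + 90 × 2.0 + 60 × 0.5) / 3.0 = 83.33%, a pass at the 75% threshold even though the BitB lesson alone was below it. Doubling a lesson's weight, rather than raising its max points, is what produces that effect.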
Troubleshooting Common Issues
"Lesson not showing up"
- ✅ Check lesson is assigned to event
- ✅ Verify event is active
- ✅ Confirm participant joined correct event
"Can't complete lesson"
- ✅ Ensure all questions answered
- ✅ Check for validation errors
- ✅ Verify lesson was started
- ✅ Try refreshing page
"Interactive component not working"
- ✅ Check browser console for errors
- ✅ Try different browser
- ✅ Verify JavaScript enabled
- ✅ Clear browser cache
"Score seems wrong"
- ✅ Review partial credit rules
- ✅ Check question weights
- ✅ Verify lesson weight in event
- ✅ See participant answers in admin panel
"Assigning lesson fails"
- ✅ Check lesson isn't already assigned
- ✅ Verify event exists
- ✅ Order index auto-increments now (fixed)
- ✅ Try different order index
Keyboard Shortcuts (Lesson Player)
| Action | Shortcut | Notes |
|---|---|---|
| Next step | → or Enter | Only if current step complete |
| Previous step | ← | Always available |
| Submit answer | Enter | In text input |
| Complete lesson | - | Click button when on last step |
Best Practices for Admins
Event Planning
- Schedule events with advance notice
- Provide clear deadline communication
- Send reminder emails at 50% and 90% of time
- Celebrate completion publicly
- Review analytics after event
Lesson Assignment
- Start with easier lessons
- Mix content types (text + interactive)
- Don't overload with too many lessons
- Consider time required for completion
- Weight by organizational priority
Participant Support
- Provide help desk contact info
- Monitor completion rates
- Follow up with non-completers
- Review common wrong answers
- Adjust training based on feedback
Monitoring Progress
- Check completion rates weekly
- Identify struggling participants
- Review average scores per lesson
- Look for common failure points
- Export data for reporting
Integration Ideas
With Existing Training
- Part of onboarding checklist
- Annual security training requirement
- Post-incident remediation
- Role-based training tracks
With Security Tools
- Password manager deployment
- 2FA enrollment campaign
- Phishing simulation platform
- Security awareness metrics
With HR/Compliance
- Track completion for compliance
- Report to leadership quarterly
- Include in performance reviews
- Tie to security culture initiatives
Metrics to Track
Completion Metrics
- % of participants who completed
- Average time to complete
- Completion rate by department
- Deadline adherence
Performance Metrics
- Average score per lesson
- Pass/fail rates
- Most missed questions
- Improvement over time
Engagement Metrics
- Time spent per lesson
- Interactive component usage
- Repeat attempts
- Question feedback ratings
Quick Access URLs
Assuming platform at http://localhost:
- Participant Hub: /
- Admin Login: /admin/login
- Event Management: /admin/events
- Lesson Configuration: /admin/events/{id}/lessons
- Participant Data: /admin/events/{id}/participants
Support Resources
For Lesson Content Questions
- Review lesson documentation
- Check existing lesson examples
- Test in development environment
For Technical Issues
- Check browser console
- Review backend logs
- Verify container health
- Check database connectivity
For Training Strategy
- Consult security team
- Review industry standards
- Benchmark against similar organizations
- Gather participant feedback
Last Updated: 2026-01-12
Platform Version: 1.0.0
Total Lessons: 3