Every member of your staff is responsible for doing their part to help secure the organization from incidents, but do they know that? Employee training is a significant component of an effective incident management program. In this article, we are going to explore training benefits, target audience, potential topics, and available resources.


According to the NIST Computer Security Incident Handling Guide, "improving user awareness regarding incidents should reduce the frequency of incidents." The FFIEC Information Security Booklet takes it a step further and states, "the quality of incident response is attributable to the institution's culture, policies, procedures, and training."

We validated this with our annual Tandem 2021 State of Cybersecurity report. According to our findings, phishing and business email compromise (BEC) were the top two most common incidents experienced by financial institutions in 2020. In addition, one in four financial institutions state that if they had additional cybersecurity resources, they would invest them in additional employee training.

In summary, there is a direct correlation between the effectiveness of your security incident management practices and employee training. To improve your security posture and reduce your risk exposure, training is a must.


When it comes to security incident management training, there is a balance which must be achieved. Since every employee is responsible for doing their part, every employee must receive an appropriate level of training. From a cost/benefit perspective, it is most effective and efficient to provide high-level, easy-to-understand training for all employees, while providing more frequent and targeted training based on business need for specific groups (e.g., the Incident Response Team, IT staff, and helpdesk staff).


Your targeted training will depend largely on your environment, such as your incident response plan, technology, and culture. An effective training program for your entire staff should cover four primary topics: an introduction to security incident management, followed by details about what it looks like to prevent, detect, and respond to security incidents.

About Security Incident Management

When providing training to a large group, it can be helpful to start from the beginning. Some of your staff may not know what constitutes "security," much less "incident management." In this introduction, it is important to establish a foundation from which you can build the rest of the course.

The introduction should also answer the question, "why?" Demonstrate the value of the training. Discuss possible outcomes of an incident, both on the organization and the individual employee. Set the stage and ensure team members know they play a key role in the success of the business through their ability to successfully prevent, detect, and respond to security incidents.

Preventing Security Incidents

Training on "preventing security incidents" should be familiar territory. From simulated phishing emails to annual acceptable use policy (AUP) training, most of an organization's security awareness conversations are focused on preventing security incidents, even if not explicitly stated.

For a security incident management training course, a best practice would be to recap measures related to preventing common incidents. This could include topics such as regularly installing patches and updates, using secure Wi-Fi networks, and not circumventing security systems.

The downside is that incident prevention is not foolproof. While taking steps to prevent security incidents is important, a layered incident management strategy is necessary, which is why the next two sections focus exclusively on detecting and responding to security incidents.

Detecting Security Incidents

While an incident may not always walk in wearing bells and whistles, there are visible signs of common incidents.

  • Some are very visible, such as when a laptop or mobile device is lost or stolen, company property is vandalized, or a fire begins in the break room.
  • Some are semi-visible, such as when malicious code triggers popups, or a colleague violates company policy by sharing information with an unauthorized individual.
  • Some are less visible, such as when a social engineer just needs the door held so they can take coffee to "Joe," or an employee becomes the victim of business email compromise, and they don't notice it until they are told about it.

Except in certain obvious cases, it may be difficult for an employee to know if they are observing indicators of an incident or not. As such, it is important to train employees to err on the side of caution and respond accordingly.

Responding to Security Incidents

It can be easy to slip into the mindset that just because an employee isn't on the Incident Response Team, they don't need training on responding to incidents. Nothing could be further from the truth.

When it comes to responding to an incident, employees should know that their number one priority is to assess their surroundings and ensure they are safe. This is particularly important in the event of physical security incidents, such as social engineering, criminal activity, or natural disasters.

Other topics to consider include:

  • What, when, and to whom information about a possible incident should be reported.
  • Initial steps to take (or to not take) when they experience an incident.
  • Not sharing information about the incident with unaffiliated coworkers, third parties, members of the media, etc.
  • Cooperating with the Incident Response Team's investigation.

When a security incident happens, the longer it remains uncontrolled, the more damage it could cause. As such, when an employee detects signs of a security incident, they need to know how to respond in a timely and accurate manner.


To help you get started, download our Security Incident Management Training Template. This presentation includes a base set of slides with security concepts to share with employees.

To take your training to the next level, consider subscribing to Tandem Incident Management. Complete with a learning management system (LMS), our Incident Management product builds upon the content from the training slides and provides an easy-to-use enrollment system, email reminders to notify employees, quizzes to assess learning, and charts, graphs, and reports to help you share results. Learn more at Tandem.App/Incident-Management-Software.