Security Operations | 14 min read | Published Apr 3, 2026 | Updated Apr 3, 2026

Security Awareness Training Refresh: 30 60 90 Day Plan for Security Teams

Practical 30-60-90 day security awareness training refresh plan for security teams - checklists, KPIs, playbooks, and next steps for MSSP/MDR support.

By CyberReplay Security Team

TL;DR: Run a focused 30-60-90 day security awareness training refresh to cut phishing click rates, shorten mean time to detect, and reduce incident fallout - start with leadership alignment and a phishing baseline in days 1-30, roll out targeted training and simulated phishing in days 31-60, and move to automation, role-based reinforcement, and measurement by day 90. Use MSSP/MDR support for rapid simulation, threat telemetry integration, and incident response readiness.

Quick answer

If you need improved human-layer security fast, run a strict 30-60-90 day program and treat it as a sprint: week 1, leadership alignment and baseline measurements; days 8-30, targeted communications and technical hardening; days 31-60, role-based training and repeated phishing simulations with immediate remediation workflows; days 61-90, automation, policy enforcement, and reporting tied to business KPIs. This security awareness training refresh 30 60 90 day plan reduces phishing click-through rates, lowers mean time to detect and contain, and supports incident response preparedness. Pairing with an MSSP or MDR accelerates telemetry integration and incident playbook testing. For a quick assessment, use the CyberReplay quick risk scorecard, or compare managed options on the CyberReplay managed services page.

Why this matters now

Phishing and human-targeted attacks remain the top initial access vector in investigations. The probability of a successful social engineering event is nontrivial and translates directly into downtime and cost. The average organization spends days to weeks on containment when human-initiated compromises occur, and delayed detection multiplies damage and legal exposure. A focused refresh avoids training fatigue, closes critical gaps, and produces measurable risk reduction fast.

Who this is for - security leaders, SOC managers, IT directors, and owners who need a short, auditable program to refresh awareness without the common pitfalls of checkbox training.

Who this is not for - organizations that need a full cultural transformation over years. This plan is a focused tactical program to produce measurable improvement in 90 days.

Target outcomes and KPIs

Set clear, measurable targets before you start. Examples:

  • Reduce phishing simulation click rate by 40-60% within 90 days (industry programs report large early drops when simulations are frequent and targeted). SANS guidance shows measurable benefits of structured programs.
  • Reduce mean time to detect (MTTD) of suspected user-reported phishing from 48 hours to under 4 hours within 90 days when combined with reporting workflows and SOAR integrations.
  • Increase reporting rate of suspicious emails by end users by 3x in 90 days.
  • Decrease phishing-related operational incidents requiring IR escalation by at least 25% in three months.

Track these KPIs weekly and tie them to business outcomes: fewer escalations, less downtime, and lower incident response costs.

30-day plan - Stabilize and baseline

Goal - establish leadership buy-in, measure current exposure, and fix obvious technical gaps.

  1. Leadership alignment and scope (days 1-3)
  • Get sign-off from the CISO/IT director and a single sponsor on the executive team. Define objectives and acceptable targets for 90 days.
  • Assign an owner (security awareness lead) and identify the stakeholders: HR, IT, legal.
  2. Baseline measurements (days 1-10)
  • Run a simulated phishing baseline across a representative user sample, including high-risk roles (finance, HR, executives). Capture click, credential submission, and report rates.
  • Record current metrics: phishing click rate, report-to-phish ratio, MTTD, and number of email threats blocked vs delivered.
  3. Quick technical hardening (days 3-14)
  • Ensure basic email protections are tuned: SPF and DKIM for every legitimate sending source, and DMARC enforcement at p=quarantine or p=reject once aggregate-report telemetry shows legitimate mail streams are aligned.
  • Verify anti-phishing and anti-malware tool signatures are updated and that mailbox rules are not allowing auto-forwarding to external addresses.
  4. Communications and microlearning rollout (days 7-30)
  • Send a short executive email explaining the initiative and why it matters to operations and revenue.
  • Deploy a 5-7 minute microlearning module focused on phishing recognition to the full staff within the 30-day window.
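The DMARC check in the hardening step is easy to get wrong: a record can carry p=reject yet still enforce nothing if pct is below 100 or the record is malformed. The following added example (not code from the original article) parses a set of constructed DMARC TXT records for hypothetical domains and reports which ones actually enforce; in production you would fetch the record at _dmarc.<domain> over DNS instead of using the inline samples.

```python
import re

# Constructed sample DMARC records for hypothetical domains; in production you
# would fetch the TXT record at _dmarc.<domain> over DNS instead.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "ok.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@ok.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "partial.example": "v=DMARC1; p=reject; pct=20",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Report whether the record is valid DMARC and actually enforces a policy."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "enforcing": False, "findings": ["not a DMARC1 record"]}
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100      # pct defaults to 100
    enforcing = policy in ENFORCING and pct == 100
    findings = []
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'} does not quarantine or reject")
    elif pct < 100:
        findings.append(f"p={policy} applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address, so you get no aggregate-report telemetry")
    return {"valid": True, "policy": policy, "pct": pct,
            "enforcing": enforcing, "findings": findings}

def audit(records: dict) -> dict:
    """Assess every domain and return the results keyed by domain."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, result in audit(SAMPLE_RECORDS).items():
        status = "ENFORCING" if result["enforcing"] else "NEEDS WORK"
        print(f"{domain:18} {status:10} {'; '.join(result['findings']) or 'ok'}")
```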

Expected outputs by day 30:

  • Baseline report with metrics and attack surface map.
  • Quick fixes completed for email authentication.
  • Staff completion rate for initial microlearning >= 70%.

Note: include the term “security awareness training refresh 30 60 90 day plan” in your baseline report executive summary so stakeholders see the scope and timeline clearly.

60-day plan - Train, simulate, measure

Goal - execute targeted training, run simulations, and close human-technical handoffs.

  1. Targeted role-based training (days 31-45)
  • Release role-specific modules for finance, HR, and executives. Focus on fraud, invoices, and ransomware vectors.
  • For executives, do a short live briefing or 1:1 session to cover high-risk scenarios and reporting expectations.
  2. Phishing simulations and remediation workflows (days 35-60)
  • Run a cadence of simulation waves every 7-10 days. Each wave uses different lures and difficulty levels.
  • Enforce immediate remediation for clicked accounts: require password resets, MFA re-enrollment, and session termination for compromised credentials.
  3. Integrate reporting into SOC/MDR (days 40-60)
  • Ensure user-reported phishing flows into your ticketing and SOC queues. If you have an MSSP/MDR partner, onboard their incident routing so reported URLs and attachments are triaged in under 30 minutes.
  • If available, connect phishing-reporting buttons to your SOAR playbooks to reduce analyst handling time by automating enrichment and blocking.

Measurement checkpoints:

  • Track click-through and credential submission trends per cohort.
  • Measure time from user report to SOC triage; aim for under 60 minutes by day 60.

90-day plan - Automate and embed

Goal - embed the changes into operations and hand off to continuous program.

  1. Automation and policy enforcement (days 61-80)
  • Automate account remediation steps after simulated or real clicks: password resets, forced MFA re-enrollment, and conditional access policy application.
  • Enforce mail flow policies such as blocking dangerous file types and external auto-forwarding.
  2. Behavior reinforcement (days 61-90)
  • Shift from one-off training to spaced repetition: micromodules every 2-4 weeks for high-risk cohorts.
  • Introduce monthly dashboards for managers showing team-level risk indicators.
  3. Reporting and governance (days 75-90)
  • Produce a consolidated 90-day report for executives with metrics: baseline vs current click rate, MTTD improvement, incidents avoided, and projected cost savings.
  • Formalize an ongoing cadence: quarterly simulation plan, annual policy review, and continuous SOC integration.

Expected 90-day outputs:

  • Click rates reduced significantly vs baseline.
  • SOC playbooks updated and tested with at least one tabletop scenario.
  • Role-based reinforcement scheduled and funded in annual plan.

Checklist: playbooks and templates

Use these artifacts to accelerate execution. Each should be created, reviewed, and stored in a central repo.

  • Executive sign-off memo template
  • Baseline phishing simulation report template
  • Microlearning module checklist (objectives, length, completion threshold)
  • Phishing simulation calendar and sample lures
  • Incident remediation playbook for clicked users (password reset, MFA re-enroll, session revoke)
  • SOC triage checklist for reported phishing
  • Manager dashboard template with team-level KPIs

Example remediation playbook steps (concise):

  1. Identify clicked account and timestamp.
  2. Disable active sessions and force password reset.
  3. Re-enroll MFA and confirm no persistent sessions remain.
  4. Scan mailbox for forwarded messages and suspicious rules.
  5. If credentials used externally, escalate to IR and isolate device.

Implementation specifics and sample commands

Integrate with common tooling and identity platforms. Below are safe, practical examples.

PowerShell example - export users for a training cohort from AD:

# Export enabled users whose title contains "Finance" as a training cohort.
# -Properties Mail is required because the mail attribute is not returned by default.
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $true -and Title -like "*Finance*"} -Properties Mail |
    Select-Object SamAccountName, Mail |
    Export-Csv -Path .\finance-cohort.csv -NoTypeInformation

Example: sample API call to trigger a training assignment in an LMS (illustrative curl; the endpoint and payload fields will differ per LMS):

curl -X POST https://lms.example.com/api/assignments \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"course_id": "phish-101", "users": ["user1@example.com","user2@example.com"], "due_days": 7}'

SOAR playbook pseudo-logic for user-reported phishing:

  1. Accept the user report.
  2. Enrich the reported URL or attachment.
  3. Check the indicators against threat feeds.
  4. If malicious, block the URL at the mail gateway.
  5. Notify the user and open or update a ticket.
  6. If credential capture is suspected, enforce a password reset and MFA re-enrollment.
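The playbook above, written out as a runnable decision function, as an added example that is not code from the original article or from any SOAR product. The threat feed, the reported message and the action labels are constructed stand-ins; where this code appends a string, a real playbook would call the mail gateway, ticketing system or IdP.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed threat feed of known-bad hostnames (hypothetical names).
THREAT_FEED = {"login-verify.example.net", "invoice-portal.example.org"}

# Lure wording that points at credential theft rather than, say, malware delivery.
CREDENTIAL_HINTS = ("password", "verify your account", "sign in", "log in", "credentials")

# Constructed user report, shaped like what a phishing-report button submits.
SAMPLE_REPORT = {
    "reporter": "alice@corp.example",
    "subject": "Action required: verify your account",
    "body": "Your mailbox is full. Sign in at https://login-verify.example.net/owa to keep access.",
    "user_clicked": True,
    "submitted_credentials": False,
}

def enrich(report: dict) -> dict:
    """Enrichment step: pull URLs out of the body and reduce them to hostnames."""
    urls = URL_RE.findall(report["body"])
    hosts = {h for h in (urlparse(u).hostname for u in urls) if h}
    return {"urls": urls, "hosts": hosts}

def triage(report: dict, feed=THREAT_FEED) -> dict:
    """Run the playbook in order and return the verdict plus the actions taken.

    Each action is a label; a real SOAR step would call the mail gateway,
    ticketing system or IdP here instead of appending a string.
    """
    actions = ["accept_report"]
    bad_hosts = sorted(enrich(report)["hosts"] & feed)    # threat-feed check
    malicious = bool(bad_hosts)
    for host in bad_hosts:                                # block at the mail gateway
        actions.append(f"block_url:{host}")
    actions.append("open_ticket")                         # always leave a record
    actions.append("notify_user:malicious" if malicious else "notify_user:no_threat_found")
    lure_text = (report["subject"] + " " + report["body"]).lower()
    credential_lure = any(hint in lure_text for hint in CREDENTIAL_HINTS)
    # Credential capture is suspected if the user says they submitted credentials, or
    # clicked a feed-listed link whose lure was asking them to log in.
    cred_capture = bool(report.get("submitted_credentials")) or (
        malicious and bool(report.get("user_clicked")) and credential_lure)
    if cred_capture:                                      # account remediation
        actions += ["revoke_sessions", "force_password_reset", "reenroll_mfa"]
    return {"verdict": "malicious" if malicious else "not_in_feed", "bad_hosts": bad_hosts,
            "credential_capture_suspected": cred_capture, "actions": actions}

if __name__ == "__main__":
    for step in triage(SAMPLE_REPORT)["actions"]:
        print(step)
```

A report where the user states they submitted credentials triggers the remediation steps even when the link is not yet in any feed, which is the case the 30-minute triage target is meant to catch.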

Integrations to prioritize:

  • Email gateway and EDR alerts into SOC
  • Phishing-report button into ticketing or SOAR
  • Identity provider (IdP) for rapid remediation steps

Proof elements - scenarios and outcomes

Scenario 1 - Finance invoice compromise averted

  • Input: Finance receives a realistic invoice phishing email. Simulation shows 18% of finance cohort clicked at baseline.
  • Action: After a targeted 15-minute module and two follow-up simulations over 60 days, click-rate fell to 6% for that cohort.
  • Outcome: In a live test, when a similar lure was detected, reporting allowed SOC to block the sender and isolate the affected mailbox in under 45 minutes, preventing wire fraud.

Scenario 2 - Executive account targeted

  • Input: An executive received a spear-phishing email. Baseline reporting rate was low for executives.
  • Action: A 1:1 briefing plus a dedicated simulation reduced response time for executives from 72 hours to under 4 hours in the 90-day window.
  • Outcome: The SOC was able to block the malicious domain and prevent lateral access.

These scenarios map technical controls to business outcomes: reduced fraud exposure, fewer escalations to IR, and lower projected recovery costs.

Objection handling and trade-offs

Objection - “We do not have time or budget for repeated training”

  • Response: A focused 90-day program uses microlearning and automation to minimize time per user (5-10 minutes every 4 weeks for high-risk cohorts) and reduces incident costs, typically offsetting investment by lowering IR hours and downtime.

Objection - “Our staff will get training fatigue”

  • Response: Use short, role-specific modules and spaced repetition rather than long annual trainings. Frequent, short simulations are more effective and less disruptive than annual all-hands sessions.

Objection - “We cannot handle the alerts this will generate”

  • Response: Route user-reported mail to SOC/MDR with automated enrichment and prioritization. If internal capacity is limited, engaging an MSSP/MDR partner scales triage and reduces analyst burden.

Trade-offs

  • Aggressive simulation cadence improves learning faster but creates workload spikes for remediation. Balance frequency with SOC capacity and automate routine remediation steps.


What should we do next?

If you want immediate risk reduction, run a 7-10 day baseline simulation and executive briefing now. For a fast assessment and to compare options for managed support, complete a short online scorecard: CyberReplay scorecard. If you prefer hands-on support to run simulations and SOC integration, review managed service options here: CyberReplay managed services.

How do we measure success?

Measure both operational and business metrics. Operational metrics: phishing click rate, report-to-phish ratio, MTTD for reported phishing, and percentage of successful automated remediations. Business metrics: incidents avoided, estimated reduction in IR hours, and reduction in potential financial exposure from fraud or ransomware. Produce weekly dashboards for the first 90 days and a consolidated executive report at day 90.

What if we have limited staff?

Focus on automation and prioritized cohorts. Use managed detection and response or MSSP partnerships to route reports and handle triage. Start with the highest-risk 20% of users (finance, HR, executives) and expand as capacity allows. Consider outsourcing simulation campaigns and SOC enrichment if staffing is the constraint.

Can we run this without an MSSP?

Yes, but expect slower integration of telemetry and longer remediation SLAs. Running in-house requires prebuilt SOAR playbooks, IdP automation for account remediation, and staff time for ticket handling. If you lack these, an MSSP/MDR partner accelerates remediation, integrates simulations with threat intelligence, and provides incident response support: https://cyberreplay.com/cybersecurity-services/.

How long before measurable risk reduction?

You should see measurable improvements in user behavior within 30-60 days and stronger reductions by day 90 when simulations, role-based training, and automation are all in place. Concrete example: many teams report click-rate drops of 40% or more after consistent simulation waves and fast remediation workflows are implemented. See SANS and NIST guidance for program designs that map to these timelines.

Get your free security assessment

If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan. You can also complete the quick CyberReplay scorecard to get an immediate prioritized checklist.

Next step recommendation

Start with a 7-10 day baseline simulation and executive briefing, then execute the 30-60-90 plan above. If you want to accelerate telemetry integration and reduce SOC load, engage an MSSP/MDR to run simulations, intake reports, and automate remediation. For an immediate comparison of managed options and to request a tailored program, visit https://cyberreplay.com/managed-security-service-provider/ or complete the quick risk scorecard at https://cyberreplay.com/scorecard/.

Appendix - Quick 30-60-90 checklist (one-page)

  • Days 1-7: Executive sign-off, owner assigned, baseline sample selected, initial microlearning assigned
  • Days 8-30: Baseline simulation run, DMARC/SPF/DKIM checks, communications sent
  • Days 31-45: Role-based training releases, executive briefings
  • Days 46-60: Simulation waves every 7-10 days, automate remediation for clicked accounts
  • Days 61-80: Integrate reporting to SOC/MDR, automate playbooks, manager dashboards
  • Days 81-90: Consolidated 90-day report, tabletop test of playbooks, schedule ongoing calendar

When this matters

Use this 30-60-90 sprint when you need measurable human-layer risk reduction fast. Typical triggers:

  • After a phishing-driven incident or near miss where human action led to containment work.
  • When you are onboarding new remote teams and want a repeatable program to reduce early risk.
  • Prior to high-risk financial cycles such as payroll or vendor payment windows.
  • When SOC or IR capacity is stretched and you need faster user reporting and automated remediation to reduce analyst load.

This plan is not a replacement for a long-term security culture program; it is a deliberate refresh to reduce immediate exposure and prove value within 90 days.

Definitions

  • Phishing: Social engineering emails or messages designed to trick users into revealing credentials or executing actions that lead to compromise.
  • MTTD: Mean time to detect, the average time from an adverse event starting to when it is detected by people or systems.
  • SOAR: Security Orchestration, Automation, and Response, tooling used to automate enrichment and routine remediation steps.
  • MSSP / MDR: Managed Security Service Provider / Managed Detection and Response, third-party services that augment or run SOC functions.
  • Microlearning: Short, targeted training modules typically 3-10 minutes long focused on a single learning objective.
  • Role-based training: Training tailored to the specific risks faced by a user group such as finance or HR.
  • Phishing simulation: Controlled, ethical mimic of phishing attacks to measure and improve user behavior.

Common mistakes

  • Treating simulation as a checkbox exercise instead of a learning loop with remediation and reassessment.
  • Running too-infrequent simulations that allow learned behaviors to decay.
  • Failing to integrate user reports into SOC workflows, which removes the feedback loop for users and analysts.
  • Overloading SOC with manual remediation for every click instead of automating low-risk steps where safe.
  • Not getting executive sign-off early, which limits access to the necessary telemetry and policy changes.

FAQ

How do we start?

Start with leadership alignment and run a 7-10 day baseline phishing simulation across a representative sample. Use the baseline to set target KPIs and to secure executive sign-off for the 90-day sprint.

What resources do we need?

At minimum: an owner for the program, basic email telemetry (SPF/DKIM/DMARC status and gateway logs), a simple LMS or assignment mechanism for microlearning, and a ticketing flow for user reports. SOAR and IdP automation are recommended to scale remediation.

Will this annoy users?

Short, role-specific modules and transparent executive communication reduce fatigue. Emphasize that simulations are for safety and remediation is supportive, not punitive.

How do we measure success?

Operational: phishing click rate, report-to-phish ratio, MTTD for reported phishing, percent of automated remediations. Business: incidents avoided, estimated IR hours saved, and reduced potential financial exposure.

Is this the same as a long-term culture program?

No. This plan is a tactical refresh to drive measurable improvement in 90 days. Use it to build momentum and then transition good practices into a longer-term culture program.