Workforce security awareness, role-based training, and human-factor controls
Primary statement
Workforce security awareness operates as: (1) general awareness training for all personnel at induction plus an annual refresher (>95% completion target per SEBI CSCRF PR.5); (2) role-based training for specialised roles — IT, developers, finance, HR, customer-facing — per NIST CSF PR.AT-02; (3) regular phishing simulations with a target click rate of <5% within 12 months (SEBI CSCRF PR.5); (4) malware protection implemented and supported by appropriate user awareness (ISO 27001 A.8.7); (5) post-incident lessons learned integrated into awareness materials (SEBI CSCRF RC.4); (6) customer awareness campaigns where the customer is the end user of the service (RBI CSF PR.16). The human factor is the largest single risk surface; awareness training is its primary preventive control.
Audit-fatigue payoff
A unified awareness programme — induction + annual refresher + role-based modules + phishing simulations + post-incident integration — satisfies awareness requirements across all 17 contributing frameworks. The strictest specifications draw target completion rates from SEBI CSCRF PR.5 (>95% in 30 days; <5% phishing click rate in 12 months), role-based depth from NIST CSF PR.AT-02, and lessons-learned integration from SEBI CSCRF RC.4. One awareness programme + delivery logs + phishing simulation results + lessons-learned record answers all framework questions on the human factor.
Strictness matrix
Scope
Scope: ALL staff complete induction security training within 30 days of joining. Annual refresher training for all staff with >95% completion target. Role-based modules for specialised roles. Customer-facing awareness where the customer is the user (RBI CSF PR.16 — campaigns in English plus regional languages with reach metrics by channel).
Ceiling source: sebi_cscrf:CSCRF.PR.5
Rationale: SEBI CSCRF PR.5 specifies the most fully enumerated scope — induction within 30 days, annual refresher, >95% completion target, role-based modules. Other frameworks require "awareness training" without specifying completion thresholds.
Threshold
Threshold: induction within 30 days of joining; refresher annually; completion >95%; phishing click rate <5% within 12 months. Quantified thresholds enable performance measurement and gap identification.
Ceiling source: sebi_cscrf:CSCRF.PR.5
Rationale: The SEBI CSCRF PR.5 quantified thresholds (30 days / >95% / <5%) are the strictest in the set. Other frameworks state "appropriate" or "regular" without measurable targets.
Method
Method: (1) general awareness training for all personnel (PR.AT-01); (2) role-based training for individuals in specialised roles (PR.AT-02) — privileged users, developers, IT operations, security team, finance, HR, customer-facing; (3) delivery via mixed channels — e-learning, classroom, simulated exercises; (4) phishing simulations quarterly with results tracked; (5) post-incident lessons learned integrated into awareness materials; (6) customer education for customer-facing organisations (RBI PR.16) with multi-channel and multi-language delivery.
Ceiling source: nist_csf:PR.AT-02
Rationale: NIST CSF 2.0 PR.AT-02 specifies the role-based training requirement most explicitly. SEBI CSCRF PR.5 adds the quantified delivery targets. Combined, this is the audit-defensible method.
Frequency
Induction training: within 30 days of joining. Refresher training: annual minimum. Phishing simulations: quarterly. Awareness campaign refresh: in response to current threat landscape and post-incident lessons. Customer awareness campaigns: ongoing with campaigns reflecting current fraud patterns (RBI PR.16).
Ceiling source: sebi_cscrf:CSCRF.PR.5
Rationale: SEBI CSCRF PR.5 quarterly phishing simulation cadence is the strictest periodic exercise frequency. Annual refresher is the consistent floor across frameworks.
Evidence
Required evidence: (1) awareness training curriculum per audience — general + role-based modules; (2) delivery records with completion metrics against the >95% target; (3) phishing simulation results with click-rate tracking; (4) sample test questions / knowledge checks per module; (5) post-incident lessons-learned integration evidence; (6) customer awareness campaign materials, delivery logs, reach metrics by channel, impact metrics (RBI CSF PR.16); (7) attestation records confirming training completion.
Ceiling source: sebi_cscrf:CSCRF.PR.5
Rationale: SEBI CSCRF PR.5 evidence list with the quantified completion metrics is the most explicit. Combined with RBI CSF PR.16 customer-awareness evidence, this is the audit-defensible package.
Auditor test pattern
Step 1: Inspect the awareness training curriculum; verify general + role-based modules. Step 2: Inspect delivery records and verify >95% completion target met for the past 12 months. Step 3: Inspect phishing simulation results; verify quarterly cadence and verify click rate trend (target <5% in 12 months). Step 4: Sample 3 employees from different roles and verify each completed role-appropriate training. Step 5: Inspect post-incident lessons-learned integration; sample one incident and verify the lesson made it into awareness materials. Step 6: For customer-facing organisations, inspect customer awareness campaigns; verify multi-channel + multi-language delivery and reach metrics.
Common findings
Common 2024–26 findings: (1) Annual completion target met overall but specific high-risk roles (developers, IT operations) below target; (2) Phishing simulations performed but the click-rate trend ignored — the same ~15% click rate quarter after quarter with no programme adjustment; (3) Role-based training absent — the same general module delivered to everyone regardless of role; (4) Post-incident lessons learned not integrated back into awareness materials; (5) Customer awareness campaigns limited to legal disclaimers, with no proactive education; (6) Impact metrics absent — campaign delivery and reach counted, but whether the campaign changed customer behaviour is unknown; (7) Awareness training curriculum not refreshed in 18+ months and out of date with current threats.
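The auditor test pattern above (steps 2 and 3) and common findings (1) and (2) reduce to a handful of checks over training and simulation records. The script below is an added example, not part of the original page or of any framework text; it encodes the page's thresholds (induction within 30 days, >95% completion, <5% click rate, four simulations a year) and runs them over constructed, hypothetical LMS and phishing-platform exports. The "stagnant" test (less than two percentage points of improvement between the first and latest quarter while still above target) is an assumed heuristic for finding (2), not a framework requirement; the record layouts and employee identifiers are likewise assumptions.

```python
from datetime import date, timedelta

# Thresholds as stated on the page (SEBI CSCRF PR.5 as the ceiling source)
INDUCTION_DAYS = 30          # induction training due within 30 days of joining
COMPLETION_TARGET = 0.95     # annual refresher completion must exceed 95%
CLICK_RATE_TARGET = 0.05     # phishing click rate must fall below 5%
SIMULATIONS_PER_YEAR = 4     # quarterly simulations
MIN_IMPROVEMENT = 0.02       # assumed heuristic: <2 points improvement = stagnant

# Constructed sample data (hypothetical, not real records).
# Refresher completion as an aggregate LMS export: role -> (headcount, completed)
REFRESHER = {
    "general":   (120, 118),
    "developer": (12, 10),   # high-risk role below target, overall still above
    "it_ops":    (8, 8),
    "finance":   (6, 6),
    "hr":        (4, 4),
}

# Recent joiners: (employee id, joined, induction completed or None)
JOINERS = [
    ("e101", date(2025, 3, 3), date(2025, 3, 20)),   # completed in 17 days
    ("e102", date(2025, 4, 14), date(2025, 6, 2)),   # completed in 49 days
    ("e103", date(2025, 9, 1), None),                # still inside the window
]

# Phishing simulations: (quarter, emails sent, clicks recorded)
PHISHING_RESULTS = [
    ("2025Q1", 400, 62),
    ("2025Q2", 400, 60),
    ("2025Q3", 400, 61),
    ("2025Q4", 400, 59),
]


def completion_rate(completed, headcount):
    """Fraction complete; an empty population counts as 0 rather than raising."""
    return completed / headcount if headcount else 0.0


def overall_completion(refresher):
    """Organisation-wide refresher completion across all roles."""
    headcount = sum(h for h, _ in refresher.values())
    completed = sum(c for _, c in refresher.values())
    return completion_rate(completed, headcount)


def roles_below_target(refresher, target=COMPLETION_TARGET):
    """Roles whose own completion rate is at or below the target (finding 1)."""
    return sorted(role for role, (h, c) in refresher.items()
                  if completion_rate(c, h) <= target)


def late_inductions(joiners, as_of, window_days=INDUCTION_DAYS):
    """Joiners who missed the induction window.

    Someone with no record yet is only late once the deadline has passed
    relative to as_of; otherwise they are still inside the window.
    """
    late = []
    for emp_id, joined, completed in joiners:
        deadline = joined + timedelta(days=window_days)
        if completed is None:
            if as_of > deadline:
                late.append(emp_id)
        elif completed > deadline:
            late.append(emp_id)
    return late


def click_rates(results):
    """Per-quarter click rate as (quarter, clicked/sent)."""
    return [(quarter, clicked / sent) for quarter, sent, clicked in results]


def phishing_assessment(results, target=CLICK_RATE_TARGET,
                        min_improvement=MIN_IMPROVEMENT):
    """Cadence, latest rate against target, and the stagnation heuristic (finding 2)."""
    rates = [rate for _, rate in click_rates(results)]
    latest = rates[-1]
    return {
        "cadence_met": len(results) >= SIMULATIONS_PER_YEAR,
        "latest_rate": latest,
        "target_met": latest < target,
        "stagnant": latest >= target and (rates[0] - latest) < min_improvement,
    }


def evaluate(refresher, joiners, results, as_of):
    """Bundle the checks an auditor performs in steps 2 and 3 of the test pattern."""
    return {
        "overall_completion_met": overall_completion(refresher) > COMPLETION_TARGET,
        "roles_below_target": roles_below_target(refresher),
        "late_inductions": late_inductions(joiners, as_of),
        "phishing": phishing_assessment(results),
    }


if __name__ == "__main__":
    print(evaluate(REFRESHER, JOINERS, PHISHING_RESULTS, date(2025, 9, 15)))
```

Run against the constructed data, the report shows the overall target met while the developer role sits at 83%, one late induction (e102), and four quarters of simulations hovering around 15% with no meaningful improvement, which is exactly the pattern behind findings (1) and (2). Replacing the constructed dictionaries with a real LMS and phishing-platform export is the only change needed to reuse the checks.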