Description
Employee training is a component of the cybersecurity risk assessment tools published by the FFIEC and by NIST. For instance, the cybersecurity maturity portion of the FFIEC Cybersecurity Assessment Tool includes Domain 1: Cyber Risk Management and Oversight, which states that “cyber-risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight”.
A key part of cyber-risk management and oversight is the assessment factor “training and culture”, which covers the institution’s “employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats.” The NIST Cybersecurity Framework likewise includes awareness and training as part of its Protect function.
Cyber-threat training and awareness programs should be structured to change employee behavior, not merely to convey information. For instance, employees may click on links in email without evaluating the risk of where the link actually leads. Awareness training should reinforce how to recognize and avoid malicious links and should lay out the procedure for reporting a suspicious or fraudulent email so that the institution can respond to it.
To assist bankers with the training and awareness component of their cybersecurity risk management program, this course focuses on methods for developing and administering an in-house cybersecurity training and awareness program. Although third-party vendors can assist with such a program, management and the board remain responsible for ensuring that an effective training and awareness program is in place.