Cyber Guru Awareness is an educational program based on advanced training methodologies and the most effective digital learning techniques for adult learners.
CGA is designed to engage the entire organization in an educational and stimulating learning journey, characterized by a consistent and gradual release approach:
-
training requires just a few minutes per week from participants, but the program is spread over 3 years (Cyber School), keeping learners highly engaged every time they interact with digital technologies;
-
at the end of the first 3 years (Cyber School), users can optionally be invited to certify their skills with a test session consisting of 50 questions. A certificate is issued to those who answer at least 60% of the questions correctly;
-
from the fourth year onward, users move into a maintenance and skills update phase through the Cyber Campus environment, where the platform delivers interactive learning modules;
-
lessons are available in multimedia format, with the option to access content via video (primary method) and text;
-
content can be accessed from different types of devices (PC, smartphone, tablet) at any time;
-
the language used is clear and accessible, designed to be effective for staff with varying levels of Cyber Security knowledge;
-
each video lesson is accompanied by assessment tests to measure learning progress;
-
interactive learning modules are designed to provide “reinforcement” or “redirecting” feedback, helping users retain knowledge with minimal effort;
-
all learning paths include gamification with rewards and recognition, encouraging learning and rewarding effort regardless of the learner’s starting level;
-
users can be grouped into teams, encouraging healthy competition and reducing the need for additional participation incentives;
-
to optimize cognitive processes, each training module is self-contained and focuses on a specific topic;
-
training modules are delivered monthly and consist of 3 lessons, each with related tests and supporting or in-depth documents;
-
learning modules are automatically delivered by the platform, maintaining a steady monthly commitment of about 15 to 30 minutes per month.
Figure 1 - Video lesson with coach actors.
The solution manages each user’s study plan with a high level of automation, bringing to distance learning the core principles of education that drive success in traditional schools and universities. By applying well-established concepts from andragogy and John Sweller’s Cognitive Load Theory, all content and learning concepts are sequenced optimally to reduce fatigue and maximize human memory retention.
Looking more closely at the learning modules that define Cyber Campus, they stand out for a higher level of engagement than Cyber School, addressing the critical importance of motivation in long-term, ongoing education.
These learning modules are based on an “active” training model, offering a highly interactive content experience.
These learning modules can be grouped into two main categories:
-
Knowledge maintenance and redirection modules, designed to “train memory” and provide a more active experience than what is offered in Cyber School.
-
Update modules, which use a teaching approach similar to Cyber School’s training modules, but are presented in a more “lightweight” and “focused” format.
Maintenance modules have several key features:
-
the user experience prioritizes interactivity over traditional content delivery, though educational content is still present;
-
every interaction generates feedback, which becomes the main learning driver;
-
“reinforcement” feedback is given for correct interactions, while “redirecting” feedback is provided for incorrect or partially correct responses;
-
regardless of the quality of user interactions, the learning load of a module remains consistent for everyone, always delivering concrete learning outcomes;
-
interactive experiences allow for more hands-on, Learning by Doing modules, simulating real-life situations and evaluating behavioral responses;
-
gamification mechanisms, which in Cyber School were limited to test results, are now integrated directly into the learning experience, creating a Game-based Learning environment.
Learning modules are further categorized by the main topics relevant to CSA:
-
Social Engineering
-
Authentication
-
Privacy & Data Protection
-
Malware
-
Behavior
The developed learning modules fall into three types:
-
WarmUp – interactive modules that are very “light” in terms of content, designed as warm-up exercises.
-
DidActive – interactive modules with more substantial content, focused on memory training through intensive feedback.
-
Cyber Game – interactive modules that use Serious Game and Game-Based Learning logic, while still providing an “individual” learning experience.
For Cyber Games, the chosen Serious Game model for the first level of Cyber Campus is the Escape Room.
Figure 2 - Immersive setting of the interactive "Escape Room" module.
Update modules are developed using a model we call Cyber Insights, as they are highly focused (vertical) on a specific topic. The development of these modules keeps pace with the constant evolution of threats and attack techniques.
From a training plan perspective, these modules are combined and distributed over time, always aiming to keep the monthly learning load around 15 to 20 minutes. Given the unique nature of interactive modules, the learning load is estimated based on the average user experience, calculated from a diverse user sample.
Modules like WarmUp, DidActive, and Cyber Insights are linked by a prerequisite system, meaning you must complete one module with a certain evaluation before moving to the next. This system does not apply to Serious Games, which are offered as standalone “challenges.”
Description of CGA Training Modules (Cyber School)
Below is the list of 36 training modules for the first three years of the program (Cyber School). While each module is self-contained, the sequence has been carefully designed to naturally reference topics covered earlier, reinforcing learning and memory retention.
Year 1
PHISHING
PHISHING is the most common attack technique used by cybercriminals, primarily spread through email, though it is quickly expanding to other channels like popular messaging apps and social media. It’s especially deceptive because it relies on tricking potential victims into taking actions that allow the criminal to launch their attack. This training module provides the knowledge needed to recognize a PHISHING attack and take the necessary countermeasures.
PASSWORD
One of the pillars of Cyber Security is the PASSWORD, the key to all IT resources that require secure and private access. Managing your PASSWORDS is a fundamental part of both personal and organizational defense strategies. This module provides the knowledge needed to manage PASSWORDS securely, protecting them from breaches that could have disastrous consequences.
SOCIAL MEDIA
SOCIAL MEDIA offer new ways to connect, thanks to the wide range of digital technology available today. But they also pose risks, potentially compromising both personal privacy and organizational security. This module provides the knowledge needed to use these tools wisely, protecting both individuals and organizations from the risks that come with sharing personal and professional content online.
PRIVACY & GDPR
The introduction of the new European data protection regulation has increased organizations’ awareness of PRIVACY and the protection of sensitive data. Beyond specific roles, it’s important for everyone in an organization to become more sensitive to data protection. This module provides the knowledge needed to take a proactive approach to data protection and help ensure the organization’s compliance with new European regulations.
MOBILE & APP
MOBILE DEVICES, especially smartphones and tablets, are becoming more critical every day and represent the highest risk of overlap between personal and professional life. This module provides the knowledge needed to use mobile devices—whether personal or work-related—safely, enabling best practices to increase security and data protection.
FAKE NEWS
FAKE NEWS are articles written with invented or distorted information, designed to mislead. This is a dangerous phenomenon that, if unchecked, can have negative consequences for both individuals and organizations. While often discussed from a social or political perspective, it also has a direct impact on Cyber Security. This module provides the knowledge needed to recognize Fake News, using investigative processes that help develop a critical approach to any information found online.
USB DEVICE
All USB devices, especially storage devices, can become a critical point when it comes to protecting confidential information, which is why they are often subject to specific policies. This module provides the knowledge needed to recognize all risks associated with USB devices, especially storage devices, and enables best practices to avoid data theft.
EMAIL SECURITY
EMAIL is an increasingly important tool, playing a central and critical role in professional life. Sensitive information is often exchanged via EMAIL, so security cannot be overlooked. This module provides the knowledge needed to secure emails and the information they contain.
MALWARE & RANSOMWARE
MALWARE in general, and RANSOMWARE in particular, have quickly made headlines, highlighting their dangers. People need to understand that antivirus software does not guarantee total protection against these malicious programs. This module provides the knowledge needed to reduce the risk of falling victim to this type of software and to limit the negative consequences in case of a breach.
WEB BROWSING
WEB BROWSING comes with many risks, and what seems like a routine activity can actually be quite risky. A good understanding of certain website and browser features can significantly reduce risk. This module provides the knowledge needed to browse the WEB safely.
CRITICAL SCENARIOS
When interacting with Cyberspace, there are some critical scenarios: using Cloud platforms, traveling for leisure or business, or using e-commerce platforms, whether in B2B or B2C contexts. These scenarios are particularly exposed to the risk of attacks by cybercriminals, with risks both on a personal and professional level. This module aims to provide essential awareness elements to help understand the often underestimated threats connected to these specific scenarios involving digital technologies.
SOCIAL ENGINEERING
Social engineering is the mother of all cyber attack strategies. It relies on deception and psychological manipulation to achieve fraudulent goals. To make the attack more effective, the core of this strategy is gathering information about the intended victim. This module provides awareness about the techniques used by cybercriminals, serving as an ideal summary of elements already covered in previous modules.
Year 2
CLEAN DESK
Paying close attention to your workspace and avoiding leaving critical or even sensitive information accessible to unauthorized people is a basic element for ensuring information security, data protection, and compliance with privacy regulations. This module not only provides practical tips but also highlights concepts like data protection and privacy, including a focus on GDPR.
SMART-WORKING
With the COVID-19 emergency and the widespread adoption of smart-working—mainly understood as telework or remote work—it has become necessary to focus attention on this particular topic. Working outside the “safe” walls of our office exposes all users to increased cyber risks. This module highlights the main points of vulnerability encountered in this less protected environment and how risks can be mitigated through appropriate behaviors that reflect greater awareness.
SOCIAL COLLABORATION & VIDEO-CONFERENCING
The COVID-19 emergency and the rapid shift to smart-working led to a quick increase in the use of information sharing and collaboration tools, especially video conferencing tools. Their use has gone beyond the professional sphere and become part of our personal lives as well. This module highlights some threats closely related to sharing and collaboration, emphasizing the need for proper use of these tools to protect privacy and security.
SMISHING & VISHING
Another specific phishing technique targets users through messaging systems like WhatsApp, Messenger, Telegram, and SMS. This module, through a series of real-life examples, helps users understand how even messaging systems—sometimes considered “SAFE”—can hide particular dangers. It shows how careless or inappropriate behavior can put both our own security and that of our network of contacts at risk.
SPEAR PHISHING
We return to the topic of phishing, building on concepts already discussed, assuming that users have gained a basic understanding from previous modules to explore some topics in more depth and improve their ability to recognize phishing attacks. This module focuses on recognizing spear phishing attacks—a sophisticated technique targeting a specific individual or group—and highlights the methods used to collect sensitive information through deception.
RANSOMWARE
This is the most insidious type of MALWARE, causing the most damage and subjecting individuals and organizations to blackmail that is hard to escape. RANSOMWARE attacks have been able to halt the business operations of entire organizations, often forcing them to pay significant sums to regain control of their data and information. This technique is becoming more widespread and aggressive, and in recent times, there have been more and more serious attacks linked to it.
MULTI-FACTOR-AUTHENTICATION
This module explores advanced authentication systems, both to encourage their use wherever technically possible to strengthen overall security for individuals and organizations, and to inform users about new techniques hackers use to bypass these systems by exploiting the human factor. It focuses on Sneaky Phishing—a specific evolution of phishing techniques—and Sim Swap, where criminals try to fraudulently gain control of the user’s smartphone.
IoT DEVICE
We are increasingly interconnected, and this trend will only continue. Technological evolution is leading us toward total interconnection, which now involves not just people but also things. What would have seemed like science fiction a few years ago is now becoming reality before our eyes. This affects not only the professional sphere but also users’ private lives. Appliances, cameras, wearables, and increasingly smart cars—things are communicating more and more. This is both fascinating and, in some ways, unsettling. Every interconnected device, if not managed properly, becomes a potential vulnerability for security. This module explains how to approach this scenario, suggesting appropriate behaviors that won’t compromise the security of individuals or organizations.
BLUETOOTH & WIFI
This module focuses on two technological components essential for connectivity on the go and thus for people’s mobility. These are strategic components for digital transformation and innovation, but they also contain risks that can be managed with user awareness and responsible use.
INFORMATION CLASSIFICATION
Information classification is one of the key factors in information security management, but it’s also one of the least understood by users and is often seen as an unnecessary burden. Yet today, information classification is essential for compliance with standards and regulations regarding data protection. This module explains the meaning and reasons why organizations develop classification processes and helps users understand the importance of adjusting their behavior accordingly. It also takes a closer look at a special category of information: PERSONAL IDENTIFIABLE INFORMATION.
DATA PROTECTION
We return to the topic of data protection, focusing on security and, more specifically, privacy and its relationship with various quality and information security regulations, especially GDPR. This module can be considered an “annual” refresher of the Privacy & GDPR module as part of mandatory training, though it contains original and more advanced content compared to the first level.
SOCIAL ENGINEERING 2
At the end of each level (year), we revisit Social Engineering and the attack techniques that use deception and psychological manipulation as a basis for achieving fraudulent goals. This module, drawing on real-life examples, provides further awareness of the techniques used by cybercriminals, serving as an ideal summary of the elements covered in the second-level modules.
Year 3
PRIVACY
We return to the topic of Privacy, exploring it in more depth and especially highlighting its value and the importance of protecting it. The goal of this module is to provide the tools to understand that using digital technologies, the Web, and social media comes at a cost in terms of privacy loss. Being aware in this area allows us to have a balanced relationship with innovation, without paying too high a price in terms of confidentiality.
SOCIAL & CYBERBULLYING
This module addresses a particular social emergency: cyberbullying. As always, our modules aim to address both personal and professional dimensions, which often overlap significantly. While this topic may seem strictly personal and social, in reality, beyond raising cultural awareness, we’ll see how underestimating certain phenomena can also have security implications and may even cause legal or reputational damage to your organization.
LEGAL ASPECT
This module covers some legal aspects related to the unintentional use of digital technologies. Copyright infringement, non-compliance with regulations, illegal use of software products, and defamation are just a few concrete examples of the risk of committing offenses that can negatively impact both individuals and organizations.
REAL SCAM
This module presents real cases of scams that have occurred in the cyber world. The main goal is to help users become more aware by showing just how real the danger can be. The module will also highlight some best practices that could have prevented people from becoming scam victims.
PHONE SCAM
This module focuses on so-called combined attacks, which involve both cyber techniques and more traditional methods like phone calls. These attack methods are particularly sneaky because they tend to break down the skepticism some people have developed toward electronic communications and increase the sense of pressure and urgency, which is often the main lever used to push victims into making mistakes.
PHYSICAL SECURITY
Physical security also plays a role in protecting individuals and organizations. By physical security, we mean all the measures needed to prevent unauthorized access to premises, resources, or information. While physical security within organizations is subject to specific regulations, this module highlights general rules and best practices to reduce the risks associated with breaching physical barriers.
E-COMMERCE
This module focuses on a topic that was only introduced in the first level of training. It’s a particularly sensitive topic because the risks—and the potential damages—increase when an activity is directly linked to a flow of money, as in the case of e-commerce. We address the topic from all angles, considering the various types of e-commerce, from B2C to B2B, which have a greater impact on organizations.
HOLIDAY & BUSINESS TRIP
This module focuses on a topic that was only introduced in the first level of training. It covers vacations and business trips, because our cyber vulnerability always increases in these situations. We address the topic by covering the entire travel cycle—from planning to returning home or to the office—looking at all the risks that arise at each stage.
CYBER HYGIENE
Keeping devices in a proper state of hygiene helps achieve better productivity, but more importantly, it reduces information security risks. We should always maintain a proper device maintenance strategy, which also includes taking care of the content and data. This module provides a series of best practices on how to maintain good hygiene for our devices and, above all, control over the data that can be accessed through them.
BACKUP & RESTORE
Having a proper data backup and recovery strategy allows individuals—and therefore organizations—to protect themselves from the risk of damage following a successful cyber attack. This module aims to raise awareness about what can truly be considered a defensive tool, helping us avoid situations where our device becomes the target of a ransom, as happens in ransomware attacks, or where we lose important data due to a simple technical issue.
TOP BEST PRACTICE
The entire training program focuses on best practices, understood as positive behaviors that can help mitigate cyber risks. This module summarizes the concept by highlighting 12 best practices that can genuinely help reduce cyber risk.
SOCIAL ENGINEERING 3
At the end of each level (block of 12 modules), we return to the topic of Social Engineering—attack techniques that use deception and psychological manipulation as a basis to achieve fraudulent goals. This module, drawing on real-life examples, provides further insight into the techniques used by cyber criminals, serving as an ideal summary of the topics already covered in the third-level modules.