Cyber awareness training methodology
How NureComp's Cyber Awareness programme maps to NCSC Cyber Essentials and NCSC 10 Steps, with forward-mapping to the Cyber Security and Resilience Bill 2026.
Self-authored v1.0 — pending IASME-accredited Cyber Essentials assessor review.
1. Statutory and standards anchors
- NCSC Cyber Essentials — five technical controls (firewalls, secure configuration, access control, malware protection, security update management). Workforce training is implicit in the “have your users been trained?” question.
- NCSC 10 Steps to Cyber Security — workforce awareness is Step 8.
- Cyber Security and Resilience Bill (2026, expected) — workforce training likely referenced as a core duty under the expanded NIS regime.
- NHS DSPT — Standard 1 (Personal Confidential Data) and Standard 6 (Responding to incidents) both require workforce training.
- PCI DSS — Requirement 12.6 mandates security-awareness training for everyone handling cardholder data.
2. Module structure
| Module | Audience | Duration |
|---|---|---|
| Foundations — passwords, MFA, phishing, device hygiene | All staff | 20 min · 0.5 CPD |
| BYOD overlay — personal devices for work | Mobile workers | 8 min · 0.25 CPD |
| IT admin overlay — privileged access, patching, backups | IT / sysadmin | 15 min · 0.5 CPD |
| Lone-worker overlay — out-of-office cyber risks | Field / remote staff | 8 min · 0.25 CPD |
| Incident response overlay — what to do when something looks wrong | All managers | 12 min · 0.25 CPD |
| Sector overlay — sector-specific scenarios | All staff | 10-15 min · 0.25 CPD |
| Final assessment — 20 scenario questions | All staff | 15 min · 0.5 CPD |
3. Role-mapping algorithm
- Foundations module (always)
- BYOD overlay if profile flags BYOD use
- IT admin overlay for staff with privileged access
- Lone-worker overlay if `is_lone_worker`
- Incident response overlay if `is_manager`
- One sector overlay based on `sector_id`
- Final scenario assessment (always)
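The role-mapping rules above, expressed as a runnable Python example added here for illustration (not NureComp's own code). Module minutes and CPD credits are taken from the table in section 2; the sector overlay is listed there as 10-15 min, so 10 min is assumed. The profile field names (`uses_byod`, `has_privileged_access`) and the sector identifiers are placeholders, since the page names only `is_lone_worker`, `is_manager` and `sector_id`. An unknown `sector_id` is rejected rather than silently dropping the mandatory sector overlay.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Module catalogue transcribed from the page's table: (label, minutes, CPD credits).
# The sector overlay is 10-15 min on the page; 10 min is an assumption here.
MODULES = {
    "foundations":       ("Foundations", 20, 0.5),
    "byod":              ("BYOD overlay", 8, 0.25),
    "it_admin":          ("IT admin overlay", 15, 0.5),
    "lone_worker":       ("Lone-worker overlay", 8, 0.25),
    "incident_response": ("Incident response overlay", 12, 0.25),
    "sector":            ("Sector overlay", 10, 0.25),
    "assessment":        ("Final assessment", 15, 0.5),
}

# Hypothetical sector identifiers; the page does not list real sector_id values.
KNOWN_SECTORS = {"healthcare", "retail", "finance"}


@dataclass(frozen=True)
class LearnerProfile:
    # uses_byod and has_privileged_access are assumed field names;
    # is_lone_worker, is_manager and sector_id come from the page.
    uses_byod: bool = False
    has_privileged_access: bool = False
    is_lone_worker: bool = False
    is_manager: bool = False
    sector_id: str = ""


def map_modules(profile: LearnerProfile) -> List[str]:
    """Return the ordered list of module keys a learner must complete.

    Foundations and the final assessment are always assigned; each overlay
    is added only when its profile flag is set; exactly one sector overlay
    is chosen from sector_id.
    """
    if profile.sector_id not in KNOWN_SECTORS:
        # Fail closed: an unrecognised sector must not skip the mandatory overlay.
        raise ValueError(f"unknown sector_id: {profile.sector_id!r}")

    plan = ["foundations"]
    if profile.uses_byod:
        plan.append("byod")
    if profile.has_privileged_access:
        plan.append("it_admin")
    if profile.is_lone_worker:
        plan.append("lone_worker")
    if profile.is_manager:
        plan.append("incident_response")
    plan.append("sector")
    plan.append("assessment")
    return plan


def plan_totals(plan: List[str]) -> Tuple[int, float]:
    """Sum the minutes and CPD credits for a module plan."""
    minutes = sum(MODULES[key][1] for key in plan)
    cpd = sum(MODULES[key][2] for key in plan)
    return minutes, cpd


if __name__ == "__main__":
    # Constructed sample: a privileged IT manager in the (placeholder) finance sector.
    admin = LearnerProfile(has_privileged_access=True, is_manager=True, sector_id="finance")
    plan = map_modules(admin)
    for key in plan:
        label, mins, credit = MODULES[key]
        print(f"{label:<28} {mins:>3} min  {credit} CPD")
    minutes, cpd = plan_totals(plan)
    print(f"total: {minutes} min, {cpd} CPD")
```

A learner with no flags set receives only Foundations, one sector overlay and the assessment (45 min, 1.25 CPD); a learner with every flag set receives all seven modules (88 min, 2.5 CPD).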
4. Phishing simulation (Cycle 5 add-on)
MVP ships awareness + reporting + scenario assessment. Active phishing simulation ships as a Cycle 5 Enterprise add-on at £5/seat/year — eight initial templates, configurable cadence, plug-in via xAPI or webhook to integrate with an external simulator if you already have one.
5. Privacy posture
Cyber survey responses can be self-incriminating (admitted password reuse, falling for phishing). Default posture is aggregate-only (Doc 30 §7.6); individual visibility requires explicit learner opt-in. This protects honest engagement.
See also: Article 4 methodology · CPD methodology · Harassment · GDPR/DUAA