Employee Cybersecurity Awareness

Make employees a measurable human line of defense: spot phishing, social engineering, and data leaks, with a curriculum mapped to NIST SP 800-50 Rev 1, NIST CSF 2.0 PR.AT, ISO/IEC 27001:2022 Annex A 6.3, and Indonesia's PDP Law obligations, tested with NIST Phish Scale-based simulations.

Format: In-house / online / roadshow
Duration: 2 hrs-1 day per batch + a 3-12 month periodic program
Participants: Scalable to thousands
Language: Indonesian / English

Quick Answer

Employee cybersecurity awareness training is an ongoing program that trains all employees to recognize phishing, social engineering, and data leakage so human-factor risk is reduced and measurable. Its curriculum is mapped to NIST SP 800-50 Rev 1, NIST CSF 2.0 PR.AT, and ISO 27001:2022 A.6.3, measured with the NIST Phish Scale and Kirkpatrick, aligned to Indonesia's PDP Law.

Indonesia's PDP Law (UU No. 27/2022) is fully in force — employee awareness is an obligation

Since October 2024, data controller and data processor obligations have been fully enforceable, with administrative sanctions of up to 2% of annual revenue. Employee awareness is an expected organizational measure that must be evidenced. This program translates that obligation into concrete behavior and audit documentation from day one.

Mapped to recognized awareness frameworks

Design follows NIST SP 800-50 Rev 1 (2024, 4-phase lifecycle), meets NIST CSF 2.0 PR.AT-01/PR.AT-02 outcomes, and ISO/IEC 27001:2022 Annex A 6.3 duties — documented, role-based, and ongoing, not generic 'security tips'.

The most common mistake: annual training without behavior measurement

Measuring raw click rate without the NIST Phish Scale misleads, and once-a-year training only places an organization at the 'compliance-focused' SANS Maturity stage. This program pursues behavior & culture change with normalized simulations and a report-rate metric, not just a checked audit box.

Employee Cybersecurity Awareness

Employee cybersecurity awareness training is an ongoing program that equips all employees to recognize and respond to everyday cyber threats — phishing, social engineering, data leakage — so human-factor incident risk is reduced and measurable. The curriculum is mapped to NIST SP 800-50 Rev 1, NIST CSF 2.0 Protect (PR.AT), and ISO/IEC 27001:2022 Annex A 6.3, measured with the NIST Phish Scale and the Kirkpatrick model, and aligned to UU PDP No. 27/2022 (Indonesia's PDP Law) and sector regulation (e.g. POJK 11/2022 for banking).

1. Designed via a training needs analysis (TNA) and structured per role (general, frontline, executive, IT/admin) — the role-based pattern of NIST CSF 2.0 PR.AT-01/PR.AT-02
2. Follows the 4-phase NIST SP 800-50 Rev 1 lifecycle: Plan & Strategy -> Analysis & Design -> Development & Implementation -> Assessment & Improvement
3. Phishing simulations are measured with the NIST Phish Scale (TN 2276) so click-rate variance is judged honestly, not as misleading raw numbers
4. More than annual literacy — it pursues behavior and culture change along the SANS Security Awareness & Culture Maturity Model (5 stages)
5. Compliance modules explicitly mapped to UU PDP No. 27/2022, POJK 11/POJK.03/2022 + SEOJK 29/SEOJK.03/2022, and BSSN guidance
6. Measurable output: baseline & per-unit click/report-rate trend reports, training evidence ready for ISO 27001 / regulator audits, and a security-culture maturity roadmap

Measurable Outcomes

Expected Outcomes

Success indicators mapped to Kirkpatrick evaluation levels and SANS Maturity Model stages — qualitative targets, set jointly during the TNA against the organization's baseline.

Phishing click rate (Kirkpatrick L3 — Behavior)
A downward click-rate trend across simulation cycles, normalized with the NIST Phish Scale so comparison is fair
Phishing report rate (L3 — Behavior)
A rising share of employees who actively report suspicious email — a culture indicator, not merely not-clicking
Coverage & assessment pass rate (L1-L2)
Most employees complete mandatory modules and pass the threat & policy knowledge assessment
Audit-evidence readiness (L4 — Results)
Training, assessment, and simulation evidence documented for ISO 27001 A.6.3, OJK, or internal-examiner audits
Security-culture maturity (L3 transfer)
Movement of stage on the SANS Maturity Model — from compliance-focused toward behavior & culture change
Monetized ROI (Phillips L5 — optional)
Estimated avoided human-factor incident loss with isolation of training effects, when finance/risk requires a figure

Program Format

Program Format Options

Chosen by employee distribution, regulatory intensity, and culture-maturity stage — finalized after the TNA.

1. Multi-Site Awareness Roadshow

Short sessions (60-120 min) touring units, branches, or plants for fast mass coverage — focused on spotting phishing, social engineering, and how to report, with messaging tailored per site.

Best for: Large distributed organizations (banks, retail, multi-plant manufacturing, agencies)
2. Role-Based Core Module + Baseline Simulation

Core training structured per role (general, frontline, executive, IT/privileged) followed by a baseline phishing simulation to set an honest measurement starting point.

Best for: Building an organizational awareness baseline & meeting ISO 27001 A.6.3
3. Periodic Program (quarterly/monthly)

Continuous reinforcement on a 70-20-10 pattern: micro-learning, rolling simulations with rising Phish Scale difficulty, and per-unit trend reviews.

Best for: Heavily regulated sectors & sustained behavior-change targets
4. Human-Risk Assessment & Diagnostic

A diagnostic session: a controlled phishing simulation, a behavior questionnaire, and mapping the organization's position on the SANS Maturity Model to set program priorities.

Best for: Organizations wanting to know their starting point before full investment

Free Consultation

Discuss your team's cyber-awareness program needs

Start with a free training needs analysis: we map your high-risk roles, your position on the SANS Maturity Model, and your regulatory obligations, then build a proposal & budget estimate grounded in real needs.

Curriculum

Curriculum Framework

Built with ADDIE and the NIST SP 800-50 Rev 1 Analysis & Design phase; final modules curated from the TNA and roles. Topics below are the full coverage that can be activated.

Comparison

Choosing a Program Format

A concise decision matrix — the final recommendation is set after the training needs analysis.

Primary goal
  • Awareness Roadshow: Fast mass coverage
  • Core Module + Baseline Simulation: Measurable awareness baseline
  • Periodic Program (quarterly): Behavior & culture change
  • Risk Assessment & Diagnostic: Know the starting point first

Ideal participants
  • Awareness Roadshow: All distributed employees
  • Core Module + Baseline Simulation: Organization building a baseline
  • Periodic Program (quarterly): Heavily regulated sectors
  • Risk Assessment & Diagnostic: Exploratory IT/Risk leadership

Measurement
  • Awareness Roadshow: Coverage & brief assessment
  • Core Module + Baseline Simulation: Baseline click rate (Phish Scale)
  • Periodic Program (quarterly): Rolling click/report-rate trend
  • Risk Assessment & Diagnostic: Diagnostic + SANS Maturity position

Compliance depth
  • Awareness Roadshow: Basic regulatory awareness
  • Core Module + Baseline Simulation: ISO 27001 A.6.3 fulfillment
  • Periodic Program (quarterly): Continuous audit evidence
  • Risk Assessment & Diagnostic: Gap map vs frameworks & regulation

Target SANS Maturity stage
  • Awareness Roadshow: Toward compliance-focused
  • Core Module + Baseline Simulation: Strong compliance-focused
  • Periodic Program (quarterly): Behavior & culture change
  • Risk Assessment & Diagnostic: Establishing the maturity baseline

For Whom

Who Is This Program For?

Structured per role following the NIST CSF 2.0 PR.AT role-based pattern — because risk and attack vectors differ per function.

General employees (knowledge workers)

The first human line of defense for everyday email, credentials, and data.

Common challenges

  • Inconsistently spot increasingly convincing phishing and social engineering
  • Don't know the reporting path, so incidents are not reported promptly and go undetected
  • Unclear what data must not be shared or entered into unsanctioned tools

Frontline, service & call center

Favorite social-engineering targets because they interact with the public and hold customer data.

Common challenges

  • Fast-service pressure causes security verification to be skipped
  • Frequent targets of vishing/pretexting by callers impersonating a customer or a superior
  • Hold personal data subject to UU PDP and sector regulation

Executives & privileged-access holders

Targets of whaling, BEC, and tailored attacks due to approval authority and system access.

Common challenges

  • Targeted by personalized spear phishing & deepfakes
  • Financial approvals exploitable via impersonation (transfer fraud)
  • No separate privileged-user training module yet (PR.AT-02 gap)

IT/Security, HR, Risk & Compliance teams

Design, run, and prove the awareness program and map human risk.

Common challenges

  • Hard to measure human risk objectively (raw click rate misleads)
  • ISO 27001 A.6.3 / OJK / UU PDP audit evidence incomplete & undocumented
  • The program stops at annual training with no proven behavior change

Industry Context

Use Cases by Industry

One specific use case per industry, naming a real workflow, threat, and regulation in that vertical.

Banking & Financial Services

Anti-fraud frontliner & targeted BEC simulation against treasury/operations, mapped to the workforce-awareness duties in POJK 11/POJK.03/2022 and SEOJK 29/SEOJK.03/2022, with training & simulation evidence ready for OJK examination and ISO 27001 A.6.3 audit.

Healthcare & Pharmaceuticals

Patient-data protection & hospital ransomware vigilance (a vector that can paralyze clinical services), with a patient personal-data handling module aligned to UU PDP No. 27/2022 and clear incident reporting for medical & administrative staff.

Government & Public Sector

Civil-servant awareness of citizen-data security and digital public services, aligned to BSSN guidance and public-sector UU PDP duties, with cross-unit roadshows and coverage evidence for internal examiners.

Energy & Resources

Vigilance against critical-infrastructure attacks and OT/IT boundary hygiene for plant & corporate staff, with social-engineering scenarios targeting operators and the supply chain.

Technology & Startups

Software supply-chain security and social engineering against engineers (tokens, secrets, repository access), with simulations targeting credential phishing and MFA fatigue.

State-Owned Enterprises (BUMN)

An enterprise-scale awareness program across subsidiaries with an auditable governance trail, aligned to UU PDP and the NIST SP 800-50 Rev 1 framework, supporting director accountability and readiness for BPK/internal-audit examination.

Delivery Method

Delivery

Format adapts to team distribution and operational schedule; every format is interactive with exercises & simulations, not one-way passive lecture.

In-house on-site & roadshow

Facilitator comes to the office/branch/plant; interactive sessions with local case studies, tabletop social-engineering simulation, and reporting drills.

Live online & micro-learning

Interactive class via Zoom/Teams for mass coverage, reinforced by short micro-learning for periodic reinforcement (70-20-10 pattern).

Hybrid

On-site sessions for high-risk roles (frontline, executive, IT) followed by rolling online phishing simulations and per-unit trend reviews.

  • Schedule built around the company's operational calendar, shifts, and peak seasons
  • Materials, worksheets, and simulation scenarios localized to the Indonesian threat context by the Neksus team
  • Phishing simulations run in a controlled environment with agreed consent & scope
  • Certificate of participation for every attendee
  • Evaluation & per-unit risk-trend report for the L&D, IT/Security, and leadership teams

Engagement Flow

Engagement Path

Following the 4-phase NIST SP 800-50 Rev 1 lifecycle — qualitative durations, adapted to organization scale & distribution.

1. Training Needs Analysis & Diagnostic (Plan & Strategy)

Mapping high-risk roles, regulatory duties (UU PDP/POJK/sector), the starting position on the SANS Maturity Model, and a measurement baseline. Output: a needs profile + simulation scope.

When: Initial stage

2. Role-Based Program Design (Analysis & Design / ADDIE)

Defining measurable learning objectives, a per-role syllabus (general/frontline/executive/privileged), local scenarios, and a compliance map to NIST/ISO 27001/UU PDP.

When: Before delivery

3. Baseline Simulation

A controlled phishing simulation to set the starting point, rated with the NIST Phish Scale so the baseline is honest and later comparable.

When: Program start

4. Delivery — Roll-out per Role & Site

Core training and cross-unit/branch/plant roadshows; high-risk roles get deeper modules (70-20-10 pattern, led by a security-champion group).

When: Rolling per batch

5. Reinforcement & Periodic Simulation Cycles

Micro-learning and rolling simulations with gradually rising Phish Scale difficulty; per-unit click & report-rate trend reviews.

When: Periodic (quarterly/monthly)

6. Evaluation & Institutionalization (Assessment & Improvement)

Kirkpatrick L1-L4 evaluation (Phillips L5 on request), re-mapping the SANS Maturity stage, audit evidence, and a security-culture maturity roadmap.

When: After each cycle & ongoing

Case Studies

Typical Outcome Patterns

Indicative impact patterns based on similar program structures — illustrative, with no named clients or promised numbers. External benchmarks (e.g. Verizon DBIR) are cited as industry references, not Neksus result claims.

A financial-services institution with thousands of employees across many branches

Intervention

Multi-site roadshow + a baseline phishing simulation then rolling cycles with Phish Scale difficulty raised gradually

Result

A downward click-rate trend across cycles and a rising report rate; training evidence assembled for regulator examination

A multi-unit healthcare network

Intervention

Quarterly program + a UU PDP-aligned patient-data protection module + a simplified reporting path

Result

Comprehensive training coverage and more complete compliance-audit documentation; ransomware awareness improved among non-technical staff

An agency/state-owned enterprise with many work units

Intervention

SANS Maturity Model position assessment + a phased program with a champion network (70-20-10 pattern)

Result

Movement from a compliance-focused stage toward behavior change, with trend metrics reportable to leadership

Procurement Info

Information for Procurement & Vendor Management

What procurement, finance, legal, and information-security teams need.

Legal entity

Registered PT under the Selestia ecosystem (Eduprima group); complete tax ID & legal documents; ready for service agreements and vendor onboarding.

Proposal

Structured proposal: measurable learning objectives, role-based syllabus, compliance map (NIST SP 800-50 Rev 1 / CSF 2.0 / ISO 27001 A.6.3 / UU PDP / POJK), simulation methodology, facilitator profiles, schedule, and a TNA-based cost breakdown.

Pricing model

TNA-based — flat per program, per session, per participant, tiered, or custom. No standard figure without a needs analysis; an estimate follows the TNA and once simulation scope is agreed.

Payment & tax

Flexible terms (deposit + balance / per-batch or per-quarter terms); tax invoice (PPN/VAT) and PO documentation support available.

BUMN/government process

Familiar with state-owned-enterprise/agency procurement stages: vendor documents, e-procurement, owner's estimate/bid, and compliance clauses.

Measurement

Kirkpatrick Level 1-3 evaluation report (attendance, assessment, click/report-rate trend with Phish Scale) and SANS Maturity stage mapping; Phillips ROI Level 5 on finance/risk request.

Confidentiality & data security

NDA signing, participant data confidentiality clauses, an agreed & controlled phishing-simulation scope, and practice aligned to UU PDP and your internal security policy.

Material ownership

Scenarios, materials, and reports built for the company belong to the company; training-material usage rights are agreed in the contract.

Next Step

Discuss your team's cyber-awareness program needs

Start with a free training needs analysis: we map your high-risk roles, your position on the SANS Maturity Model, and your regulatory obligations, then build a proposal & budget estimate grounded in real needs.

  • Complimentary training needs analysis — the natural first step
  • Proposal, role-based syllabus, and a compliance map within a few business days
  • An honest, auditable NIST Phish Scale-based phishing-simulation methodology
  • Procurement-ready documents (company profile, tax ID, NDA, VAT invoice)