2025-11-15

Simple Phishing Defense: Creating Better Security Culture

Most security awareness programs are stuck in a reactive loop. An incident occurs, the security team sends a mass alert, employees might read it, and everyone moves on. We’re constantly playing catch-up.

This model is fundamentally flawed. After nearly two decades in cybersecurity, I’ve watched organizations scramble to warn employees about seasonal threats while they are already under attack. I’ve seen this pattern firsthand: tax season hits, and we’re blasting emails about W-2 phishing while malicious links are already being clicked. The holidays arrive, and we’re warning about gift card scams as employees are already receiving malicious emails. By the time warnings arrive, the damage is often done. This reactive approach fails to respect the human factor: culture isn’t built with panic-driven alerts.

But what if we could flip this model? What if we could demonstrably reduce phishing incidents and build a genuine security culture by building awareness before the threats arrive?

By pre-building and pre-scheduling your awareness campaigns, you can create a simple, effective system that finally transforms security culture from a buzzword into a reality. This approach integrates seamlessly with broader security program management. Whether you’re building compliance frameworks, managing policies, or establishing governance controls, proactive awareness becomes a foundational element of your security culture.

The Proactive Framework: Simple, Effective, and Transformative

The core concept is simple: build your awareness campaigns months in advance and schedule them based on seasonal threat patterns.

Instead of scrambling when tax season hits, your finance team has already received three targeted emails about W-2 and invoice fraud. Instead of reacting to holiday gift card scams, your entire staff has been prepared for weeks.

This requires upfront work, but the payoff is a system that runs itself. You build a culture where awareness is consistent and useful, not chaotic and burdensome. By educating employees before threats peak, you give them the time to build the mental models they need to recognize and report threats.

The Seasonal Campaign Calendar

Attackers live by the calendar, and so should we.

  • Q1 (January-March): Tax season threats, W-2 phishing, IRS impersonation, benefits enrollment scams
  • Q2 (April-June): Summer travel scams, vacation-related phishing, fiscal year-end invoice fraud
  • Q3 (July-September): Back-to-school phishing, tuition reimbursement scams, new-budget-related purchasing fraud
  • Q4 (October-December): Holiday gift card scams, shipping notification fraud, charity scams, year-end bonus phishing

Department-Specific Targeting

A one-size-fits-all email is a one-size-fits-none-well email. Your Finance team and your IT staff face entirely different threats, and tailoring the message makes it relevant, practical, and memorable.

  • Finance: Invoice fraud, wire transfer scams, vendor payment requests
  • HR: W-2 phishing, benefits enrollment scams, malicious resume submissions
  • IT/Security: Vendor support impersonation, fake system update alerts, security tool phishing
  • Executives: Business Email Compromise (BEC), wire transfer fraud, CEO impersonation attacks
  • General Employees: Broad seasonal campaigns, common phishing tactics, and clear reporting procedures

Building the System: A Simple, Scalable Engine

The key to making this work is reusability: you don’t need 48 unique emails, you need a few core templates that can be quickly adapted.

This approach works because it aligns with how people actually learn. When employees receive consistent, relevant information before they need it, they have time to process and internalize it. The repetition builds recognition patterns, and the department-specific targeting makes the information personally relevant. By the time a threat arrives, employees aren’t learning, they’re recognizing.

Start Simple:

  • Write Content: Pre-write the content for your next high-risk season
  • Create Variations: Create 2-3 department-specific variations for your highest-risk groups
  • Schedule: Set up scheduled sending 2-4 weeks before the threat period typically peaks
  • Link & Centralize: Link all communications to a single, stable internal resource (Confluence, SharePoint, etc.) that details how to report a phish

The goal is to “set it and forget it.” Your campaigns should run automatically, requiring minimal ongoing maintenance. Repetition builds habits, and habits build culture.

Measuring What Matters: Two Simple Metrics

Here is where most awareness programs fail: they don’t measure what matters, and tracking “Emails sent” is not a metric of success.

1. Reporting Rate (The Primary Metric)

This is your single most important indicator because when employees actively forward suspicious emails to your security team, your culture is working. Track this as Reports per 1,000 Employees per Month. A rising reporting rate is a clear sign of positive engagement.

Most email security platforms (like Microsoft Defender, Proofpoint, or Mimecast) can track reporting rates. You can also use your security team’s ticketing system or a dedicated phishing reporting mailbox to measure this metric.

2. Documentation View Count (The Secondary Metric)

If your campaigns link to an internal “How to Report Phishing” page, track its view count. When employees proactively seek out security information before they’re in a panic, that is culture change in action.

Most internal documentation platforms (Confluence, SharePoint, Notion) provide view analytics. Set up a baseline before launching, then track increases in views correlated with your campaign sends.

Establish your baselines before you launch; it is the only way to prove your program is driving real change.
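As an added example (not the author's own tooling), here is a small Python script that computes the two metrics above from a constructed set of monthly figures: reports per 1,000 employees per month, a pre-launch baseline for both metrics, and each post-launch month's change against that baseline, plus a comparison of campaign months with quiet months. The month records, launch month and all numbers are assumed sample data.

```python
from dataclasses import dataclass


@dataclass
class MonthStats:
    month: str            # "YYYY-MM"
    reports: int          # emails forwarded to the phishing reporting mailbox
    headcount: int        # employees on payroll that month
    doc_views: int        # views of the "How to Report Phishing" page
    campaign_sent: bool   # a pre-scheduled awareness email went out this month


def reporting_rate(reports: int, headcount: int) -> float:
    """Primary metric: reports per 1,000 employees for one month."""
    if headcount <= 0:
        raise ValueError("headcount must be positive")
    return round(reports / headcount * 1000, 2)


def baseline(months, launch_month):
    """Average of both metrics over the months before the program launched."""
    pre = [m for m in months if m.month < launch_month]
    if not pre:
        raise ValueError("need at least one pre-launch month to set a baseline")
    rate = sum(reporting_rate(m.reports, m.headcount) for m in pre) / len(pre)
    views = sum(m.doc_views for m in pre) / len(pre)
    return round(rate, 2), round(views, 2)


def pct_change(now, base):
    """Percentage change from baseline; None when the baseline is zero."""
    return round((now - base) / base * 100, 1) if base else None


def program_trend(months, launch_month):
    """Post-launch months with each metric's percentage change from baseline."""
    base_rate, base_views = baseline(months, launch_month)
    trend = []
    for m in sorted(months, key=lambda x: x.month):
        if m.month < launch_month:
            continue
        rate = reporting_rate(m.reports, m.headcount)
        trend.append({"month": m.month, "rate_per_1000": rate,
                      "rate_change_pct": pct_change(rate, base_rate),
                      "views_change_pct": pct_change(m.doc_views, base_views),
                      "campaign_sent": m.campaign_sent})
    return trend


def campaign_lift(months, launch_month):
    """Mean post-launch reporting rate in campaign months vs. quiet months."""
    post = [m for m in months if m.month >= launch_month]
    def mean_rate(group):
        rates = [reporting_rate(m.reports, m.headcount) for m in group]
        return round(sum(rates) / len(rates), 2) if rates else None
    return (mean_rate([m for m in post if m.campaign_sent]),
            mean_rate([m for m in post if not m.campaign_sent]))


# Constructed sample data (not real figures): three pre-launch months, then a Q2 program.
SAMPLE = [
    MonthStats("2025-01", 6, 1200, 40, False),
    MonthStats("2025-02", 5, 1200, 35, False),
    MonthStats("2025-03", 7, 1250, 45, False),
    MonthStats("2025-04", 14, 1250, 130, True),   # launch month, first campaign send
    MonthStats("2025-05", 11, 1250, 90, False),
    MonthStats("2025-06", 19, 1300, 160, True),   # fiscal year-end invoice fraud campaign
]
LAUNCH = "2025-04"
```

Feed it the monthly counts from your reporting mailbox or ticketing system and the page view analytics from your documentation platform; a rising `rate_change_pct` in campaign months is the signal the article describes.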

Getting Started: The Minimal Viable Approach

You don’t need a massive budget; start today.

A Transparent Experiment

I’ve implemented this framework, and it works. It’s a slow process and you may not see immediate results, but if you track your reporting rate and documentation views, you’ll eventually start seeing the metrics tick up. The method I used to track this was simple: monitoring our phishing reporting mailbox and tracking views on our internal security documentation. Start small, grow over time, and eventually automate it with your preferred tool.

Conclusion: From Burden to Shared Responsibility

Proactive security awareness isn’t about sending more emails; it’s about sending the right emails at the right time to the right people.

This simple, effective system respects the human element. People need education, not just warnings. They need relevance to their work and consistency to build habits. When you provide that, security stops being a burden and becomes a shared responsibility.

Start small, measure your results, and iterate. The goal is progress, not perfection.

Call to Action

If you’re building a proactive awareness program or want to share your experiences with seasonal campaigns, I’d love to hear from you. Reach out for collaboration, feedback, or just to share what’s working (or not working) in your organization.

Building security awareness that works requires more than sending emails; it requires a system. Start with one campaign, measure the results, and build from there.
