Everyone at Denialbase receives security awareness training on hire and annually thereafter. Role-specific modules add depth for developers, support staff, and anyone with privileged access.
Program overview
Universal baseline
Everyone completes on hire + annually: HIPAA Privacy/Security rule essentials, Denialbase security policies, phishing recognition, credential hygiene, incident reporting, PHI handling, device hygiene.
Role-specific modules
Add-on modules based on role — secure SDLC for engineers, support-desk PHI handling for CS, privileged access for ops, customer data handling for sales.
Continuous awareness
Monthly phishing simulations, weekly security digest, quarterly “red flag” walk-throughs of recent external incidents.
Just-in-time
Triggered training — e.g. if an access review reveals scope creep, training on least-privilege for that team.
Required learning (universal)
Every workforce member completes the following within their first 14 days:

| Module | Duration | Format |
|---|---|---|
| HIPAA Privacy & Security Rule essentials | 45 min | Video + 10-question quiz (pass ≥ 80%) |
| Denialbase Information Security Policy | 20 min | Read-and-acknowledge |
| Acceptable Use Policy | 15 min | Read-and-acknowledge |
| Phishing recognition | 30 min | Video + practice exercises |
| Password & credential hygiene | 15 min | Quick course + 1Password setup |
| Incident reporting | 10 min | Video + contact sheet |
| PHI handling 101 | 30 min | Video + scenario quiz |
| Workstation hygiene | 15 min | Video + MDM verification |
Annual refresher
All workforce members complete an updated version of the universal modules each year, scheduled within 30 days of their hire anniversary or 1 January (whichever comes first). The refresher incorporates:
- Changes to HIPAA enforcement or state privacy laws in the last year.
- Lessons from incidents in the last year (sanitized).
- New threat trends (e.g. AI-driven phishing, specific campaigns targeting healthcare SaaS).
- Any policy changes.
Role-specific modules
Software engineers
- OWASP Top 10 refresher (focused on Rails/React pitfalls)
- Threat modeling using STRIDE or equivalent
- Secure code review — what to look for as a reviewer
- Secure handling of customer data in dev/test — seed data only, no prod PHI
- Responding to security@denialbase.com reports
Support staff
- PHI minimization in tickets, screenshots, and recordings
- Identity verification before discussing any customer account
- Social engineering resistance
- Escalation path for suspected breaches
Privileged access holders (CTO, Security Officer, senior engineers)
- Break-glass access procedure and documentation requirements
- Prod data access etiquette — just-in-time, time-limited, audit-logged
- Encryption key handling — never extract from Secret Manager, rotate procedures
- Terraform safety — `plan` before `apply`, no force-flags, review requirements
Leadership (CEO, executives)
- Whaling / spear-phishing awareness (execs are the prime target)
- Wire transfer fraud recognition
- Board / investor communications security
- Legal privilege boundaries for incident response
Phishing simulation
Monthly campaigns
One simulated phishing email per month, sent to all employees. Campaigns vary in difficulty and vector (credential phish, attachment, voice/SMS variants).
Click-rate tracking
Per-person and org-level click and report rates tracked. Org target: click rate < 5%, report rate > 50%.
Response to clicks
A click doesn’t trigger discipline — it triggers a 10-minute just-in-time micro-training and a follow-up simulation. Repeated clicks after training trigger a manager conversation.
Response to reports
Every report, real or simulated, is acknowledged within 1 business hour. Real reports go to the incident response flow.
Micro-learning
Short-form content to keep security top-of-mind between formal trainings:
- Weekly “one-minute security” — a single tip, Slack-delivered, with a linked deep-dive.
- Quarterly “red flag” sessions — 20-min group walk-through of recent external incidents (Okta breach, 23andMe credential stuffing, healthcare ransomware reports) and what we’d do differently.
- Monthly office hours — the Security Officer holds a 30-min drop-in for questions, “is this suspicious”, or policy clarifications.
Records retained
| Record | Retention |
|---|---|
| Completion records (who, what, when) | Employment + 6 years |
| Quiz scores | Employment + 3 years |
| Phishing simulation outcomes | 3 years |
| Policy acknowledgements | Employment + 6 years |
Metrics
Reported quarterly to Management review:

| Metric | Target |
|---|---|
| Universal training completion (new hires) | 100% within 14 days |
| Annual refresher completion | ≥ 95% within 30 days of invitation |
| Role-specific training completion | 100% within 30 days of role start |
| Phishing click rate (org average) | < 5% |
| Phishing report rate | > 50% |
| Quiz pass rate on first attempt | ≥ 80% |
Current gaps — honest status
Formal curriculum documentation
Training modules are delivered via a mix of live sessions, third-party platform (TBD), and internal Loom recordings. Formal curriculum docs and an LMS are being set up Q2 2026.
Phishing simulation platform
Running manual simulations today; evaluating vendor platforms (KnowBe4, Proofpoint, Hoxhunt) for Q2 2026.
Evidenced completion records
Completion is tracked today in a Google Sheet and per-person in employment records. Migrating to an HR platform with audit-exportable records Q3 2026.