Scenario-Based Compliance Training — Security Awareness

Security Awareness Compliance Training Scenarios

Most security breaches don’t begin with sophisticated external attacks. They begin with an employee who used a faster workaround, connected a convenient app without reading the permissions, or saw something concerning in a colleague’s behavior and decided it wasn’t their place to say anything. These six scenarios train the recognition and reporting behaviors that security awareness programs identify as the highest-value human layer of organizational security — built for employees, managers, and the compliance teams that own or co-own security training.


Quick Answer

Why does security awareness belong in a compliance training library — and what do these scenarios cover that standard IT security training doesn’t?

The 2024 DOJ ECCP explicitly evaluates whether compliance programs address data privacy and technology risk — and the human behavior layer of security is increasingly where compliance and IT security converge. These scenarios cover the decision moments that sit in that convergence: the employee who knows the approved tool is slower and uses a personal one anyway, the colleague whose behavior pattern concerns you but you don’t want to be wrong, the AI tool that makes you more productive and isn’t clearly prohibited. Each scenario is built on the Decision Readiness Engine™ — targeting the specific rationalization that causes employees to make the wrong call, not because they don’t care about security, but because the right call has a social or professional cost that the wrong call doesn’t.

Security Awareness Training Scenarios

Shadow IT — Normalization

The Approved File-Sharing Tool Is Slow and Clunky. The Employee Uses Personal Dropbox Instead — Just for Non-Sensitive Files. “Everyone Does This.” Does That Make It Acceptable?

The shortcut feels harmless. The risk is structural. Three choices and the right answer on Shadow IT, unapproved tools, and why “non-sensitive” is a determination the employee isn’t qualified to make alone.

Read the scenario →

Shadow AI — Policy Gap Reasoning

An Employee Found an AI Tool That Makes Her Significantly More Productive. It’s Not on the Approved List. She Isn’t Sharing Sensitive Data Through It. The Policy Doesn’t Mention It. Is She in Compliance?

“The policy doesn’t say I can’t” is not the same as “the policy says I can.” Three choices and the right answer on Shadow AI, unapproved tool adoption, and the policy gap that creates invisible organizational risk.

Read the scenario →

Phishing — Relationship Trust Override

A Message Arrives From a Trusted Colleague Asking to Approve an Urgent Wire Transfer Before the End of the Day. The Account Number Is Slightly Different Than Usual. “It’s Michael — I Know Him.”

Social engineering works because trust overrides procedural caution. The attacker didn’t need to hack the system — they needed to know who Michael was. Three choices and the right answer.

Read the scenario →

Device Use — Ownership Rationalization

The Employee Uses His Work Laptop for Personal Browsing. His Kids Use It for Homework. His Spouse Checks Email on It. He’s Careful. Is There a Problem?

The risk isn’t the employee’s behavior — it’s everyone else’s. A phishing link clicked, or a password typed into a look-alike login page, by a family member compromises a device that carries the employee’s corporate credentials, cached sessions, and network access, and the organization is exposed no matter how careful the employee himself is. Three choices and the right answer on device use policy.

Read the scenario →

App Permissions — Legitimacy Rationalization

A Scheduling App Asks for Access to All Corporate Email and Calendar Entries. It’s Legitimate, Widely Used, and Makes Scheduling Easier. The Employee Clicks “Allow.” What Just Happened?

The app is real. The data access scope is not what the employee imagined. Three choices and the right answer on third-party app permissions and why “legitimate” and “authorized” are different questions.

Read the scenario →

Includes Manager’s Guide

Insider Threat — Loyalty & Diffusion

A Colleague Passed Over for Promotion Has Started Working Odd Hours, Accessing Files Outside His Normal Workflow, and Becoming Increasingly Withdrawn. Each Behavior Is Explainable. Together, They Fit a Pattern. What Is the Employee’s Obligation?

The hardest security reporting scenario — because the potential threat actor is someone you know, and the cost of being wrong feels higher than the cost of staying silent. Three choices, the right answer, and a full Manager’s Guide for facilitating the team discussion.

Read the scenario + Manager’s Guide →

Why the Human Layer Is the Compliance Layer

Technical controls stop the threats that employees don’t create. Scenario-based training stops the ones they do.

Every scenario in this cluster begins at the moment where technical controls have little or no visibility — the employee’s decision, before any tool is installed, any permission granted, or any transfer approved. Shadow IT exists because the approved tool is inconvenient. Shadow AI expands because the policy hasn’t kept up. Phishing works because the attacker understands the organizational relationship well enough to exploit it. Insider threats persist because colleagues don’t report what they see. The Decision Readiness Engine™ targets those decision moments — building the recognition and reporting behaviors that sit below the reach of technical controls.

What Are Decision-Ready Employees? →

How to Use These Scenarios in Training

Scenarios 1–5 are individual decision-moment scenarios best delivered through monthly reinforcement — one per month as part of a security awareness program or via the Compliance Reinforcement Kit™. They work equally well in e-learning, manager-facilitated team discussions, and email-based reinforcement formats.

Scenario 6 — Insider Threat — is specifically designed for manager-facilitated team discussion and includes a full Manager’s Guide. The insider threat scenario is the one where individual e-learning is least effective and team conversation is most effective: the goal is to build shared team awareness of behavioral signals and a shared understanding of the reporting obligation, which only a group discussion can create. The Manager’s Guide gives managers everything they need to facilitate that conversation in 20 minutes. Each scenario connects to the Decision Readiness Engine™ recognition and action principles. Learn how it works →

Want Security Awareness Scenarios in Your Program?

Xcelus builds scenario-based security awareness training covering Shadow IT, Shadow AI, social engineering, device use, app permissions, and insider threat behavioral patterns — including the Manager’s Guide format for team-facilitated discussion.

View the Compliance Reinforcement Kit →
Contact Xcelus

© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.