Best Practices for Launching Security Awareness Training
Help IT and leadership introduce Tartan App in a way that builds better security habits without making the program feel punitive.
Recommended Launch Approach
Before sending training videos or phishing simulations, announce the program to staff. The message should explain why the organization is launching cybersecurity awareness training, what staff may receive from Tartan App, what action staff should take when something looks suspicious, and who staff can contact with questions.
The most effective launch message is simple: this program is here to help staff practice, report suspicious messages sooner, and protect the school community. It should not be introduced as a test, a trap, or a way to catch people making mistakes.
Whenever possible, have the announcement come from a trusted leader, such as a superintendent, principal, department head, or executive sponsor. IT should be listed as the operational contact, but the first message is stronger when leadership frames the program as an organization-wide safety effort.
Which Staff Introduction Page Should I Use?
If Your Organization Uses Tartan App Shield
Share this page when Tartan App Shield is enabled in the email client. It explains how staff can report suspicious emails directly to IT from their inbox.
If Your Organization Does Not Use Tartan App Shield
Share this page when the organization is using Tartan App training and phishing simulations without the Shield reporting tool.
What to Emphasize
Effective security awareness programs focus on behavior, not just completion.
When introducing Tartan App, emphasize that staff may receive:
- Practice phishing emails that look like realistic school-related messages
- Short cybersecurity training videos from
[email protected] - Quick tips if they click a link in a practice email
- Reporting guidance based on whether Tartan App Shield is enabled
If You Use Impersonation Attacks
If your organization uses Impersonation Attacks, be transparent before enabling them. Leadership, IT, and staff should understand that simulations may appear to come from trusted internal roles or from the school or district domain.
These simulations can feel very real, so they work best in organizations where staff already understand the purpose of the awareness program and know how to report suspicious messages.
Learn more about Impersonation AttacksWhat Not to Do
Avoid launch approaches that make staff defensive or confused.
- Do not start with an unannounced phishing simulation as a gotcha test.
- Do not describe staff as the weakest link.
- Do not publicly shame individuals or departments for clicking practice emails.
- Do not treat a single phishing click rate as proof that the program is working or failing.
Better metrics include training completion, risky emails being reported, click rate reduction, and improvement trends over time.
Email Templates
Tartan App Shield Launch Announcement
Subject: New cybersecurity training and email reporting tool
Hi everyone,
We are launching Tartan App cybersecurity awareness training to help our school community practice safer email habits and report suspicious messages more easily.
As part of this program, you may receive short training videos from [email protected] and occasional practice phishing emails. These practice emails are designed to help us build good habits in a safe environment.
We are also using Tartan App Shield, a reporting tool inside your email client. If an email looks unusual, unexpected, or potentially unsafe, use Tartan App Shield to report it to IT for review.
This program is for learning and improvement, not punishment. The goal is to help everyone feel more confident recognizing and reporting suspicious emails.
Please review the Tartan App Shield Introduction before the program begins.
If you have questions, contact [IT contact or help desk email].
Thank you,
[Leader name]
Tartan App Launch Announcement Without Shield
Subject: New cybersecurity awareness training
Hi everyone,
We are launching Tartan App cybersecurity awareness training to help our school community practice safer email habits and reduce the risk of phishing attacks.
As part of this program, you may receive:
- Short training videos from
[email protected] - Practice phishing emails that look like realistic school-related messages
- Quick tips if you click a link in a practice email
This program is for learning and improvement, not punishment. The goal is to help everyone pause before clicking, recognize suspicious messages, and know what to do when something feels off.
Please review the Tartan App Introduction before the program begins.
If you receive a suspicious email, please report it by [insert your reporting process, such as forwarding it to IT, using the existing report phishing button, or contacting the help desk].
If you have questions, contact [IT contact or help desk email].
Thank you,
[Leader name]
Research Basis
This guidance follows the same direction as widely used cybersecurity awareness guidance: successful programs should support behavior change, build a security culture, provide role-relevant learning, and measure improvement over time.
NIST SP 800-50r1: Building a Cybersecurity and Privacy Learning Program