Kaspersky

Automated
Security Awareness
Platform
Kaspersky Automated
Security Awareness Platform
Knowledge Organizer
This is the knowledge organizer with a text information from the course, so you can return to the
materials at any time and revise it again with no need to watch the course all over again.

Introduction and goals

Why sell awareness

Security Awareness (corporate cybersecurity training for non-IT

employees) is one of the most in-demand areas of the IT market.
More than 80% of all cyberincidents are caused by human error,
and enterprises lose millions recovering from these incidents.
This includes incidents in which employees expose information
directly (for example, by misconfiguring databases) or by making
a mistake that enables cybercriminals to access the
organization's systems. Demand for computer-based security
awareness training software tools continues to grow rapidly. It's a
hot topic, with businesses understanding its importance and
appreciating its value. This is why many resellers are turning to
security awareness as an additional revenue stream.

There are many different types of learning programs on the

market, but the very traditional approaches too often fail to
achieve the desired behavioral changes and motivation.

The cornerstone of the Kaspersky Security Awareness

offering — the Automated Security Awareness Platform
(ASAP) — is a solution that changes employees’ perceptions of
cybersecurity and gives them the skills to add an extra layer of
protection to their company's cyber defense. The main
differentiators of the platform are:

• Pre-determined learning efficiency for employees;

• Time-saving program administration for companies;
• Benefits for partners: Ease of sales and delivery; MSP,
MSSP, VAS.

Understanding what lies behind any learning and teaching

process helps build an effective educational program, which is
why we developed the Kaspersky Automated Security Awareness Platform (ASAP). Not only does it
impart knowledge; it transforms bad habits, forms new behavior patterns and builds concrete
cyberhygiene skills, turning employees into a human firewall.

So why sell Kaspersky Security Awareness products?

Meet the increasing demand

Research shows that the market of Security Awareness Training growing at a compound annual growth
rate of 27.5% (Frost Radar™: Security Awareness Training, 2022). Among the reasons for this growth
are the number of cyberincidents, complexity of IT infrastructure, digitalization, shift to working from
home, and increased regulatory controls.

Attract new customers or increase deal size

Training acts as a door-opener: a strong market demand plus ease of use, modern technologies and a
human-centric approach — all make it easy to sell. It's also a good opportunity to speak to both the
business owner, IT, and HR when selling awareness, increasing your chances of closing a deal. By
offering security awareness training either separately or together with your other security solutions, you
are giving your customers a truly integrated approach to cybersecurity. About 50% of the customers who
purchased Awareness solutions later bought our technical security solutions.

Benefit from being an MSP partner (with Kaspersky ASAP)

Flexible licensing, monthly subscriptions, the ability to manage different customers under a single
account and set up licensing quotes for each customer and different rights for platform administrators.
The income from managed services goes directly to the reseller. For further details, please contact your
Kaspersky Manager or visit the Partner Portal. Become Security Awareness Specialized partner.
Specialized partners enjoy special conditions, rebates, and support.

It's genuinely meaningful

Awareness Platform is a human-centric endeavor. Selling this kind of training has intrinsic value beyond
only financial gain, as it makes the world a safer place, brings satisfaction and confidence to learners,
and increases sustainability for business owners by reducing the number of human-related incidents.
This course will provide key information to help you understand your customers' needs and, in doing so,
make more sales.

Here's what we'll cover:

1. Why your customers need Kaspersky Awareness products.

2. How to sell the Kaspersky Automated Security Awareness Platform.
3. How our product compares with other vendors' solutions.
4. The licensing model.
5. Channel marketing support.
6. Other Kaspersky Security Awareness training.
7. Frequently Asked Questions.
8. Course summary and sales kit.

Why your customers need Kaspersky Security Awareness

Now that most organizations have advanced phishing filters and firewalls, cybercriminals have shifted
their focus to employees. Exploiting common gaps in user knowledge is the easiest way to penetrate
corporate IT infrastructures.
According to a recent Kaspersky and B2B International survey, 52% of businesses admit that employees
are their biggest IT security weakness, with careless actions or lack of knowledge compromising their
corporate IT security strategy.

• 37% of people have accidentally found confidential information of their colleagues, e.g.,
salaries/bonuses at work.
• 80% of people don't think they are responsible for ensuring that documents — such as emails,
files, and paper documents — have the appropriate access controls or limits.
• More than 1 in 5 employees said they used the same password for their personal bank accounts
as they did for work-related accounts.

But properly trained, aware staff who practices effective cyberhygiene can also become a very effective
first line of defense reducing the number and cost of incidents.

While companies are eager to implement security awareness programs, many are unhappy with both the
process and the results. Small and medium businesses, which don't usually have the experience or
resources needed, are particularly challenged in this area.

• 42% of SMBs and 43% of enterprises have experienced IT security infringement by employees,
while changes to security policies are the most popular measure that companies use to prevent
the repetition of data breaches.
• 42% of organizations have experienced inappropriate IT resource use by employees.

There are programs that aren't efficient for students and are too time-consuming for administrators. But
there's no doubt that training is essential for raising awareness among employees and motivating them
to pay attention to cyberthreats and countermeasures — even if they don't initially realize that it's part of
their work responsibilities. Unfortunately, many security awareness training programs are ineffective.

So what's the problem?

Based on our vast experience and practice, we have identified the two main difficulties that customers
face when choosing a Security Awareness solution.
Let's see what kind of challenges companies face while building their security awareness program, what
your buyers' pain points are — and how Kaspersky Security Awareness Products can help.

Customer pain points

Traditional training is not efficient

Here is why
Security Awareness training is often perceived as a difficult, boring, or irrelevant drudge.
Some employees tend to consider this kind of training as too complicated and technical to be worth
devoting their time to, and often fail to see the connection between their actions and possible
consequences.

It's all about "don't" rather than about "how to".

Training can also be ineffective if employees feel so overwhelmed with instructions about what they
should and shouldn't do, that they can't digest it all and become defeatist — cybersecurity issues get
viewed as nothing more than a series of endless restrictions and hindrances to getting on with the job.
Knowledge is not retained
It's also a fact that training programs are often too short, so that the knowledge acquired just doesn't
have time to sink in and be retained. Or it's too long and tedious to complete, full of peripheral, irrelevant
information. In both these scenarios, employees continue to act just as normal.

Reading and listening aren't as efficient as doing

Passive education tools that aren't interactive are proven to be less effective than those that involve
learn-by-doing techniques. Students who engage in hands-on learning are much more likely to
remember what they're taught.

Another customer pain point is that training is often an administrative burden: when it comes to training,
many customers' IT teams have to endure painstaking program management, struggling with in-depth
reporting and pressured course corrections, not to mention employee engagement.

Let's take a closer look at these issues

Which learning format to choose?

A short course, like all topics in one day, so as not to annoy employees; only simulated phishing attacks
with feedback, as phishing is one of the most frequent causes of cyberincidents; educational funny
videos on cybersecurity topics, so it would be interesting for employees; posters with cybersecurity rules
hung throughout the office — there are so many different approaches, but which of them are most
efficient?

How to create a program and set up goals?

Many programs consist of a huge number of elements, which makes it very difficult for the administrator
to figure out and choose which topics whom to assign, which format is better, etc. The functionality can
be so redundant that it takes hundreds of hours of administrator's work within a year to set up, run, and
manage training.

How to control the progress?

Reporting doesn't help with goal tracking. There is a lack of measurement for security awareness beyond
just how many people were trained. Or vice versa, such a bunch of various reports, from which it is hard
to understand and evaluate the current situation with training at a glance.

How to engage people into learning?

If employees don't appreciate the program, they are unlikely to acquire and retain the skills. So how to
motivate them for learning?

How to find a right balance between mandatory half-day sessions, with the learner stuck in front of a
screen, pretending they're focused on a PowerPoint presentation while surreptitiously looking at their
phone, and extensive complex programs, where employees become so overwhelmed with instructions
about what they should and shouldn't do, that they simply fail to absorb anything, become despondent
and lose interest?

How Kaspersky Automated Security Awareness Platform responds

to customer pain points
We have a solution that can help: Introducing the Automated Security Awareness Platform (ASAP),
which forms the core of the Kaspersky Security Awareness training portfolio. It's an online tool that builds
strong practical cyberhygiene skills for employees throughout the year, providing organizations with built-
in help at every step of the journey towards a safe corporate cyber-environment.
1. Pre-determined learning efficiency provided through:

• Content based on well-defined secure behavior, comprised of specific, necessary skills, and
using different formats to ensure better mastering.
• Motivation: identification of gaps justifies the need for training. Real-life examples, relevance to
employees’ everyday life, ability to start applying skills immediately after each lesson help
maintain motivation.
• Schedule: an automated learning path clearly following various training activities based on a
training target. The activities are presented at certain intervals, taking into account the
characteristics of human memory, with incremental learning ensuring the use of acquired skills.
• Certification: to ensure that employees have the necessary skills to resist cyberthreats, they
simply need to take a test before training (if they think they are sufficiently advanced) or after
completing the module to certify the required level of knowledge.

2. Time-saving program management:

• Kaspersky's main advantage is full automation of online training. Program content is structured to
support incremental interval learning, with constant reinforcement.

So let's see how ASAP responds to customer pain points.

Pre-determined learning efficiency: a human-centric approach

One of the most important criteria when choosing an awareness program is its efficiency. But how do
you know that an awareness program is efficient? With ASAP, efficiency is built into the content and
automated management, and reinforced by the methodology and our cybersecurity expertise.
Let's see how it works.

Content: Well-defined secure behavior, comprised of specific, necessary skills

The platform's content is based on the accumulated experience of 25+ years in cybersecurity expressed
in a competency model comprising over 350 practical and essential cybersecurity skills that all
employees should have in order to protect themselves and their company from cyberthreats. All lessons
are specifically designed to develop these skills. The content and structure of the training material take
into consideration the specifics of human memory, and our ability to absorb and retain information. In
ASAP, all lessons have a clear structure, which follows the way people think employees are taught about
the reasons for and potential outcomes of unsafe behavior and advised on the correct responses in any
given situation.

High level of skills acquisition

When you have such a big content library, that the learning process doesn't turn into a "ball-ache" for the
training manager, it should be automated. How is this arranged in ASAP?
ASAP customers can choose whether to assign employees a basic Express course that will help them
quickly meet regulatory requirements for cybersecurity training, or refresh employees' knowledge, or opt
for the Main course broken down into complexity levels.

ASAP covers all major cybersecurity topics. But in addition to those cybersecurity concepts that
correspond to separate topics, there are many more that are covered in several topics at once. The full
list of concepts covered within a course can be seen in its hashtag list.
ASAP Express course
A short version of the training in audio-video format. We recommend assigning this course when a
customer needs to quickly upskill employees: give a crash course to new staff, raise cybersecurity
awareness of those who were involved in cyberincidents or violate cybersecurity rules, meet regulation
requirements, or refresh what was taught earlier. Each cybersecurity topic contains several short lessons
to help the user grasp basic cybersecurity skills.

• Interactive theory;
• Videos;
• Tests.

ASAP Main course

Our schedule for each learning path is based on the Ebbinghaus theory on forgetting skills, which states
that the human brain forgets about 50% of information recently learned within a day, and only 10%
remains after a week! The key is reinforcement: if you reinforce knowledge, it sticks. And after 3-4
repetitions you no longer forget it and retain it pretty much forever.
Think of an exam: If you haven't studied during the semester, but decide to cram heavily the night before
the exam, you may well pass, and even get a good mark. But you won't retain that information in the
long term, so it's ultimately of little use.
This is exactly how the education in ASAP is built: it assumes that even if you complete lessons, you
may forget things over time. To consolidate received knowledge and help employees absorb new skills,
the platform automatically sends a reinforcement email 4 days after completing a lesson with a summary
of the most important information from it. In 3 more days, a test is assigned. If the employee passes the
test, in 3 days a simulated phishing attack will arrive (for the topics where it's relevant). All of these cover
the same skills, reinforced. We understand the desire to complete the course quickly, avoiding all
intervals, but our ultimate goal is behavior change, which is a long process — no matter how much we
would like to do otherwise.
Remember that in case of ASAP you don't have to spend your time manually assigning specific learning
materials to employees — you just select a target level, and the platform automatically trains
employees until they reach the required level.

Multi-modal content
ASAP offers well thought-out, structured content that includes easy-to-consume interactive lessons,
tests, constant reinforcement, and simulated phishing attacks to ensure that skills will be applied.
Reinforcement emails and lessons packed with real-life examples that highlight the personal importance
of cybersecurity for employees.

Phishing attacks are integrated into the learning path and assigned automatically, but can be also
launched separately as a simulated phishing campaign. Phishing campaigns are offered in addition to
the main course. They test employees' practical skills in avoiding phishing attacks, and help training
managers to quickly identify gaps in users' knowledge and encourage further study of troublesome
topics.

The platform comes with ready-made email templates containing phishing examples that can be sent to
users in all available languages. The templates take into account regional specifics, are regularly
updated and new ones added. There is also a possibility to create custom emails based on predefined
templates.

Propose your customers to try a simulated phishing attack before training to check their
employees' resilience! It will help you to demonstrate the importance of the learning, and for
employees and management to see the benefits of it.

Fact: In 2021, the average victim cost of a phishing attack was $136.
The state of phishing: Report and Statistics 2021.
Source: [Link]

$136 for a phishing attack doesn't sound too bad, right? Wait… let's just do the math.
Small businesses with fewer than 250 employees tend to be more susceptible to email threats like
phishing, spam, and malware. And one in every 323 emails sent to these businesses is malicious. Now
consider that each employee receives an average of 121 emails per day (some of which will be dealt
with by the spam filter). Let's take a company of 100 people. On average, based on the figures above,
they receive up to 37 malicious emails per day, which comes to 8,062 malicious emails per year (only
working days calculated). Now consider the average phishing click rate (taking into account regional
differences), which is about 20% for those who haven't completed security awareness training. What
does this mean in real terms? 1,612 * $136 = $219,232… an amount which far exceeds the cost of
security awareness training.

Use this information to show your customers the benefits of security awareness education.
This simple example will also help you to explain your prospects that security awareness is not an
expense but an investment in business sustainability and efficiency.

Employees can not only demonstrate their understanding of a topic by not being fooled by a simulated
phishing attack, but also illustrate the real change in their behavior and more conscious attitudes by
reporting phishing mails via the "Report phishing" tool.

Flexible learning
The scope of the learning is completely flexible, while retaining the advantages of sequential automated
learning management. For each training group you can choose:

• Main or Express course, or a combination of both.

• Topics to train in the Main course and/or the Express course which students in the group need to
learn.
• The target level you want students to achieve for each chosen topic in the Main course.
• Intensity (minutes per week). Average time to be spent on training on a weekly basis.
The learning path will be built automatically by the platform for each group of learners based on these
settings.

Time-saving program management

Another very important benefit of Kaspersky ASAP is that, because its automated, it saves hundreds of
hours for your customer's administrators. The predefined learning path, built-in notifications, clear
onboarding during the first login to the platform and support tools make it easy for customers to launch
and monitor their security awareness program.

Let's take a look at how it works.

Easy to manage
Fully automated learning management brings every employee up to the skills level appropriate to their
risk profile without any intervention from the platform administrator.
Synchronization with AD (Active Directory), SSO (Single Sign-On), Open API (the ability to interact with
third-party solutions), online onboarding during the first visit, a FAQ section and tips — all make platform
management convenient and efficient.

Easy to control
Clear, actionable, 'all-in-one' dashboard: the platform presents quantifiable results in graphs and
dashboards that objectively demonstrate progress and provide practical recommendations.
Easy to engage
Notifications are part of internal communications. Regular internal communications are embedded into
the platform and ensure the formation of a strong cybersafety culture within the company. The
administrator doesn't need to spend time on it; the platform itself sends reminders, reports, and
recommendations to users.

Regular internal communications ensure the formation of a strong cybersafety culture within the
company.
ASAP saves hours of administration work. Notifications are part of internal communications.
Customization and white labeling
The administrator can easily change the program's appearance:

• Replace the Kaspersky logo with the company’s logo in the admin panel, learning portal, and
platform emails.
• Change domain of the training portal (portal for learners).
• Customize certificates — change certificate background.
• Remove copyright information from the footer both for admins and learners
• Remove links to Kaspersky from the footer in the learners’ interface (only Terms of use, where
Kaspersky is mentioned, remain in the cloud version; in the On-premise version it can be
removed as well).
• Add personalized content to any lesson.

Integration
There is a possibility to use Open API to interact with third-party solutions — Open API works via HTTP
and offers a set of request/response methods.

Value Proposition

The Kaspersky Automated Security Awareness Platform is characterized by a well-balanced predefined

learning path that guarantees program appreciation and value for employees and company
management. Not only does it help to upskill employees and reinforce the human firewall, but it also has
positive effect on ROI by reducing the number of cyberincidents and cyberthreat response spending. In
addition to building real cyberhygiene skills and changing employees' behavior, it offers customers many
other important benefits, including:

• Predefined efficiency through full training automation. Program content is structured to support
incremental interval learning, with constant reinforcement.
 • Time-saving product management. The program is very easy to launch, configure, and
monitor, and ongoing management is fully automated. It's an online product with easy delivery.
Those customers who require maximum level of confidentiality and would like to work without
internet connection may benefit from ASAP On-premise edition (launched in Q4 2023) deployed
in the organization's network. This ensures the same functionality as cloud version of the
platform.
• Flexible licensing. The product has a per-user licensing model.
• Pay only for active users (those who are learning). There's no need to pay for those who are
away (left company or on maternity leave, for example).

Kaspersky ASAP can easily be sold by current Kaspersky Partners. It offers the following
benefits for partners:

Financial conditions. Kaspersky Security Awareness product rebates are calculated within the
framework of the partner program. Enrolling for security awareness specialization is another great
opportunity for partners to earn additional financial rewards and access other benefits. For MSP
partners, volume-based discounts are applied — the more customers you have, the less you pay.
Managed services. Even though ASAP is very easy to manage, some customers still prefer to invite
their IT service provider, for example, the Kaspersky partner — to configure and manage it. The income
from these managed services goes directly to the partner (and, of course, we offer free training to their
specialists to provide these services).

Licensing tailored to MSPs. Partners can buy a pool of licenses in their name and distribute them
among their customers. Monthly subscription is also available for these partners.

Managing multiple companies from the same account. The platform enables partners to deploy and
manage awareness training for all customers from a single console ready for multitenancy, with no need
for additional software. Good news! Kaspersky ASAP features License Quota Management, which
allows MSP partners to assign a quota of licenses for each company and set expiration periods for these
licenses. There is also a possibility to add additional administrators for each company and assign them
different roles.

Opportunities for xSPs. The solution perfectly fits xSP needs: many telecom providers, banks, etc., are
interested in selling online awareness platforms to their B2B customers. ASAP's ease of delivery,
automation, and flexible packaging is exactly what they need. Thanks to the On-premise version, they
can install ASAP on their servers or get only the ASAP content as a SCORM package to be integrated
into their LMS.

How the product works

Depending on customers' request, Kaspersky ASAP can be delivered as a completely cloud-based
solution and doesn't require LMS to run end-user training. To set up the platform and launch training 4
easy steps are required:

1. Create an account on the ASAP webpage.

2. Upload users (use AD synchronization or upload .xlsx file or add them manually).
3. Distribute them among groups (manually or using rules based on employees’ roles, departments,
access to sensitive information, etc. ) and set up target level for each group.
4. Select learning start date and set up the intensity for each group, and voila — all training
management will be automatically done by the platform.
Or, if a customer requires a higher level of confidentiality, the platform can be delivered as an On-
premise solution. ASAP On-premise edition has absolutely the same functionality as the cloud-based
one. The difference is that it's installed in customer's network and works without internet connection. To
deploy it, a distribution package with detailed instructions will be provided.

Tracking training progress with dashboards and advanced individual reporting functionality is easy and
includes recommendations on how to encourage users and foster their skills.

ASAP's universal, practical training curriculum develops specific security skills for all levels, from
beginner to advanced. ASAP covers a comprehensive range of key cybersecurity topics and
recommends training targets based on each participant's risk profile. Each unit includes several lessons
with an average duration of 3-5 minutes, reinforcements, tests, and simulated phishing attacks. This
learning path ensures that students can apply the acquired knowledge and skills in their daily life.

All content elements are localized into major languages and are culturally appropriate. The platform is
available worldwide in 27 languages and the number of languages is growing constantly. The full list of
available languages can be checked on [Link].

How to sell the Kaspersky Automated Security Awareness

Platform

Target markets
Kaspersky Security Awareness training can act as a door-opener to winning new accounts. There are
also opportunities for you to upsell and cross-sell to existing customers. Kaspersky ASAP is suitable for
both SMB and enterprise segments as well as public and government bodies.
Kaspersky Automated Security Awareness Platform is integrated with KUMA and XDR and could be
promoted as a unique competitive advantage to the customers who use or plan to use these solutions.

Which roles to target inside the customer organization

In smaller companies, the CEOs are very much on the ground and understand what their employees
need extremely well. They are also approachable — so why not approach the CEO directly?
When doing so, use the following persuasive arguments: the huge financial and reputation losses
caused by human error, and how the Kaspersky Automated Security Awareness Platform provides
highly effective education with very reasonable investments in time and resources, positive impact on
spending due to reduction in the number and cost of incidents.
In larger organizations and government agencies, there are specific individuals responsible for security
education, so your primary contact should direct you to this person. They may be part of the CISO
structure, or possibly part of HR, with budget for employee education.
But most commonly this person will not be an expert in training and development — and have no desire
to develop such expertise.
When talking to them, always emphasize the point that the Kaspersky Automated Security Awareness
Platform will simplify their life by providing an easy-to-use method to release security awareness training
to their employees and will help both to prevent incidents that occur due to the human factor and to
comply with the requirements of the information security department, regulators and counterparties.

How to sell the Kaspersky Automated Security Awareness Platform

1. Security awareness training from the leading cybersecurity vendor. In the heart of the platform
lies more than 350 practical skills that employees should possess in order to behave cybersafely.
 2. Time-saving program management.
3. Training efficiency based on the specifics of human memory that develop 'pattern perception':
employees are able to recognize new dangers and behave safely even when faced with unknown
threats.
4. Well-thought-out program, not just a library of content.
5. Quantifiable results in graphs and dashboards.

Security awareness learning from the leading cybersecurity vendor

The first issue your customer will encounter when choosing a security awareness provider is having to
justify the budget and use commitment to management and other stakeholders.

Kaspersky products are installed on more than 400 million computers worldwide, and we understand
cybersecurity better than most — we're the most tested, most awarded security vendor. Our interactive
learning course consolidates systematized knowledge on security awareness principles and covers all
major security domains. Using our experience and expertise, we've created a competency model that
differentiates employee categories by typical risk profiles.

When management uses this model, they can easily set up their program objectives by making decisions
about time investments and targets for cybersecurity awareness.

SoftwareReviews, a leading source for insights on the software provider landscape, named Kaspersky a
Gold Medalist with an overall composite score of 8.9/10 in 2023 Security Awareness & Training Data
Quadrant Report. Customers called Kaspersky products critical to professional success (90%), also
noting ease of implementation (90%) and usability & intuitiveness (89%).

Time-saving program management

Once the objectives of the program have been confirmed, your customer will be faced with the challenge
of actually achieving the results.

Not all training levels are appropriate for all learners — some have less knowledge, and others learn
more quickly. Individual development plans may provide a solution, but who has time for something so
time-consuming? Our platform does this by itself. Automated program management will not just build a
learning schedule and assign all program elements to learners, but will also send reminders and
notifications without any interaction from the administrator's side.

Learning efficiency based on the specifics of human memory

Our approach to training is based on Ebbinghaus' "Forgetting Curve". As our target is not just to provide
knowledge, but to change users' behavior and make sure new skills will be applied, we use various
methods to overcome the forgetting curve:

• Constant reinforcement with certain intervals helps to cement the acquired skills.
• Real-world examples and contexts, test questions based on the situations employees may face in
their everyday work help them to better associate themselves with the training materials and,
accordingly, not to lose interest and to make it stick.
• Clear, logical lessons structure and digestible format make the training more convenient for
learners and better to absorb.
• Different content formats like interactive micro-lessons, tests, reinforcements, simulated phishing
attacks help to avoid learners' overload and preserve their attention.
• According to our research, 89% of respondents note behavior changes after taking the course.
Quantifiable results in graphs and dashboards
As the awareness program is implemented, the questions of control and results analysis arise. To enable
timely course corrections and comprehensive reporting to management, simple answers to key
questions are needed.

Our solution allows companies to set measurable goals that can be clearly monitored and are available
to the management team as required. It's not just overloaded with statistics (that you don't know what to
do about), but identifies trends, issues, and problems. This helps the customer take corrective or other
actions. Where goals are not reached, data can be analyzed down to individual level to take
corresponding measures.

Why it’s important to follow the script

You may conduct a demo and point out the virtues of our system. If the customer has no issues with
program management, they will look at how the system looks and what modules it contains. They will
then compare it to others on the basis of nothing more than price and "look and feel".

In a feature-by-feature comparison, you may not be able to clearly articulate the advantages of
Kaspersky approach. By identifying the tensions* the customer faces (rather than asking them to state
their need), you focus on things that really matter, and avoid embarrassing or demotivating the prospect.
Our advantage lies not in the list of features, number of states and reports, but in the human-centric
approach, learning methodology, and ease-of-use which facilitates true goal achievement.

How our product compares with other vendors' solutions

Kaspersky stands out in the field of training: unlike the majority of awareness vendors, Kaspersky is a
cybersecurity major. We employ 3,000 cybersecurity experts and this is why Kaspersky understands
what cybersafe user behavior looks like. We developed our cybersecurity skillset and then translated our
expertise into learning techniques to help our customers' employees be immune from attacks.

Let's take a closer look at the functionality of our products in comparison with other solutions currently on
the market.
In addition to learning platforms, there are also other security awareness solutions on the
market. Let's look at their pros and cons.

1. Classroom-based training
Classroom-based training is exactly what it sounds like.
Attendees are taken away from their usual roles and, for at least a few hours, take part in a workshop
where an instructor leads them through the ins-and-outs of at least one security topic.
The pros of classroom-based training:
The major advantage of classroom-based training is the immediate feedback loop both class instructor
and attendees receive. Participants can ask for clarification or request further information and advice,
and get an immediate response.

The cons of classroom-based training:

Despite these advantages, the overriding drawback of the classroom-based approach is its questionable
effectiveness. Classroom-based training conflicts almost entirely with Adult Learning Theory, which
states that adults are largely independent and, therefore, learn best independently.

Classroom-based training also comes with a relatively substantial price tag. The costs of staff away-days
can't be ignored, nor can the cost of hiring specialist instructors.

Finally, the infrequency of classroom-based training further jeopardizes its potential efficacy.
Organizational difficulties, sick days, vacations and workload of employees mean that for every
employee such training takes place annually at best. This raises questions about just how much the
training attendees will be able to recall 11 months down the line, and also how much of the content will
still be relevant a year on.

2. Visual aids & videos

Again, visual aids are just what they sound like — visual pointers offering bite-sized security advice.
They typically take the form of posters on topics such as secure passwords, handouts covering phishing
scams, or videos explaining things like the dangers of public Wi-Fi.

The pros of visual aids:

For many people, reading is hard. Conversely, processing both visual aids and audio is easy. In fact, it's
something humans can do inherently. Compared to written messages, visual aids are usually simple to
process, helping to communicate complex information quickly without overwhelming the participants.
Visual aids are also easy to refer to and ever-present. Like classroom-based training, their mere
presence can contribute towards a culture of security.

The cons of visual aids:

Unlike other forms of security awareness training, visual aids usually aren't interactive. As you'd expect,
they can therefore be easily ignored. After implementation, they can quickly fade into the background.
Testing helps to recall — which is why most security awareness training campaigns incorporate some
form of testing — and yet with visual aids, there is seldom any testing (and if there is, it's very poor).
Visual aids are also entirely one directional: there's no feedback loop between those sending the
message and those receiving it.

3. Simulated phishing attacks

Simulated phishing emails are designed to test people's response to threats "in the field", and include
simulated text messages or "misplaced" USB sticks temptingly labelled with things like "bonus
payments". The security specialists behind simulated attacks attempt to trick people in the same way
malicious actors do. Participants' responses to the attacks are monitored.

The pros of simulated attacks:

Numerous psychological studies suggest that simulated attacks can be a seriously powerful method of
transmitting a message, cementing messages in users' minds and changing long-term behavior,
because they're very emotionally engaged.
The cons of simulated attacks:
Some vendors use phishing as the core of their offering, supplemented with short training modules, but
it's still not enough to form skills and impart reliable knowledge. It's also worth bearing in mind that even
if phishing remains one of the most important vectors of attacks, there are numerous other ways that
cybercriminals may employ to trick users, which this kind of training ignores completely.

4. Online comprehensive security awareness program

Online security awareness training really should be the top choice for Chief Information Security Officers
(CISOs) — so your objective is to persuade the customer that not only is it the best option, but that we
offer the best, most effective and easiest to use online security awareness training available.

The pros of online security awareness training:

• Online training is designed to help adults learn by letting them do so at their own pace and take
control of their own learning. Bite-sized content blocks allow learners to put what they learn into
practice immediately.
• Online training is arguably less disruptive to the working day. Users can learn at their desks
during quiet periods.
• It costs less per attendee than classroom-based training organized by a third party.
• Online training is dynamic — unlike printed visual aids and one-off workshops.
• When new threats emerge or new regulations come into force, new modules can be included in
existing security courses. GDPR, for example, brought in stringent regulations on processing and
controlling data, so we responded by introducing a GDPR module to our platform.
• Another benefit of online training is its advanced analytical capabilities. Information security
officers and administrators can monitor who has done what and when and, by looking at test
results, they can identify areas of the business that are more at-risk than others. This enables
those in security to offer support to those who need it… before it’s too late.

The cons of online security awareness platform:

• The only real downside to online training is that the training landscape evolved as compliance-
based training. There are many compliance-based packages on the market, and the problem is
that it isn’t always easy to tell the difference between training especially built to reduce the
numbers of breaches and training designed to satisfy regulators.
• Many well-known security awareness vendors have been around for a long time, offering
products that have evolved over many years of development. They tend to have broad
functionality, and, as result, program management is often complex and time-consuming.

How Kaspersky’s online security awareness platform is different

’’Being a cybersecurity leader, Kaspersky knows what cybersafe user behavior looks like, so we have
incorporated learning techniques that help our customers’ employees become immune to attacks.

In ASAP, learning is fully automated, which removes individual assignments and differentiated learning
paths, so that customers don’t waste time fiddling with individual settings. Although the platform interface
is intuitive, and most of our customers grasp it immediately, Kaspersky offers a variety of onboarding and
supporting tools.

Ongoing methodological and technical support is available via instant messages in online chat or by
email. Kaspersky offers guidelines for effective security awareness training — information/suggestions
on how to organize training, how to decide what target levels to set for different employee categories,
which criteria to use for initial user assessment, and so on. There are also suggestions on how to
improve training results, including ready-to-use communication templates. Online automated onboarding
for new users is also available.
The most effective approach — engage all employees, starting from the top, in cybersecurity
initiatives
In the past, many CISOs may have opted for just one of the above training methods. But today, many
are using a combination of all of them in order to effectively address the human aspect of cybersecurity
— an approach that we advocate at Kaspersky. While Kaspersky ASAP remains an essential part of our
offering, the ideal scenario is where customers buy ASAP together with our other role-based offerings.
All the different elements that make up the Kaspersky Security Awareness portfolio address a specific
part and purpose towards building a cybersafe culture. The ideal scenario that we recommend is for
organizations to take all the different components and create a holistic sequence of learning and skills
that result in a true culture of cybersafety at every level of your organization.

To recap: Because sustainable changes in behavior take time, our approach involves building a
continuous learning cycle with multiple components. Game-based learning engages senior management
turning them into advocates of cybersecurity initiatives and supporters of building a culture of cybersafe
behavior: KIPS simulation shows senior managers how IT security threats affect business results and
motivates to maintain a cybersafe working environment. Gamified assessment helps to define gaps in
employee knowledge and motivate them for further learning, while the online platform and simulations
equip them with the right skills, duly reinforced. And training for IT professionals helps build a strong first
line of incident response.

Key advantages
Let's remind ourselves of the key advantages of Kaspersky Security Awareness over competitors'
offerings.

Kaspersky has a family of computer-based training products that utilize the latest learning techniques
and address all levels of the organizational structure, ideal for SMBs and enterprises. Kaspersky ASAP
forms a central part of this comprehensive portfolio and represents an integrated solution that doesn't
focus only on one aspect of cybersecurity — like phishing — and isn't intrusive, but interactive.

Kaspersky's main advantage is full automation of online training, which ensures:

1. Efficient learning based on content and methods provided by specialists in education, personal
development and cybersecurity to minimize the number of incidents caused by employees’ errors
or ignorance.
2. Easy implementation — a unique feature in the security awareness market.
3. Training portfolio covers all organizational levels.

Licensing model
Kaspersky ASAP is licensed on per trainee basis. The licensing period is 1, 2, or 3 years. As mentioned
earlier, the minimum initial order quantity is 5 licenses.

Monthly subscription is available for MSP partners. To learn more about the MSP program, please visit
the relevant page on the partner portal. Please note that pricing may be different across regions — for
up-to-date price lists, just contact your local Kaspersky representative.

Renewal discounts are applicable.

There is a possibility to buy lessons only. There is a separate product code for this option. In this case
lessons will be delivered in SCORM files. Delivery does not include any analytical and reporting tools,
simulated attacks, and exam tests.

There is no separate SKU for ASAP On-premise solution. The minimum order quantity for On-premise
installation in the customer’s infrastructure is 250 licenses. To check technical compatibility with the
customer’s infrastructure, please refer to Online Help.

Channel marketing support

We have prepared a list of marketing activities and assets that we hope will make the selling process
easier. You can always find all necessary materials on the Partner portal. There are also battlecards and
telemarketing scripts, and much more that can be used to promote Kaspersky ASAP and Security
Awareness in general.

Frequently asked questions

Let's have a look at most common questions about Kaspersky ASAP:

Where can I find information on rebates?

Information on terms and conditions for rebate payments can be found in the Rebate Program Guide.

Is it obligatory to become a specialized partner to start selling awareness?

There is no restriction on partnership level, all registered/silver/gold partners can sell awareness without
becoming a specialized partner. However, specialized partners enjoy additional financial and marketing
benefits. For further information, consult the Specialization Guide or contact your PAM.

Can I buy a pool of licenses and resell them to different customers?

Partners can subscribe to a pool of licenses in their name and distribute them among their customers.
Monthly subscriptions are available for the partners having MSP status.

How can I get more detailed information about Kaspersky ASAP?

Why not experience the training first-hand before you sell it?
Find out more about the fully functional free trial here: [Link]
There is onboarding when you first come in that will help you to familiarize with the platform and FAQ
section in the footer. If you have any problems, you can always write to support asking them for help.
You can also find all planned features in the online roadmap. For additional information, check the
Security Awareness page on the partner portal, or contact your Kaspersky manager.

Handling customers' objection

Let's look at general objections that you may encounter when dealing with any of the sales scenarios.

We're too small to be a target

Small businesses are seen by attackers as less technically secure, making them 'easy pickings'. Smaller
businesses can also provide a conduit for the attacker into their larger external customers and partners
— not great for customer relations!
Accenture's Cybercrime study reveals that nearly 43% of cyberattacks are targeted at SMBs while only
14% of these SMBs are prepared to face such an attack.

In 2021, small businesses were three times more likely to fall victim to fraudsters than larger companies.

We can't afford to lose productivity while employees spend time on awareness platform
The average loss from a single cyberattack has exploded from $34,000 to just under $200,000. Plus
there's legal fees, compliance penalties, reputational damage, and the loss of customers — could you
survive that sort of hit? There's really no point refusing to invest in the few training hours needed to
protect your business against being wiped out — at which point productivity will no longer be an issue.

Security Awareness programs cost too much

According to "The Ponemon 2021 Cost of Phishing Study" the cost of phishing attacks alone in
enterprises was $1,500 per employee. So, the cost of training employees to avoid attacks is dwarfed by
potential costs of not doing so.

Security awareness training doesn't work

Different methods of awareness training are used for different purposes, producing different results —
and some work better than others.

Classroom-based training, for example, is good for urgently delivering specific information because of
the immediate feed-back, while visual aids, videos, and games are perfect for engaging employees'
attention and preventing boredom. But they don't ensure knowledge retention and behavioral changes.
And attack simulations keep everyone on their toes! But there are a huge number of other types of
threats that employees need to be aware of — recognizing the signs of danger and knowing how to
avoid them. It's important to choose a program that includes different types of activities and content
formats to address different topics and appeal to different mindsets — based on real-life scenarios and
taking a human-centric approach. Behavioral change is not an 'instant fix'. For training to work properly,
it should also ideally be broken up into small portions throughout the year, constantly reminding and
reinforcing, rather than being offered as a single intensive learning experience which can then be left
behind.

85% of respondents of the Kaspersky ASAP users' survey noted positive changes in behavior in their
daily job as well as in their personal communication on the internet and using personal devices after
completing the course.

We have our own IT professionals to train our employees

IT or information security departments are committed to reducing the risk of an attack and mitigating the
possible consequences, and security awareness training supports their work by creating a more
cybersafe environment. But they're not professional educators, and the ability to effectively train non-
technical staff in cyber awareness is unlikely to be part of their skillset. Nor is it the best use of their
valuable time.

Having identified more than 350 practical cybersecurity skills that all employees should have in order to
protect themselves and their employer from cyberattacks, we employ a learning methodology grounded
in the science of the specifics of human memory. Our portfolio includes products for each stage of the
learning cycle: engagement and motivation, determining the current level of knowledge and identifying
gaps, training and consolidation.

We already provide training with simulated phishing attacks

Great — this should be an integral part of any comprehensive security awareness program. But there
are a huge number of other types of threats that employees need be aware of — recognizing the signs of
danger, understanding what non-compliance with IT hygiene rules can lead to, and knowing what to do if
they are under attack. Anti-phishing training alone is nowhere near enough.

Users who fail to respond correctly to a simulated phishing campaign are in the risk area. Our platform
offers an easy way to gather failed users into a training group and assign them a specific learning path to
improve their antiphishing skills.

We're already fully protected with technical security solutions

Technical solutions can see off a huge number of attacks that the average user isn't even aware of, but
software security solutions can't provide 100% protection. Social engineering-based attack tools and
others are specifically designed to circumvent security solutions and head straight for your most
vulnerable area — people. Then there's human error — like failing to install software updates on time,
accidentally entering data on a fake site, ill-conceived posts on social networks, using the same
password for different resources — all can have damaging and costly consequences.

We're happy with our current training program

Great! How about adding an independent knowledge assessment, just to see how your employees
would behave in real-life situations?

By the way, did you know that 76% of CEOs admit to bypassing one of their organization's security
protocols to get something done faster? Sounds familiar? We have a specific offering to target this area
— an exciting business simulation team game that vividly demonstrates the impact of cybersecurity on
business continuity and revenues. This can then be reinforced with an interactive workshop.

We also offer training for generalist IT-specialists — a type of employee who often misses out, because
security awareness programs are too basic, and costly advanced programs are built for information
security specialists.

We ran some training last year. So we don't need any more

Without constant repetition, 70% of what is learned is forgotten quite quickly. Within a year, only about
10% is still retained. Changing employee behavior is a long process — a one-time test of knowledge and
a certificate on the wall is not the same as an ongoing habit. Only constant reminders can guarantee
success.

Customers don’t need to run the same training modules for all employees every year: newcomers could
be assigned to a group with the basic training program, and employees who have already completed
training could be assigned to an express course, or you can assign them separately only the topics that
require improvement or where the content has been updated in accordance with actual threats. We
recommend backing up this training at least quarterly with simulated phishing attacks.

Awareness platforms take too much management. We don't have that sort of time
Launching and managing a comprehensive program full of different types of content and offering ample
scope for customization can take time, and the complexities of figuring out which elements to deploy and
what to assign to which employee can prove a stumbling block for smaller businesses.

So we've developed a program that not only addresses different levels in the organization, and where
each product serves a specific purpose, but one that has automated the learning process. To start
learning with our platform, simply register on the site, upload users to the platform and divide them into
groups according to the desired target level of learning. The platform will do the rest!
[Link]

© 2022 AO Kaspersky Lab. Registered trademarks

and service marks are the property of their respective owners.