What Your People Don’t Know: How a Structured Human Firewall Pilot Changes the Conversation

May 4, 2026


The call came after a near-miss. An AI-generated phishing email had landed in a client’s inbox — well-crafted, convincing, and close enough to the real thing to cause genuine alarm. What followed wasn’t a request for training. The question their IT lead asked was simpler, and harder to answer: where do our people actually stand?

It turned out the only way to answer that question properly was to run a trial of the human firewall security platform, setting up all eleven users as though they were a live commercial client so they could each complete a structured gap analysis. We did it. The data was useful. But the process had been too informal, too dependent on one person working things out as they went, and not something anyone else could easily replicate. When a second client arrived with 50 users and the same question, we decided to build a proper framework.

What the Human Firewall Trial Framework Involves

The Human Firewall Trial runs over ten working days, drawing on a 14-day platform licence. It involves ten representative users selected from across the business — finance, administration, operations, sales, and management. Not the IT team, and not the most technically confident people in the company. That selection matters: the goal is a realistic picture of everyday staff awareness, not a result that flatters assumptions.

The framework runs on five documents. Three are client-facing: a management summary that sets expectations before a single user logs in, a trial timeline that maps out how the ten days will progress, and a participant introduction written in plain language for the people taking part. Two are internal: an operational playbook that keeps the delivery consistent regardless of who is running the trial, and a close-out summary presented to the client’s management once it is complete.

The management summary carries one core message: this is a light, well-managed pilot, not a disruptive project. Si Futures does most of the operational work. The client will come away with a clearer picture of where their people stand, some concrete proof points, and a sensible recommendation about what to do next.

Human Firewall trial framework — five-document structure for a managed 10-day security awareness pilot

What Users Actually Experience in a Security Awareness Trial

The gap analysis works through twelve categories of practical awareness: phishing, password discipline, physical security, remote working, security at home, public Wi-Fi, social engineering, mobile device security, cloud security, removable media, internet use, and email use. This is not a test of technical ability. It is an assessment of everyday working habits and judgment — exactly the areas that bad actors target.

Based on where their gaps sit, each participant receives one short follow-up training item focused on their weakest area. They also complete one sample policy acknowledgement, introducing them to the policy management side of the platform, and take part in one phishing simulation. The total participant experience is kept deliberately light. Communication before the trial makes clear that this is designed to support people, not catch them out, because participants who feel threatened switch off before they even start.

What Management Receives: Turning Data Into Decisions

The close-out summary is where the trial earns its value. It translates ten days of platform data into a management-level conversation: the baseline picture, the strongest and weakest areas across the group, participation levels, and the practical next steps if the client wants to build on what they have found.

What tends to surprise clients at this stage is the unevenness. Even in a small, close-knit team, the spread between individuals can be wider than management expected. Basic categories — phishing recognition, password discipline — often come back weaker than assumed. And almost every group has genuine areas of strength, which matters because the conversation should be constructive, not alarming. The close-out summary is designed to turn assumptions into something visible and discussable, not to produce a scare.

After the trial we ran for the first client, the follow-up conversation shifted from a general concern about security to a specific question: what would it look like to close these gaps properly? That is what a well-run pilot is supposed to produce.

Why the Methodology Matters for Security Awareness Training

Giving a client a platform login is just access to a tool. This framework gives them a managed experience, a clear journey, meaningful reporting, and a business conversation at the end. It changes the offer from “here is a platform” to “here is a professional pilot with a purpose.” The reporting is usable. The close-out summary is something a managing director can act on. And the trial stays within scope, within ten days, and requires less than 30 minutes of involvement from each participant.

The point is not to give away free training. The point is to give management useful visibility, while keeping the entire exercise short, relevant, and manageable.

The question after a near-miss with a phishing email is almost always the right one: where do our people actually stand? A structured trial is the only honest way to find out.

Visibility into where your people actually stand on security awareness is not a nice-to-have. It is the foundation on which every subsequent investment in protection is built.

Si Futures offers Human Firewall trials as part of its managed cyber security portfolio. To discuss whether a trial is right for your business, contact us.
Sean Rogers
