How Syracuse University built a campus-wide security awareness culture

Andrew leads security awareness for 6,000+ faculty and staff while also finding practical ways to reach students. He also brings a perspective many security teams do not have: 20 years in higher education, including experience in research and instructional design. 

When Andrew took over security awareness in 2022, he wanted to move beyond internal training materials and build a program that felt more like campus life — varied, useful and worth paying attention to. With Infosec IQ, a student marketing role and a network of distributed campus admins, Syracuse increased annual faculty and staff training completion from the low 60% range to 89% without turning the program into a punitive exercise. 

Andrew understood learning design. Before moving into security, he supported faculty as they designed courses and digital learning experiences. That background made him quick to spot the problem with traditional awareness training.

At first, Andrew tried to improve the internal materials: fewer words, simpler slides and a clearer message. But there was only so much one person could do while also managing the SOC, alerts, newsletters, tabling events and questions from across campus. 

“It’s hard to ask somebody to wear all these hats for security and create content that people would care to consume,” Andrew said. “I’m not a Hollywood director or producer.” 

That became his business case. Syracuse needed a way to deliver professional training content and realistic phishing simulations without asking its security team to become a production studio. 

Choosing content people would actually use 

When Syracuse evaluated training providers, Andrew focused on the learner experience. He needed content that felt current, engaging and grounded in sound learning design — not another set of voiceover slides. He vetted both KnowBe4 and Proofpoint before going with Infosec Institute. 

Infosec IQ stood out for fresh content and a team that understood learning design. It gave Andrew a wider mix of formats to work with, including animated modules, live-action content and Pick-Your-Path gamified experiences. 

That variety mattered. Faculty, staff and students do not all respond to the same message. A program that works across campus needs enough flexibility to meet different audiences where they are. 

Different paths for different audiences 

For faculty and staff, Andrew built a steady cadence: annual training each spring, quarterly phishing simulations and adaptive follow-up training for people who click a simulated phishing message. Each quarterly campaign includes three phishing templates, giving employees 12 simulated emails across the year. 

The adaptive follow-up matters because it turns a click into a short, timely learning moment. Instead of shaming employees, Andrew assigns focused training, usually a three- to four-minute video, and keeps the message supportive. 

“It’s not too burdensome,” Andrew said. “We’re not trying to be mean about it. The goal is to have some targeted follow-up training that hits them in the right moment.” 

With roughly 25,000 students, Andrew chose not to add students to formal training or phishing simulations right away. Instead, his team reaches them through newsletters, tabling events, digital signage, screensavers and posters designed for student spaces. 

To keep student awareness fresh, Andrew turned one SOC student role into a communications-focused position. Syracuse hired a graduate student in marketing who now spends most of her time supporting security awareness. 

Poster created by graduate student Ria Rana.

That gives Andrew something many security awareness managers need but rarely have — a creative partner who understands the student audience. She has created digital awareness materials and AI-generated, Stranger Things-inspired poster concepts for residence hall bulletin boards. Andrew sets the topic and guardrails. Then he lets the creative work happen. 

“I’ll tell them what I want the messaging to cover,” Andrew said. “But they’re the creative. I just let them know if it’s appropriate.” 

That balance lets Syracuse speak in a way that feels native to students while keeping the program accurate, appropriate and aligned to the security team’s goals. 

Syracuse’s annual training completion rate used to land in the low 60% range. Andrew first pushed it close to 80% without being, in his words, “draconian.” With continued reminders and support from campus contacts, the university reached 89%. 

This improvement gave leadership a stronger story to tell trustees, senior leaders and insurance providers — all groups looking for evidence that awareness training is active and measurable. 

From a compliance standpoint, Andrew says the program also goes beyond a minimal interpretation of New York’s SHIELD Act. Instead of treating awareness as a once-a-year checkbox, Syracuse puts messages in front of people continually and in different formats. 

Phishing simulation data also helps Andrew keep improving the program. Service-based templates tend to draw the most clicks, especially Google, DocuSign and Microsoft-style messages. Spoofed manager emails also performed well, but they created more operational friction when employees did exactly what they were taught to do: check with the person who supposedly sent the message. 

Those results help Andrew tune the difficulty. A strong phishing program needs realism, but it also needs trust, he said. 

“I’m not trying to get you. I’m trying to get you to slow down and look at what is in the email.” 

Syracuse has also improved phishing reporting behavior by moving employees away from forwarding suspicious messages to a shared inbox and toward using the Outlook report phishing button. For Andrew, that change reduced manual triage and made reporting easier for employees. 

Andrew is clear about one thing: one person cannot personally reach 6,000+ faculty and staff across a large university. 

“For a school our size, it’s just too much for one person to be running around and keeping in touch with these people,” Andrew said. 

To scale the program, he works through distributed admins across Syracuse’s schools and colleges, including the iSchool, Arts and Sciences and Engineering. During annual training campaigns, Andrew sends weekly updates so local contacts can see completion progress, share reminders in school-specific newsletters and bring the message into meetings. 

His instructional design background helps here, too. He has spent years working with faculty and staff on how to build courses, teach effectively and communicate with learners. Security awareness gives him a new version of that same mission: helping people understand what to do before a real threat shows up. 

Keeping the program evolving 

Andrew is already thinking about what comes next. One idea is a spring cleaning campaign that connects cybersecurity, data hygiene and sustainability. The campaign could encourage people to clean out inboxes, unsubscribe from unwanted messages, shred old documents and dispose of outdated technology safely. 

He is also exploring adaptive training paths for repeat clickers and using quarterly phishing results to keep templates realistic without pushing them too far. 

That continuous improvement mindset is what makes Syracuse’s program work. Andrew did not build a one-time training push or a clever poster campaign. He built a sustainable program around how campus life actually works — combining his 20 years in higher education with Infosec IQ content and simulations, student-informed creativity and a champion network that helps carry the message across Syracuse.