Cyber-security within Scottish Government: FOI release

Information requested

1. Does the organisation provide employees with a cyber-security awareness programme?

If yes, what methods of cyber-security awareness are used? If no, is this something that the organisation would consider?

2. How is the effectiveness of cyber-security awareness measured within the organisation?

If it isn’t measured, is there a plan to measure in future? How?

3. Is there buy-in and support from top level management for security awareness? 4. Do you utilise phishing simulation software to test employee’s cyber-security awareness towards phishing emails? 5. How many phishing attempts have the organisation received in the last year?

Has there been an increase due to the coronavirus pandemic?

Response

1. Yes, this is provided through face to face (pre-pandemic) and remote learning sessions and online tools. 2. Effectiveness of awareness education is gauged by direct measures (the gathering of metrics from feedback forms and questionnaires) as well as indirect measures (impact on behaviours as observed at an individual and organisational level). 3. The security awareness programme is sponsored and reviewed at Director General level. 4. Yes 5. While our aim is to provide information whenever possible, in this instance an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to your request. Disclosing this information would substantially prejudice our ability to carry out the effective conduct of public affairs. Providing details about the information you have requested into the public domain could subsequently be used by threat actors, taking into consideration both the external and insider threat, to evade any controls we might or might not have in place. This could therefore enable them to target specific types of attack or data exfiltration methods and would constitute substantial prejudice to the effective conduct of public affairs. About FOI The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

Contact Please quote the FOI reference Central Enquiry Unit Email: ceu@gov.scot Phone: 0300 244 4000 The Scottish Government St Andrews House Regent Road Edinburgh EH1 3DG

Detected exemption language

While our aim is to provide information whenever possible, in this instance an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to your request.

Attachments

No attachments found.

Similar releases

• Job vacancies and feedback for unsuccessful candidates in recruitment processes: FOI release 2026-05-15 · not held · 2 files
• Compliance Metrics and quality assurance processes for FOI case management and documentation in 2025: FOI release 2026-05-15 · unclear · 2 files
• Correspondence involving Special Advisers which relates to FOI requests concerning the Scottish Government’s bond programme: FOI release 2026-05-15 · partially withheld · 2 files
• Perth and Kinross broadband queries: FOI release 2026-05-14 · not held · 0 files
• Correspondence sent or received by Special Advisers mentioning Scotonomics: FOI Release 2026-05-11 · partially withheld · 2 files
• Internal Scottish Government correspondence and documentation discussing reference no. 202500494326: FOI Release 2026-05-11 · partially withheld · 2 files
• Correspondence between the Justice Secretary and Professor Alexis Jay: FOI release 2026-05-08 · partially withheld · 0 files
• Processing of applications at Disclosure Scotland: FOI release 2026-05-07 · released · 4 files