Scenario 2 – security awareness/continuous monitoring/IT helpdesk

Let's review the Capability Maturity Model diagram for security awareness phase C+:

Understanding that security awareness lets us rely on users to push cyber intelligence to IT operations and IT security, we now need to establish some target PIRs and support the collaboration between teams with policies and procedures:

  • The problem: There is no way to evaluate whether users' IT incidents can be related to any specific IT security/threat intelligence incident
  • Baseline: Between the IT help desk and IT security continuous monitoring, a negligible number (fewer than 25 globally) of IT incidents are reported as information security incidents per shift
  • Anomaly: Between the IT help desk and IT security continuous monitoring, there is an increase (more than 25 globally) in IT incidents reported as information security incidents per shift
  • Priority information request 1: We need to know when threat intelligence correlates to incident tickets reported to IT help desks
  • Priority information request 2: We need to know when any systems are impacted by ransomware—location, time, date, and attack vector
  • The targets—overview:
    • Phase initial: Planning with key personnel
    • Phase A:
      • Develop and establish the policy
      • Develop and prepare to implement the procedure
    • Phase B:
      • Integrate threat intelligence into security awareness to enable users to identify and report anomalies (PIR 1)
      • Develop threat intelligence and IT help desk correlation monitoring capability for SOC and IT help desk (PIR 1)
      • Establish automated email reporting to key stakeholders for PIR 1
    • Phase C: Establish automated reporting to key stakeholders for PIR 2
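One way the Phase B correlation capability for PIR 1 and the baseline/anomaly check above could be automated, as an added example that is not from the book: the threat-intel indicators, the three 8-hour shift boundaries and the ticket data are all constructed assumptions, and "more than 25 correlated tickets per shift" is taken from the anomaly definition above.

```python
"""Correlate help-desk tickets with threat-intel indicators (PIR 1) and
compare per-shift counts to the baseline/anomaly threshold. Constructed data."""
from collections import Counter
from datetime import datetime

ANOMALY_THRESHOLD = 25  # more than 25 correlated incidents per shift is the anomaly

# Constructed indicators (hypothetical values, not real IoCs), each tied to a TI report.
INDICATORS = [
    {"ref": "TI-0001", "pattern": "invoice_march.zip"},   # phishing attachment name
    {"ref": "TI-0002", "pattern": ".locked"},             # ransomware file extension
    {"ref": "TI-0003", "pattern": "example-phish.test"},  # lure domain (reserved TLD)
]

def shift_of(opened: str) -> str:
    """Map a ticket timestamp to a 'date shift' label; three 8-hour shifts assumed."""
    ts = datetime.fromisoformat(opened)
    return f"{ts.date()} {('night', 'day', 'evening')[ts.hour // 8]}"

def correlate(tickets, indicators=INDICATORS):
    """PIR 1: tickets whose free-text summary matches an indicator, tagged with its TI ref."""
    hits = []
    for t in tickets:
        text = t["summary"].lower()
        for ind in indicators:
            if ind["pattern"].lower() in text:
                hits.append({**t, "ti_ref": ind["ref"]})
                break
    return hits

def per_shift_status(hits):
    """Count correlated tickets per shift; return {shift: (verdict, count)}."""
    counts = Counter(shift_of(h["opened"]) for h in hits)
    return {s: ("anomaly" if n > ANOMALY_THRESHOLD else "baseline", n)
            for s, n in counts.items()}

def constructed_tickets():
    """Constructed sample: 30 phishing tickets in the day shift, 2 hits in the night
    shift, and one unrelated ticket that must not correlate."""
    tickets = [{"id": f"INC-{i:04d}", "opened": f"2024-03-04T{9 + i % 6:02d}:{i:02d}:00",
                "summary": "Cannot open invoice_march.zip from email"} for i in range(30)]
    tickets += [{"id": "INC-0100", "opened": "2024-03-04T02:10:00",
                 "summary": "All my documents now end in .locked"},
                {"id": "INC-0101", "opened": "2024-03-04T03:40:00",
                 "summary": "Link to example-phish.test asked for my password"},
                {"id": "INC-0102", "opened": "2024-03-04T10:00:00",
                 "summary": "Printer on floor 3 is offline"}]
    return tickets

if __name__ == "__main__":
    for shift, (verdict, n) in sorted(per_shift_status(correlate(constructed_tickets())).items()):
        print(f"{shift}: {n} correlated tickets -> {verdict}")  # day shift reports anomaly
```

The per-shift summary is what the automated stakeholder report in Phase B would carry; a single PIR 2 ransomware indicator hit (the `.locked` ticket here) should be escalated regardless of the count.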