Building The Human Firewall


By Mark Majewski, Team Leader, Information Security, Rocket Central


By now, everyone understands the importance of information security. Organizations rely heavily on information technology to run their businesses and most organizations have InfoSec team members dedicated to managing their IT security. Most companies understand the need for security technology like firewalls, anti-virus software and authentication controls to protect data and computer systems. However, having a team focused on addressing the “human risk” is a relatively new function on InfoSec teams. These teams are commonly called Security Awareness.

Several years ago, Rocket Companies dedicated resources to create an Information Security Awareness team to ensure that team members can recognize and know how to respond to information security threats.

TRAM Model

As this team grew and matured, Team Leader Majewski developed a model that describes the core functions of a comprehensive program. This framework for an awareness program includes Training, Reinforcement, Assessment and Management (TRAM).

Figure: The TRAM model (Train, Reinforce, Assess, Manage)
  • Training: Team members need training to ensure they know how to detect and respond to security threats.
  • Reinforce: Studies show that people forget most of what they learn in training in the days and weeks after the training. Therefore, reinforcing the training with periodic communications is critical so the knowledge stays fresh.
  • Assess: Ultimately, it’s not what team members know that keeps us secure. Rather, it’s their secure behaviors that keep us safe.
  • Manage: Without oversight, awareness programs risk performing activities without the ability to demonstrate progress or adjust to become more effective.

While all security programs should have the TRAM core functions, not all have the same maturity. This is why Majewski also defines the Awareness Program Maturity Model (APMM), which gives awareness professionals a way to assess their programs and aspire to improve.

APMM levels: 1. None, 2. Ad-Hoc, 3. Established Road, 4. Managed and Diverse, 5. Optimized and Targeted.


After building the TRAM and APMM frameworks, Majewski wanted to share them with security awareness professionals for their own use. Majewski now shares these frameworks with hundreds of security awareness professionals through presentations at industry events and with his peers in the International Association of Security Awareness Professionals (IASAP).

The Book

While Majewski never aspired to be an author, he felt it was important to document his approach to security awareness so others could benefit from the things he learned while working at Rocket Companies. Over 18 months, Majewski spent many evenings and weekends formalizing the TRAM and APMM models in his book Security Awareness Program Builder.

Join The Rocket Team

Rocket Companies is filled with talented team members obsessed with helping our clients achieve the dream of homeownership and financial freedom. At Rocket, you can learn, grow, become an expert and even become an author.

We’re still hiring! Even in the face of uncertainty, we’re reshaping the fintech industry. Interested in joining us? Check out our technology openings.

Mark Majewski, Team Leader, Information Security, Rocket Central

Mark Majewski is an Information Security Leader and Evangelist at Rocket Central, in Detroit, Michigan. Rocket Central is the centralized hub for the Rocket Companies fintech platform including the nation’s largest mortgage lender, Rocket Mortgage.

Majewski has a master’s degree in Information Systems and more than 25 years’ experience leading IT and Information Security programs in Energy, Finance and other industries. He is a board member of the International Association of Security Awareness Professionals (IASAP). Majewski has completed many certifications including SACP, SSAP, CRISC, CISSP, PMP, Lean-Green Belt and more.

When he is not online and working, you can find Majewski relaxing on Lake Saint Clair as the captain of his boat “Off Line”. You can find and follow Mark on LinkedIn at

These opinions are those of the author. Unless noted otherwise in this post, Rocket Mortgage Technology is not affiliated with, nor is it endorsed by any of the companies mentioned. All trademarks and other intellectual property used or displayed are the ownership of their respective owners. This article is © 2022 Rocket Mortgage Technology.


