Case studies: learning and development

How learning and development at Inland Revenue is building capability in artificial intelligence (AI) and security.

AI fluency — Inland Revenue

Improve AI knowledge at Inland Revenue

The goal was to boost AI knowledge across Inland Revenue (IR), making sure everyone understands AI and its uses, from the executive leadership team (ELT) to the end users at IR.

This helps IR stay ahead with technology changes and use AI effectively.

In , IR launched an AI fluency training programme to get staff up-to-speed on AI. The training was for 4 main groups:

  • executive leadership team
  • AI oversight group
  • business leaders
  • AI working group.
Figure 1: Tailored approaches for AI Fluency training at IR

Detailed description of the image

Table showing the 4 tailored and structured learning approaches for each of the 4 different groups across IR to gain AI literacy.

Group 1: Working group and select oversight group members

  • 4-week course for over 40 participants. Course includes 1 hour touch point and 1 hour study per week with a Dragon’s Den pitch.
  • What needs are being met? “We want consistent understanding across our senior leadership group to understand AI, and identify or triage high value use cases.”

Group 2: Oversight group

  • 2-hour workshop with over 20 participants.
  • What needs are being met? “Our senior governance group should have oversight of AI at IR, with a focus on applications and ethical considerations.”

Group 3: ELT Level

  • 2-hour workshop with the executive leadership team.
  • What needs are being met? “How do we appropriately govern a large organisation with a technology change happening so quickly.”

Group 4: Business Leaders

  • Electronic learning materials for over 100 participants. Materials include 7 e-learn modules and introductory recordings with executives."
  • What needs are being met? “We want to understand Gen AI, its risks and the possible threats to our business on an everyday basis, when it suits us to engage.”
View larger image (PNG 37KB)

As at , the programme has trained more than 2000 staff including all executive and senior leaders and people using AI tools.

Course modules covered

The course modules covered topics on:

  • Generative AI 101
  • Value and Measurements
  • Trust, Ethics and Governance
  • Prompt Training
  • Risk and Threat Management
  • Data and information Management.

Delivery of course modules

The programme included workshops, e-learning, and interactive sessions to explain AI, show its uses, and talk about risks and ethics.

Key programme workstreams included:

  • Executive workshops — Focused on AI governance, opportunities, value capture and strategy.
  • AI oversight group workshops — Covered AI practical uses, governance, value capture, trust, ethics, data and information management, risk and threats.
  • Business leaders e-learning — Flexible, self-paced learning on AI basics and risks. This was rolled out to all IR staff.
  • AI working group course — A 4-week intensive course for staff involved in improving IR’s AI capability. This ended with a Dragon's Den style pitch to apply AI knowledge to real-world cases where participants worked in teams.

The programme was a hit, with lots of participation and engagement. It built a strong AI knowledge base at IR, helping staff to use AI responsibly and effectively.

The 4-week intensive course was the most popular ‘Friday’ event and led to its wider reuse to support AI capability improvements within IR. The same training materials have now been shared with other public sector agencies and the Government Chief Digital Officer (GCDO) to incorporate into their AI training programmes.

AI Foundational Capability — Leadership Development Centre (LDC)

Security awareness — Inland Revenue

Keeping systems and data secure

Inland Revenue (IR) is New Zealand’s tax agency. It is essential that IR complies with the:

  • New Zealand Information Security Manual (NZISM)
  • Protective Security Requirements (PSR)
  • Tax Administration Act .

This is to protect IR’s customers’ data and privacy, and to maintain the agency's integrity and trust within New Zealand.

Whakangungu KaitiakiIR’s Information Security Awareness and Learning Programme

In

The learning programme raises awareness among IR’s people, empowering them to be the first line of defence against malicious threats and cyber-attacks.

The human element is often the weakest link in any cyber defence system. Hackers exploit psychological vulnerabilities through manipulation techniques, making it crucial to educate staff on vigilance and protection. Whakangungu Kaitiaki addresses this by educating employees to safeguard themselves and IR’s systems and information.

Security awareness and training is one way to help people understand what to look for and feel empowered to do the right things to keep systems and data secure.

Programme launch and initial assessment

A large contributing factor to the success of the programme is the support it received from IR’s Deputy Commissioner and CISO who sponsored and launched the program. They emphasised the important role IR employees play in keeping IR safe.

The programme kicked off with a Security Awareness Proficiency Assessment (SAPA) that was mandatory for all IR people to complete. This assessment, conducted annually, establishes a security awareness benchmark and identifies areas for improvement. The results guide the creation of targeted learning campaigns to strengthen their people’s role as guardians of IR’s systems and information.

The CyberSecurity team has done extensive measurement and evaluation to understand which cohorts/staff have completed the course. Some of the courses are mandatory.

The assessment covers 7 key knowledge areas:

  • email security
  • mobile devices
  • incident reporting
  • internet use
  • passwords and authentication
  • social media
  • human firewall.
Figure 2: Tracking improvements and changes in average scores across IR

Detailed description of the image

Charts showing the average score across the 7 key knowledge areas each year for the last 3 years.

The key knowledge area are:

  • Email security
  • Mobile devices
  • Incident reporting
  • Internet use
  • Passwords and authentications
  • Social media
  • Human firewall.
View larger image (PNG 28KB)

Additional campaigns and tools

The programme also includes participation in events like Privacy Week, Fraud Week, and Cyber Smart Week, in collaboration with other government agencies and financial institutions. User provisioning is managed through Active Directory Integration (ADI) or System for Cross-domain Identity Management (SCIM), allowing monitoring of each user’s risk score and contribution to the overall risk score of IR.

Security Culture Survey (SCS)

Annually, Whakangungu Kaitiaki distributes Security Culture Survey (SCS) to all IR staff. This 10-minute survey helps IR determine employees’ security awareness maturity and improves the security culture.

Phish Alert Button (PAB)

The programme has an email add-in, the Phish Alert Button (PAB), which replaced the ‘Report Message’ icon in Outlook. This button allows users to report suspicious emails, which are then forwarded to IR’s Service Desk for analysis. This functionality enhances reporting, improves visibility of potential cyber vulnerabilities, and strengthens the human firewall.

Phishing Simulation Exercises

Through the KnowBe4 Portal, IR conducts phishing simulation exercises throughout the year. After a phishing simulation exercise, additional targeted learning campaigns are put in place to educate users who failed the exercise. Once the learning is completed, people are tested again.

This comprehensive approach ensures that Inland Revenue remains vigilant and secure against cyber threats.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated