Security awareness, training, and education

Learning is a continuum: it starts with awareness, builds to training, and evolves into education. We can use the definitions provided by NIST for further clarity.

Awareness – the ability of the user to recognize or avoid behaviors that would compromise cybersecurity

Training – the action provided to a user in the acquisition of security knowledge, skills, and competencies

Education – knowledge or skill obtained or developed by the learning process

Awareness sessions aren’t training but are intended to enable individuals to recognize security problems and act accordingly. Training, on the other hand, is designed to make sure individuals have appropriate security skills and competencies.

Given the rapid change in the types of security threats, training should be done regularly and tailored to meet the different needs of the organization and its workforce.

There are four steps to be considered when developing and implementing an IT security training program.

The different roles in the organization, the current knowledge of the people holding those roles, and the broader organizational context will all inform the design of the program.

While there is a basic level of security awareness required of all employees, some roles need more frequent or in-depth training. For example, employees who handle customer personal data will need regular reminders of data protection laws such as GDPR in Europe and the raft of federal and state laws in the US.

Executives, some of whom might consider themselves above the need, are just as vulnerable and are a target for criminals using whaling or business email compromise (BEC) threats. They also need a good grasp of the threat landscape and of what the organization is doing about those threats so they can address any stakeholder questions.

Sub-contractors and temporary staff are often forgotten, particularly since they are frequently changed, but are a higher security risk and need to (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Brian Hickey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/BY5TagAG6rA/