Security Awareness, Training, and Education – A Learning Continuum
- Written by: Jordan Engbers
If you work in the IT world or deal with information security on a regular basis, you'll hear people talking about "security awareness training." The term can be confusing because awareness and training are not the same thing. Generating awareness of something is distinctly different from the act of training. Awareness is about the learner receiving information from the teacher. Training is an active, engaged process in which the learner builds meaningful knowledge and skills that lead to action.
To adequately train your team in cybersecurity, think of learning as a continuum. It starts with awareness, builds to training, and can evolve into education for those making a career out of information security. Building on concepts from the National Institute of Standards and Technology (NIST), this article highlights the IT Security Learning Continuum and covers both the differences and links among awareness, training and education.
Security Awareness
Awareness refers to having knowledge of a situation or fact. According to NIST’s glossary of terms, “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.” Examples of awareness activities include anti-phishing posters placed in common areas; discussions of stronger passwords at staff meetings; or informational videos distributed via email.
It's critical to build your security training program on a strong foundation of awareness. The only way we can expect teams to innately understand existing risks, let alone react to them, is to give them guidance. That guidance begins on an employee's first day by including cybersecurity awareness as a required part of the initial onboarding process.
NIST illustrates this with an awareness session (or awareness materials you distribute) built around virus protection. You can address the subject simply and briefly by describing what a virus is, what can happen if a virus infects a user's system, what the user should do to protect the system, and what the user should do if a virus is discovered.
NIST’s guide to IT security training requirements (known as SP 800-16) describes a transition stage between awareness and training called Security Basics and Literacy. At this stage, users learn a core set of terms, topics, and concepts. During the literacy stage, information is not tied to specific tools or systems. Literacy delivers basic concepts so that users can move on to more robust training programs, and it prioritizes personal responsibility and behavioral change.
Security Training
NIST SP 800-16 defines training as the part of the continuum that “strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing).” The most significant difference between awareness and training is that awareness seeks to focus an individual’s attention on an issue or set of issues, while training seeks to teach skills that allow a person to perform a specific function.
Awareness is a basic necessity, but training is the difference maker when it comes to truly safeguarding an organization's sensitive information. Delivering information security training once a year is simply not enough. You should plan to spread awareness and training activities across the year so the message persists. Because cyber threats are constantly changing, the awareness and training program must be agile enough to cover the latest threats.
Security Education
NIST SP 800-16 defines education as the realm of people seeking a career in security. NIST says, “The ‘Education’ level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.” Education goes beyond basic security courses and training. In NIST’s view, education is accomplished through a degree program at a college, university, or other educational forum.
You don’t need to give everyone a formal security education to establish a successful security program. Awareness and training, however, are integral to a security-minded business culture.
HBS’s team can help you create an awareness and training program tailored to your team’s specific needs. To get started on your program, contact us today.