Training and Education

Right or wrong, employees believe that it is up to employers to provide training. Without proper training, employees are generally unaware of how their actions or activities can affect the security of the organization. One of the weakest links in security is the people who work for the company. Social-engineering attacks prey on the fact that users are uneducated in good security practices; therefore, the greatest defense against these types of attacks is training, education, and security awareness (see Figure 3.5).

Figure 3.5. Training and education triad.

Besides security awareness, you might find that your employees need more in-depth training in matters of organizational security. This might consist of in-house training programs that teach new employees needed security skills or the decision to send the security staff offsite for a CISSP education program. Regardless of which program your company decides it needs, you can use seven steps to help determine what type of security training to sponsor:

1.	Establish organizational technology objectives.
2.	Conduct a needs assessment.
3.	Find a training program that meets these needs.
4.	Select the training methods and mode.
5.	Choose a means of evaluating.
6.	Administer training.
7.	Evaluate the training.

Types of training include the following:

• In-house training
• Web-based training
• Classroom training
• Vendor training
• On-the-job training
• Apprenticeship programs
• Degreed programs
• Continuing education programs

Training and education are not the same. Training programs are of short duration and usually teach individuals a specific skill. Education is broader based and longer term. Degree programs are examples of education.

 

Security Awareness

Awareness programs can be effective in increasing employee understanding of security. Security awareness training must be developed differently for the various groups of employees that make up the organization. Not only will the training vary, but the topics and types of questions you'll receive from the participants will also vary. Successful employee awareness programs tailor the message to fit the audience. These are three of the primary groups that security awareness training should be targeted to

• Senior management Don't try presenting an in-depth technical analysis to this group. They want to know the costs, benefits, and ramifications if good security practices are not followed.
• Data custodians This group requires a more structured presentation on how good security practices should be implemented, who is responsible, and what the individual and departmental cost is for noncompliance.
• Users This must align with an employee's daily tasks and map to the user's specific job functions.

Employee-awareness programs work best when they are run for short periods and changed frequently.

The goal of security awareness is to increase management's ability to hold employees accountable for their actions and to modify employee behavior toward security.