Training and Education

Right or wrong, employees believe that it is up to employers to provide training. Without proper training, employees are generally unaware of how their actions or activities can affect the security of the organization. One of the weakest links in security is the people who work for the company. Social-engineering attacks prey on the fact that users are uneducated in good security practices; therefore, the greatest defense against these types of attacks is training, education, and security awareness (see Figure 3.5).

Figure 3.5. Training and education triad.

Besides security awareness, you might find that your employees need more in-depth training in matters of organizational security. This might consist of in-house training programs that teach new employees needed security skills or the decision to send the security staff offsite for a CISSP education program. Regardless of which program your company decides it needs, you can use seven steps to help determine what type of security training to sponsor:

  1. Establish organizational technology objectives.
  2. Conduct a needs assessment.
  3. Find a training program that meets these needs.
  4. Select the training methods and mode.
  5. Choose a means of evaluating.
  6. Administer training.
  7. Evaluate the training.
Types of training include the following:

  • In-house training
  • Web-based training
  • Classroom training
  • Vendor training
  • On-the-job training
  • Apprenticeship programs
  • Degreed programs
  • Continuing education programs

Training and education are not the same. Training programs are of short duration and usually teach individuals a specific skill. Education is broader based and longer term. Degree programs are examples of education.


Security Awareness

Awareness programs can be effective in increasing employee understanding of security. Security awareness training must be developed differently for the various groups of employees that make up the organization. Not only will the training vary, but the topics and types of questions you'll receive from the participants will also vary. Successful employee awareness programs tailor the message to fit the audience. These are the three primary groups that security awareness training should be targeted to:

  • Senior management: Don't try presenting an in-depth technical analysis to this group. They want to know the costs, benefits, and ramifications if good security practices are not followed.
  • Data custodians: This group requires a more structured presentation on how good security practices should be implemented, who is responsible, and what the individual and departmental cost is for noncompliance.
  • Users: This training must align with an employee's daily tasks and map to the user's specific job functions.

Employee-awareness programs work best when they are run for short periods and changed frequently.

The goal of security awareness is to increase management's ability to hold employees accountable for their actions and to modify employee behavior toward security.

Source: CISSP Exam Cram 2, Michael Gregg, 2003. ISBN: 078973446X. 204 pages.