In May of 2021 ISC2 changed the order of this acronym to Security, Education, Training and Awareness (SETA).

In addition to reducing the risk of insider threat, education, training and awareness help employees recognize security issues and incidents and understand attack methods. Candidates should know the difference between education, training, and awareness. Note: the prior idea of any of these being formal vs. informal is now gone.

Education simply refers to increasing your knowledge and understanding of something. 

Training refers to improving your skills and proficiency with certain tasks.

Awareness is how well-acquainted someone is with the education and training needed, or more importantly, how well-acquainted they are with the desired outcome.

Here are some common methods of delivering education, training, and awareness:

  • Computer based training
    • Benefits: standardization of the material, effectiveness of the material, automatic knowledge assessments, and automated tracking
    • Downside: users can click through and not pay attention
  • Gamification refers to adding games to your education and training modules. An example would be one of the matching questions you might get on the exam but with images instead of words, such as dragging red flags over the text of a fake phishing email, with points and scores awarded.
  • Security champion “contests” are a way of publicly recognizing someone for their superior knowledge or application of security principles. For example, if someone prevents a breach or discovers/prevents fraud, they might be rewarded with gift cards or vacation time, or might have their names added to an intranet newsletter.
  • Live instruction
    • Benefits: eliminates click-through, Q&A in real time, builds rapport
    • Downside: requires a special skillset (SME + educator)
  • Online synchronous training. Similar to live, in-person training, ‘online’ training can be conducted using virtual collaboration platforms where learners do not have to be physically present.
  • Recognition: rewarding employees via monetary rewards, vacation time, etc.
    • Benefits: encourages correct behavior – resulting in better security, and creates a feeling of harmony between users and the security office
  • Frequent communications in the form of email reminders, newsletters, intranet page highlights, meeting reminders, meeting special guest speakers, one-on-one reminders, signs/posters
    • Benefits: emphasizes the importance of security, promotes awareness
  • Micro training: smaller modules than the typical annual training. An example would be a small module that trains users on how to avert phishing attempts, typically following an approved phishing campaign that’s overseen by the information security office.

Note: providing education, training, and awareness to our employees is part of practicing due care.

Content Review and Evaluations

Reviewing the content of training and awareness materials is important for maintaining an effective security and education program, and can reduce the likelihood that uneducated staff themselves become a vulnerability.

Periodic Content Review:

  • Whether the training includes all laws, especially those concerning breaches and security practices.
  • Accurate discussion of security tools (an example might be phishing reporting buttons in your email application, incident logging tools, SIEM, firewalls).
  • Security policy updates.
  • Attack methods currently directed to the organization.
  • Periodic content reviews are part of due diligence.

Effectiveness Evaluation:

  • Testing desired outcomes of the training, such as sending mock phishing emails to see who clicks on the links.
    • Note: starting with the desired outcome is the ideal place to begin an effectiveness evaluation, for example: ‘We want all employees to properly identify and report suspicious emails’.
  • Auditing, such as spot checking desks to see if confidential material is laying around, or examining policies and standards to ensure they have the correct directives, goals, and legal citations.
  • Penetration testing that can include mock social engineering and other attacks to examine employee responses to structured attacks. 
  • User log reviews can reveal whether or not employees are using the system for the purpose for which access was granted and whether their actions are in harmony with the entity’s training & awareness program.
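The first bullet and its note describe starting from the desired outcome (‘all employees properly identify and report suspicious emails’) and measuring against it with a mock-phishing campaign. The script below is an added example of that measurement, not material from the original notes or from ISC2: it takes constructed, hypothetical campaign results (employee ids, departments, clicked/reported flags), computes overall and per-department click and report rates, checks them against the stated goal, and lists the employees who clicked without reporting as candidates for the micro-training module mentioned earlier. The function names, the department names and the result data are all this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed results from a hypothetical approved mock-phishing campaign:
# (employee id, department, clicked the link?, reported the email?)
CAMPAIGN_RESULTS = [
    ("e001", "finance", True, False),
    ("e002", "finance", False, True),
    ("e003", "finance", False, False),
    ("e004", "hr", True, True),
    ("e005", "hr", False, True),
    ("e006", "it", False, True),
    ("e007", "it", False, True),
    ("e008", "it", True, False),
]


@dataclass
class Outcome:
    """Counts for one group of recipients (overall or one department)."""
    recipients: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self):
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self):
        return self.reported / self.recipients if self.recipients else 0.0


def summarize(results):
    """Return (overall Outcome, {department: Outcome}, follow-up list).

    The follow-up list holds employees who clicked the simulated link and did
    not report the message: the group that most needs micro training.
    """
    overall = Outcome()
    by_dept = {}
    follow_up = []
    for emp, dept, clicked, reported in results:
        for bucket in (overall, by_dept.setdefault(dept, Outcome())):
            bucket.recipients += 1
            bucket.clicked += int(clicked)
            bucket.reported += int(reported)
        if clicked and not reported:
            follow_up.append(emp)
    return overall, by_dept, follow_up


def meets_desired_outcome(outcome, max_click_rate=0.0, min_report_rate=1.0):
    """Compare measured rates with the stated goal: nobody clicks, everyone reports."""
    return (outcome.click_rate <= max_click_rate
            and outcome.report_rate >= min_report_rate)


if __name__ == "__main__":
    overall, by_dept, follow_up = summarize(CAMPAIGN_RESULTS)
    print(f"overall: click {overall.click_rate:.0%}, report {overall.report_rate:.0%}")
    for dept, o in sorted(by_dept.items()):
        status = "meets goal" if meets_desired_outcome(o) else "gap"
        print(f"{dept:8} click {o.click_rate:.0%} report {o.report_rate:.0%} -> {status}")
    print("micro-training follow-up:", follow_up)
```

The per-department view is what makes the evaluation actionable: a single overall rate hides the departments where the gap actually sits, and the follow-up list ties the measurement back to the training step that should close it.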

Artificial Intelligence (AI)
The vast amount of data generated in the digital age has enabled machines to learn patterns and make intelligent decisions. AI powers machine learning (ML) and cognitive computing, helping machines mimic human thinking. Advances in AI have led to more sophisticated algorithms, paving the way for deep learning, the next evolution of ML.

Deep learning is shaping the future of industries like finance, healthcare, education, and gaming, thanks to rapid advancements in cloud computing, software, and hardware. Many security vendors claim to use AI and ML, but it’s important to ask for real-world proof to ensure these technologies deliver results.

Blockchain and Cryptocurrency
Blockchain is a decentralized digital ledger that records transactions securely and transparently. Initially developed for cryptocurrency, it has expanded to offer business value through its core features:

  • Immutability – Once a block is added, it cannot be removed or altered.
  • Redundancy – Data is stored across multiple nodes, preventing failures.
  • Transparency – Public visibility ensures secure audit trails.
  • Non-repudiation – Actions recorded on the blockchain cannot be denied, thanks to digital signatures and secure records.

These features make blockchain a powerful tool for security, finance, and other industries.
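The immutability and audit-trail properties listed above come from chaining blocks by hash: each block stores the hash of the block before it, so altering any past entry breaks every link after it. The following is an added example written for these notes, not code from the original page or from any real blockchain implementation; it is a single-process toy ledger (the Ledger class, its methods and the audit-trail entries are all this example's own constructions) that shows why an in-place edit is detectable and why rewriting one block is not enough. It does not demonstrate the redundancy or the digital-signature side of non-repudiation, which would need multiple nodes and asymmetric keys.

```python
import hashlib
import json


def compute_hash(block):
    """SHA-256 over every field of the block except its own stored hash."""
    payload = json.dumps(
        {k: v for k, v in block.items() if k != "hash"}, sort_keys=True
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    """Minimal hash-chained, append-only ledger (illustrative, not a real chain)."""

    GENESIS_PREV = "0" * 64  # fixed back-link for the first block

    def __init__(self):
        self.chain = []
        self.append({"event": "genesis"}, "2024-01-01T00:00:00Z")

    def append(self, data, timestamp):
        prev_hash = self.chain[-1]["hash"] if self.chain else self.GENESIS_PREV
        block = {
            "index": len(self.chain),
            "timestamp": timestamp,
            "data": data,
            "prev": prev_hash,
        }
        block["hash"] = compute_hash(block)
        self.chain.append(block)
        return block

    def verify(self):
        """Return (True, None) if every hash and back-link is consistent,
        otherwise (False, index_of_first_inconsistent_block)."""
        for i, block in enumerate(self.chain):
            if block["hash"] != compute_hash(block):
                return False, i
            expected_prev = self.chain[i - 1]["hash"] if i > 0 else self.GENESIS_PREV
            if block["prev"] != expected_prev:
                return False, i
        return True, None


def build_sample_ledger():
    """Constructed, hypothetical audit-trail entries for one employee."""
    ledger = Ledger()
    ledger.append({"event": "policy_ack", "user": "e002"}, "2024-01-02T09:00:00Z")
    ledger.append({"event": "training_complete", "user": "e002"}, "2024-01-03T10:30:00Z")
    ledger.append({"event": "phish_reported", "user": "e002"}, "2024-01-04T08:15:00Z")
    return ledger


def tamper_demo():
    """Alter a past entry two ways and report what verify() says each time."""
    ledger = build_sample_ledger()
    ok_before = ledger.verify()
    # Attempt 1: edit block 1's data without touching any hash -> block 1 fails.
    ledger.chain[1]["data"]["user"] = "e999"
    naive = ledger.verify()
    # Attempt 2: also recompute block 1's own hash -> block 2's back-link now
    # fails, so every later block would have to be rewritten as well.
    ledger.chain[1]["hash"] = compute_hash(ledger.chain[1])
    rehashed = ledger.verify()
    return ok_before, naive, rehashed


if __name__ == "__main__":
    print(build_sample_ledger().verify())
    print(tamper_demo())
```

On a real distributed ledger the rewrite in attempt 2 would also have to be repeated on enough independent nodes to outvote the honest copies, which is where the redundancy property does its work; this toy shows only the local, single-copy half of the argument.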