In May 2021, ISC2 changed the order of this acronym to Security, Education, Training and Awareness (SETA).

In addition to reducing the risk of insider threat, education, training, and awareness help employees recognize security issues and incidents and understand attack methods. Candidates should know the difference between education, training, and awareness. Note: the prior distinction of any of these being formal vs. informal is now gone.

Education simply refers to increasing your knowledge and understanding of something. 

Training refers to improving your skills and proficiency with certain tasks.

Awareness is how well-acquainted someone is with the education and training needed or, more importantly, with the desired outcome.

Here are some common methods of delivering education, training, and awareness:

  • Computer-based training
    • Benefits: standardization of the material, effectiveness of the material, automatic knowledge assessments, and automated tracking
    • Downside: users can click through without paying attention
  • Gamification refers to adding games to your education and training modules. An example would be one of the matching questions you might get on the exam, but with images instead of words, such as dragging red flags over the text of a fake phishing email, with points and scores awarded.
  • Security champion “contests” are a way of publicly recognizing someone for their superior knowledge or application of security principles. For example, if someone prevents a breach or discovers/prevents fraud, they might be rewarded with gift cards or vacation time, or might have their name added to an intranet newsletter.
  • Live instruction
    • Benefits: eliminates click-through, allows Q&A in real time, builds rapport
    • Downside: requires a special skill set (SME + educator)
  • Rewarding employees via recognition, money, vacation time, etc.
    • Benefits: encourages correct behavior, resulting in better security, and creates a feeling of harmony between users and the security office
  • Frequent communications in the form of email reminders, newsletters, intranet page highlights, meeting reminders, special guest speakers at meetings, one-on-one reminders, and signs/posters
    • Benefits: emphasizes the importance of security, promotes awareness
  • Micro training: smaller modules than the typical annual training. An example would be a small module that trains users on how to avert phishing attempts, typically following an approved phishing campaign overseen by the information security office.

Note: providing education, training, and awareness to our employees is part of practicing due care.

Content Review and Evaluations

Reviewing the content of training and awareness materials is important for maintaining an effective security education program and reduces the likelihood that uneducated staff themselves become a vulnerability.

Periodic Content Review:

  • Whether the training covers all applicable laws, especially those concerning breaches and security practices.
  • Accurate discussion of security tools (examples might be phishing reporting buttons in your email application, incident logging tools, SIEM, and firewalls).
  • Security policy updates.
  • Attack methods currently directed at the organization.
  • Periodic content reviews are part of due diligence.

Effectiveness Evaluation:

  • Testing desired outcomes of the training, such as sending mock phishing emails to see who clicks on the links.
    • Note: starting with the desired outcome is the ideal place to begin an effectiveness evaluation, for example: ‘We want all employees to properly identify and report suspicious emails’.
  • Auditing, such as spot-checking desks to see if confidential material is lying around, or examining policies and standards to ensure they have the correct directives, goals, and legal citations.
  • Penetration testing that can include mock social engineering and other attacks to examine employee responses to structured attacks.
  • User log reviews can reveal whether or not employees are using the system for the purpose for which access was granted and whether their actions are in harmony with the entity’s training and awareness program.
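As an added illustration (not part of the original notes) of measuring a mock phishing campaign against the desired outcome above, and of picking the users who should get the follow-up micro training module: the script below scores constructed simulation results per user and per department. The event names, user names and departments are assumptions of this example.

```python
from collections import defaultdict

# Constructed results of a hypothetical approved phishing simulation (not real data):
# (user, department, event). Event names are assumptions of this example.
EVENTS = [
    ("alice", "finance", "delivered"), ("alice", "finance", "reported"),
    ("bob",   "finance", "delivered"), ("bob",   "finance", "clicked"),
    ("bob",   "finance", "reported"),  ("carol", "hr",      "delivered"),
    ("carol", "hr",      "clicked"),   ("dave",  "hr",      "delivered"),
]

def classify(events):
    """Map each user to (department, outcome), measured against the desired
    outcome 'identify and report suspicious email without clicking'."""
    seen, dept = defaultdict(set), {}
    for user, department, event in events:
        dept[user] = department
        seen[user].add(event)
    outcomes = {}
    for user, evs in seen.items():
        clicked, reported = "clicked" in evs, "reported" in evs
        if reported and not clicked:
            outcome = "reported_only"          # the desired behaviour
        elif clicked and reported:
            outcome = "clicked_then_reported"  # partial: damage limited by the report
        elif clicked:
            outcome = "clicked_no_report"      # worst case: compromise with no alert
        else:
            outcome = "no_action"              # ignored: safe but not detected
        outcomes[user] = (dept[user], outcome)
    return outcomes

def department_rates(outcomes):
    """Click rate and report rate per department: the two metrics an
    effectiveness evaluation tracks across successive campaigns."""
    totals, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for department, outcome in outcomes.values():
        totals[department] += 1
        clicks[department] += outcome.startswith("clicked")
        reports[department] += "reported" in outcome
    return {d: {"click_rate": round(clicks[d] / totals[d], 3),
                "report_rate": round(reports[d] / totals[d], 3)} for d in totals}

def needs_micro_training(outcomes):
    """Users who clicked: candidates for the follow-up micro training module."""
    return sorted(u for u, (_, o) in outcomes.items() if o.startswith("clicked"))
```

Running `department_rates(classify(EVENTS))` on the constructed data gives finance a 0.5 click rate with a 1.0 report rate and HR a 0.5 click rate with a 0.0 report rate, which is the kind of gap that points a security office at where micro training is needed first.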