Security awareness training has made great strides in terms of recognition and adoption over the past decade. As such, it might seem odd for us to dedicate a blog to defining this term. But our goal isn’t to define security awareness training at a basic level. Rather, it’s to encourage you to think beyond the basics. And part of that is considering how you define security awareness training for those who will determine the success of your program: your end users.
Don’t Be Basic
Many cybersecurity professionals have a relatively narrow focus on what security awareness training means for their organizations. It’s understandable, especially since the infosec industry generally has a fairly narrow definition of it as well. Here’s an example from TechTarget’s WhatIs.com:
Security awareness training is a formal process for educating employees about computer security.
A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about who to contact if they discover a security threat and be taught that data is a valuable corporate asset.
What, you might wonder, is wrong with this definition? It is, you might argue, fairly broad. And you’d be correct—to a degree. “Corporate policies and procedures” is certainly an expansive, chameleon-like subject. And the wide-ranging definition of “data” (and its v ..