AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS

DISCUSSION [NIST SP 800-171 R2]

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.

NIST SP 800-50 provides guidance on security awareness and training programs.

Further Discussion

Awareness training focuses user attention on security. Several techniques can be used, such as:

synchronous or asynchronous training;

simulations (e.g., simulated phishing emails);

security awareness campaigns (posters, reminders, group discussions); and

communicating regular email advisories and notices to employees.

Awareness training and role-based training are different. This practice, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2-3.2.2.

Example

You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:

suspicious-looking email address or domain name;

a message that contains an attachment or URL; and

a message that is poorly written and often contains obvious misspelled words.

You encourage everyone to not click on attachments or links in a suspicious email [c]. You tell employees to forward such a message immediately to IT security [d]. You download free security awareness posters to hang in the office [c,d]. You send regular emails and tips to all employees to ensure your message is not forgotten over time [c,d].
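As an added illustration of the three traits the presentation above highlights, the following Python script (example code written for this page, not part of the CMMC guide or its assessment materials) triages a forwarded message for a look-alike sender domain, an attachment or URL, and obvious misspellings. The trusted-domain list, the list of common misspellings, the edit-distance threshold, and both sample messages are constructed assumptions; a real program would draw them from the organization's mail gateway and spell-checking data.

```python
"""Heuristic triage of a forwarded e-mail for three basic phishing traits.

Added example, not part of the CMMC guide. The trusted domains, the
misspelling list, the thresholds and the sample messages are assumptions
constructed for illustration only.
"""
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com"}  # assumed: domains the organization sends mail from

# Constructed list of misspellings that frequently appear in phishing lures.
COMMON_MISSPELLINGS = {
    "recieve", "acount", "verfiy", "imediately", "securty",
    "pasword", "confrim", "informations", "suspened",
}

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted look-alikes of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_finding(address: str) -> Optional[str]:
    """Describe why the sender domain is suspicious, or return None if it is trusted."""
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return "sender address has no domain"
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Threshold of 2 edits is an assumption; it catches examp1e.com, exampel.com, etc.
        if 0 < edit_distance(domain, trusted) <= 2:
            return f"sender domain {domain!r} looks like trusted domain {trusted!r}"
        if trusted in domain:  # e.g. example.com.mail-relay.net
            return f"sender domain {domain!r} embeds trusted domain {trusted!r}"
    return f"sender domain {domain!r} is not a trusted domain"


def phishing_indicators(msg: EmailMessage) -> List[str]:
    """Return the list of traits found; an empty list means none of the three were seen."""
    findings = []
    _display_name, address = parseaddr(msg.get("From", ""))
    finding = domain_finding(address)
    if finding:
        findings.append(finding)

    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if attachments:
        findings.append("attachment(s): " + ", ".join(attachments))

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body is not None else "")
    urls = URL_RE.findall(text)
    if urls:
        findings.append(f"{len(urls)} URL(s) in body")

    words = re.findall(r"[a-z]+", text.lower())
    misspelled = sorted({w for w in words if w in COMMON_MISSPELLINGS})
    if misspelled:
        findings.append("misspelled words: " + ", ".join(misspelled))
    return findings


def sample_phish() -> EmailMessage:
    """Constructed phishing sample (not a real message)."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "IT Security <helpdesk@examp1e.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Urgent: verfiy your acount"
    m.set_content("Your pasword expires today. Verfiy at http://examp1e.com/login "
                  "or open the attached form.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="form.pdf")
    return m


def sample_legit() -> EmailMessage:
    """Constructed benign sample from a trusted colleague."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "Alice <alice@example.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today's meeting are in the shared drive. Thanks, Alice")
    return m


if __name__ == "__main__":
    for m in (sample_phish(), sample_legit()):
        print(m["Subject"], "->", phishing_indicators(m) or ["no indicators"])
```

The script scores a message only on the traits the presentation teaches, so a well-written lure from a freshly registered domain with no link would pass; that is the same gap a user relying on these cues has, which is why the guidance above pairs the traits with "forward it to IT security" rather than asking users to make the final call.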

Potential Considerations

Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?

Do training materials identify the organizationally defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?

Copyright

Copyright 2020, 2021 Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC.

Copyright 2021 Futures, Inc.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center, and under Contract No. HQ0034-13-D-0003 and Contract No. N00024-13-D-6400 with the Johns Hopkins University Applied Physics Laboratory LLC, a University Affiliated Research Center.

The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

NO WARRANTY. THIS MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY AND THE JOHNS HOPKINS UNIVERSITY APPLIED PHYSICS LABORATORY LLC MAKE NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL NOR ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.