Security Education, Awareness and Training: From Theory to Practice

We want to use security education as a means of improving the quality of our security program. That's our basic goal. Now let's look at some specific objectives. We'll break them up into three handy categories or phases: installation, maintenance, and enhancement. It's useful to think about these categories because you may want to use different tactics, depending on which type you're doing. They are also a good way to start thinking about when security education can and should be having a positive impact on your program.
In the installation category of security education, you're dealing with something new. It might be a new task to be performed. It might be a new person in the organization. It might be a person who's been around a while, but now has to perform a task that he or she hasn't done before. It might be a new method of performing a task either a change you've made or one that's been imposed by higher-ups in your agency or corporate management structure. So far, things are obvious. When we get new people in our organizations, we give them a good grounding in security rules. If people change jobs, we make sure they know what their responsibilities are in their new positions. If there's a new security requirement, we make sure people know about it. When we change a procedure, common sense leads us to get the word out.
The one area that falls under the...