Security Education, Awareness and Training: From Theory to Practice

When we took our quick look at the TEAM model for security education, we saw that what we would call "training" is what we do to make people able to perform their roles in our security program. And in looking at performance problem solving, we saw that training (or some alternative) was usually the right intervention if we found a skill, knowledge, or information shortfall. But we also saw there was another, odd component of the program education. Training, you'll recall, helps people with the who, what, where, when, and how of a task or set of tasks. Education goes one step beyond that and deals with the whys.
Too many times, the education component of security education gets the short end of the stick. We're busy. Our time is valuable. We gotta get people trained. Educating them would be nice, but that sort of thing takes a lot of time, which we don't have. We're busy and the people in our organization are busy, and "nice-to-haves" just don't happen in the security business.
In this chapter, we'd like to help you kick two ideas in the head. The first is that educating people is something you do only in formal settings, with classes and textbooks. The second is that education is kind of a nebulous thing that really doesn't have much payoff in the real world of a day-to-day security program. We'd like to suggest that education can take many hours or...