NIST Special Publication 800-50
In awareness activities, the learner is the recipient of information, whereas the learner in a training
environment has a more active role. Awareness relies on reaching broad audiences with attractive
packaging techniques. Training is more formal, having a goal of building knowledge and skills to
facilitate the job performance.”
An example of a topic for an awareness session (or awareness material to be distributed) is virus
protection. The subject can simply and briefly be addressed by describing what a virus is, what can
happen if a virus infects a user’s system, what the user should do to protect the system, and what the user
should do if a virus is discovered. A list of possible awareness topics can be found in Section 4.1.1.
A bridge or transitional stage between awareness and training consists of what NIST Special Publication
800-16 calls Security Basics and Literacy. The basics and literacy material is a core set of terms, topics,
and concepts. Once an organization has established a program that increases the general level of security
awareness and vigilance, the basics and literacy material allow for the development or evolution of a
more robust awareness program. It can also provide the foundation for the training program.
2.3 Training
Training is defined in NIST Special Publication 800-16 as
follows: “The ‘Training’ level of the learning continuum
strives to produce relevant and needed security skills and
competencies by practitioners of functional specialties other
than IT security (e.g., management, systems design and
development, acquisition, auditing).” The most significant difference between training and awareness is
that training seeks to teach skills, which allow a person to perform a specific function, while awareness
seeks to focus an individual’s attention on an issue or set of issues. The skills acquired during training are
built upon the awareness foundation, in particular, upon the security basics and literacy material. A
training curriculum need not lead to a formal degree from an institution of higher learning;
however, a training course may contain much of the same material found in a course that a college or
university includes in a certificate or degree program.
An example of training is an IT security course for system administrators, which should address in detail
the management controls, operational controls, and technical controls that should be implemented.
Management controls include policy, IT security program management, risk management, and life-cycle
security. Operational controls include personnel and user issues, contingency planning, incident handling,
awareness and training, computer support and operations, and physical and environmental security issues.
Technical controls include identification and authentication, logical access controls, audit trails, and
cryptography. (See NIST Special Publication 800-12, An Introduction to Computer Security: The NIST
Handbook, for in-depth discussion of these controls
(http://csrc.nist.gov/publications/nistpubs/index.html).)
2.4 Education
Education is defined in NIST Special Publication 800-16 as
follows: “The ‘Education’ level integrates all of the security
skills and competencies of the various functional specialties
into a common body of knowledge, adds a multidisciplinary
study of concepts, issues, and principles (technological and
social), and strives to produce IT security specialists and
professionals capable of vision and pro-active response.”