66: Learning is a continuum
Learning is a continuum; it starts with awareness, builds to training, and evolves into education.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
67: Security Awareness
Security awareness efforts are designed to change behavior or reinforce good security practices.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
68: Awareness is not training.
Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
69: Security Awareness: Roles and Responsibilities
While it is important to understand the policies that require agencies to develop and implement awareness and training, it is crucial that agencies understand who has responsibility for IT security awareness and training. This section identifies and describes those within an organization who have responsibility for IT security awareness and training.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
70: Security Awareness: Training Parts
A successful IT security program consists of: 1) developing IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in agency security policy and procedures; and 3) establishing processes for monitoring and reviewing the program.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
71: Awareness
Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
72: Training
The »Training« level of the learning continuum strives to produce relevant and needed security skills and competency by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing).
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
73: Education
The »Education« level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
74: Steps in the development of an IT security awareness and training program
There are three major steps in the development of an IT security awareness and training program – designing the program (including the development of the IT security awareness and training program plan), developing the awareness and training material, and implementing the program.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
75: Structuring an Agency Awareness and Training Program
An awareness and training program may be designed, developed, and implemented in many different ways. Three common approaches or models are described below: *[ [Model 1: Centralized policy, strategy, and implementation;] [Model 2: Centralized policy and strategy, distributed implementation; and] [Model 3: Centralized policy, distributed strategy and implementation.] ]*
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
76: Evaluating training effectiveness
Evaluating training effectiveness is a vital step to ensure that the training delivered is meaningful. Training is “meaningful” only when it meets the needs of both the student (employee) and the organization. If training content is incorrect, outdated, or inappropriate for the audience, the training will not meet student or organizational needs. If the delivery vehicle (e.g., classroom or computer-based training) is inappropriate, either in relation to the simplicity/complexity of the content or to the type of audience—or if there is an inadequate mix of vehicles in an agency’s overall training program—the training will not meet needs. Spending time and resources on training that does not achieve desired effects can reinforce, rather than dispel, the perception of security as an obstacle to productivity. Further, it can require the expenditure of far more resources in data or system recovery after a security incident occurs than would have been spent in prevention activities.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
77: Purposes of Training Effectiveness Evaluation
Meaningfulness, or effectiveness, requires measurement. Evaluating training effectiveness has four distinct but interrelated purposes -- to measure: *[ [The extent to which conditions were right for learning and the learner’s subjective satisfaction;] [What a given student has learned from a specific course or training event, i.e., learning effectiveness;] [A pattern of student outcomes following a specific course or training event; i.e., teaching effectiveness; and] [The value of the specific class or training event, compared to other options in the context of an agency’s overall IT security training program; i.e., program effectiveness.] ]*
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
78: evaluation process
An evaluation process should produce four types of measurement, each related to one of evaluation’s four purposes, as appropriate for three types of users of evaluation data: *[ [First, evaluation should yield information to assist the employees themselves in assessing their subsequent on-the-job performance.] [Second, evaluation should yield information to assist the employees’ supervisors in assessing individual students’ subsequent on-the-job performance.] [Third, it should produce trend data to assist trainers in improving both learning and teaching.] [Finally, it should produce return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole.] ]*
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
79: levels of evaluation
Four levels of evaluation, in order of complexity, are: *[ [Level 1: End-of-Course Evaluations (Student Satisfaction)] [ Level 2: Behavior Objective Testing (Learning Effectiveness, which is also a measure of Teaching Effectiveness)] [Level 3: Job Transfer Skills (Performance Effectiveness)] [ Level 4: Organizational Benefit (Training Program Effectiveness)] ]* Altogether, the four levels match the four purposes of training evaluation [...] in a staged manner.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
100: Setting the bar
Setting the bar means that a decision must be made as to the complexity of the material that will be developed; it applies to all three types of learning – awareness, training, and education.
Learning; Awareness; Motivation;
{nist} 'Mark Wilson and Joan Hash' (2003) : Building an Information Technology Security Awareness and Training Program
139: Security Awareness: required for
“Security Awareness” is explicitly required for ALL employees, whereas “Security Basics and Literacy” is required for those employees, including contractor employees, who are involved in any way with IT systems. In today’s environment this typically means all individuals within the organization.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
140: Security Basics and Literacy
The “Security Basics and Literacy” category is a transitional stage between “Awareness” and “Training.” It provides the foundation for subsequent training by providing a universal baseline of key security terms and concepts.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
141: Roles and Responsibilities Relative to IT Systems
After “Security Basics and Literacy,” training becomes focused on providing the knowledge, skills, and abilities specific to an individual’s “Roles and Responsibilities Relative to IT Systems.” At this level, training recognizes the differences between beginning, intermediate, and advanced skill requirements.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
142: Education and Experience
The ›Education and Experience‹ level focuses on developing the ability and vision to perform complex multi-disciplinary activities and the skills needed to further the IT security profession and to keep pace with threat and technology changes.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
143: Awareness Activity
Learning achieved through a single awareness activity tends to be short-term, immediate, and specific. Training takes longer and involves higher-level concepts and skills. For example, if a learning objective is “to facilitate the increased use of effective password protection among employees,” an awareness activity might be the use of reminder stickers for computer keyboards. A training activity might involve computer-based instruction in the use of passwords, parameters, and how to change the passwords for organization systems.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model
144: Effective IT security awareness presentations
Effective IT security awareness presentations must be designed with the recognition that people tend to practice a tuning-out process called acclimation. If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus. Thus, awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner’s attention so that the learning will be incorporated into conscious decision-making. This is called assimilation, a process whereby an individual incorporates new experiences into an existing behavior pattern.
Learning; Awareness; Motivation;
{nist800-16} 'Mark Wilson and Dorothea E. {de Zafra} and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003) : Information Technology Security Training Requirements: A Role- and Performance-Based Model