71: Awareness
Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
72: Training
The “Training” level of the learning continuum strives to produce relevant and needed security skills and competency by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing).
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
73: Education
The “Education” level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
74: steps in the development of an IT SAK
There are three major steps in the development of an IT security awareness and training program – designing the program (including the development of the IT security awareness and training program plan), developing the awareness and training material, and implementing the program.
Awareness; Security; Behavior; Learning; Training;
{nist} 'Mark Wilson and Joan Hash' (2003): Building an Information Technology Security Awareness and Training Program
75: Structuring an Agency Awareness and Training Program
An awareness and training program may be designed, developed, and implemented in many different ways. Three common approaches or models are described below:
- Model 1: Centralized policy, strategy, and implementation;
- Model 2: Centralized policy and strategy, distributed implementation; and
- Model 3: Centralized policy, distributed strategy and implementation.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
76: Evaluating training effectiveness
Evaluating training effectiveness is a vital step to ensure that the training delivered is meaningful. Training is “meaningful” only when it meets the needs of both the student (employee) and the organization. If training content is incorrect, outdated, or inappropriate for the audience, the training will not meet student or organizational needs. If the delivery vehicle (e.g., classroom or computer-based training) is inappropriate, either in relation to the simplicity/complexity of the content or to the type of audience—or if there is an inadequate mix of vehicles in an agency’s overall training program—the training will not meet needs. Spending time and resources on training that does not achieve desired effects can reinforce, rather than dispel, the perception of security as an obstacle to productivity. Further, it can require the expenditure of far more resources in data or system recovery after a security incident occurs than would have been spent in prevention activities.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
77: Purposes of Training Effectiveness Evaluation
Meaningfulness, or effectiveness, requires measurement. Evaluating training effectiveness has four distinct but interrelated purposes -- to measure:
- The extent to which conditions were right for learning and the learner’s subjective satisfaction;
- What a given student has learned from a specific course or training event, i.e., learning effectiveness;
- A pattern of student outcomes following a specific course or training event; i.e., teaching effectiveness; and
- The value of the specific class or training event, compared to other options in the context of an agency’s overall IT security training program; i.e., program effectiveness.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
78: evaluation process
An evaluation process should produce four types of measurement, each related to one of evaluation’s four purposes, as appropriate for three types of users of evaluation data:
- First, evaluation should yield information to assist the employees themselves in assessing their subsequent on-the-job performance.
- Second, evaluation should yield information to assist the employees’ supervisors in assessing individual students’ subsequent on-the-job performance.
- Third, it should produce trend data to assist trainers in improving both learning and teaching.
- Finally, it should produce return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model
79: levels of evaluation
Four levels of evaluation, in order of complexity, are:
- Level 1: End-of-Course Evaluations (Student Satisfaction)
- Level 2: Behavior Objective Testing (Learning Effectiveness, which is also a measure of Teaching Effectiveness)
- Level 3: Job Transfer Skills (Performance Effectiveness)
- Level 4: Organizational Benefit (Training Program Effectiveness)
Altogether, the four levels match the four purposes of training evaluation [...] in a staged manner.
Awareness; Security; Behavior; Learning; Training;
{nist800-16} 'Mark Wilson and Dorothea E. de Zafra and Sadie I. Pitcher and John D. Tressler and John B. Ippolito' (2003): Information Technology Security Training Requirements: A Role- and Performance-Based Model