CHAPTER 11 Security Awareness Training Overview

No matter how good your policies and technical defenses are, some social engineering and phishing will reach end users, who will then have to make a decision. For that reason, end users must be taught how to recognize the signs of a malicious message or request and what to do about it. Chapter 11 describes the security awareness training program every organization should have in place to significantly reduce cybersecurity risk.

What Is Security Awareness Training?

Every organization should have a formal Security Awareness Training (SAT) program. But why is it called Security Awareness Training? Why isn't computer security training or computer security education a better descriptor?

First, SAT focuses on computer security, both physical and logical, as opposed to comprehensive employee training across all disciplines. It doesn't cover non-cybersecurity training topics, such as harassment, corruption, and OSHA workplace laws; those fall under a broad topic generally known as compliance training. It does cover physical security as it exists to protect cyber assets. SAT might not cover what a person should do to prevent their car from being stolen, but it might cover how to prevent their laptop from being stolen from their car. It certainly includes how to prevent an unauthorized person from physically accessing an organization's work perimeter and cyber assets. SAT is about protecting and securing cyber assets and the confidential ...
