
94 ◾ Information Security Management Handbook
To say it in a different way, your goal should be education and awareness, not training—an
effective result, rather than just more action. To achieve that goal, you have to get your employees to
internalize the information, meaning they understand the concepts well enough to act appropriately
in new situations. You cannot accomplish this goal by simply doing training, dropping notes in the
newsletter, and putting up posters. You have to adopt multiple learning and teaching modalities.
Learning and teaching styles vary among people; each person has their own strength. e key
to better security awa