By: Khaled Alateeq

By: Khaled Alateeq. Learning Objectives What is SETA? What are its purposes? Security Education Security Training Security Awareness

Learning Objectives

What is SETA?

What are its purposes?

Security Education

Security Training

Security Awareness

Define security education, training and awareness

List situations where each strategy is appropriate

Identify how organizations can use each strategy to mitigate threats to information security

SETA is an acronym for Security Education, Training, and Awareness.

It targets all users in an organization with specific programs for their jobs and level of technical expertise

The SETA program is generally the responsibility of the Governance And Privacy Dept.

SETA holds employees accountable for their actions by communicating policy to all users

Builds an in-depth knowledge base to design, implement, or operate security programs for organizations and systems

Develops skills and knowledge so that users can perform their jobs using IT systems more securely

Improves awareness of the need to protect system resources

Most basic level of SETA

Used for employees who are new or unskilled

Gets employees to focus on security

Least common, but extremely effective

Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, and bulletin boards to reach employees

An example of a Security Awareness topic: ‘Virus Protection’

What would the session cover?

How does this benefit all users?

Focus on people both as a part of the problem and as part of the solution.

Refrain from using technical jargon; speak the language the users understand.

Use every available venue to access all users.

Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it.

Keep things light; refrain from "preaching" to users.

Don't overload the users with too much detail or too great a volume of information.

Help users understand their roles in information security and how a breach in that security can affect their jobs.

Take advantage of in-house communications media to deliver messages.

Make the awareness program formal; plan and document all actions.

Provide good information early, rather than perfect information late.

Intermediate level of SETA

According to NIST SP 800-16:

Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

Provides detailed information and hands-on instruction

Teach users what to do and how to do it

Employees are divided into general users, technical users, and managerial users at beginner, intermediate, and advanced levels

General users are trained in the policies of the organization such as security practices, password management, violation reporting, and access controls. It is best to do this when they are first hired.

Managerial users should be trained in smaller groups to facilitate discussion.

Technical users are trained more in-depth than general and managerial users. This is often outsourced because of the high level of expertise required. Technical users are often separated according to job category, job function, and technology product.

Effective training programs are crucial to the success of an organization

Wrong training methods can lead to unnecessary expense and to frustrated, poorly trained employees.

Good training methods, regardless of delivery method, take advantage of the latest learning technologies and best practices.

One-on-One Method

Formal Class

Computer-Based Training

Distance Learning / Web Seminars

User Support Groups

On-the-Job Training

Self-Study

Depending on the training delivery method chosen, a dedicated training staff may be required.

They should continually provide specific, effective training programs for an organization’s employees.

Staff must assess organizational needs, plan effective programs, implement these programs, and evaluate their effectiveness.

Step One: Identify the Program’s Scope, Goals, and Objectives

Step Two: Identify the Training Staff

Step Three: Identify the Audience

Step Four: Motivation

Step Five: Administer the Security Training

Step Six and Seven: Listen to employee feedback, evolve the program to increase its effectiveness.

Highest level of SETA

Used for employees in highly technical or skilled positions that demand greater information security

Having a good Information Security Program is not enough.

SETA is crucial to a successful information security program in an organization.

Helps minimize loss of information assets and hold employees accountable for breaking policies.
