Awareness, Training, and the Four-Stage Learning Model

In some guidance documents (e.g., NIST SP 800-16), you’ll find a distinction drawn between “awareness” and “training” even though most of us use the words together when talking about education of end-users. There’s actually a good theoretical basis for differentiating between them but, in practice, the value of treating them separately is less clear.

In Theory

Let’s start by considering the widely-used 4-stage model that describes the progression of students from incompetence to competence in a skill. Here’s how the 4 stages are typically defined:

1. Unconscious Incompetence
The individual neither understands nor knows how to do something, nor recognizes the deficit, nor has a desire to address it.

2. Conscious Incompetence
Though the individual does not understand or know how to do something, he or she does recognize the deficit, without yet addressing it.

3. Conscious Competence
The individual understands or knows how to do something. However, demonstrating the skill or knowledge requires a great deal of consciousness or concentration.

4. Unconscious Competence
The individual has had so much practice with a skill that it becomes “second nature” and can be performed easily (often without concentrating too deeply). He or she may or may not be able to teach it to others, depending upon how and when it was learned.

Ref: Wikipedia – http://en.wikipedia.org/wiki/Four_stages_of_competence

These map pretty well onto what we see in the workplace: people who are oblivious to security issues, people who realize there are security issues but don’t know what to do about them, people who know what to do when they think about it, and people who behave in a secure way without having to think about it.

Obviously, our ultimate aim is to move our students from Stage 1 (not recognizing security threats, and/or not knowing what to do when they see them) to Stage 4 (good security practice being second nature).

So how do the terms “awareness” and “training” map onto this model? “Awareness” is basically the process by which we try to move students from Stage 1 to Stage 2 by helping them to recognize what is going on, and how their current practice is insufficient. “Training” is the process by which we try to move students from Stage 2 to Stage 3 by telling them how to deal with the threats we identified during the Awareness phase.

And what of the other two transitions? Stage 3 to Stage 4 can only be achieved through “practice” – repetition of the newly learned behavior until it’s second nature. Stage 4 to Stage 1 is (sadly) out of our control as educators. It occurs when the students forget what they learned, or become sloppy, or the threat environment changes.

In Practice

In the workplace, the value in treating “awareness” and “training” as separate programs is less clear. Most of us who’ve been involved in setting up a training program for an organization know all too well that the time available for students to cover information security is extremely limited. A typical organization might allocate a few hours of training time during the new hire (or “onboarding”) process, maybe an hour each year for refresher training, plus a few minutes from time to time during staff meetings.

Given this lack of time, we’re basically forced to deal with the awareness and the training aspects in one course, or session, or presentation – perhaps supplemented with short reminders (emails, posters …) from time to time after that.

This is a case where the practical realities don’t align very well with the theoretical distinctions, and it is the reason why most of us talk about “awareness training” as a single term.
