From a government's perspective, security, education, training and awareness or SETA is the process through which users are made compliant with security expectations. Sometimes, this can devolve into simply checking the box that the security group completed this task. However, in order to have any chance of protecting digital assets, the security group must try to make users purposefully complicit in security effort rather than accidentally complicit with hackers. In essence, successful see the programs help users understand that they are both a part of the security problem and its solution. [SOUND] This is not to say that SETA program should not be a formal part of a security strategy. Definitely this box should be checked. But, how the program is delivered is going to be made more successful by understanding the intent of each part. User awareness of security concerns and the role they can play could generate know-what knowledge. Awareness programs can be carried out through simple messaging, like emails, texts, newsletters, or even posters. User training that incorporates hands-on components can generate know-how. Both awareness in training should be tailored to the user. This can be done by role. For example, technical, general, or managerial roles, or it can be done by experience. For example, novice, intermediate, and advanced training could be made available. Finally, and potentially most importantly, know why knowledge must be purposefully developed through user education efforts. This can happen through active and engaged mentoring and situational exercises like cyber attack simulations. [SOUND] Some topics not covered by SETA programs include insider threats and privileged users. As I described SETA trading, I said the target of such trading is to reduce accidental security breaches. This assumes all insiders, company employees, contractors, customers, etc., have honorable intentions. However, sometimes members of these groups can become disgruntled or simply see an opportunity to make money that does not violate their personal ethics even if it may violate the law. Such individuals may engage in behavior that results in a data leak, security groups must target these activities and attempt to ideally prevent them but at a minimum detect them. However, it is been argued including this concern to the SETA program may do as much harm as good. However, SETA programs may include telling employees how to report perceived abuses. Privileged users are those employees like security managers or technical leads who's jobs require greater system access as such these privileged user accounts are often the target of hackers because their credentials allow much greater system access than the average employee. These employees must be the most vigilant in their security practices. However, see the programs are typically not designed with these users in mind. Their security practices must be addressed more personally. [SOUND] Once an organization has designed it's SETA program and identified who is the target and who's not, delivery becomes a key decision. The readings provide a lot of information about how awareness, training and education can be delivered. Key among this information is that costs cannot be the primary driver, at least not the sole primary driver. Understanding how people learn, and how behavior gets changed, or key to designing an effective delivery mechanism where there is no one best choice for effective delivery of awareness training or education. There's certainly growing consensus that some combination of delivery method is preferred along with some matching of knowledge type to method. With choices of method including, for training, formal classes, 1-on-1 coaching, computer-based training, user support groups. For awareness, videos, posters, newsletters, conferences, trinkets like coffee mugs, and for education; readings, formal instruction, seminars. SETA program managers may feel overloaded with options. It's important to consider two things. One, people of different learning styles and employees have different needs. And two, there's evidence to suggest that knowledge is better attained when absorbed through multiple channels.
