Establish and Manage Security Education, Training and Awareness
Start course

This course concludes the final module of Domain 1 of the CISSP, covering security and risk management. It covers topics that include the identification of threats, diagramming potential attacks, performing reduction analysis, and also examines technologies and processes to remediate the threats.

Learning Objectives

The objectives of this course are to provide you with and understanding of:

  • Threat modeling and how to apply these modes within your environment
  • How to integrate security risk considerations into acquisitions strategy and practice
  • How to establish and manage security education, training, and awareness within your organization

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So we're going to continue on with section 12 in which we're going to establish and manage security education, training and awareness. So here we're going to talk about the appropriate levels of training, awareness, education that are needed in the organization and then periodic reviews for content relevancy. 

Looking at training and the need for it in an organization there's no end of the things that can result of a positive nature if people are properly trained to recognize, address and resolve these things and no end of trouble that can result if they're not. There's very few people who would ever dispute the importance and value of training and many say this is one of the highest return on investment and lowest actual cost types of controls that we can put in place. When we have security awareness, what we're doing is establishing an understanding common amongst all of our workforce of the importance and the need to comply with security policies throughout the organization and the basis for which they have come into existence so that they understand the why of the policy and can have any questions or concerns about that why being addressed. 

By doing formal security awareness training, we are able to craft our material and we are able to mold it to fit a particular message be that something the corporation itself wants, or something to do with a compliance requirement which is derived from outside the corporation and then implemented it through policy but this is a method by which the organizations are able to formally inform their employees about conditions in their roles. Things that they will encounter in those roles, methods and technologies that will be used to handle those roles from a select group and the expectations surrounding their roles and the observance of these requirements. So the activities and methods that we can use are really intended to create a culture of awareness. Now that may sound like a very popular phrase but the fact is the better a job we can do at this, the better effect we can have on the risks and the risk management processes within our organizations so that in the end what we're trying to achieve is how people can do the jobs they do but to do them and gain a better, more secure, more appropriate outcome with a minimum of fuzz, a minimum of bureaucracy and greater enablement if at all possible. Sometimes this can be provided through formalized courses. 

In many cases, we are bale to use less formalized things so that posters, walk throughs and other sorts of reminder-type elements can be used to seem less heavy-handed and yet still instill a most cultural sort of advance into the security program to protect the assets of the business. Some example topics that our program would cover. Obviously we want to be sure that we're training our employees in the corporate security policy so that they know quite literally what the rules of the road are. We want to be sure that they understand with relevance towards their particular roles and departments what the security program is about, the various objectives, the various steps that have to be taken and so on. In many cases, they will have to know exactly what compliance requirements are important to their role and require action and knowledge on their part to ensure that these are met. 

Another topic is social engineering. Here you see the box saying social engineering as an example of the kinds of human-based attacks we spoke of at the beginning of this particular module. In this particular kind of training, we want to go to the trouble to train our workforce members to recognize what social engineering style of attacks look like, both the ones that are direct coming to them through the telephone or directly from a person or the ones that come to them through our technology, most often delivered by email. Policies about do not click any links, block email that comes from unknown or untrusted sources or known untrusted sources. Rather than trying to make them experts in how this software works, we want them simply to follow a few simple rules and not take subsequent steps to receiving something tempting them to click a link or to visit a website or that there is any kind of situation where they would be able to share their username and password. It is very helpful for people to know the organization's position on this with great clarity. 

When it comes to training for business continuity or disaster recovery activities, this is where we give role-specific training for people throughout the organization letting them know what their particular role is, telling them of their roles of certain others that will be more actively involved in leadership roles when it comes to actual disaster recovery so that they will know what to do. We have of course security incident response and then when we train people on our workforce, we train them in here's what an incident might look like. If you see odd symptoms, here's the number that you call and of course for the people who are the responders, we give them training as well, specialized training for incident handling, how to handle a call when it comes in so that you can gain an appropriate amount of information and weed out false alarms. Training topics when people are generating information in our organization, we want to be sure that they know what it is that they're creating and how to label it so that other authorized users will always know what they're looking for because the information is properly and accurately labeled. 

Physical security is a common topic that needs to be exposed to everyone so that they know what to do, things that don't look normal. As we often hear in airports these days, TSA warns us that if you see something, say something, referring to anything unusual or anomalous that draws our attention, creates concern. Better to over report than to under report as we describe for all of our workforce what the proper care and handling of our security credentials, specifically those electronic things that we put into the computer and our badges, or any other sort of credential device that we have and then a role that they can all play respective to their department and their role and the overall risk assessment and management processes in our organization. Once again we're trying to conduct training to imbue the security culture that we want in our organization and these are the different ways that we can do this. We always have to be sure that the content that we're going to deliver aligns very closely with the roles and conditions of the employment of our intended audience. By properly targeting our material and our delivery to the audience, we can look forward to better effectiveness, perhaps not perfect but security is one of those topics that needs to be reviewed periodically and discussed periodically with our workforce to make sure that they appreciate that this not intended to be a police state creation action, we want them to understand that there is a real effectiveness level that we need to achieve to ensure that our assets, information and other things are properly protected and that they play an important role in achieving that level of protection, so in domain one we have covered different areas all of which in their own way address the topical area of risk assessment by dealing with the human, the technological, the physical, the process and other aspects of risk management we're able to recognize and act productively and effectively to reduce the possible effects of negative events on the assets that our business relies on. We've addressed a bit about how to handle business continuity, a natural outgrowth of the risk management process and we will talk about it again in other modules forthcoming and we've addressed the relationship that exists between the different elements of risk and we've closed out by addressing the primary one, the human element. 

So that concludes our discussion of the CISSP review seminar domain one, security and risk management. Please join us again as we're going to continue our discussion with domain two.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.

Covered Topics