1. Home
  2. Training Library
  3. Procedural and people security [CISMP]

Training and awareness

Training and awareness

A crucial part of fostering a positive and effective security culture is creating a training suite that’s informative, engaging, and tailored to the target audience.

It might seem simple, but there’s a lot that goes into creating a solution that delivers success, so let’s spend some time looking through some hints, tips, and best practices now.

Icon showing staff security training. Trainer points to screen while staff attend.

Who needs security training?

Anyone with access to the enterprise’s information systems should receive some form of information security education and training. The level of training needed can vary with their role, but it should ensure that they can carry out essential assurance procedures. It should also give the recipient an understanding of the correct use of their information systems. It should always make the individual aware of the acceptable use policy, no matter who they are.

Security training should: 

  • Help individuals to understand their assurance responsibilities 
  • Explain how the organisations information assets can be put at risk and how this can be avoided
  • Be tailored to the role of the recipients

So, how do you make sure you get your training right? Let’s move on to look at some different approaches


A great way to get people on board with security measures is by using case studies. Essentially, stories that are realistic and seem as though they could happen to anyone. Security incidents that may have occurred previously within the organisation or within other similar organisations are the perfect place to start.

Audio-visual training provides input via two senses - improving and reinforcing learning. PowerPoint and audio training provides positive reinforcement.

Security awareness and training should be seen as a mandatory, continuous process rather than a once-only exercise. Its overall objective is to reduce information assurance risk by developing a positive security culture. This happens when individuals and the organisation understand and respect what’s required from them as a whole.

There are two broad approaches to improving levels of knowledge:

  1. Through specific information security training - Instruction should be focused and addresses specific issues. Its primary aim is to give the user a certain level of competence in a given area.
  2. Through raising awareness of information security - Awareness is more general and aims to create a change in user behaviour and influence the perception of risk.

Best practice

Here are some best practice tips to take forward with you if you’re ever implementing training within your own organisation:

  • Use a tone of voice appropriate for your target audience
  • Use simple and concise language, avoiding jargon wherever possible
  • Use a mixture of audio and visual training assets like video, animation, or podcast style interviews to reinforce learning
  • Keep learning blended by using a mixture of active and passive experiences – i.e., not just reading and watching, but taking part and answering too

What's next?

Before moving on to the next Learning Path, which will look at Technical security controls, our experts Mark and David will be discussing acceptable use policy, practice, and restriction in computer technologies.


Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with or involve staff/ex-staff members. Therefore, it’s essential that all staff follow correct policies and procedures so they foster an appropriate security culture.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.