Awareness Versus Training

Eric Conrad seems to indicate in his CISSP book that "awareness" aims to change behavior, training, to provide a skill set. Why are both necessary? Is it because despite training in applying a skill, someone, say an end user for example, might not see the need (intellectually) to apply that knowledge to their life? So, they need us to bring awareness to them about the importance of the need to practice the security skills they have?

Just wondering,

Thanks,

Dovid

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

f0rgiv3n

Awareness would provide the knowledge for someone to think for themselves. It changes their behavior because they are now aware of the risks involved with using a Internet-connected computer.

Training will provide a skill and mechanism for what to do with that awareness. Say they only have the awareness portion "i know that phishing emails exist" and receive a phishing email. If they do not have any training, they might not know what to do with the phishing email. That example is sort of funky and basic but hopefully it gets the idea across?

"I'm aware of my surroundings, but how do I react to what is happening?" "Here, let me train you."

Chassidic1

Thanks f0rgiv3n, makes sense

JDMurray

f0rgiv3n wrote: »

"I'm aware of my surroundings, but how do I react to what is happening?" "Here, let me train you."

Did you get this from a flashback scene in an episode of Kung Fu?

paul78

I don't have the Conrad book handy so I can't be certain in what context he is discussing security awareness and training. The basic description from @f0rgiv3n is spot on.

But from a practical real-world perspective, awareness and training are two different objectives and goals. A lot of companies will mandate security awareness training for all employees (many times it's a contractual or regulatory obligation). This type of Awareness training would take the form of educating the staff of the risks in the workplace and how to escalate or report security issues. I.e. why phishing is bad and what action the employee should take.

Actual security training take the form of targeted training. Security training is always most effective when it is targeted at the specific audience. For example, incident managers may be required to take training on evidence handling or developers may be required to take training on OWASP coding practices.