What is Security Awareness?

NEC Security Blog

Feb 5, 2021

The number of cyber-attacks such as phishing and targeted e-mail attacks, which compromise the recipient as the starting point of a cybersecurity incident, has been increasing. Organizations need to recognize this as a significant threat, because these attacks target "people", who tend to neglect security countermeasures and are therefore relatively easy to attack.
Security awareness is a countermeasure against such attacks that target people.

In this article, I would like to explain what security awareness is by quoting from NIST SP 800-16 and NIST SP 800-50.

NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (hereinafter referred to as NIST SP 800-16) [1], and NIST SP 800-50, Building an Information Technology Security Awareness and Training Program (hereinafter referred to as NIST SP 800-50) [2] [3].

What is Security Awareness?

Here is the definition of security awareness quoted from NIST SP 800-16.
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly."

For a better understanding, here is the same passage as it appears in the Japanese translation of NIST SP 800-50 by IPA (SP 800-50 is closely related to SP 800-16); rendered back into English it reads:
"Raising awareness is not training. The purpose of raising awareness is simply to direct attention to security. Raising awareness is intended for each individual to recognize IT security problems and respond appropriately."

As stated in the quote, security awareness can be interpreted as a way of making people "aware" of security risks when they use IT systems, and of helping them recognize the right actions when problems occur.

Note:
Based on the content and context of NIST SP 800-16, "awareness" in the quote is taken to be synonymous with "security awareness".
Note:
From here on, security awareness is referred to simply as awareness.

The nuance of the word is difficult (for Japanese people) to grasp, but I think the point is that it is about making people "aware", not about making them "able". Awareness has been translated into Japanese as "意識向上 (ishiki-kojo: raising awareness)", and typical awareness initiatives include posters and fliers. The word itself shows that awareness is only meant to raise consciousness of the issue. (Note: conversely, the Japanese term may sound confusing if you are not a Japanese speaker.)

Some might say that awareness alone is insufficient as a countermeasure, and indeed it is training that you need in order to actually be able to "do" something.

The relationship between awareness, training, and education is described in NIST SP 800-16 and NIST SP 800-50. NIST SP 800-50 gives the more concise definition of training:
"Training strives to produce relevant and needed security skills and competencies."

As stated in the quote, training makes people learn and master the necessary skills. If you want your employees to be able to respond appropriately to targeted e-mail attacks, you train them to do so.

Awareness and IT Security Literacy

You may wonder what the difference is between awareness and IT security literacy.
NIST SP 800-16 says the following about IT security literacy:
"IT Security literacy refers to an individual's familiarity with-and ability to apply-a core knowledge set (i.e., "IT security basics") needed to protect electronic information and systems."
(Author's translation, rendered back into English)
"IT security literacy means understanding the core body of knowledge needed to protect information and systems (that is, the basics of IT security) and being able to put it into practice."

Awareness is not about understanding and practicing a systematic body of security knowledge; rather, it is about making people aware of what kinds of security risks exist in their business and what kinds of countermeasures are appropriate.

IT security literacy is the acquisition of systematic knowledge of basic information security, so being IT security literate is more like being able to say, "I've worked through the basic security textbooks, so I know the basics."

Security Awareness Training

Now we can see how awareness and training differ.
However, if you search the internet for the keyword "security awareness", you will find that various companies offer paid training under the name "security awareness training". Awareness and training are supposed to be different, so what, then, is security awareness training?

Here is the definition of Awareness Training from NIST SP 800-16 Rev. 1, A Role-Based Model for Federal Information Technology/Cybersecurity Training (3rd Draft) (hereinafter referred to as NIST SP 800-16RD) [4], which is cited for reference only, as it is a retired draft that was withdrawn in 2019. Since NIST SP 800-16RD defines Awareness and Training separately from Awareness Training, it is better to think of Awareness Training as a single term rather than as two terms placed side by side.
"Awareness Training - consists of instructor-led, on-line courses, exercises or other methods that inform users of the acceptable use of and risk to the organization's organizations systems."
(Author's translation, rendered back into English)
"Awareness training - training delivered through methods such as instructor-led online courses and exercises. The training shows the operations that are acceptable on the organization's systems and the risks to them."

NIST SP 800-16RD was the document intended to replace NIST SP 800-16, which was published in 1998, more than 20 years ago. This suggests that at some point the content of NIST SP 800-16 was considered no longer appropriate for the current state of society.
When NIST SP 800-16 was published, it was probably not necessary, given the social situation at the time, to require all IT system users to take security training; simply raising awareness may have been good enough back then. However, the situation has changed dramatically since then with the recent rise in phishing, targeted attack e-mails, and social engineering. I believe that people now need to acquire, as a skill, what was previously only promoted through awareness raising. Awareness training is the term that was defined to describe this.

And this is why companies offer such awareness training under the name "Security Awareness Training".

Summary

I would like to use the example of crossing an intersection to help you understand the differences between awareness, IT security literacy, and training, and how each works.

Awareness: You know that a car could come around the corner even when you are crossing an intersection on a green light, and you are able to think, "Yes, it is a green light, but I still have to be careful." (Awareness training is training that cultivates this sense.)

IT security literacy: You know the procedure for crossing the street safely, such as looking right, left, and right again.

Training: You learn how to cross the street safely using the skill of looking right, left, and right again, and you become able to do it in actual crossing situations.

I hope this example makes it easier for you to understand the difference.

Lastly, I feel that cyber-attacks, as tricky schemes, target people as the starting point in many cases. People are often the most vulnerable part of an organization because they inevitably have the potential to make mistakes.

Cyber-attacks that originate with people are currently increasing, and I think security awareness training will be required more and more. Technology will cover ever more of what is needed to secure organizations, but there will still remain an area that people must take care of. Our society will be more stable and better developed if we can raise the security level not only of technology but also of people, for example through security awareness, keeping pace with IT developments.

I hope this blog will be useful to you and contribute to a safe and secure society, even if only a little.

Reference data

Profile

Shun Miyazaki, CISSP Associate
Security Engineering Center, Security Implementation Technology Team

Shun Miyazaki works on promoting and streamlining secure development within the company.
He was awarded the Grand Prix in Hardening II SecurEach and Most Valuable Vendor in Hardening II SU, competitions that test the ability to protect EC sites from cyber-attacks and safeguard the business.