Training for those with cybersecurity responsibilities

Training the cyber workforce to handle new threats

Agencies are getting fresh advice on how to address a perennial weak link in cybersecurity: People.

Agencies are required to have educational and training programs for workers, and the National Institute of Standards and Technology has released a draft revision of Special Publication 800-16, A Role-Based Model for Federal Information Technology/Cyber Security Training.

The document provides a methodology for developing training courses for those who have significant IT security responsibilities. The threat landscape these employees must address has changed significantly since its original publication in 1998, and the level of attention being paid to training needs has increased over the years.

“Some of the most effective current attacks on cyber networks worldwide exploit user behavior,” the authors write. “These include phishing attacks, social engineering to obtain passwords and introduction of malware via removable media. These threats are especially effective when directed at those with elevated network privileges and/or other elevated cyber responsibilities.”

In a recent survey of federal personnel, security professionals estimated that almost half of all agency breaches are caused by a lack of user compliance with security policies. Education and training are recognized as deterrents to many threats, especially social engineering, and training programs are required under the Federal Information Security Management Act.

These requirements fall into two broad categories: Awareness education for all personnel and role-based training. Agencies must identify workers whose jobs contain significant information or cyber security responsibilities and provide training appropriate for their roles.

“It is important to understand that there is a difference between education and training,” the publication says. Education provides learning and understanding of a subject, while training ensures an individual can perform required functions. “For example, a pilot is educated on the aerodynamics of an aircraft and trained on how to fly the aircraft.”

The guidance introduces the concept of Cyber Security Essentials training, which addresses the gap between the annual security awareness training that is provided to all IT users and the role-based security training which is specific to the job functions. Cyber Security Essentials provide the foundational skills on which role-based training builds.

Each worker who owns, uses or manages information must understand and be able to fulfill security responsibilities, and training must be appropriate for each role. In developing training programs, agencies will have to tailor them for each agency’s needs and for the specific responsibilities of its workers.

Authors of the report note that several areas, including Appendix C, which contains definitions of specific job roles, need additional input before they are completed.

Comments on the draft revision should be sent by Nov. 30 to SP80016-comments@nist.gov, with “Comments NIST SP 800-16” in the subject line.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
