
The concept of training is a debatable aspect both in the field of cyber security and in information security. This is visible in the way terms such as education, training, awareness, and exercises are used overlappingly.

The National Institute of Standards and Technology (NIST) has published two guidelines, NIST SP 800-16 (1998) and NIST SP 800-50 (2003), which assess how to build an efficient information security training model. Guideline 800-16 is the first to differentiate between awareness, training and education. Awareness is seen as a prerequisite to training, and education is seen as reserved only for IT specialists to fulfill their job requirements. Training, in the middle, is defined as striving to produce relevant and needed security skills and competences for other than IT security specialists. Learning is defined as the action needed to move from one phase to another. (NIST SP 800-16, 1998). Guideline SP 800-50 also differentiates awareness and training: awareness can be seen as guided by the question “What behavior do we want to reinforce?” and training by “What skill or skills do we want the audience to learn and apply?”. (NIST SP 800-50, 2003)

The European Union Agency for Cyber Security (ENISA) was formed in 2004, with the goal of establishing a high level of cyber security across Europe. One way it promotes this is by supporting and organizing cyber exercises as well as promoting cyber security education. In 2012, it published a report on raising security awareness, which is mostly based on the above-mentioned NIST guidelines.

In the report, ENISA defined awareness as the first component of an education strategy. Awareness is stated to consist of a set of activities, and it occurs on an ongoing basis. According to ENISA, awareness differs from training in that awareness campaigns are less formal and shorter. The training component relies on the skills built in awareness campaigns, and training as an event is more organized and seeks to teach participants. That is the reason why training programs need to be based on the organization’s learning objectives. (ENISA 2010).

So, these guidelines perceive that training is based on awareness, and the transition between these two stages is done by learning. Training is defined as an organized event, where skills and competences are built. In comparison to awareness, training is only for certain employees. Education is at the top of the pyramid, being relevant only to IT professionals. Figure 1 illustrates this continuum.

In academic research, Amankwa, Loock & Kritzinger (2014) have done an in-depth conceptual analysis of the differences between awareness, training and education. They found the core differences to lie in the concepts’ focus, purpose and methods of delivery. Training was defined by them as any action that is taken to make sure that every employee is equipped with the necessary information security skills and knowledge. (Amankwa, Loock, & Kritzinger, 2014).

Karjalainen (2011), on the other hand, has found, based on Siponen et al. (2006), that information security training is persuasive and non-cognitive.

She also states that IS security trainings have three existentialistic features, which are crucial for the training to be needed. These features are (1) the existence of security-sensitive organizational assets, (2) threats towards them, and (3) different technical, social, and organizational mechanisms for protecting the organization’s assets. (Karjalainen, 2011)

Figure 1 Learning Continuum based on NIST 800-16 (National Institute of Standards and Technology, 1998).

Another approach to using the concepts comes from Puhakainen (2006), who uses the term awareness training in his research. There, awareness training is stated to be action intended to improve employees’ information security behavior to comply with IS security policies and instructions. (Puhakainen 2006) Nykänen’s (2011) definition can be seen to lie between these two definitions, as he does not use the term awareness training, but defines information security training as action in which the users’ motivation, behavior, attitudes, and awareness regarding information security are improved and guided towards organizational security policies. (Nykänen, 2011)

As is visible, the usage of the concepts is not clear, especially with awareness and training. Rather than making a clear distinction between these two, Puhakainen and Nykänen combine awareness and training. This combination can be justified by the fact that in 1998, when NIST SP 800-16 was published, IT was still a relatively new aspect of the workplace. This could then be the reason why only certain people who worked with IT needed to be trained instead of just being aware. Nowadays, IT is inevitably interlinked with all parts of work, and for that reason all employees can be perceived to need training in the necessary cyber security skills to secure assets.

In addition to awareness, training and education deriving from information security research, cyber security learning also consists of exercises. It is widely recognized that training and exercises are different approaches, but how they differ is debated. Aaltola and Taitto (2019) have made a distinction between cyber security education, training and exercises. Education is, by them, perceived to be a phase where basic understanding and knowledge is gained, which can then be used to develop skills. After education comes training, where skills are formed to gain certain competencies. Exercises are defined as distinctly separate events, where organizations test their readiness for cyberattacks. (Aaltola & Taitto, 2019) Thus, in this definition, exercises are seen as separate events, which are not directly linked to any learning continuum.

Hatzivasilis, Ioannidis, Smyrlis et al. (2020) have formed another type of differentiation between cyber security trainings and exercises, where exercises are seen as a more advanced level in the learning continuum. In their research, they make a distinction between basic training and advanced training.

Basic training is defined to consist of lectures, awareness videos, tutorials and other educational material, which should be targeted at the general public.

Advanced training uses emulated and/or simulated scenarios as teaching tools targeted at security experts. Their division is based on Bloom’s taxonomy knowledge pyramid. The first three steps, up to and including the third step, applying, should be the goal of basic training. The three top steps are then reserved for advanced training. (Hatzivasilis, Ioannidis, Smyrlis, et al., 2020).

The 2015 ENISA report on national and international cyber security exercises also makes a distinction between exercises and trainings. ENISA’s terminology on exercises and trainings was based on the ISO 22398 standard. The standard states that exercises are a “process to train for, assess, practice, and improve performance in an organization”. Training is defined as “activities designed to facilitate the learning and development of knowledge, skills, and abilities, and to improve the performance of specific tasks or roles”. (ENISA 2015; International Organization for Standardization, 2013)

So, when information security is perceived to be a crucial part of cyber security due to the organizational context, cyber security training can be stated to consist of awareness raising and knowledge development, behavior and motivational change, and skill building. The key difference between cyber exercises and trainings is that exercises are stated to be more focused on applying previously formed knowledge and skills regarding cyber security, whereas training is meant for developing that knowledge and those skills. Exercises can also be seen to have more distinct communal learning objectives, as they focus on performance at the organizational level, in comparison to trainings, which focus on the performance of specific tasks and roles. This cyber security learning framework is presented in Figure 2.

Now, even though cyber security exercises were left out of the empirical part, the concept and its methodologies will be introduced in the next sub-chapter, to give a better understanding of the whole cyber security learning process.

Figure 2 Cyber security training learning continuum