"Moving Beyond Security Awareness to Security Education"

Every organization's cybersecurity program should include security awareness training, because employees cannot reduce risk if they do not understand what risk is. Even the most experienced cybersecurity expert has to learn not to click the link in a random email. Phishing and social engineering attempts succeed often enough to make it obvious that awareness training alone is insufficient, but such training can still help employees recognize threats.

In a recent survey by Security Journey, researchers asked participants where the boundary lies between security education and security awareness. Answering that question properly requires understanding the distinctions between the two methods. According to Security Journey's report, security awareness in application development is the ability to identify a potential flaw. Security education, by contrast, entails knowing precisely how that flaw will impact the product, the company, and the customer, as well as what can be done to fix it.

According to Amy Baker, a security education expert at Security Journey, security awareness training is essential for establishing a security culture because it sets a foundation and a state of alertness. While awareness entails identifying a problem, it takes ongoing education and knowledge of solutions to actually change application security. Fundamentally, education imparts a deeper understanding of security procedures, while awareness only goes as far as a conceptual level.

Most often, security awareness training is treated as an annual or biannual presentation to the entire organization. It is also common to assume that people who work in technical fields such as engineering and software development automatically understand risk. Baker emphasized that even though web application security flaws could be linked to more than half of the most significant incidents of the previous five years, corporations are not spending money on educating engineers about secure coding.

Both internal and external sources contribute to security education, but it should be promoted from the top and spread throughout technical and non-technical sectors. It should not be a one-size-fits-all approach, but rather one focused on the responsibilities that employees hold within the organization. Whether or not they actually write code, the development team's leaders should make sure everyone is considering security, and everyone must be aware of how security affects the outcomes of their work duties. This article continues to discuss the difference between security awareness and education, as well as how to better promote security education.

Security Boulevard reports "Moving Beyond Security Awareness to Security Education"
