
Managing an Information Security and Privacy Awareness and Training Program

2nd Edition

By Rebecca Herold

CRC Press

568 pages | 38 B/W Illus.



Starting with the inception of an education program and progressing through its development, implementation, delivery, and evaluation, Managing an Information Security and Privacy Awareness and Training Program, Second Edition provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies. Written by Rebecca Herold, a well-respected information security and privacy expert named one of the "Best Privacy Advisers in the World" multiple times by Computerworld magazine as well as a "Top 13 Influencer in IT Security" by IT Security Magazine, the text supplies a proven framework for creating an awareness and training program. It also:

  • Lists the laws and associated excerpts of the specific passages that require training and awareness
  • Contains a plethora of forms, examples, and samples in the book’s 22 appendices
  • Highlights common mistakes that many organizations make
  • Directs readers to additional resources for more specialized information
  • Includes 250 awareness activity ideas and 42 helpful tips for trainers

Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides the holistic and practical understanding needed to identify and implement the training and awareness methods best suited to, and most effective for, your organization.

Praise for:

The first edition was outstanding. The new second edition is even better - an excellent textbook packed with sound advice and loads of tips to make your security awareness program pull its weight.… engaging and stimulating, easy to read yet at the same time thought-provoking. … chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. …an excellent reference text. Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references. This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.

This book is remarkable because it covers in detail all the facets of providing effective security awareness training … I can, without reservation, recommend use of this book to any organization faced with the need to develop a successful training and awareness program. It surely provides everything you need to know to create a real winner.

—Hal Tipton, from the Foreword

Rebecca Herold has the answers in her definitive book on everything everybody needs to know about how to impart security awareness, training, and motivation. Motivation had been missing from the information security lexicon until Herold put it there in most thorough and effective ways … She demonstrates that security must become a part of job performance rather than being in conflict with job performance… The power of this book also lies in applying real education theory, methods, and practice to teaching security awareness and training … After reading this book, there is no question about the necessary and important roles of security awareness, training, and motivation.

—Donn B. Parker, CISSP, from the Preface

Rebecca Herold, an independent computer security advisor, knows privacy. Not all security consultants do. In her latest book, Managing an Information Security and Privacy Awareness and Training Program, Herold has collected her best advice.

—Privacy Journal

… perfect for lay and professional audiences, this is a guide not for implementing technical necessities but for getting everybody in an organization on board.

—Journal of Productive Innovation

Table of Contents

Brief History of Corporate Information Security and Privacy Awareness and Training

Once Upon a Time

Welcome to the Information Age

Information Security and Privacy Education

Current Challenges Bring Changes in Professional Education

Why Training and Awareness Are Important

Regulatory Requirements Compliance

Customer Trust and Satisfaction

Compliance with Published Policies

Due Diligence

Corporate Reputation


Legal and Regulatory Requirements for Training and Awareness

Awareness and Training Needs

Legal Considerations

Copyright Considerations

Specific Regulatory Education Requirements

Incorporating Training and Awareness into Job Responsibilities and Appraisals

Motivational Factors

Methods of Security and Privacy Objectives Assessments

Performance against Specific Privacy and Security Objectives

Using Appraisal Results

Considering Security and Privacy within Job Performance as a Whole

Paying for Performance

Additional Percentage Element Added to Pay


Common Corporate Education Mistakes

Throwing Education Together Too Quickly

Not Fitting the Environment

Not Addressing Applicable Legal and Regulatory Requirements

No Leadership Support

Budget Mismanagement or No Budget

Using Unmodified Education Materials

Information Overload

No Consideration for the Learner

Poor Trainers

Information Dumping

No Motivation for Education

Inadequate Planning

Not Evaluating the Effectiveness of Education

Using Inappropriate or Politically Incorrect Language

Getting Started

Determine Your Organization’s Environment, Goals, and Mission

Identify Key Contacts

Review Current Training Activities

Review Current Awareness Activities

Conduct a Needs Assessment

Create Your Road Map

Elements of an Effective Education Program

Establish a Baseline

Hard Data

Soft Data

Get Executive Support and Sponsorship

Executive Security and Privacy Training and Awareness Strategy Briefing

Provide Examples of Security- and Privacy-Impacting Events

Case Studies

Key Business Leader Information Protection Responsibilities

Identify Training and Awareness Methods

Adult Learning

Training Delivery Methods

Auditorium Presentations to Large Groups

Remote Access Labs

Satellite or Fiber-Optic Long-Distance Learning

Web-Based Interactive Training (such as Webinars)

Audio Instruction

Video and DVD

Workbooks On-the-Job (OTJ)

Conference Calls

Outsourced Training and Awareness with Professional Educational Services

Education Provided by Professional Societies

Government-Sponsored Training

Awareness Methods

Awareness and Training Topics and Audiences

Target Groups

Mapping Topics to Roles and Target Groups

Standards and Principles

Define Your Message

Customer Privacy

Laws and Regulations

Access Controls

Risk Management

Prepare Budget and Obtain Funding

Obtain Traditional Funding if You Can

Obtain Nontraditional Funding When Necessary

Final Budget and Funding Thoughts

Training Design and Development

Training Methods

Design and Development

Choosing Content

Job-Specific Content and Topics for Targeted Groups

Learning Activities

Training Design Objectives

Awareness Materials Design and Development

Contrasting Awareness and Training

Make Awareness Interesting

Awareness Methods

Awareness Is Ongoing

Developing Awareness Activities and Messages

Monthly Information Security and Privacy Newsletters


Step 1: Identify Where You Need to Improve, Update, or Create Information Security and Privacy Training and Awareness

Step 2: Obtain Executive Sponsorship

Step 3: Communicate Information Security and Privacy Program Overview

Step 4: Send Target Groups Communications Outlining the Information Security and Privacy Training and Awareness Schedules and Their Participation Expectations

Deliver In-Person Training

What to Avoid in Training

Multinational Training Considerations

Delivering Classroom Training

Tips for Trainers

Visual Aids

Training in Group Settings

Case Studies

Launch Awareness Activities

Step 1: Identify Areas in Which You Need to Improve, Update, or Create Awareness

Step 2: Obtain Executive Sponsorship

Step 3: Communicate the Information Security and Privacy Program Overview

Step 4: Identify Trigger Events

Step 5: Identify Target Groups

Step 6: Identify Your Awareness Methods and Messages

Step 7: Evaluate Changed Behavior

Step 8: Update and Perform Ongoing Awareness Plan for Specific Events

Evaluate Education Effectiveness

Evaluation Areas

Evaluation Methods

Evaluating the Effectiveness of Specific Awareness and Training Methods

Education Effectiveness Evaluation Framework Activities Checklist

Leading Practices

Setting the Standard for Data Privacy and Awareness

Establishing a Security Culture Through Security Awareness

Empirical Evaluations of Embedded Training for Antiphishing User Education

We Are Now the Targets of Thieves!

Risks from Advanced Malware and Blended Threats

Case Study: 1200 Users, 11 Cities in 7 Weeks … and They Wanted to Come to Security Awareness Training

Obtaining Executive Sponsorship for Awareness and Training

Education and Awareness for Security Personnel

Aetna’s Award-Winning Security Awareness Program

Security Awareness Case Study


Sample Executive Education Sponsorship Memo

Training Contact Training Data Collection Form

Effectiveness Evaluation Framework

Sample Privacy Roles Definitions

Suggested Privacy Awareness and Training Strategy Announcement as Voice Mail Message

Privacy Icon or Mascot

Sample Privacy Training Survey

Privacy Sample Training Plans

Advocate and SME Interview Questions to Assist with Privacy Training Development

Training and Awareness Inventory

Incorporating Training and Awareness into the Job Appraisal Process Interview/Questionnaire

Sample Customer Privacy Awareness and Training Presentation

Designated Security and Privacy–Related Days

Education Costs Worksheet

Sample Pre-training/Awareness Questionnaire

Security Awareness Quiz Questions

Social Engineering Quiz
