Creating Role-Based Security Training: Revised NIST Guidance Aimed at Managers Across Industry

The National Institute of Standards and Technology this spring will unveil updated guidance on role-based cybersecurity training, which will help government agencies as well as private businesses to protect information, NIST Computer Scientist Patricia Toth says.

Toth is taking a lead role in developing the guidance, which will be known as Special Publication 800-16 Rev. 1. The guidance will focus on training tied to each individual's role within the organization, teaching them specifically what they need to do to help protect their organization's resources, she says.

"One example might be someone who is doing incident response," she says in an interview with Information Security Media Group (transcript below). "They need to know very specifically, when an incident happens, how they need to report it, how they need to respond and what they need to do on their particular system to prevent any further damage."

In the interview, Toth discusses:

  • How the new guidance differs from the original document published more than 15 years ago;
  • Differences between cybersecurity education and role-based training;
  • Challenges of determining whether the role-based training programs are effective.

"This document is trying to help those people who are responsible for developing that training to get a better handle on what they need to cover on those modules or training courses they're trying to put together," Toth says.

Toth is a supervisory computer scientist and has worked on numerous documents and projects during her 22 years at NIST. She has been involved with the Federal Information Systems Security Educators' Association and the National Initiative for Cybersecurity Education. She also helped write NIST's security controls guidance.

Role-Based Security Training

ERIC CHABROW: Can you summarize the concept of role-based cybersecurity training?

PATRICIA TOTH: Role-based training looks at the realm of computer security training within organizations in front of an individual's role. That is, what they do in terms of computer security within their organization, very specifically - not their job title, but actually the functions that they perform concerning computer security.

CHABROW: Is this designed just for the people within IT security, or is this for everybody in the organization?

TOTH: This particular document is designed for people who have significant role-based responsibilities within their organization. It is people who are working within the security field, who have very particular responsibilities within their organization. It doesn't cover everyone, like some of the other awareness and training materials that NIST has put out. This is very specific for these types of people.

Training Is for Everyone

CHABROW: Although there is a narrow field, would this include CISOs and CIOs, or are you talking specifically about the people who are charged with executing these programs?

TOTH: It's really for anyone who has a role within those security programs. So a CISO could have a security role, someone who performs just some back-up type of security role. It is the understanding of what your responsibilities are within the organization; it is how your role relates to computer security. In this particular document, there is training for those types of people within the organization so it's role-based training guidance.

CHABROW: Why is that important?

TOTH: It is important because ... FISMA and some of the OMB requirements require that we do the role-based training for people with significant security responsibilities within our organization. This document is trying to help those people who are responsible for developing that training get a better handle on what they need to cover within those modules or training courses that they are trying to put together.

CHABROW: The advice of this could be applied to the private sector as well, right?

TOTH: Certainly. There are similar roles within the private sector as well.

Changes Since 1998

CHABROW: How has role-based training evolved since NIST first published Special Publication 816 in 1998?

TOTH: Since that time we've really, with the developments of the FISMA guidance that NIST has put together, narrowed our focus on what particular responsibilities are for these types of people. So now, we have end-role requirements for everyone within your organization in terms of computer security awareness and training. This has really [helped] tighten what we mean by role-based training and how to help organizations develop that training.

Education vs. Role-based Training

CHABROW: What is the difference between education and role-based training?

TOTH: In general, there is a large difference between education and training. An example that we use within the document, and I've used in several presentations, is if you think about an aeronautical engineer - someone who has been educated to understand the methods for lifts, thrusts and engine dynamics - versus someone who is trained as a pilot. That pilot may have a basic cursory understanding of the aerodynamics behind the airplane, but that person knows how to fly it. Whereas the person who has been educated as an aeronautical engineer may never have flown an airplane even though they understand the design behind it. To me that's the difference between education and training. So what we're concerned with in this particular document is the training of those people within their role; that they need to know specifically what they need to do within their role to help protect their organization's resources.

CHABROW: Can you give an example within cybersecurity?

TOTH: Well one example might be someone who is doing incident response. They need to know very specifically when an incident happens, how they need to report it, how they need to respond, and what they need to do on their particular system to prevent any further damage. That is very different from someone who has been educated in building systems to identify incidents or to respond to the incident.

Putting Programs Together

CHABROW: Who at organizations is responsible for role-based training generally?

TOTH: Generally, in most federal organizations there is an individual who has been identified as the security training officer, and they're responsible for putting together an awareness and training program for their particular organization. So it would be that person's responsibility to make sure that this type of role-based training is developed and given to the appropriate people within their organization.

Measuring Success

CHABROW: Do organizations that implement role-based training judge whether their initiatives are successful or not, and are there metrics used to determine that?

TOTH: That is something that we're struggling with within the document. We have some feedback forms that we include in one of the appendices within 816, in order to accept that type of feedback from the people that are providing the training to do continuous improvement on the training that is being offered. But in terms of a larger look at whether this type of training is effective, we can look at the number of incidents that are reported, how people are responding to them and the overall sense of whether the security of your organization improved or not.

CHABROW: If you look at the federal government at the moment, how would you assess how agencies are performing and instituting role-based training?

TOTH: I think that varies from agency to agency. Some agencies have very dynamic role-based training, where others are still really putting their [programs] together. So I'm hoping that this document will help those organizations build their security training programs. And for those organizations that do have a robust program in place, I'm hoping that we can develop some mechanism to share the type of training that they've developed among the federal government.

Future Workshops

CHABROW: So you can envision future workshops or something NIST might sponsor?

TOTH: Yes, absolutely. In fact, one of the other associations that I am the technical lead for is the Federal Information Systems Security Educators' Association, and FISSEA has an annual conference, which we hold at NIST. This year, it will be March 18 through 20 at NIST in Gaithersburg, and these are the types of things that we discuss. Are the people who are out in the field providing training, developing training? This is a great conference to share that type of information among agencies and even among companies and contractors.

CHABROW: Is there a timetable for when the final version of revision 1 will be ready for publication?

TOTH: We're hoping to have final publication in probably the April/May timeframe.
