Educating the employees of an organization about general security practices and specific enterprise policies is the purpose of security awareness training. In essence, the security department attempts to reduce security incidents in the environment by presenting basic security principles in the hopes that the end user will not take an action that can cause the enterprise risk through data loss or downtime. The effectiveness of such a training has continued to be scrutinized. However, it is a requirement for standards such as the PCI DSS and is, in general, a good practice.

In order for security awareness training to be effective, it must be tailored to the organization and the various teams that will receive the training. ...