Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Information Security Training Requirements: A Role- and performance-Based Model (Draft)



Mark Wilson, Kevin M. Stine, Pauline Bowen


This document and NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program describe the following key approaches of an information security awareness and training program that federal departments and agencies should follow to help ensure that individuals learn the appropriate information security-related material: All employees of an organization must be regularly or continually exposed to information security awareness techniques (e.g., posters, awareness tools/trinkets, periodic e-mail, warning messages, tips of the day upon accessing an information system, computer/information security day events). All users of information and information systems must attend information security awareness training (on-line or in-person) each year. This material should provide the information security basics and literacy as described in Chapter 3 of this document. This basics and literacy knowledge serves as the foundation upon which role-based training is built for those with significant responsibility for information security. Each person who has been identified by his or her organization as having significant responsibility for information security must receive formal role-based information security training.1 The amount and frequency of training depends on the gap between an individual s existing and needed skills, and changes in technology and the operating environment to which the individual must adapt. Influences on training needs include individual development plans (IDPs), performance plans, and management. URL: 1/draft
Special Publication (NIST SP) - 800-16r1
Report Number


Wilson, M. , Stine, K. and Bowen, P. (2009), Information Security Training Requirements: A Role- and performance-Based Model (Draft), Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD (Accessed May 23, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created March 2, 2009, Updated December 20, 2017