Foster a security, compliance and resilience-minded workforce through ongoing, role-based education on evolving threats, obligations and secure workplace practices.
Organizations develop and sustain a security, compliance and resilience-minded workforce through continuous education, awareness activities, practical exercises and role-based training that reinforces expected behaviors.
Technical controls assume users don't undermine them. They frequently do, not from malice but because they don't know better or haven't internalized why specific behaviors matter. The SAT domain governs the ongoing, role-based education program that builds a workforce that understands security obligations and behaves accordingly.
The SCF's intent for SAT emphasizes continuous education and role-based training. "Continuous" excludes annual awareness training as sufficient. Security threats change, regulatory obligations change and behaviors learned in a one-hour training atrophy. The domain requires an ongoing program, not a point-in-time event. "Role-based" excludes generic training as sufficient. A developer's security obligations differ from an executive's, which differ from a finance employee's. Effective SAT delivers content calibrated to what each role actually needs to know.
Practical exercises are specifically included in the SAT intent. Phishing simulations, tabletop exercises and security drills produce behavior change in ways that passive training does not. SAT that produces completion percentages but no behavior change is not fulfilling the domain's intent.