Undoubtedly one of the most worrying issues when we talk about Security is Training, or rather the lack of it.This is largely due to the fact that the user in general is not aware of the importance of the information he handles daily, what he can do with it, the usefulness that a third party can give him and the consequences of it.When we talk about education in Information Security, we are really talking about two concepts: Training and Awareness.The first of the terms refers to publicizing and educating about a specific topic.On the other hand, awareness goes further and refers to the fact that the concept on which we are working forms part, really takes root and becomes a feeling in the person. Many times the term evangelize is also used to reflect this concept.In Systems and, more specifically in Security, performing these two actions acquires greater relevance since generally the public to whom our “preaching” will be directed will tend to brand us as schizophrenic and paranoid madmen from the Matrix (perhaps rightly so).The first thing we have to ask ourselves is: how would a beekeeper (nothing personal with them) come to technically explain how a bee sting Lonchura Punctulata is inflamed because it is a hymenopteran insect.Therefore, in a first contact, the training provided must be in a pleasant language, far from the classic anglicisms and technicalities of our profession.It is important to have indicators and statistics to control before and after training. These will be the reflection of the success or failure of the training and will indicate that we must include, improve or eliminate it. In addition, in principle these indicators will mark the topics of the first trainings. For example, if there is a high rate of viral infections or a high percentage of borrowed passwords, these will be good candidates for topics to be addressed.It is convenient to start with critical or high impact issues within the organization. For example, it could begin with a talk on Social Engineering where a simple phone call or a deceptive email serves as an example to introduce the concept and demonstrate the high impact that obtaining information can have by this means.The content to be treated must be carefully selected and each training must refer to a specific topic without introducing too many new concepts; taking advantage to refresh common themes.The theory must be just and necessary to introduce the topic but then there must be plenty of practical examples, anecdotes of experiences and demonstrations of cause and effect that, the more impressive they are, the greater the result obtained.The time devoted to training should not exceed the average concentration capacity of a person since the subjects are often heavy and even boring (although it pains me to admit it).It is worth mentioning that in the first time, after the training, the actions considered “internal attack” will be increased in our indicators. This is normal and is the product of many people want to live in “meat of their own” as is “being hacker” so they will try tools and actions tending to circumvent the security of the company itself. These actions are generally limited but should be monitored and controlled.Another way in which training is usually addressed is leaving information on an intranet, with periodic mails that deal with a specific topic or billboard with simple advice. Keep in mind that this type of training depends on the user because, for example, if you want you can delete the mail without reading it or never enter the Intranet.The most important thing and to emphasize is that this training must be permanent over time. It will be with this that, ultimately, we will be able to “convert” a simple training in awareness.