Two serious consequences may result: first, lack of information about their system's security weaknesses can result in poor decisionmaking during the planning and design phases of a systems development project; second, inadequate knowledge may affect the support that data processing management receives. Security education should be directed toward executives, middle management, data processing personnel, system users, and the security professional. A complete security and privacy education and training program should encompass at least 11 security-related subjects. These should include computer security and privacy planning methodologies, system risks analysis techniques, and operations, internal and physical security. In addition, computer auditing, systems monitoring and surveillance, and disaster recovery planning should be taught. Privacy guidelines and control, data communications, and computer crime investigation procedures should also be included. Company planning might also encompass position refinements and research concerning available information. A chart and list of training sources is included.